Dutch pension funds need to improve their cybersecurity, according to pension fund regulator DNB.
Knowledge of operational and other non-financial risks is also lacking with pension fund executives and supervisory boards, according to Jacco Jacobs, head of operational and IT risks at the regulator.
Jacobs based his concerns, which he voiced speaking at a congress for pension fund executives last month, on the outcomes of an information security survey with pension funds.
Since this year, the survey also includes specific questions on cybersecurity. In addition to sending the electronic survey, DNB also did on-site visits to 20 pension funds and pension administrators.
Blue Sky Group
The hack at pension administrator Blue Sky Group in August, when personal data of 30,000 pension fund members were stolen, sent shockwaves through the Dutch pension sector and added a sense of urgency to the issue.
“Cyber criminals consider the pension sector as lucrative. Personal data of members are worth money,” Jacobs warned.
Jacobs noted that cybersecurity risks are more likely to increase than decrease. At the same time however, cyber and IT risks are often not integral parts of the risk management procedures and the “DNA” of pension funds, the DNB director noted.
“Certain mitigation measures should be considered standard. But not all organisations do employ such standards, and this is endangering information security,” Jacobs said.
An example of such a standard measure, he added, is patching software promptly in order to repair security leaks.
DNB also concluded from its study that 40% of pension funds have insufficient control of their outsourcing partners when it comes to information security.
According to Jacobs, funds sometimes do not realise to what extent certain outsourcing partners also outsource data and processes to third parties.
“Sometimes, the same management of one set of data can be outsourced as many as eight times. In those instances, we ask funds how they make sure that all their information is still safe.”
Jacobs advises funds to test their security systems on a regular basis. He suggests this could be done by “ethical hackers” – hackers who expose weaknesses in data security to help organisations improve their systems. Pension funds could jointly hire such hackers in order to limit costs, he suggested.
The knowledge of pension fund executives and supervisors is also not yet at the desired level, said Jacobs.
DNB does not require trustees to become “cyber whizz kids”, he said, but they should be able to ask the right questions and understand the basics of IT.
“This still needs some work. As a sector we are not there yet,” Jacobs said.