More than 15% of pension funds and insurance firms in the Netherlands have suffered significant damage from cyber crime in the past year, according to an annual survey by regulator DNB on information security.
The regulator has been calling for an increase in attention to cybersecurity risks for years. Back in October, an earlier DNB study concluded that 40% of pension funds have insufficient control of their outsourcing partners when it comes to information security, and that knowledge on the topic is lacking with pension fund executives and supervisory boards.
Pension funds and insurance firms have been hit equally by cyber criminals, with 15% of both groups reporting significant damage from cybercrime between June 2020 and June 2021.
These institutions have reported financial losses from cybercrime, which include reparation costs, ransoms paid to reinstitute data and costs caused by failing systems, to DNB.
The regulator declined, however, to provide any specifics on this, apart from the sums involved being “wide-ranging”.
Pension funds are not required to report financial losses from cyber crime in their annual reports, so the real damage could be even greater. “It is up to the institutions to determine how transparent they are in their annual reports about these incidents,” according to a DNB spokesperson.
One in 20 pension funds reported a successful cyber attack over the research period, whereby third persons got access to IT systems. According to DNB, the effects of such attacks become ever bigger and more disruptive.
The largest known data leak in the Dutch pension sector so far occurred this year at Blue Sky Group, the pension provider of the KLM pension funds, when the data of tens of thousands of members were seized by hackers.
Although cybersecurity risk is now seen as the most urgent operational risk by pension funds according to another DNB survey published last month, DNB said that 40% of schemes do not have sufficiently integrated information security in risk management.
DNB also believes the scenarios analyses that are used to prepare for possible cyber attacks are not up-to-date and not specific enough.
Most pension funds believe hackers’ sole purpose is financial gain, and as a result they fail to prepare for attackers with other goals such as spying or committing sabotage.