Danish pension fund for academics P+ has been slapped with official orders to resolve problems within its IT security management and IT risk management operations, after the Danish FSA said it found “significant deficiencies” in these areas.
Finanstilsynet, the regulator, said P+, which was formed from the merger of the pension fund for lawyers and economists JØP and engineers’ pension fund DIP last year, must now improve IT procedures related to outsourcing, access control and contingency planning.
The Danish FSA said it had carried out an IT inspection at P+ between October 2018 and January 2019 and January 2020.
In a statement, the FSA said: “There was a lack of framework and structure for IT security management, and as a result, the executive board and the board of directors had an inadequate overview and control of the company’s risk exposure in the IT area.”
The financial watchdog said it ordered the DKK135bn (€18.2bn) pension fund to implement a method of documentation for its IT security management, ensuring coherence between IT security risks and controls, including a documented management follow-up.
In a brief acknowledgement of the FSA’s statement, P+ said on its website: “The pension fund takes note of the orders”.
The FSA also said the fund had to improve procedures and clarify its risk assessments relating to access control to its systems and data, including the establishment of a system for logging all access and use of systems.
Among other points, the FSA criticised P+ for insufficient contingency planning, noting that it had no uniform method for risk-assessing “critical business processes”, and ordered it to ensure a documented approach to emergency preparedness, identifying the relevant scenarios for its contingency tests.