Dutch pension funds need to improve their cybersecurity, according to pension fund regulator DNB.
According to Jacco Jacobs, head of operational and IT risks at the regulator, knowledge of operational and other non-financial risks is also lacking among pension fund managers and supervisory boards.
Jacobs based his concerns, which he voiced at a convention for pension fund executives last month, on the results of an information security investigation of pension funds.
As of this year, the survey also includes specific questions on cybersecurity. In addition to sending the electronic survey, DNB also carried out site visits to 20 pension funds and pension administrators.
Blue Sky Group
The hack of pension administrator Blue Sky Group in August, when personal data of 30,000 pension fund members was stolen, sent shock waves through the Dutch pension industry and added a sense of urgency to the problem.
“Cyber criminals see the pension industry as lucrative. Members’ personal data is worth money,” warned Jacobs.
Jacobs noted that cybersecurity risks are more likely to increase than to decrease. At the same time, cyber and IT risks are often not an integral part of pension funds’ risk management procedures or of their “DNA”, the DNB director added.
“Some mitigation measures should be taken as standard. But not all organizations use such standards, and that puts information security at risk,” Jacobs said.
An example of such a standard measure, he added, is applying software patches promptly to close security vulnerabilities.
DNB also concluded from its study that 40% of pension funds have insufficient control over their information security outsourcing partners.
According to Jacobs, funds sometimes don’t realize to what extent some outsourcing partners also outsource data and processes to third parties.
“Sometimes the management of the same dataset can be outsourced up to eight times. In these cases, we ask the funds how they make sure all of their information is always safe.”
Jacobs advises funds to regularly test their security systems. He suggests it could be done by “ethical hackers” – hackers who expose data security weaknesses to help organizations improve their systems. Pension funds could jointly hire such hackers to keep costs down, he suggested.
The knowledge of pension fund managers and supervisors is not yet at the desired level, Jacobs said.
DNB doesn’t require administrators to become “cyber whiz kids,” he said, but they should be able to ask the right questions and understand the basics of IT.
“It still takes work. As an industry, we’re not there yet,” said Jacobs.