The risk of data security incidents is increasing as pension funds insufficiently factor cybersecurity into their risk assessments, Dutch pensions supervisor De Nederlandsche Bank (DNB) has warned.

In its annual security monitor, the regulator said that financial institutions, including pension funds, insufficiently evaluated their risk management in this area, or failed to anticipate developments in data security.

“As cybersecurity threats increase and change, evaluating and anticipating is crucial,” said DNB.

It said it was remarkable that concrete threats – such as phishing, ransomware and hacking – received “little attention”.

The watchdog also noted that pension funds often did not have sufficient knowledge of security measures at their outsourced service providers.

“As a consequence, schemes are unable to show they are in control, or make clear that measures are effective,” DNB said.

DNB added that sometimes a scheme knew how outsourcing partners had organised their security, but lacked insight into mutual dependencies.

This raised questions about whether all measures combined would be sufficient for the entire investment chain.

Last year, DNB warned that pension funds’ view on data security often fell short of the requirements, sometimes because of data stored in ‘the cloud’.

The regulator also drew attention to access rights, highlighting that schemes often lacked formal procedures for processes such as authorisation of access to data.
