Q&A Assessment Framework for DNB Information Security Examination

In accordance with Section 3:17 of the Financial Supervision Act (Wet op het financieel toezicht – Wft), in conjunction with Section 20 of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft – Bpr) and the Pensions Act (Pensioenwet – Pw, see the relevant links under Law and EU Directives elsewhere on this page), institutions under DNB’s supervision must have appropriate procedures and measures in place to control IT risks. These procedures and measures aim to safeguard the integrity, continuous availability and security of electronic data. In this context, “appropriate” means that the procedures and measures are based on the nature, scale and complexity of the risks associated with the institution’s activities, and on the complexity of its organisational structure.

In order to comply with these provisions, institutions take measures to control their information security based on a risk analysis. These control measures are not limited to technological solutions (Technology),they also address human actions (People), Processes and Facilities.

In addition, institutions assess the design, existence and operating effectiveness of control measures on a regular basis as part of their Risk management cycle in order to deal with constantly changing information security and cybersecurity risks. They improve or replace any control measures that are not effective. Institutions set up their Governance and Organisation in such a way as to steer this process.

Also, institutions ensure that they are in control of information security and cybersecurity regarding outsourced activities (Outsourcing) and that they Test their resilience to cyberthreats.

The Good Practices for Information Security connected with this Q&A (see the link under “Related downloads”) provides institutions with practical guidance in establishing their control measures in the areas of Governance, Organisation, People, Processes, Technology, Facilities, Outsourcing, Testing and the Risk management cycle. The document contains a selection of recommended control measures to put the requirements of Section 3:17 of the Wft in conjunction with Section 20 of the Decree on Prudential Rules for Finacial Undertakings and the Pension Act into practice.

Relevant laws and regulations

Financial Supervision Act (Wet op het financieel toezicht – Wft)

• Section 1:1: definitions
• Section 3:17(1): sound and ethical business operations
• Section 3:17(2): managing business processes and operational risks

Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft – Bpr)

• Section 17: a financial institution is defined as a payment institution, clearing institution, special purpose reinsurance vehicle, credit institution, premium pension institution, insurer or branch office
• Section 20(2): procedures and measures in place to ensure the integrity, continuous availability and security of electronic data processing.

Pensions Act

• Section 143(1): safeguarding sound and ethical business operations

Mandatory Occupational Pension Scheme Act

• Section 138(1): safeguarding sound and ethical business operations*
• Good practice document on outsourcing for insurers, published by De Nederlandsche Bank N.V., August 2018
• Guidance document on outsourcing for pension funds, published by De Nederlandsche Bank N.V, June 2014

* DNB is of the opinion that the corresponding applicability to pension funds and occupational pension funds of the general standard to have an organisational structure in place that ensures sound and ethical business operations entails that where applicable and with due observance of the principle of proportionality these institutions must also have in place procedures and measures to ensure the integrity, continuous availability and security of electronic data processing.

# We will add relevant laws and regulations issued by EIOPA and EBA once these have entered into effect.

Should there be any discrepancies between the Dutch and the English version of this good practice document, the Dutch version shall prevail.