Q&A Information Security
Question:
How can pension funds, premium pension institutions and insurers (hereinafter "institutions") meet the legal requirements under the supervision of DNB with regard to the continuous availability, integrity, confidentiality, authenticity, accountability, non-repudiation and reliability of automated data processing?
Published: 07 July 2023
Latest update: 19 December 2023
Answer:
Pursuant to Article 3:17 of the Financial Supervision Act (Wft), in conjunction with Article 20 of the Prudential Rules Decree (Bpr), Article 143 of the Pension Act and Article 18 of the FTK Decree, institutions under DNB supervision must have adequate procedures and measures in place to manage ICT risks. Managing ICT risks includes ensuring the integrity, continuous availability and security of automated data processing. In this context, "adequate" means that the procedures and control measures are proportionate to the nature, scale and complexity of the risks of the institution's activities and to the complexity of its organisational structure. This also includes procedures and control measures for those parts of automated data processing that have been outsourced or sub-outsourced. In this document, ensuring the integrity, continuous availability and security of automated data processing is referred to in short as "information security and cybersecurity".
In order to comply with these provisions, institutions take control measures in the field of information security and cybersecurity on the basis of a risk analysis. These control measures are not limited to technological solutions (Technology); they also address human actions (People), the design of processes (Processes) and facilities (Facilities).
Institutions periodically and demonstrably evaluate the extent to which the control measures taken are effective in design, existence and operation against the constantly changing risks in the field of information security and cybersecurity. They do this on the basis of a risk analysis, as part of their risk management process (Risk Management Cycle). Where necessary, control measures are improved or replaced by other control measures. Institutions set up their management (Governance) and organisation (Organisation) so as to manage this. Among other things, institutions ensure, in line with the Dutch Corporate Governance Code 2022 and the DNB Q&As "Key functions and adequate separation of functions" and "Key functions with operational independence and proportional set-up", an appropriate separation and independence of the ICT risk management function, the control functions and the internal audit function. Furthermore, board members have demonstrably received training and education tailored to their role, so that they understand the most important ICT risks and control measures for their institution (People).
Institutions also ensure that they remain "in control" of information security when outsourcing (Outsourcing). In addition, they test (Testing) to what extent they, as an institution, are resilient to cyber threats.
In the Good Practice Information Security accompanying this Q&A, DNB offers tools with which institutions can give practical substance to the control measures in the areas of Governance, Organisation, People, Processes, Technology, Facilities, Outsourcing, Testing and the Risk Management Cycle. That document contains various Good Practices (recommendations for control measures) that, in DNB's opinion, properly fulfil the aforementioned requirements of Article 3:17 of the Financial Supervision Act, in conjunction with Article 20 of the Prudential Rules Decree, Article 143 of the Pension Act and Article 18 of the FTK Decree.
This Q&A was updated on 19 December 2023. The answer was expanded with passages on (sub)outsourcing, governance and key functions, training and education, and a definition of information security and cybersecurity.
DISCLAIMER
Q&As provide further insight into DNB's supervisory practice by explaining how DNB interprets statutory supervisory rules. Supervised institutions may also comply with legislation or regulations in other ways. Institutions must be able to demonstrate to DNB, with substantiated evidence, that their implementation complies with legislation and regulations. For a further explanation of the status of DNB's policy statements, see the Reading Guide to DNB Policy Statements on Open Book Supervision.
Should there be any discrepancies between the Dutch and the English version of this document, the Dutch version prevails.
Downloads
- Good Practice IB 2023 ENG (19 February 2024 | 2.2MB PDF)
- Self Assessment IB (19 December 2023 | 6MB XLSX)
- Good Practice IB 2019 2020 (20 May 2019 | 2.9MB PDF)
Relevant legislation and regulations
Financial Supervision Act (Wft)
- Article 1:1; definitions
- Article 3:17 first paragraph; controlled and ethical business operations
- Article 3:17 second paragraph; managing business processes and business risks
Prudential Rules Decree (Bpr)
- Article 17; definition of "financial undertaking": a payment institution, clearing institution, entity for risk acceptance, credit institution, premium pension institution, insurer or branch
- Article 20, second paragraph; have procedures and measures in place to ensure the integrity, continued availability and security of automated data.
Pension Act
- Article 143, first paragraph; safeguarding controlled and ethical business operations
Compulsory Occupational Pension Scheme Act
- Article 138, first paragraph; safeguarding controlled and ethical business operations*
Decree on the Financial Assessment Framework for Pension Funds
- Article 18; controlled business operations
EIOPA
- EIOPA Guidelines on Security and Governance of information and communication technology
- EIOPA Guidelines for outsourcing to providers of cloud services
- Regulation on Digital Operational Resilience for the financial sector (DORA, Regulation (EU) 2022/2554)
Other
- Good practice for outsourcing by insurance companies published by De Nederlandsche Bank N.V. from August 2018
- Guidance on outsourcing by pension funds, publication of De Nederlandsche Bank N.V. of June 2014
* DNB is of the opinion that the corresponding applicability to these institutions (occupational pension funds) of the general standard requiring an organisational structure that ensures controlled and sound business operations entails that they too must, to the extent applicable and applied proportionately, have procedures and measures in place to ensure the integrity, continued availability and security of automated data processing.