Outdated browser

You are using an outdated browser. DNB.nl works best with:

Q&A Information Security

Factsheet
Read aloud

Question:

How can pension funds, premium pension institutions and insurers (hereinafter "institutions") meet the legal requirements under the supervision of DNB with regard to the continuous availability, integrity, confidentiality, authenticity, accountability, non-repudiation and reliability of automated data processing?

Published: 07 July 2023

Latest update: 19 December 2023

Answer:

Pursuant to art. 3.17 Financial Supervision Act, in conjunction with Article 20 of the Prudential Rules Decree and Article 143 of the Pension Act and Article 18 of the FTK Decree, institutions under the supervision of DNB have adequate procedures and measures to manage ICT risks. Managing ICT risks includes ensuring the integrity, continuous availability and security of automated data processing. In this context, adequate means that the procedures and control measures are based on the nature, scale and complexity of the risks of the institution's activities and the complexity of its organisational structure. This also includes procedures and control measures for those parts of automated data processing that have been (sub)outsourced. In this document, ensuring the integrity, continuous availability and security of automated data is briefly referred to as 'information security and cybersecurity'.

In order to comply with these provisions, institutions have taken control measures in the field of information security and cybersecurity based on a risk analysis. These control measures are not only aimed at technological solutions (Technology), they are also aimed at human actions (People), design of processes (Processes) and facilities (Facilities).

Institutions periodically and demonstrably evaluate the extent to which the control measures taken are effective in design, existence and operation to deal with the constantly changing risks in the field of information security and cybersecurity. They do this on the basis of a risk analysis – as part of their risk management process (Risk Management Cycle). Where necessary, control measures are improved or replaced by other control measures. The institutions set up their management (Governance) and organisation (Organisation) to manage this. Institutions ensure, among other things, in line with the new corporate governance code 2022, the DNB Q&A Key functions and adequate separation of functions and the DNB Q&A Key functions with operational independence and proportional set-up, for an appropriate separation and independence of ICT risk management functions, control functions and internal audit functions. Furthermore, the board has demonstrably followed training and education tailored to them to understand the most important ICT risks and control measures for its institution (People).

Institutions also ensure that they are 'in control' in the field of information security when outsourcing (Outsourcing). In addition, they test (Testing) to what extent they as an institution are resilient to cyber threats.

In the Good Practice Information Security accompanying this Q&A, DNB offers tools with which institutions can give practical substance to the control measures in the areas of Governance, Organisation, People, Processes, Technology, Facilities,

Outsourcing, Testing and the Risk Management Cycle. This document contains various Good Practices (recommendations for control measures) that, in the opinion of DNB, properly fulfill the aforementioned requirements from Article 3.17 of the Financial Supervision Act, in conjunction with Article 20 of the Prudential Rules Decree and Article 143 of the Pension Act and Article 18 of the FTK Decree.

This Q&A was updated on December 19, 2023. The answer has been expanded with passages about (sub)outsourcing, governance & key functions, training & education and a definition of information security & cybersecurity.

DISCLAIMER

Q&As provide further insight into DNB's policy practice because we interpret statutory supervisory rules. Supervised institutions can also comply with legislation or regulations in other ways. Institutions must be able to provide substantiated evidence to DNB that their implementation complies with legislation or regulations. For a further explanation of the status of DNB's policy statements, see the Reading Guide to DNB Policy Statements on Open Book Supervision.

Should there be any discrepancies between the Dutch and the English version of this good practice document, the Dutch version shall prevail.

Elements of governance system

Downloads

Relevant legislation and regulations

Financial Supervision Act (Wft)

  • Article 1:1; definitions
  • Article 3:17 first paragraph; controlled and ethical business operations
  • Article 3:17 second paragraph; managing business processes and business risks

Prudential Rules Decree (Bpr)

  • Article 17; Financial institution means a payment company, clearing company, risk acceptance entity, credit company, premium pension company, insurer or branch
  • Article 20, second paragraph; have procedures and measures in place to ensure the integrity, continued availability and security of automated data.

Pension Act

  • Article 143, first paragraph; safeguarding controlled and ethical business operations

Compulsory Occupational Pension Scheme Act

  • Article 138, first paragraph; safeguarding controlled and ethical business operations*

Decree on the Financial Assessment Framework for Pension Funds

  • Article 18; controlled business operations

EIOPA

  • EIOPA Guidelines on Security and Governance of information and communication technology
  • EIOPA Guidelines for outsourcing to providers of cloud services
  • Regulation on Digital Operational Resilience

Other

  • Good practice for outsourcing by insurance companies published by De Nederlandsche Bank N.V. from August 2018
  • Guidance on outsourcing by pension funds, publication of De Nederlandsche Bank N.V. of June 2014

* DNB is of the opinion that the corresponding applicability for these (professional pension funds) of the general standard regarding an organizational structure that ensures controlled and sound business operations, entails that these institutions also apply to the extent applicable - i.e. applied proportionately - must have procedures and measures in place to ensure the integrity, continued availability and security of automated data.

Discover related articles

DNB uses cookies

We use cookies to optimise the user-friendliness of our website. 
Read more about the cookies we use and the data they collect in our cookie notice.

To ensure the proper operation of the website, De Nederlandsche Bank (DNB) uses functional cookies and analytics cookies, and has taken measures to ensure that these cookies have little or no impact on the privacy of website users.

Some pages include embedded content from external websites. These websites may use proprietary (tracking) cookies. This allows third parties to track visitor statistics, show personalised content and display targeted ads, for example. You can make your choice about allowing these optional cookies both when you first visit the website and when you navigate to a page with embedded content.