Pursuant to the Financial Supervision Act (Wet op het financieel toezicht) and the Pension Act (Pensioenwet), DNB holds that financial institutions should have adequate procedures and measures in place to control IT risks. These risks relate to, among other things, the continuity of IT and the security of information. In this context, ‘adequate’ means that the procedures should be in line with the nature of the financial institution and the complexity of its organisational structure. The procedures must conform to generally accepted standards (good practices) and should preferably also be in line with the sector-specific conditions applicable to the financial institution. Examples of such standards are Cobit and ISO 27000. These standards provide for measures which DNB, in principle, considers adequate.
In order to test the security of information, DNB has developed an assessment framework consisting of a selection of controls from Cobit. For all measures, institutions must comply with a maturity level of at least 3 (“defined process”). In 2014 the framework was updated to clarify the maturity levels; the required maturity level of three controls in the 'Assess and manage (IT) Risk' category was also raised to level 4. The content of DNB's 2017 Assessment Framework for Information Security is unchanged relative to the version published in 2014; only some small textual changes were made and the explanatory notes were updated. The assessment framework and the explanatory notes may be downloaded using the link below. It is, of course, possible that circumstances arise which require the security of a financial institution’s operations to go beyond what Cobit or ISO 27000 provide for. Whether this is the case is at the discretion of the institution itself. The procedures and measures must be embedded in the IT processes and operations of all relevant units of the financial institution, so that they form an integral part of the organisation as a whole.
Statutory requirements regarding security
The paragraphs below set out the statutory framework underlying the above answer.
Financial institutions subject to section 3:17 of the Financial Supervision Act (Wet op het financieel toezicht) must, in pursuance of the first subsection of said section, organise their operations in such a way as to safeguard controlled and sound operations.
The second subsection, opening sentence and under (a), stipulates that rules may be laid down by or pursuant to general administrative order with regard to the attainment of controlled business processes and business risks.
To implement these provisions, section 20(2) of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft) stipulates that a financial institution – defined as a payment institution, a clearing institution, a special purpose reinsurance vehicle, a credit institution, a premium pension institution, an insurer or a branch as referred to in section 17 of the Decree – must have in place procedures and measures to safeguard the integrity, continuous availability and security of electronic data.
Pension funds and occupational pension funds subject to section 143 of the Pension Act (Pensioenwet) or section 138 of the Obligatory Occupational Pension Schemes Act (Wet verplichte beroepspensioenregeling), respectively, must, in pursuance of the first subsection of said section, organise their operations in such a way as to ensure controlled and sound operations. The second subsection of the section concerned, opening sentence and under (a), stipulates that rules may be laid down by or pursuant to general administrative order with regard to the attainment of controlled business processes and business risks.
Where pension funds and occupational pension funds are concerned, the requirement of controlled and sound operations has not been worked out in any greater detail in rules regarding the control of business processes and business risks comparable to section 20(2) of the Decree on Prudential Rules for Financial Undertakings (Besluit prudentiële regels Wft). There is only a provision to the effect that sound administrative and accounting procedures and adequate internal control mechanisms and policies must be in place for controlling risks (section 18 of the Pension Fund (Financial Assessment Framework) Decree (Besluit financieel toetsingskader pensioenfondsen)).
This does not alter the fact that, in DNB's view, the general standard requiring an organisation that ensures controlled and sound operations applies correspondingly to pension funds and occupational pension funds. It follows that, where applicable and with due observance of the principle of proportionality, these institutions must also have in place procedures and measures to ensure the integrity, continuous availability and security of electronic data processing.