Edward Roozenburg: IT risk control is pretty good, but not good enough

Risk Management Pensionfunds

This column was originally written in Dutch. This is an English translation.

By Edward Roozenburg, Service Line Lead IT Risk and Information Security, Probability & Partners

The Dutch Central Bank (DNB) recently published the results of its annual survey on operational and IT risks in the pension sector on its website. The publication is entitled “Managing operational risks in the pension sector requires attention”. An alarming headline that reads like a clear call for improvement in IT and operational risks.

However, anyone who reads the content of the article will see a more nuanced picture. In my opinion, it is even more positive than the title suggests. There seems to be a tension between the strength of the message in the title and the actual findings on which that message is based. How can this alarming tone be interpreted in light of the not-so-shocking findings?

Findings from the DNB survey

The DNB substantiates its call for attention with a number of concrete findings from the survey. In summary, the conclusions are as follows:

  • According to 20% of respondents, the risk management process surrounding information security needs further improvement.
  • Not all funds and implementing organisations can demonstrate that their ICT risk management processes actually contribute to better control of ICT and cyber risks.
  • A number of respondents have not defined risk tolerance limits for ICT outsourcing.
  • The maturity of fundamental control measures is not demonstrably comprehensive, with DNB specifically pointing to business continuity, configuration management and security testing.
  • 14% of respondents indicate that they are dependent on legacy systems that are no longer supported by suppliers.
  • 14% of respondents needed more than ten days to install critical patches.
  • A large number of institutions have insufficient insight into and control over critical outsourcing chains, and there is often a lack of prior risk analyses, measurable agreements on information security and testing of business continuity plans at third parties.

Anyone who takes these findings at face value would be hard pressed to avoid the impression that, broadly speaking, IT risk management in the sector is actually going quite well. Most deviations concern a minority of respondents. These deviations concern 14% to 20% of respondents and are described using phrases such as “not all funds can demonstrate that...”, “a number” and “maturity is not demonstrable across the board”. In other words, most measures have been adequately implemented at most institutions. Only in the area of the outsourcing chain do the problems affect “a large number of institutions”.

What could be the reason that, despite this relatively favourable picture, DNB has opted for a title and tone that issue an emphatic warning?

Chain risk as Achilles' heel

With the advent of the Digital Operational Resilience Act (DORA), the importance of the chain has also been further formalised in legislation. Institutions must demonstrate that chain dependencies are controlled and that disruptions — including those involving third parties — can be mitigated.

When we look at the above findings from a chain perspective, the fact that 14% of respondents do not install their patches within ten days takes on greater significance. Although 86% of the sector apparently installs critical patches within ten days, a delay in installing patches at one key chain partner in the sector can affect a large proportion of the funds associated with that chain partner. A single deviation at one party can disrupt the entire sector. In a traditional risk framework, in which risks are primarily assessed on an individual organisation basis, a deviation at another party would be of little relevance. However, precisely because there is chain dependency and disruptions can spread rapidly and across sectors, matters must be in order throughout the sector.
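The difference between the per-organisation view and the chain view can be made concrete with a small dependency model. The example below is an added illustration, not part of the column or of the DNB publication: the funds, providers, the fund-to-provider dependency map and the patch lead times are all constructed sample data, and the ten-day threshold is the benchmark the survey uses. It computes the share of funds that patched on time themselves (the reassuring "86%"-style figure) next to the share that is exposed once a shared chain partner's lateness is taken into account, and lists how many funds hang off each provider.

```python
"""Sector-wide patch exposure through shared chain partners.

Added example illustrating the chain-risk argument; all names and
numbers are constructed sample data, not survey results.
"""
from collections import defaultdict

# Constructed sample: critical outsourced services each fund depends on.
# Provider names are hypothetical.
FUND_PROVIDERS = {
    "Fund A": ["Admin-1"],
    "Fund B": ["Admin-1"],
    "Fund C": ["Admin-1"],
    "Fund D": ["Admin-1", "Cloud-X"],
    "Fund E": ["Admin-2"],
    "Fund F": ["Admin-2"],
    "Fund G": ["Admin-3"],
}

# Constructed sample: days each party needed to install a critical patch.
PATCH_DAYS = {
    "Fund A": 3, "Fund B": 5, "Fund C": 2, "Fund D": 7,
    "Fund E": 4, "Fund F": 6, "Fund G": 12,
    "Admin-1": 15, "Admin-2": 4, "Admin-3": 5, "Cloud-X": 2,
}

THRESHOLD_DAYS = 10  # the ten-day benchmark used in the survey


def late_parties(patch_days, threshold=THRESHOLD_DAYS):
    """Every party (fund or provider) that exceeded the patch threshold."""
    return {party for party, days in patch_days.items() if days > threshold}


def own_compliance_rate(patch_days, fund_providers, threshold=THRESHOLD_DAYS):
    """Share of funds that patched on time themselves.

    This is the per-organisation view: each fund is judged only on its
    own patching, and dependencies on third parties are ignored.
    """
    funds = list(fund_providers)
    on_time = [f for f in funds if patch_days[f] <= threshold]
    return len(on_time) / len(funds)


def chain_exposed_funds(fund_providers, patch_days, threshold=THRESHOLD_DAYS):
    """Funds exposed either by their own lateness or by a late provider.

    This is the chain view: one late chain partner drags every fund that
    depends on it into the exposed set.
    """
    late = late_parties(patch_days, threshold)
    return {
        fund for fund, providers in fund_providers.items()
        if fund in late or any(p in late for p in providers)
    }


def chain_exposure_rate(fund_providers, patch_days, threshold=THRESHOLD_DAYS):
    """Share of funds exposed once chain dependencies are counted."""
    exposed = chain_exposed_funds(fund_providers, patch_days, threshold)
    return len(exposed) / len(fund_providers)


def provider_concentration(fund_providers):
    """Number of funds depending on each provider.

    High counts flag the parties whose lateness would affect a large
    part of the sector, which is where a chain risk analysis should
    start.
    """
    counts = defaultdict(int)
    for providers in fund_providers.values():
        for provider in providers:
            counts[provider] += 1
    return dict(counts)


if __name__ == "__main__":
    print(f"late parties: {sorted(late_parties(PATCH_DAYS))}")
    print(f"own compliance: {own_compliance_rate(PATCH_DAYS, FUND_PROVIDERS):.0%}")
    print(f"chain exposure: {chain_exposure_rate(FUND_PROVIDERS, PATCH_DAYS):.0%}")
    print(f"exposed funds: {sorted(chain_exposed_funds(FUND_PROVIDERS, PATCH_DAYS))}")
    print(f"provider concentration: {provider_concentration(FUND_PROVIDERS)}")
```

In this sample only one of the seven funds is late itself, so the per-organisation figure is about 86% on time, mirroring the survey's headline number. But one administration provider that four funds share is also late, so in the chain view five of the seven funds (roughly 71%) are exposed. The concentration count identifies that provider as the single point through which the lateness spreads, which is the kind of dependency mapping the outsourcing findings call for.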

The most striking finding therefore remains that concerning outsourcing. Pension funds have become deeply intertwined with IT service providers, cloud providers and software suppliers. Yet it appears that risk analyses are often incomplete, security agreements are insufficiently measurable and third-party continuity plans are rarely tested.

This is not a minor detail, but a fundamental governance issue. Those who remain responsible for risks that are actually outside their own organisation must also have demonstrable control over those risks. This is precisely where the problem lies.

“Pretty good” is not good enough

Although IT control is pretty good at many institutions in the sector, it is not good enough. It is not enough for the majority of institutions to have their affairs in order; the entire sector must, and especially the parties that play a key role in the chain. The alarming title is therefore probably a conscious choice. DNB apparently believes that even if the required measures are in place for the majority of the sector, this is no longer sufficient in a world of chains.

It is striking, incidentally, that the publication does not yet draw any explicit conclusions about the increasing dependence on American technology and cloud providers in particular. In the current geopolitical climate, this is a topic that is clearly coming to the fore. I encourage pension fund managers to engage in this discussion.

For now, the message is clear. Things are, after all, going pretty well. But that is precisely not what DNB is saying: in the current climate, “pretty well” is simply no longer good enough.