Managing risk: from the new pension system to cybercrime

1 November 2023

Managing risk is the pension fund's top priority. The most obvious risks are of course investment risks: striking a sensible balance between making a profit on investments and the desired security. But there's more to it than that, says board member Hanneke Niekus. She singles out two 'non-financial' risks: cybercrime and the new pension legislation. Pensions in the Netherlands have been subject to new rules since 1 July. She explains how the fund is approaching them.

To start with the new pension legislation, what risk is presented by the new pension rules?

Generally speaking, you must be sure you can implement new legislation properly in practice, including the agreements made by the social partners. And it mustn't be too complex or expensive, either. Otherwise, this will pose a risk for the fund as well as its members. That's the last thing we want. 
In the world of pensions, the Future of Pensions Act is by far the most drastic operation we have ever faced. That is not even so much about the new law itself, which is feasible. The biggest challenge is the transition from the existing to the new situation.

Can you cite an example of this?

We now have substantial pension assets from which we pay for the pensions. In the new situation, everyone will have their own pension pot. This means those substantial assets must be divided among those pots. That way, pensions that have already been accrued are transferred to the new situation in a fair manner.

That sounds fairly straightforward.

Yes, but it's anything but. In practice, redistribution involves a highly complex calculation. The new system works out relatively favourably for some groups and somewhat less so for others. The reality is that when the time comes, you will not only have personal pension pots. As a pension fund, we will still have opportunities to share good and bad times between us: there will still be a form of solidarity. That's something we want to handle very carefully: we care equally about all our members. 

Hanneke Niekus
Blik op de toekomst

What are the upcoming milestones?

The first milestone is the choice made by the social partners: different pension contracts are possible and these in turn have implications for the transition. We will know more about the lie of the land by the end of this year. Based on this, a transition plan must be submitted to De Nederlandsche Bank, our supervisory authority. We'll be spending a good deal of time on that in the first half of 2024. The biggest milestone of all is of course the transition itself. Ultimately, all pension funds must be transferred to the new system by 1 January 2028. That's over four more years. That seems far away, but there's a great deal of work to be done. We do have one advantage: our scheme is already very uniform and streamlined, which is a big help in such a complicated transition.

How does the pension fund involve members in the whole process?

As I touched on above, the distribution method is highly complex. It is illusory to think that you as a member can simply back-calculate and receive what you are entitled to. That means every member must be able to trust that we get it right. We will of course do our utmost to explain it as clearly and simply as possible when the time comes. 

And then there's cybercrime. Why is the pension fund prioritising this?

Pension funds are an attractive target to people with bad intentions. We hold many addresses and personal data; we know bank account numbers and pay out a lot of money from our huge assets every month. That places us high up on the 'hit list' of cybercriminals. In bygone times we worked with box files, and that meant you had to physically go somewhere and actually break in. These days, criminals try to break in from all over the world, so to speak, with a few clicks of the mouse.

What forms of cybercrime could arise?

It is common for cybercriminals to work with what is known as 'ransomware'. Hackers break in digitally and disable an organisation's entire system until a ransom is paid. Maastricht University fell victim to this, for example. 
Alternatively, hackers could break in to capture and misuse personal data.

How do you make sure the door is securely locked?

You want to prevent hackers from getting in. And should that unexpectedly happen, you want to limit the damage as much as possible. Blue Sky Group, our administrator, suffered a data breach a few years ago. Fortunately, this did not cause us any serious harm but it once again underlined the need for proper protection. 
You can do that in two ways. First, by together making systems as watertight as possible. And secondly, by working to raise awareness among people. We see in practice that they are the weakest link. For example, cybercriminals get in through phishing emails, so you must never click on them. And then there are the stories we all hear about people accidentally leaving a USB stick on the train.
It is perpetual work in progress: you have to continuously work on system security and employee awareness. De Nederlandsche Bank, our pension fund supervisor, requires us to do precisely that. We have to demonstrate that we have our security properly in place, and we do.