Adam Barszczowski: Cyber risks at PUOs – insights for board members
This article was originally written in Dutch. This is an English translation.
Pension fund boards are ultimately responsible for cyber risks, but do not have the information they need to properly fulfil that responsibility. How can this structural information disadvantage be reduced?
By Adam Barszczowski, pension fund board member, written in a personal capacity.
Pension funds rely heavily on their pension administration organisations (PUOs, from the Dutch pensioenuitvoeringsorganisaties) for administration, IT processes and data exchange. This means that a fund's digital resilience largely lies outside its own walls. Nevertheless, the regulator requires the board to demonstrate that it is “in control” with regard to cyber risks. This creates a paradox: the responsibility lies with the fund, but the relevant information is held by the PUO. This is not an operational detail, but a structural governance and information problem.
Why this problem arises
The core of this problem is information asymmetry. The PUO has detailed knowledge of systems, vulnerabilities, incidents and recovery capacity. The fund mainly receives dashboards, ISAE reports and abstract red-amber-green (RAG) scores. As a result, the board can see that controls exist, but not whether they are effective when things really go wrong.
This mechanism ties in directly with the economic theory of hidden quality developed by American economist George Akerlof: when the customer cannot assess quality, there is an incentive for the supplier to invest in visible compliance rather than real resilience.
At the same time, there is moral hazard. The PUO bears the costs of additional security, while the reputational damage, social impact and supervisory pressure mainly affect the fund. The incentives are therefore misaligned. An incident at a large PUO also has external effects: multiple funds are affected, with potential systemic risk for the sector.
How this manifests itself in practice
Boards receive an abundance of documents, but the information is filtered, legally optimised and often too high-level. Formal assurance such as an ISAE report focuses primarily on the “design and existence” of controls (in Dutch audit terms, “opzet en bestaan”), tested against a control framework the PUO has defined itself. It says little about:
- actual vulnerabilities
- technical test results
- detection capability and response speed
- forensic preparedness
- dependencies on chain partners
This creates a false sense of security. Directors are given comfort, but no picture of actual digital resilience. The governance distance causes nuances to disappear: a green KPI score often hides more than it reveals.
The role of DORA
DORA (the EU Digital Operational Resilience Act) strengthens supervision, but also exposes the fundamental problem. Legal responsibility lies with the fund, while implementation is largely the responsibility of the PUO. The fund must be able to provide information on its ICT risks to the supervisory authority, while the PUO's obligation to share that information rests largely on contractual agreements rather than on a direct legal duty. This does not reduce the asymmetry; it makes it more visible.
Impact for directors
The asymmetry affects three elements of good governance:
1) Risk assessment becomes unreliable
Boards assess abstract reports that say little about real attack scenarios.
2) Supervision becomes reactive rather than proactive
Incident information only comes after the fact. Boards lack insight into near misses, trends and risk behaviour.
3) Responsibility and influence diverge
The board is legally responsible, but has limited access to the knowledge needed to fulfil this role properly.
In practice, this means that directors often rely more on “relationships of trust” than on verifiable information. This makes cyber governance vulnerable, especially in a sector with concentration risk among a few large PUOs.
Possible solutions
1) From compliance to effectiveness
Boards do not need yet another assurance report; they need evidence that security actually works. Consider:
- access to red team results (anonymised, under NDA)
- outcome-oriented indicators: time to detect, time to recover, lessons learned
- periodic evaluations of response quality
- trend analyses of vulnerabilities and near misses
This shifts the discussion from “are controls in place?” to “do controls work when it really matters?”.
2) Continuous monitoring instead of annual assessments
Cyber threats change daily, so an annual ISAE assessment on its own is insufficient. A workable model includes:
- quarterly meetings between the fund's and the PUO's CISOs (or the fund's risk function, where the fund has no CISO of its own)
- half-yearly thematic deep dives
- interim updates in the event of significant changes
This creates a dynamic information position and an early warning monitoring model.
3) Sector-wide benchmarking
Because individual funds have little insight into each other's PUO quality, there is no reputation mechanism that creates pressure for quality. A joint benchmark of PUO quality, even if anonymised, makes differences between PUOs visible and encourages improvement.
It reduces asymmetry not through more information, but through comparable information.
4) Structural access to near misses
Near misses often provide more insight than actual incidents because they show where things almost went wrong. A category report (without operational details) helps directors assess:
- where the weak spots are
- whether the organisation is demonstrating learning ability
- whether improvement measures are effective
This is precisely the type of “practically verifiable” information that ISAE reports do not provide.
5) Strengthening the fund's governance capacity
Greater transparency is only valuable if the board has the knowledge to interpret it. Therefore, the following is necessary:
- structural strengthening of audit and risk committees
- regular training for directors
- direct, unfiltered conversations with the PUO's management team (CISO, CTO)
Good cyber governance can only exist when the recipient of the information is able to understand its content.
6) Review incentive structures
As long as the PUO pays for security and the fund bears the damage, asymmetric behaviour remains rational for both sides. Ways to correct this include:
- linking performance indicators to cybersecurity results
- sharing contractual risk in the event of insufficient resilience
- having insurers assess actual effectiveness (not compliance on paper)
This makes truthful information more economically attractive for both parties.
Nuance: why this is difficult in practice
Reducing asymmetry requires not only technical measures, but above all a different information relationship between the fund and the PUO. Directors want deeper insights based on their fiduciary responsibility, but they depend on the same PUO for that information. Transparency thus becomes partly a matter of negotiation.
Incentive review also requires care. What sounds logical in the literature can be perceived as mistrust in the relationship. Governance is therefore always a balance between control and cooperation.
DORA helps to request additional information, but does not solve the core problem: the knowledge remains with the PUO, the responsibility with the fund. Directors must therefore actively focus on “verifiable information” and not just on reports.
Summary
Pension fund boards are responsible for cyber risks, but lack access to essential information. Information asymmetry, misaligned incentives and sector dependency exacerbate this problem. Solutions lie in effectiveness testing, continuous monitoring, sharing near misses, benchmarking and strengthening governance. DORA offers support, but does not change the fundamental information disadvantage. Only through different information relationships can a board truly become “in control”.