Risks in BaFin's Focus 2024

5. Risks arising from cyberattacks with serious consequences

Attacks on corporate IT systems or financial market infrastructures involving the use of malware, for example, are on the increase worldwide (see Figure 1). According to estimates of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), the threat has never been so great. This also applies to the financial sector, as the companies operating in this sector work with two especially attractive goods – money and sensitive data. Cyberattacks have the potential to inflict enormous damage on the companies affected, but they can also substantially restrict the ability of the financial system to operate and endanger financial stability. This is also the case if the targets of such attacks are not the companies themselves but their service providers and, in particular, major multi-client service providers [1]. Ransomware attacks pose the most serious threat. Ransomware is malware that encrypts the victim’s data and only releases it after payment of a ransom. Another variant of such an attack is when criminals extract data via ransomware and threaten to publish the data unless a ransom is paid. Collateral damage can be caused if systems have to be shut down.

Figure 1: Average daily growth of new malware variants (Source: Federal Office for Information Security (BSI), The State of IT Security in Germany)

Examples from 2023 have shown how quickly such attacks can impact the ability of sections of the financial market to operate. In the USA, an institution in the clearing chain for trades in US Treasuries was the victim of such an attack. This institution’s sole purpose was to act as one of several points in the clearing chain for the US market. But due to the strong infrastructural links between the institution and other market participants, the entire trading and clearing activities of the customers affected were greatly restricted as a result of the cyberattack. It was only possible to avoid major upheavals in the trading segments affected by performing complex alternative processes manually. Examples from Germany also highlight the damage potential and risks: in one case, data of bank customers at a service provider responsible for managing account changes were siphoned off. In another case, a supervised company that works together with numerous credit institutions had to shut down its servers for a longer period of time due to a cyberattack. During this period, the company was unable to carry out any new business and had to complete each procedure on paper, involving a great deal of manual work. What is more, the attackers also exfiltrated personal data held by the company and later published it on the darknet. Such dealings are known as double extortion.

Another frequent form of attack is the distributed denial of service (DDoS). This involves flooding the communications networks of a company with data requests until legitimate traffic can no longer be served. The use of malware or spyware in the form of Trojans, viruses or worms is also on the increase.

The increasing spread of digitalisation has broadened the attack surface. At the same time, the threat is exacerbated by the activities of effectively organised economic criminals and by cyberattacks that are politically motivated or even government influenced. The latest geopolitical tensions and crises are further heightening the risk of government-influenced cyberattacks, including attacks on the public administration and on operators of critical infrastructure in the financial sector.

BaFin's line of approach

  • BaFin will implement the new cross-sectoral EU regulation DORA* by mid-January 2025 as scheduled. This includes, for example, monitoring critical third-party service providers from the field of information and communication technology (ICT) and the reporting system for ICT contractual relationships.
  • In accordance with DORA, BaFin will be established as the reporting hub for ICT-related incidents for the German financial sector. The objective is to use the information thus derived to obtain a more detailed picture of the IT security situation on the German financial market and be in a position to respond effectively to IT incidents.
  • Going forward, BaFin will also create an overview of cyber risks for the financial sector. The objective is to highlight the cyber threats facing the financial industry, expose the vulnerability of the supervised companies and their IT service providers and record the cyberattacks that have taken place (and achieved their goals).
  • BaFin actively supports the National Cyber Defence Centre and is cooperating closely with national and international authorities in order to ensure that it is promptly informed about disruptions and dangers and able to pass this information on to other authorities and supervised companies.
  • Furthermore, BaFin organises national crisis and contingency planning exercises in which the financial industry is also involved. It also participates in international cyber crisis exercises. The objective of these exercises is to ensure that, in a situation of crisis, all participants are able to respond fast and in concert.
  • As stipulated in DORA, threat-led penetration tests (TLPT) are to be mandatory in future at certain companies and institutions.
  • Together with the G7 partners, BaFin is preparing policy papers for the financial sector aimed at further strengthening the sector’s resilience to potential attacks – an example of such a policy paper is “G7 Fundamental Elements of Ransomware Resilience for the Financial Sector”.

* DORA stands for Digital Operational Resilience Act.

[1] See Risks arising from market concentration due to the outsourcing of IT services.
