Topic: Risk management

IT risks

Article from the Annual Report 2016 of the BaFin

Information technology is of key significance for the institutions and insurance undertakings supervised by BaFin. It forms the basis for their specialised procedures and processes. The continuing digitalisation in the financial and insurance sectors will further accelerate the technological penetration in these industries and drive forward the shift towards interlinking information technology and business processes. This opens up new opportunities for financial market participants. As described above, the catalyst for this development is innovative tech companies that are competing with established players in the financial and insurance sectors. Existing business models are being challenged, since the new competitors use more modern, flexible IT solutions. They can thus operate with a very competitive IT cost structure and put pressure on established providers in terms of offering and pricing.

Supervisory focus on risk

Supervisors must also concentrate on the risks that go hand in hand with the continuing digitalisation. In particular, the threat of cyber attacks intensified further in 2016. One only has to think of the increasing threat of ransomware, where for the most part the victims are blackmailed into paying money, of the growing number of denial-of-service attacks that target, among other things, the availability of online banking services, and of other targeted attacks against specific companies.

Supervisory practice makes it clear that the issue of IT security must continue to be a top priority for the institutions and insurers themselves, as well as for IT service providers, since there is a significant number of legacy IT systems, some of which are vulnerable with respect to potential system failures. Added to this is the fact that companies in the financial and insurance sectors continue to view IT security primarily from the viewpoint of cost, which fails to do justice to the issue from a supervisory perspective.

In-depth analysis of IT security

In 2016, BaFin continued to intensively analyse issues surrounding IT security in the financial and insurance sectors. Naturally, this also includes comprehensive dialogue with other authorities such as the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), but also with industry associations and IT service providers from the financial and insurance sectors and beyond. To be able to assess the overall threat situation from a supervisory perspective, BaFin has regularly analysed all information and warnings available to it and continues to do so.

No serious IT failures

An analysis of the reports received by BaFin since the end of 2015 in respect of serious security incidents in payment transactions showed that there have been no serious IT failures in German payment transactions since the reporting requirement came into force. However, there were reports of failures in the IT processes of individual institutions and IT service providers that had significant effects on the availability and integrity of data.

BaFin is currently represented in a wide range of national and international working groups that deal with digitalisation and the cyber threat situation. Of particular note are the findings of the G7 Cyber Expert Group. At the end of 2016, the expert group issued a report specifying eight fundamental elements to increase cybersecurity in the financial sector. These can be used, for instance, as the basis for institutions to develop and implement a cybersecurity strategy. In Germany, the fundamental elements were published on the website of the Federal Ministry of Finance (Bundesfinanzministerium – BMF) and others. It is recommended that undertakings and institutions implement the eight fundamental elements.

BAIT

At the national level in 2016, BaFin worked together with the Bundesbank to refine the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) for banks and, with assistance from the IT expert committee, formulated the Supervisory Requirements for IT (Bankaufsichtliche Anforderungen an die IT – BAIT), which is planned for publication as a separate circular.[1] The aim is for BAIT to play a particular role in increasing the awareness of IT risks both within the institutions themselves and with regard to their IT outsourcing providers, and to present what BaFin expects from institutions in the most transparent way possible. BAIT is scheduled to be made available for public consultation in the first quarter of 2017. The MaRisk update had not been published by the time of going to press.

Footnotes:

  1. Both MaRisk and BAIT set out the requirements of sections 25a and 25b of the Banking Act in greater detail.
