Created by BaFin in 2017, BAIT communicates what BaFin expects of a proper IT organisation in banks in relation to the internal IT systems as well as the IT services the institutions purchase from third parties.¹ BAIT is above all intended to raise the awareness of IT risk throughout the institutions – including with respect to their relationship with IT outsourcing providers.

BaFin is planning to publish the corresponding Supervisory Requirements for IT in Insurance Undertakings and Pension Funds (VAIT) in mid-2018. BaFin carried out an industry survey in the second half of the year 2017 in order to get an initial overview of how insurance undertakings and pension funds handle their exposure to cyber risk. This was aimed at identifying the typical strengths and weaknesses of the undertakings.

The survey was at the same time a way to let the industry know that BaFin considers IT risk, which includes cyber risk, material and will therefore examine this risk at the supervised undertakings even more closely in future.²

Cloud computing at insurance undertakings

A key issue that Insurance Supervision has been working on in great detail since 2017 is the use of cloud computing. As with any outsourcing arrangement, the insurance undertaking remains responsible for meeting all supervisory requirements and obligations in such a case. Furthermore, outsourcing must not restrict the undertaking's management and control options or BaFin's review and supervision rights. Banking Supervision is also giving close attention to the issue of cloud computing. Here, the same supervisory requirements apply with regard to outsourcing as is the case with insurance undertakings.