Article from BaFin's 2017 annual report
Operators in the financial sector: identification and requirements
Major attacks on corporate IT systems have laid bare the vulnerability of critical infrastructure (see info box "Critical infrastructure"). As early as 2015 – even before the European Directive on Security of Network and Information Systems (NIS Directive) entered into force – German legislators created corresponding regulations, which they inserted into the German Act on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik) by way of the German IT Security Act (IT-Sicherheitsgesetz).
In the Regulation Amending the German Regulation on the Identification of Critical Infrastructure (Änderungsverordnung zur BSI-Kritis-Verordnung) of 21 June 2017, legislators specified in greater detail the criteria according to which financial sector companies qualify as operators of critical infrastructure.
Critical infrastructure
Critical infrastructure within the meaning of the Act on the Federal Office for Information Security comprises facilities, systems or parts thereof that belong to the energy, information technology and telecommunications, transport, health, water, food, finance or insurance sectors and that are essential for the functioning of society, because their failure or disruption would lead to considerable supply shortages or risks to public safety and security in Germany.
Pursuant to sections 8a and 8b of the Act on the Federal Office for Information Security, operators of critical infrastructure therefore have to meet a number of requirements. They have to identify themselves as operators of critical infrastructure by notifying the Federal Office for Information Security of a point of contact within the company that has to be reachable around the clock.
Moreover, they have to demonstrate every two years that they have taken appropriate organisational and technical measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes.
The Regulation on the Identification of Critical Infrastructure has identified the following services in the financial sector as critical: cash supply, card-based and conventional payment transactions in the banking sector, clearance and settlement of securities and derivatives transactions as well as the contract management, benefit, claim and payment systems of insurance undertakings.
Joint supervision of operators of critical infrastructure in the financial sector
Banks, insurance undertakings, payment institutions and IT services providers qualifying as operators of critical infrastructure are subject to supervision by both the Federal Office for Information Security and BaFin. BaFin and the Federal Office for Information Security try to keep any additional workload that could result from this dual responsibility to a minimum as far as legally possible. The aim is to pool the technical expertise of the Federal Office for Information Security and BaFin's operational supervisory powers to ensure resources are used efficiently.