
BaFin Perspectives - current issue

Published: 01.08.2018 | Topic: Fintechs

Digitalisation and Information Security in the Financial and Insurance Sectors as a Focus of Regulatory Requirements

In a globalised financial world in which more and more people pay digitally, transfer money and make their investments online, IT governance and information security now have the same significance for supervisors as ensuring that companies have adequate capital and liquidity. It was therefore a logical step for BaFin to expand on its requirements in this area.

Introduction

In the financial world, information technology (IT) is now no longer merely a secondary requirement for generating income: it has become – and this also makes it vulnerable – the core infrastructure both for all banking processes and for all non-banking processes. BaFin President Felix Hufeld made precisely this point at the BaFin conference “IT Supervision in the Banking Sector” on 16 March 2017.1 IT security is also a socially relevant issue.

Both aspects – IT as the basis for economic activity along all value chains in the financial sector and the reminder that no sustainable and socially acceptable business is possible without information security2 – were the critical factors in BaFin’s decision to develop the ‘Supervisory Requirements for IT in Financial Institutions’ (Bankaufsichtliche Anforderungen an die IT – BAIT) together with the Deutsche Bundesbank and in consultation with representatives of the credit institutions and their associations. BaFin published the BAIT on 6 November 2017. The ‘Supervisory Requirements for IT in the Insurance Sector’ (Versicherungsaufsichtliche Anforderungen an die IT – VAIT), which were published by BaFin on 2 July 2018, establish similar requirements for the insurance industry.

The BAIT and the VAIT are principle-based and proportionally designed rulebooks whose purpose is to expand on and make more transparent BaFin’s previously more generally formulated requirements addressing IT.

Changing IT requirements in the financial sector

At banks, the value chain has always essentially been focused on processing information, so digitalisation is nothing new for the institutions. In the past, however, the digitalisation of banking transactions mainly happened inside institutions and for a long time out of sight for most customers – despite its importance, especially for payment transactions.

The first online banking offerings (e.g. BTX3) for customers already appeared more than 30 years ago. But it is only in the past 10 to 15 years that cashless payments – including as part of the increasingly popular online banking services – and online brokerage have become established in the retail banking business. Competitive direct banks and the first app-based fully digitalised institutions have ushered in the next technical evolutionary stage in customer interaction.

But digitalisation in banking also means supporting and automating business and IT processes with the help of relevant data and suitable IT systems (hardware and software components) – across all customer channels, the entire information chain in the enterprise and across defined interfaces with third parties.4 It is particularly important in this context for business processes, which in many cases also extend across several business units, to be intelligently networked. Nor should the increasingly in-depth interaction with companies that provide – to a greater or lesser extent – external IT services for the institutions be forgotten.

Supervisory monitoring and inspection practice reveals that many banks still have problems finding technically rational solutions for linking together multiple – or heterogeneous – digitalised business processes. However, this is crucial for digitalisation, which is supposed to provide targeted support for the business. It is not enough just to digitalise individual processes or introduce digital business models in some areas only. Technological progress demands a much stronger focus on innovation and permanent adaptation to dynamically changing customer behaviour.5

In addition to the ubiquitous and growing information and cybersecurity risks, digitalisation also entails strategic risks for banks and their IT service providers because it changes the value chains in the financial services sector.6 Various trends are now emerging in the digitalisation of the banking sector.7

Some of these technological developments (and enhancements) are outlined in the following:

Digitalisation initiatives at the customer interface

Although online banking offerings were developed at an early stage in traditional branch-based banks, they were mostly implemented with at most lukewarm support because the primary focus was on customer footfall in the branches. The quality of digital services has certainly increased considerably in the meantime, but in many cases they are still poorly coordinated with the traditional branch business, even though most customers now expect to be offered services across all distribution channels.8

Direct banks, fintechs9 and crowdfunding platforms, which often only offer a specific slice of the banking business, have been rushing into this gap for several years now. The increasing popularity of these innovative providers has massively ramped up competitive and investment pressure on established players in the banking sector.10 If they want to hold their ground in this environment, they must do more than just invest in technology – for example in implementing mobile apps and omnichannel platforms. Rather, the banks must also quickly adapt their operational structures and governance mechanisms to the new developments.

Process digitalisation

The growing maturity of digital technologies is seeing the emergence of new possibilities to further automate processes that are currently only partially automated – for instance in the lending business (e.g. “credit factory”) and everything to do with account opening (e.g. the “VideoIdent” online identity verification solution).

However, established banks will only be able to compete with new digital competitors in the online business if they also more heavily automate adjacent back-end processes and hence significantly improve their cost structures. Nor is it enough just to develop new solutions for process digitalisation. Those solutions must be integrated swiftly and effectively into the value and process chains – inside the institution and across institutions.

A further factor is that, in many places, the institutions have to deal with outdated and/or overly complex IT systems. Many institutions also have significant deficits in their IT governance, as supervisors have established. In many cases, governance-related requirements are not effectively implemented and their operationalisation is not adequately monitored.11

New dynamics in IT projects

What customers expect from banks when it comes to the use of modern technologies also applies increasingly to the IT project organization and the software development process implemented in this connection at the institutions and their IT service providers: they must be fast, lean and adaptable at short notice – in short: agile.

More than 35 per cent of banks now say that they use Scrum to organise their IT development projects, while about 30 per cent rely on Kanban.12 Both of these agile software development approaches offer an opportunity to significantly change software components in the development process. For example, an operational basic version of an application can already be available in at most a few weeks, rather than months.

Despite all the buzz about innovative software development, however, it pays to remember that a crucial condition for secure IT operation is that – in addition to suitable, functional hardware – there is also a need for software that has been developed, as far as possible, in such a way that security measures augment the conventional software development process. As a general rule, this is the only way to ensure that sufficient attention is paid to security, regardless of whether an agile or another approach is chosen for development.13 A condition for this, however, is that security is integrated as an explicit requirement in the development process (“security by design”), and that holistic security measures are incorporated, implemented, tested and approved by the relevant functions, starting with initialisation and before the system goes live.

Say goodbye to your own data centre – Is the cloud “as a service” a solution?

More than 50 per cent of the companies surveyed in the financial sector say they are already working on streamlining their data centres and consolidating their IT infrastructure.14 This is also being made possible by the increased use of external cloud services, to which applications, platforms as well as security solutions, for example, are being redeployed. Especially with “as a service” concepts15, companies can both standardise and accelerate their IT architecture.16 However, redeploying the processing of what may include highly sensitive data to the cloud also involves a considerable security risk, both to the security of the cloud’s (i.e. the cloud operator’s) IT systems and to the security of the data to be processed or stored in the cloud (i.e. the cloud user’s data).17

Fundamental international supervisory requirements for IT

Financial market supervisors already addressed the requirements for IT infrastructure at an early stage, focusing initially on governance requirements in particular. In its 2010 report18, the Senior Supervisors Group, which reports to the Financial Stability Board (FSB) and represents the supervisory authorities of the ten countries that supervise the world's largest banks, emphasised the importance of strong IT governance and defined what is a core requirement from BaFin’s point of view: the IT strategy must be a pivotal part of the business strategy. In this respect, BaFin expects the necessary requirements for digital transformation to be based on business policy principles and anchored strategically, since the IT architecture can only be strategically enhanced using a holistic, enterprise-wide approach.

Many IT regulatory requirements have arisen in the recent past, among other things because banks’ internal processes running on their technical systems were or are not (yet) sufficiently integrated and automated. Examples of these include data aggregation and reporting processes that are relevant for managing a bank (key requirements here are to be found in BCBS 23919, which were implemented in the latest revision of the German Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk)).

Industry and supervisors are also increasingly becoming aware of another aspect in the wake of digitalisation, namely information security and cybersecurity20 (see info box “Definition of information security and cybersecurity”).

Definition of: Information security and cybersecurity

  • Information security includes greater protection of information, in and with IT, but also without and beyond IT.21
  • Cybersecurity deals with all aspects of security in information and communication technology. The scope of classical IT security is expanded to include the entire cyberspace, which covers all information technology relating to the Internet and comparable networks and includes communication based on them, applications, processes and processed information.22

Beyond the realm of information security, cybersecurity also has a political dimension because in many cases it proves to be extremely difficult to identify the real attackers after a cyberattack so that effective measures can then be taken against them.23

Because of the overriding importance of cybersecurity for the financial sector, the G7 Cyber Expert Group presented a report on the fundamental elements for effective assessment of cybersecurity in the sector, which was adopted by the G7 finance ministers and central bank governors on 12 October 2017.24 BaFin is currently examining the extent to which the BAIT need to be adapted or expanded in order to meet the requirements of the G7 report, such as requirements for contingency management25 and corresponding exercises.

IT-related regulation by the EBA

Because digitalisation is not a national issue, it is essential to develop a Europe-wide common understanding and consistent regulatory requirements on the topic. The European Banking Authority (EBA), in which BaFin is also represented at various levels, is responsible for harmonising supervisory practice in the European Union (EU).

The EBA published guidelines on the SREP (Supervisory Review and Evaluation Process) on 7 July 2014.26 The SREP includes an assessment of key indicators, the business model, governance and capital and liquidity risks. The EBA defined the term “IT risk” for the first time in its SREP Guidelines (see info box “Definition of IT risk”).

In order to validate and assess IT risk within the SREP even more precisely, the EBA issued additional guidelines28 to supplement and further specify the assessment of ICT risk on 11 May 2017. In addition to the general SREP, it has developed an ICT SREP for significant institutions (SIs) and one for less significant institutions (LSIs).

Paragraph 5 of the May 2017 ICT SREP Guidelines aims to ensure the convergence of supervisory practices in the assessment of ICT risk under the SREP. The Guidelines contain assessment criteria that the competent authorities should apply to the supervisory assessment of institutions’ ICT governance and strategy and to the supervisory assessment of their ICT risk exposures and controls.

In addition, the supervisory authorities must assess whether the institution’s general governance and internal control framework duly cover the ICT systems and related risks and if the management body adequately addresses and manages these aspects, as ICT is integral to the proper functioning of an institution. In particular, the supervisory authorities must assess

  • whether the institution has an ICT strategy that is adequately governed and in line with the institution’s business strategy,
  • whether the institution’s internal governance arrangements are adequate in relation to the institution’s ICT systems,
  • and whether the institution’s risk management and internal control framework adequately safeguards the institution’s ICT systems.

On the basis of Title 5 of the July 2014 EBA SREP Guidelines, supervisors should also assess whether the institution has an appropriate and transparent corporate structure that is “fit for purpose”, and has implemented appropriate governance arrangements. With regard to the ICT systems and in line with the EBA Guidelines on Internal Governance29, they should assess whether the institution has a robust and transparent organisational structure that clearly defines responsibilities for ICT. This also applies to the management body and its committees. They must also assess whether key persons responsible for ICT, such as the Chief Information Officer (CIO) and the Chief Operating Officer (COO), have adequate direct or indirect access to the management body. This aims to ensure that the management body also knows and addresses the risks associated with ICT.

As the importance of IT outsourcing for business performance continues to grow, but also in light of the associated security risks, the Guidelines require the supervisory authorities to assess whether the institution’s ICT outsourcing policy and strategy considers the impact of ICT outsourcing on the institution’s business and business model.

Supervisory requirements for the IT of institutions with a German banking licence

In Germany, too, IT supervision has increasingly moved into the focus of supervisory activities. As far back as 2012, BaFin established an “IT infrastructure of banks” division. In early 2018, it established the “IT Supervision/Payment Transactions/Cybersecurity” group, with which that division was merged. Among other things, this group is responsible for policy issues relating to cybersecurity, supervision of payment and electronic money institutions, IT-related inspections and policy issues relating to IT supervision. Since then, IT supervision has been implemented on a cross-sectoral basis, and is described in the following using the example of the German Banking Act (Kreditwesengesetz – KWG):

The general principle for the supervision of institutions in section 6 (2) of the KWG reads: “BaFin shall counteract undesirable developments in the lending and financial services sector which may endanger the safety of the assets entrusted to the institutions, impair the proper conduct of banking business or provision of financial services or entail major disadvantages for the economy as a whole.”

BaFin interprets this as meaning that the “assets entrusted to the institutions” today are generally data that are processed and stored in IT systems. Impairment of the proper conduct of banking business or provision of financial services can therefore always be assumed if, as a minimum,

  • the availability of IT systems is inadequate, i.e. if the IT systems are not operational as intended and data is not processed correctly,
  • data integrity cannot be fully guaranteed, i.e. if the correctness of the data (data integrity) and/or the correct functioning of the IT system (system integrity) cannot be assured, or
  • confidentiality cannot be assured, i.e. if the data to be protected can be manipulated without authorisation and without being detected.

BaFin’s general responsibilities under section 6 of the German Banking Act are specified in greater detail in section 25a (1):

Section 25a (1) of the German Banking Act (KWG)

This section sets out that “an institution shall have in place a proper business organisation which ensures compliance with the legal provisions to be observed by the institution as well as business requirements. The management board is responsible for ensuring the institution’s proper business organisation; it shall take the necessary measures to formulate the applicable internal guidelines except where such decisions are taken by the supervisory body. A proper business organisation shall comprise, in particular, appropriate and effective risk management, [...]; risk management shall comprise, in particular, [...]
4. adequate staffing and technical and organisational resources;
5. the definition of an adequate contingency plan, especially for IT systems, [...].”

In the BAIT, BaFin has specified its understanding of a proper business organisation as it affects IT.

Interpretation of supervisory requirements by the BAIT

General comments

Like the MaRisk30, which were revised at the end of October 2017, the BAIT represent an interpretation of the legal requirements of section 25a (1) sentence 3 nos. 4 and 5 of the KWG. As the institutions are increasingly making use of IT services provided by third parties, for example because they are outsourcing IT services, the BAIT also include section 25b of the KWG in this interpretation. Among other things, this governs the treatment of outsourced activities and processes. The relationship between the BAIT and the general banking supervisory requirements for risk management is ensured by references to specific paragraphs in the MaRisk.

In the first version now available, the BAIT address in particular issues where BaFin identified material deficiencies in its inspections in recent years. Examples of such issues include IT strategy and governance, information security, access management and application development, as well as the procurement of IT services from third parties by means of IT outsourcing or the external procurement of IT services.

The BAIT are designed in particular to help the management of institutions and – indirectly through outsourcing agreements – IT service providers ensure a proper business organisation, including in terms of the organisational and operational structure of IT and the use of IT systems. However, the principle-based requirements of the BAIT should not be seen as an exhaustive list of requirements. In this respect, in accordance with AT 7.2 of the MaRisk the institutions and their IT service providers are still required to base their implementation of the BAIT requirements on generally established standards and to implement them effectively.

Additionally, an essential characteristic of the BAIT is that the principle of dual proportionality applies without restriction.

Heightening IT risk awareness

A critical objective of the BAIT is to heighten IT risk awareness in the institutions and in particular at management levels. The relevant term “IT risk” was already defined above31. The need to create risk transparency and to address IT risk at all levels of the institution runs through all eight topic modules of the BAIT and is an integral part of the requirements in the individual paragraphs.

IT strategy – II. 1. of the BAIT

In terms of IT strategy, the focus is on the requirement for management to deal regularly with the strategic implications of the various aspects of IT for the business strategy. In addition to the institution’s organisational and operational structure of IT, this also includes handling end-user computing (EUC) in the organisational units, strategic statements on the external procurement of IT services (outsourcing of IT services or external procurement of IT services) and basic requirements for contingency management, for example.

The management board must define the IT strategy in a cyclical process and resolve and publish it internally in the institution after discussing it with the supervisory board. The measures defined in the strategy for achieving the strategic objectives also establish clarity about the importance of IT for the conduct of banking business. In addition, BaFin also expects strategic statements in particular about IT risk awareness, as well as references to compliance with the information security requirements in the institution and with regard to third parties.

Governance – II. 2. of the BAIT

IT governance is the structure used to manage and monitor the operation and further development of IT systems, including the related IT processes on the basis of the IT strategy. The management board is responsible for the effective implementation of the IT governance arrangements within the institution and with regard to third parties. It is also responsible for ensuring that in particular information risk and information security management, IT operations and application development are appropriately staffed. In BaFin’s view, this is particularly important because it enables the risk of the qualitative or quantitative understaffing of these areas to be identified at an early stage and rectified as soon as possible.

Information risk management – II. 3. of the BAIT

As part of information risk management, the institution must identify the level of protection required for relevant data or information. Target measures must be defined on this basis and compared with the actual measures that have been effectively implemented. The resulting transparency of the risk situation, the derivation of risk-reducing measures and the monitoring of their effective implementation, as well as the management board’s awareness of the identified residual risk, constitute the central requirement for heightening IT risk awareness in the institution and with regard to IT service providers.

To ensure that relevant IT-related risks can be adequately managed in addition to IT risk, BaFin expects the institutions to have an up-to-date overview of the components of the defined information domain32, as well as their dependencies and interfaces. The institution should be guided in this respect in particular by internal operating needs, business activities and the risk situation. To be able to discharge its management responsibilities, the management board must be informed regularly, but at least once a quarter, above all about the results of the risk analysis and any changes in the risk situation.

Information security management – II. 4. of the BAIT

Information security management makes provisions for information security, defines corresponding processes and manages their implementation. BaFin considers information security to be part of the second line of defence in the three-lines-of-defence model (see figure 1 “Three-lines-of-defence model”); it both monitors and supports the operational first line of defence.

Figure 1: Three-Lines-of-Defence model (own data, based on the three-lines-of-defence model, BIS Occasional Paper No. 11, 2015, Bank for International Settlements (BIS))

The management board is responsible for agreeing and publishing an information security policy within the institution that reflects the identified risk situation. The protection requirements defined as part of information risk management are to be specified in greater detail in information security guidelines.

BaFin believes that the information security officer (ISO)33 or – at larger institutions – the information security management system (ISMS)34 is primarily responsible for implementing, complying with and overseeing the institution’s provisions for information security, both internally and in respect of third parties, on the basis of the supervisory requirements and the relevant standards. For this reason, the information security officer function must be independent in terms of organisation and process so that information security can be evaluated and – if necessary – information security incidents can be processed without conflicts of interest. The ISO reports to the management board regularly (at least once a quarter) and on an ad hoc basis.

Particularly in view of the increasing cyber risk, BaFin expects appropriate staff and financial resources to be available for this function in terms of both quantity and quality – as can be inferred from section 25a of the KWG in conjunction with AT 7.1 of the MaRisk and the relevant standards (BSI Standard 200-2, p. 40 et seq., ISO/IEC 27001:2013, 4.4). Of course, BaFin also observes the principle of proportionality and has elaborated special exemption options in particular for small institutions.

User access management – II. 5. of the BAIT

Rights to access precisely defined parts of IT systems are necessary for certain tasks to be performed. They are also a central element for creating IT security. The user access rights concept must therefore be documented in writing as part of user access management. The organisational units must be involved in the development of the concept. The user access rights concept must apply the need-to-know principle, meaning that access rights are only approved and set up if they are needed to perform a concrete task. This also applies to the recertification process, which reviews whether access rights granted are still required. If this is no longer the case, the access rights must be effectively removed.35
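The need-to-know approval and the recertification review described above, as an added illustration (not code from BaFin or any institution): the task-to-rights mapping, the users and the rights set up in the systems are all constructed sample data.

```python
"""
Need-to-know approval and recertification over a documented access rights
concept. Added illustration; the access rights concept, the users and their
granted rights are constructed, not taken from any real institution.
"""
from dataclasses import dataclass

# The written access rights concept: every concrete task names the rights
# (system, role) needed to perform it. A right with no task behind it has
# no place in the concept.
ACCESS_RIGHTS_CONCEPT = {
    "loan_processing": {("core_banking", "loan_clerk")},
    "payment_entry":   {("payments", "entry")},
    "payment_release": {("payments", "approver")},
    "risk_reporting":  {("dwh", "read"), ("risk_tool", "analyst")},
    "core_admin":      {("core_banking", "admin")},
}


@dataclass
class UserRecord:
    user_id: str
    tasks: set      # tasks the organisational unit confirms are current
    granted: set    # rights actually set up in the systems


def required_rights(tasks):
    """Union of the rights the concept justifies for the given tasks."""
    needed = set()
    for task in tasks:
        if task not in ACCESS_RIGHTS_CONCEPT:
            raise KeyError(f"task not covered by the access rights concept: {task}")
        needed |= ACCESS_RIGHTS_CONCEPT[task]
    return needed


def approve_request(user, requested_right, for_task):
    """Need-to-know: a right is approved only if the named task (which the
    user actually performs) requires it. Returns (approved, reason)."""
    if for_task not in user.tasks:
        return False, f"{user.user_id} is not assigned task '{for_task}'"
    if requested_right not in ACCESS_RIGHTS_CONCEPT.get(for_task, set()):
        return False, f"task '{for_task}' does not require {requested_right}"
    return True, "required for a concrete task"


def recertify(user):
    """Recertification: compare granted rights with those still required.
    Returns (rights_to_remove, rights_missing)."""
    needed = required_rights(user.tasks)
    to_remove = user.granted - needed   # no current task justifies them
    missing = needed - user.granted     # task cannot be performed as documented
    return to_remove, missing


def recertification_report(users):
    """Run the review over all users; result keyed by user id."""
    report = {}
    for user in users:
        to_remove, missing = recertify(user)
        report[user.user_id] = {
            "remove": sorted(to_remove),
            "missing": sorted(missing),
        }
    return report


# Constructed sample population for the review.
USERS = [
    # u001 kept an admin right from a former task: must be removed
    UserRecord("u001", {"loan_processing"},
               {("core_banking", "loan_clerk"), ("core_banking", "admin")}),
    # u002 has a release right no task justifies and lacks one tool right
    UserRecord("u002", {"payment_entry", "risk_reporting"},
               {("payments", "entry"), ("payments", "approver"), ("dwh", "read")}),
    # u003 is exactly in line with the concept
    UserRecord("u003", {"core_admin"}, {("core_banking", "admin")}),
]

if __name__ == "__main__":
    for user_id, actions in recertification_report(USERS).items():
        print(user_id, actions)
    print(approve_request(USERS[0], ("payments", "approver"), "payment_release"))
```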

IT projects and application development – II. 6. of the BAIT

The management and monitoring of IT projects must in particular take account of risks in relation to duration, use of resources and quality. The management board must ensure that a general overview is prepared of IT project risks and risks resulting from the interdependencies between different projects.

Precautions must already be taken in the course of application development to ensure the confidentiality, integrity, availability and authenticity of the data to be processed in that program. The objective of these requirements is to reduce the risk that the application is unintentionally modified or deliberately manipulated. Attention is drawn again at this point to the remarks on integrating the relevant security measures in the sense of security by design.

In addition, from BaFin’s perspective it always makes sense to categorise end-user computing (EUC) applications that the organisational units develop or operate into risk classes and to evaluate this classification regularly. BaFin also expects each institution to document all EUC applications in a central register, especially applications that are important for banking processes, risk management and monitoring or accounting.

IT operations – II. 7. of the BAIT

IT operations primarily fulfil the requirements resulting from the implementation of the business strategy and from the IT-supported business processes, and in doing so also manage the portfolio of IT systems appropriately. Furthermore, IT operations should also take up technical innovations according to the requirements of the organisational units and – if appropriate in project form – transfer them to IT production.

The corresponding processes for changing IT systems must be designed and implemented depending on their nature, scale, complexity and riskiness (proportionality). This also applies to newly procured or replaced IT systems as well as to security-related subsequent improvements (security patches). As part of product lifecycle management, the risks stemming from outdated IT systems must also be monitored. However, this is only possible if all components of the IT systems, including inventory data and the interdependencies of the managed objects, are managed appropriately. Medium-sized and large institutions should generally use a configuration management database (CMDB), small ones at least an inventory register. The information collected must be updated regularly and on an ad hoc basis.
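One way to use an inventory with dependency data to monitor the risk from outdated IT systems, as the paragraph above requires, shown as an added example (not BaFin's or any institution's code); the configuration items, support-end dates and business processes are constructed.

```python
"""
Minimal CMDB check: which configuration items are out of vendor support or
about to be, and which business processes depend on them, directly or
transitively. Added illustration with constructed inventory data.
"""
from datetime import date, timedelta

# Configuration items: version, end of vendor support, and the items they
# run on. Dependencies are what makes the risk from an outdated component
# visible at the level of the business process.
CMDB = {
    "online_banking_portal": {"version": "7.2", "support_ends": date(2021, 6, 30),
                              "depends_on": ["app_server", "core_db"]},
    "app_server": {"version": "9.0", "support_ends": date(2020, 12, 31),
                   "depends_on": ["os_a"]},
    "core_db": {"version": "12", "support_ends": date(2023, 3, 31),
                "depends_on": ["os_b"]},
    "os_a": {"version": "6", "support_ends": date(2018, 3, 31), "depends_on": []},
    "os_b": {"version": "7", "support_ends": date(2024, 6, 30), "depends_on": []},
}

# Business processes and the configuration items they run on directly.
BUSINESS_PROCESSES = {
    "payment_transactions": ["online_banking_portal"],
    "risk_reporting": ["core_db"],
}


def missing_items(cmdb):
    """Dependencies referenced but not inventoried: the inventory is incomplete
    and any risk statement derived from it would be, too."""
    referenced = {dep for ci in cmdb.values() for dep in ci["depends_on"]}
    return sorted(referenced - set(cmdb))


def closure(cmdb, item):
    """All configuration items `item` transitively depends on, itself included."""
    seen, stack = set(), [item]
    while stack:
        ci = stack.pop()
        if ci in seen:
            continue
        seen.add(ci)
        stack.extend(cmdb[ci]["depends_on"])
    return seen


def lifecycle_status(cmdb, today, warn_days=180):
    """Classify each item as 'out_of_support', 'expiring' (support ends within
    warn_days) or 'ok'."""
    status = {}
    for name, ci in cmdb.items():
        ends = ci["support_ends"]
        if ends < today:
            status[name] = "out_of_support"
        elif ends - today <= timedelta(days=warn_days):
            status[name] = "expiring"
        else:
            status[name] = "ok"
    return status


def process_exposure(cmdb, processes, today):
    """Per business process: every not-ok item anywhere in its dependency chain,
    sorted by item name."""
    status = lifecycle_status(cmdb, today)
    exposure = {}
    for process, roots in processes.items():
        chain = set().union(*(closure(cmdb, root) for root in roots))
        exposure[process] = sorted((ci, status[ci]) for ci in chain
                                   if status[ci] != "ok")
    return exposure


if __name__ == "__main__":
    review_date = date(2021, 1, 15)   # constructed review date
    print("not inventoried:", missing_items(CMDB))
    for process, items in process_exposure(CMDB, BUSINESS_PROCESSES, review_date).items():
        print(process, items)
```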

In the event of unscheduled deviations from standard operations, suitable criteria for informing the management board in advance of possible causes of this disturbance, the contingency measures to be taken to maintain or restore business operations, and the rectification of the deficiencies must be documented in writing. As part of contingency management36 in accordance with AT 7.3 of the MaRisk, documented contingency tests must be carried out and evaluated regularly at the institution and, if necessary, together with significant IT service providers, and any weaknesses and deficiencies identified must be rectified.

Outsourcing and other external procurement of IT services – II. 8. of the BAIT

If an institution uses IT services, the same generally applies as for the use of services: the institution must verify whether this involves outsourcing within the meaning of section 25b of the KWG. If this is the case, it must meet the requirements of section 25b of the KWG and AT 9 of the MaRisk, and the institution must perform an advance risk analysis. The risks from other external procurement of IT services, the definition of which can also be found in AT 9 of the MaRisk, must also be assessed in advance. This is the only way the institution can determine its complete risk situation and identify concentration risks in externally procured IT services. BaFin also expects the measures derived from the relevant risk analysis to be incorporated into the design of the individual contracts with external service providers. In the case of significant outsourcing of IT services, the requirements of AT 9 number 7 of the MaRisk must be complied with; this also applies of course to cloud computing.37

Implementation of the BAIT

The BAIT entered into force with their publication on 6 November 2017. BaFin did not provide for an implementation period or transitional periods because the BAIT do not impose any new requirements on the institutions and their service providers. The relevant requirements of the German Audit Report Regulation (PrüfbV) including the BAIT will be taken into account for the first time in the audit of the 2018 annual financial statements. Since the beginning of 2018, inspections under section 44 of the KWG with an IT focus have also been based on the BAIT.

Possible revisions to the BAIT

The modular design of the BAIT gives BaFin the necessary flexibility for future revisions or additions. BaFin has already announced on several occasions that the topic of “IT contingency management including test and recovery procedures” is to be integrated into the BAIT.

It is also currently examining whether the BAIT need to be adapted to the “G7 Fundamental Elements of Cybersecurity”38 and the “Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2)”.39

In close cooperation with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), BaFin is also considering a special module on critical infrastructures (KRITIS) to supplement the BAIT. This special module will apply exclusively to those banks and IT service providers that are operators of critical infrastructures in the financial and insurance sector within the meaning of section 2 (10) of the German BSI Act. It will formulate the necessary requirements that these operators of critical infrastructures must fulfil in order to comply with the relevant requirements of section 8a (3) of the BSI Act.

Digitalisation of the insurance industry

Digitalisation as one of the key strategic topics in the insurance industry

As well as optimising internal enterprise processes and increasing efficiency, digitalisation in the insurance sector is primarily concerned with improving contact with customers.40 In recent years, insurance companies have already streamlined and automated many of their business processes – internally and in distribution. The internal automation ratio can be significantly increased in particular by automating manual process steps so that application, contract and claims processing becomes as fully digital as possible. Costs can also be reduced through economies of scale. Many standardisable processes such as contract portfolio management and claims management are already highly automated.41

Another focus of digitalisation in the insurance industry is on the design of customer interfaces. The digital transformation of insurers can only succeed if customer loyalty and customer satisfaction can as a minimum be maintained or, better still, significantly increased. To achieve this, it is essential to provide customers with measurable value added – in the best case, an optimal customer experience from customers’ point of view.42

New challenges in insurance distribution – cyber insurance

Various studies show that cyber threats have recently been moving further to the fore both internationally43 and on the risk agenda of German companies. The current Allianz Risk Barometer published by Allianz Global Corporate & Specialty SE (AGCS) shows that cyberattacks now rank second among the most feared corporate risks.44

The German insurance industry has also responded to this situation by developing a cyber insurance product that takes various forms.45 The German Insurance Association (Gesamtverband der deutschen Versicherungswirtschaft e.V. – GDV) has published – non-binding – general insurance policy conditions (“AVB Cyber”) that impose extremely far-reaching requirements on applicants wishing to insure this risk.46

Supervisory Requirements for IT in the Insurance Sector (VAIT)

It should come as no surprise that BaFin also expects the industry that can insure cyber risks to comply with and effectively implement the basic requirements for IT governance, IT risk and information security management, application development and the operation of IT systems. In mid-March of 2018, BaFin issued the draft Circular on Supervisory Requirements for IT in the Insurance Sector (VAIT)47 for consultation. On 2 July 2018, it published the VAIT.

In the same way as the BAIT for the banking sector, the VAIT will constitute the central element of IT supervision for all insurance companies and Pensionsfonds (companies) referred to in numbers 2 and 3 of the preliminary remarks on the VAIT.48

Interpretation of the VAG by the VAIT

The VAIT interpret sections 23, 26 and 32 of the VAG, for example.

The Circular contains guidance on interpreting the provisions of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) governing business organisation, to the extent that they relate to companies’ technical and organisational resources (see info box “Interpretation of the VAG by the VAIT”).

The VAIT thus specify what BaFin understands to be the appropriate design of IT systems (hardware and software components) and the associated IT processes, with particular regard to information security requirements. As many companies now obtain IT services from third parties in the form of outsourcing or other service relationships, the relevant requirements are also formulated in the VAIT.

The VAIT aim to make transparent what BaFin requires of companies and their IT service providers. This is designed to help them ensure a proper and effective business organisation, including with regard to IT. However, as the VAIT do not cover all the requirements, and the granularity and scope of the requirements are not exhaustive, all companies are obliged to apply generally established IT standards and take into account state-of-the-art technology, above and beyond the detailed specifications contained in the VAIT.

The principle of proportionality also plays a significant role in the implementation of the requirements of the VAIT for business organisation and hence also in the design of structures, IT systems or enterprise processes. The requirements must therefore be met in a way that takes account of the nature, extent and complexity of the risks associated with the company’s activities.

The need to create risk transparency and to deal with IT risk at all levels of the company and its IT service providers also runs through all topics covered by the VAIT.

Summary

Digitalisation has already triggered considerable, and in some cases far-reaching, change in the financial and insurance industries and will continue to do so. Many customers want to be able to interact with banks and insurers anywhere, anytime. The expectations they have of companies in terms of the security and integrity of their data are correspondingly high. This is leading to intense competition between established providers and innovative new competitors.

Banks and insurers possess two raw materials that are needed in a digital world – trust and data. The increasing deployment of Big Data (BD) and Artificial Intelligence (AI) that is currently also observable in the financial market poses huge challenges to both industry and the regulators, as well as – and in particular – customers. Despite all the necessary pressure for change, companies would be well advised for economic considerations alone to think hard about the extent to which they really want to leverage the full potential of the new technologies, for example when monetising personal data with the help of BDAI applications. Otherwise, they run the risk in some cases that reputational damage could outweigh the benefits.

BaFin’s primary mission is to safeguard the proper functioning, stability and integrity of the financial system. It discharges this mission, for example, by imposing supervisory requirements on the business organisation of companies that require permission to operate on the financial market. It goes without saying that digital change is also not leaving the supervisory authorities unscathed. They must regularly assess what new legal and technical requirements the wave of innovation currently being experienced by society and industry is placing on regulation and supervision. No one can give a conclusive answer at the moment, but this makes it all the more important to continuously confront such issues and to ensure a constant exchange between authorities, business and researchers.

It will necessarily be a task for society as a whole to strike a balance between the returns expected by companies, the necessary monitoring of compliance with governance and cybersecurity requirements by supervisors, and the informational self-determination of consumers, and to ensure this in the long term.

Footnotes:

  1. https://www.bafin.de/dok/9045758 (only available in German).
  2. DTCC & Oliver Wyman, Large-scale cyber-attacks on the financial system – A case for better coordinated response and recovery strategies, http://www.oliverwyman.com/our-expertise/insights/2018/mar/large-scale-cyber-attacks-on-the-financial-system.html.
  3. Abbreviation for a German videotex service.
  4. Röseler, Banking wird sich ganz radikal ändern, Treiber des Wandels ist die Digitalisierung (Banking will see radical change and the driver of change is digitalisation), in: Zeitschrift für das gesamte Kreditwesen, no. 7/2018, page 25 et seq.
  5. COREtransform: White Paper – Primat des Technologischen – Regulatorik im Spannungsfeld zwischen Gestalten und Verwalten (White Paper – Primacy of technology – The tension between designing and managing regulatory activities), https://transform.core.se/de/about/insights/knowledge-work/white-paper/.
  6. BaFin, Big Data meets artificial intelligence – Challenges and implications for the supervision and regulation of financial services, pages 7 et seq. and 62 et seq.
  7. Deutsche Bank Research, Fintech reloaded – Traditional banks as digital ecosystems, http://www.dbresearch.de/PROD/RPS_EN-PROD/PROD0000000000451937/Fintech_reloaded_%E2%80%93_Traditional_banks_as_digital_ (only available in German).
  8. Stollarz, Digitalisierung in der Finanzbranche ist kein Selbstzweck (Digitalisation in the financial sector is not an end in itself), in: Börsen-Zeitung online, 28 April 2018, page B5.
  9. There is currently no generally accepted definition of the term “fintech”. As a combination of the words financial services and technology, fintechs are generally understood to be start-ups that offer specialised and particularly customer-centric financial services based on technology-driven systems.
  10. Deutsche Bank Research, Start-ups beflügeln Märkte mit digitalen Technologien (Start-ups inspire markets with digital technologies) (Fintech #7), https://www.dbresearch.de/PROD/RPS_DE-PROD/PROD0000000000447700/Start-ups_befl%C3%BCgeln_M%C3%A4rkte_mit_digitalen_Technolog.PDF (only available in German), retrieved on 11 May 2018.
  11. See Chapter 6.4, Governance – II. 2. of the BAIT.
  12. IT Finanzmagazin, 70 Prozent der Banken und Versicherer entwickeln mit agilen IT-Methoden wie Scrum oder Kanban (70 per cent of banks and insurers use agile IT methodologies such as Scrum or Kanban), https://www.it-finanzmagazin.de/70-prozent-der-banken-und-versicherer-entwickeln-mit-agilen-it-methoden-wie-scrum-oder-kanban-35438 (only available in German), retrieved on 11 May 2018.
  13. Schild, Heise Online – Sichere Softwareentwicklung nach dem “Security by Design”-Prinzip (Secure software development according to the “security by design” principle), https://www.heise.de/developer/artikel/Sichere-Softwareentwicklung-nach-dem-Security-by-Design-Prinzip-403663.html (only available in German), retrieved on 11 May 2018.
  14. Bain & Company, Mehr Tempo, weniger Altlasten: IT-Architektur im digitalen Zeitalter (More speed, fewer legacies: IT architecture in the digital age), http://www.bain.de/en/publikationen/articles/it-architektur-im-digitalen-zeitalter.aspx.
  15. Alongside Software as a Service (SaaS) and Platform as a Service (PaaS), Infrastructure as a Service (IaaS) is one of the three service models in cloud computing. The service generally includes the provision of data centre infrastructure by a cloud provider. The resources are accessed through private or public networks. Examples of components of the infrastructure provided under IaaS include servers, computing and network capacity, communication devices such as routers, switches or firewalls, storage space as well as data backup and archiving systems.
  16. IT Finanzmagazin, Studie zur IT-Architektur: Banken & Versicherer haben wachsende technologische Defizite (IT architecture study: Banks & insurers have growing technology deficits), https://www.it-finanzmagazin.de/bain-studie-zur-it-architektur-banken-versicherer-haben-wachsende-technologische-defizite-45983 (only available in German), retrieved on 11 May 2018.
  17. com! Professional, Sicherheit in der Cloud funktioniert anders (Security in the cloud works differently), https://com-magazin.de/praxis/cloud/sicherheit-in-cloud-funktioniert-1469946.html (only available in German), retrieved on 11 May 2018.
  18. Senior Supervisory Group, Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, https://www.newyorkfed.org/medialibrary/media/newsevents/news/banking/2010/an101223.pdf, retrieved on 11 May 2018.
  19. Basel Committee on Banking Supervision, Principles for effective risk data aggregation and risk reporting.
  20. Steffens, Hacker-Jagd im Cyberspace – Grundlagen und Grenzen der Suche nach den Tätern (Hunting hackers in cyberspace – Principles and limitations of the search for the culprits), in: c’t 14/2017, page 122.
  21. See BSI Standard 200-2, page 12.
  22. BSI, https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/cyber-sicherheit_node.html (only available in German), retrieved on 30 July 2018.
  23. Geiß, Völkerrecht im „Cyberwar“ (International law in “cyberwar”), http://www.ipg-journal.de/schwerpunkt-des-monats/neue-high-tech-kriege/artikel/detail/voelkerrecht-im-cyberwar-859/ (only available in German), retrieved on 11 May 2018.
  24. See Federal Ministry of Finance: https://www.bundesfinanzministerium.de/Content/EN/Standardartikel/Topics/Financial_markets/Articles/2017-10-27-Cyber-Security-download.pdf?__blob=publicationFile&v=2.
  25. Lawrence, Cybersimulation: Der Teufel, den man kennt (Cybersimulation: The devil you know), in: Herbert Frommes Versicherungsmonitor, https://versicherungsmonitor.de/2018/05/03/cybersimulation-der-teufel-den-man-kennt/ (only available in German), retrieved on 11 May 2018.
  26. EBA Guidelines EBA/GL/2014/13.
  27. EBA Guidelines EBA/GL/2014/13, loc. cit., page 17.
  28. EBA Guidelines EBA/GL/2017/05. The abbreviation “ICT” stands for information and communication technology.
  29. EBA Guidelines EBA/GL/44.
  30. Circular 09/2017 (BA) – Minimum Requirements for Risk Management (MaRisk), only available in German.
  31. See info box “Definition of IT risk”.
  32. An information domain includes, for example, business-relevant information, business processes, IT systems as well as network and building infrastructures.
  33. See BSI Standard 200-2, page 40 et seq.
  34. See ISO/IEC 27001:2013, 4.4.
  35. See BSI, IT-Grundschutz: M 2.8 Assignment of access rights.
  36. See BSI-Grundschutz 100-4 or ISO 22301:2012.
  37. See BaFinJournal April 2018, page 29 et seq.
  38. See Chapter 3.
  39. EBA Guidelines EBA/GL/2017/17; Payment Services Directive 2.
  40. Versicherungsforen Leipzig, Digitalisierung der Customer Journey bei Versicherungen in der DACH-Region (Digitalisation of the customer journey at insurers in the DACH region), https://www.liferay.com/documents/10182/171894549/Digitalisierung%20der%20Customer%20Journey%20bei%20Versicherungen%20in%20der%20DACH-Region (only available in German), retrieved on 11 May 2018.
  41. Bain & Company, Digitalisierung der Versicherungswirtschaft: Die 18-Milliarden-Chance (Digitalisation of the insurance industry: The multi-billion opportunity), page 21, http://www.bain.de/Images/161202_Bain-Google-Studie_Digitalisierung_der_Versicherungswirtschaft.pdf, retrieved on 11 May 2018.
  42. IT Finanzmagazin, Whitepaper der Versicherungsforen Leipzig & NICE: Kunden und Digitalisierung treiben die Assekuranz (White paper of the Leipzig insurance forums & NICE: Customers and digitalisation are driving the insurance industry), https://www.it-finanzmagazin.de/whitepaper-der-versicherungsforen-leipzig-nice-kunden-und-digitalisierung-treiben-die-assekuranz-31078 (only available in German), retrieved on 11 May 2018.
  43. datensicherheit.de: Cyber-Sicherheitsvorfälle: Neuer KASPERSKY-Bericht über Folgekosten liegt vor (Cyber security incidents: New KASPERSKY report on follow-up costs now available), https://www.datensicherheit.de/aktuelles/cyber-sicherheitsvorfaelle-neuer-kaspersky-bericht-ueber-folgekosten-liegt-vor-25899 (only available in German), retrieved on 11 May 2018.
  44. Allianz Risk Barometer 2018, https://www.allianzdeutschland.de/allianz-risk-barometer-2018/id_79713564/index (only available in German), retrieved on 11 May 2018.
  45. VersicherungsJournal.de, Signal Iduna bringt Cyber-Schutzschild auf den Markt (Signal Iduna launches cyber shield product on the market), https://www.versicherungsjournal.de/versicherungen-und-finanzen/signal-iduna-bringt-cyber-schutzschild-auf-den-markt-131904.php (only available in German), retrieved on 11 May 2018.
  46. GDV: AVB Cyber, relevant here: A 1-16 (and specifically A 1-16.2 a), https://www.gdv.de/resource/blob/6100/d4c013232e8b0a5722b7655b8c0cc207/01-allgemeine-versicherungsbedingungen-fuer-die-cyberrisiko-versicherung--avb-cyber--data.pdf (only available in German).
  47. https://www.bafin.de/dok/10622504 (only available in German).
  48. See BaFinJournal April 2018, page 24 et seq.
