Published: 02.05.2017

BaFin President Felix Hufeld: "Objectively speaking, the risk is increasing"

Interview with BaFin President Felix Hufeld

Mr Hufeld, cyber risks were an important topic at the conference on IT supervision in the banking sector. Do we need to worry about the cyber security of the financial system?

It is not an emergency, but yes, it is a general concern. The number of attacks on the IT systems of corporations, including those in the financial sector, is increasing. At the same time, the security measures taken by banks, insurers and other financial institutions are not yet of the standard they need to be. We recently carried out a whole series of audits and, as of today, the results are unsatisfactory. Or, to paraphrase my colleague Röseler, under the school marking system, nobody would have got better than a pass mark. There is quite clearly a need for action on this issue.

Where are the weaknesses?

Firstly there are weaknesses in risk management procedures, the precautions taken, both to guard against unintentional errors made by employees and targeted criminal attacks from outside the organisation. A second issue is the quality of service providers to which significant parts of IT management are frequently outsourced, and how to ensure that they are actually capable of guaranteeing the security of IT systems. Ultimately we need a package of measures encompassing hardware protection, software protection and protection from human conduct.

Why is it that the risk has increased so sharply?

Information technology offers huge strategic and operating possibilities. But the fundamental shift currently underway – all facets of digitalisation – not only provides great commercial opportunities for new start-ups and established undertakings, but also entails new risks and provides criminals with new technical possibilities. A favourite according to Europol, Europe's law enforcement agency, is ransomware. This is computer malware that restricts access to data and systems, which is only lifted if a ransom is paid. But phishing is still a huge problem as well. Phishing is an attempt by email to gain sensitive information such as passwords or credit card details, or to install malware on the victim's computer. This is the dark side of digitalisation, and it deserves just as much attention as the opportunities digitalisation provides.

Note: National Centre for Cyber Defence

BaFin is involved with the National Centre for Cyber Defence (Nationales Cyber-Abwehrzentrum – Cyber-AZ - only available in German). The Cyber-AZ combines the cyber security expertise of federal security agencies and aims to ensure effective and efficient cooperation between all government agencies for the purpose of coordinating protective and defensive measures against cyber attacks. It is led by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI).

What exactly does BaFin expect from undertakings?

We will clearly define our expectations in BAIT, the Supervisory Requirements for IT, which are currently the subject of a consultation process (only available in German). Of particular importance to us in this context is IT strategy, the management of information security (above all the information security officer in this context), and the external procurement of IT services.

BAIT are based on preliminary work on these matters carried out by the Financial Stability Board (FSB). You see, the risks we are talking about here are ultimately of a global nature. The FSB has developed an entire canon of procedural steps, perspectives and groundwork, which should ultimately enable every institution to address the various aspects of IT security in a structured way and establish appropriate precautionary procedures. I believe we will go a long way if, on that basis, all institutions engage with this issue in detail. There will never be total security, but we can erect much bigger obstacles.

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
