
[Photo: Chief Executive Director of Banking Supervision © BaFin / Bernd Roselieb]

Published: 25.09.2020

“Hackers are stepping up their pace”

Raimund Röseler, Chief Executive Director of BaFin’s Banking Supervision, talks about banks’ cyber security during the coronavirus crisis, possibilities for sanctioning service providers and the institutions’ general situation during this year of pandemic.

Since the outbreak of the coronavirus crisis, general data traffic in Germany has increased – by an estimated average of 10 percent, at least as suggested by the activity on the DE-CIX internet node in Frankfurt am Main. Bank customers are also likely to have contributed to the increase, as many switched to contactless options while the branches were temporarily closed.

Thanks to digital solutions, the banking industry was able to maintain its operational functions during the lockdown. But it is becoming more and more apparent that digitalisation, having been very abrupt due to the crisis, is being accompanied by a number of challenges – for example, with regard to cyber security. Banks need resilient IT infrastructures; they need to train their staff and develop strategies to counter IT failures. In this article, Chief Executive Director Raimund Röseler discusses these topics.

Mr Röseler, when someone blows up an ATM, it causes a big bang. Do you sometimes wish it were the same with threats from cyber space?
No, definitely not. A big bang can also cause extensive damage, as you know. I’m also quite sure we don’t need a “bang” to raise awareness of cyber risks. As I see it, banks and also the public have long known of the real risk posed by cyber attacks. So I don’t see any lack of awareness.
The financial sector is already a favourite target for cyber criminals. In BaFinPerspectives you recently suggested that the global coronavirus pandemic might even be aggravating the problem. Are hackers taking advantage of the crisis?
Yes, they are. The pandemic has abruptly boosted the trend towards digitalisation in some respects. This is apparent in the growing data traffic and the greater capacity utilisation of IT infrastructure. In this type of stress situation, it’s obvious that hackers are not going to grant us a quiet moment to take a break. No, they are stepping up their pace and developing more and more new malware. But whether it is malware, spam or phishing: we see that the volume is increasing significantly.
On the one hand, hacker activity is on the rise; on the other, the incident reports under the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) are not showing any irregularities. How does that fit together?
The ZAG incident reports are very helpful as a statistical tool and a warning system. But they only constitute a subset. Only payment service providers such as banks are required to provide information regarding severe operating or security incidents – not insurers. The number of cyber incidents reported by payment service providers has actually not increased that much. This may also be attributable to the fact that these companies are now on high alert. We as supervisors are at any rate also very vigilant and are also conducting more and more inspections in the IT area.
Let’s take a look at the German banks that are under BaFin’s direct supervision. Are they prepared for the growing threat?
While we are seeing more attacks across the board, they are not by any means always successful. As far as malicious external cyber attacks are concerned, our banks seem to be relatively well prepared. And if hackers happen to successfully penetrate the protective wall, crisis management works well enough on the whole.
Nevertheless, we still find serious shortcomings in IT security when we conduct our inspections at the banks. But we tend to find them in other areas.
Where are these problems?
The fewest serious incidents have been malicious external attacks – since 2018, 14 out of 730 incidents, to be exact. Most damage occurs unintentionally – within the banks themselves. Old hardware and errors in the processes and IT systems play a role, as does human error. We assume that employees are even particularly prone to errors now, in the midst of the coronavirus crisis. The working conditions are different, as are the process workflows.
In the course of our IT inspections at smaller and medium-sized institutions in the past year, we found the greatest shortcomings in the areas of information risk management and access management. There were also significant shortcomings in the areas of information security management and outsourcing management.
Luckily, there have not been any comprehensive, longer-term failures so far. I think that says a great deal in favour of the German banking sector.
Why do we still discover such shortcomings?
At first glance, the cases of carelessness are trivial: no back-up system, poor access management. Ultimately, though, it comes down to these questions: “Have I backed up my data?” and “Who is entitled to access the data?” In these days of ever-increasing digitalisation, these issues are not trivial at all. And many things have already changed for the banks in a positive sense. There is still plenty of room for improvement, however. This is also due to the fact that the institutions’ IT systems are, in some cases, already very old.
But errors occur not only at the banks, but also at the IT service providers to whom services are outsourced. That is where it becomes a particular challenge for us as supervisors.

At a glance: Use of end-of-life systems at banks

Numerous significant institutions (SIs) under the supervision of the European Central Bank (ECB) have critical business processes running on systems that have reached their end of life (EOL). The ECB communicated the fact on 24 July. Prior to its announcement, it had evaluated about 100 IT risk questionnaires (ITRQ) for the first quarter of 2019. Viewing EOL systems to be a challenge for IT security, the ECB has set itself the supervisory objective of reducing the banks’ dependency on such systems.

Does this mean it would be better to stop outsourcing?
No, that’s not what I mean. Outsourcing is not bad per se. Quite the opposite, in fact: I would prefer data to be stored in the cloud of a service provider who is a security expert rather than on an old server in the basement of the bank. The supervision rights are the problem.
In what way?
We currently have only one point of contact when it comes to IT security for outsourced services: the banks, not the service providers. You can imagine how impressed a global bigtech company is when a small regional German bank says, “Our supervisor wants you to remedy this and that shortcoming”. We need ways to supervise the service providers directly.
What would that look like?
If a service provider says, “We don’t want to remedy this or that security shortcoming”, then we should be able to impose sanctions. We hope we will be able to address this issue at the European level during Germany’s presidency of the Council of the European Union.
How does it look for German banks in general right now in light of the coronavirus pandemic?
Better than we feared at the onset of the crisis – thanks to the government programmes and the measures taken by the European Central Bank and the supervisory authorities. Our special COVID-19 stress test has just shown that a majority of the German LSIs are largely stress-resilient – and would be even in the event of a sharp fall in gross domestic product.
But it is evident for everyone: the pandemic is not over. It will therefore continue to affect the institutions’ balance sheets, too. We cannot yet say what the exact extent of the impact will be. I am very certain, however, that there will be an increase in credit defaults. They won’t leave the German banking sector unscathed, of course, even if it has become a good deal more resilient due to the regulatory reforms following the crisis in 2007/2008. It is also probable that one institution or the other will not survive the current crisis. But I don’t presently see the German banking system as a whole to be at risk.
So this or that bank might have to exit the market while other institutions pay out dividends?
The institutions should continue to be restrictive in dealing with dividend payments. We don’t have the means to prohibit banks from paying out dividends if their profit forecast is positive for the long term and if they also continue to have sufficient capital buffers in an ongoing stress phase. Many institutions in such a stable situation are refraining from making dividend payments, however.

Thank you for your time, Mr Röseler.

At a glance: What is a cyber incident?

A cyber incident is an incident caused maliciously or unintentionally that compromises the cyber security of an information system or the security of the data processed or violates security guidelines, security processes or conditions of use.

A malicious cyber incident can be an external attack or even sabotage within the undertaking. It does not include internal breakdowns, i.e. failures caused inadvertently by employees; such internal breakdowns are nevertheless also subsumed under the broader term “cyber incident”.

The German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) does not speak of cyber incidents, but rather of serious operational or security incidents. While the two terms essentially mean the same thing, the term “cyber incident” is not limited to payment service providers, but applies to the entire financial sector.

Section 54 sentence 1 of the ZAG requires payment service providers to inform BaFin without undue delay of a serious operational or security incident.

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
