Published: 08.12.2021 | Topics: Risk management, IT supervision in the banking sector
BaFin Chief Executive Director Röseler: “IT security must be a top priority for each and every institution”
“The pandemic has permanently increased the threat level in cyberspace”, said Raimund Röseler at BaFin’s “IT Supervision in the Banking Sector” event, which was held entirely virtually for the first time on 27 September. Fortunately, there had only been limited “serious incidents”, BaFin’s Chief Executive Director of Banking Supervision reported. However, the entire financial industry had benefited from a further digital impetus due to the pandemic and social distancing requirements. And the more digital the financial world becomes, he said, the more important the issue of IT security also becomes.
“Hackers and cybercriminals have quickly picked up the scent of this opportunity and discovered new gateways for themselves”, said Röseler. “That is why we have been taking an even closer look at banks’ IT risks than before.”
In the peak phase of the pandemic, BaFin monitored the institutions and key IT service providers particularly closely. “IT security must be a top priority for each and every institution”, he emphasised.
Röseler addressed the fact that the European Commission again urgently drew attention last autumn to the high risk of becoming the victim of a cyberattack and reported that attacks on the European financial sector had grown by more than one-third since the outbreak of the pandemic. In Germany too, for example, there had been several DDoS (distributed denial of service) attacks. These attacks overload the bandwidth or resources of a server so much that, in the worst case scenario, it can no longer be accessed. In January 2020, for instance, a service provider of a larger bank fell victim to this sort of attack. There have also been DDoS attacks in the cooperative sector, most recently at the beginning of June when the online banking platform of around 800 credit institutions was attacked. In addition, in recent months BaFin has repeatedly observed blackmail attempts using ransomware, where attackers try to extort a ransom before releasing screens or data. Victims included the service provider of a large German bank and an insurer.
Two fields of action: digital resilience and outsourcing
All this reveals two fundamental fields of action, Röseler said. First, he warned, banks must consistently continue to improve their digital resilience. This is because cybercriminals are creative, always searching for and discovering new ways to make their attacks. “The banks must therefore become more resilient and more adaptable. And they must be in a position to maintain their critical digital operational processes even during a disruption.”
The second field of action, Röseler explained, relates to outsourcing. Outsourcing has become an irreversible trend in the banking sector as well. Not just in light of potential cost savings, but also from a security perspective, BaFin welcomes outsourcing when services – especially in the field of IT – are provided by professional companies, he said. However, not least thanks to the pandemic, it has become evident that breaking up value chains also entails risks, in particular if institutions are heavily dependent on individual service providers. “Even the best, most expensive internal security system is of little use to a bank if the networks of its service providers or second-tier service providers have security gaps – or if they become victims of force majeure.”
BaFin will therefore continue to hold those responsible for IT at banks heavily accountable in future, Röseler announced. They will have to maintain accurate records of which services are being outsourced and whom they are being outsourced to.
There is awareness of the problem, but not yet everywhere
Most executives are aware of the problems, Röseler said. And most banks are now investing a lot of money and manpower to make their IT secure. This is undoubtedly one reason why the banking sector has so far been hit less hard by cyber attacks than many other industries.
But unfortunately, as Röseler remarked, this does not hold true for all banks. BaFin still experiences one or two unpleasant surprises – regrettably far too often – when it audits banks’ IT systems. “This will have to change”, Röseler demanded. “It’s time for the banks to take the initiative here. Otherwise we or – even worse – some hackers will seize the opportunity to act.”
DORA: Digital Operational Resilience
In Röseler’s view, the issue of IT security is so crucial that it must be addressed by regulators at least at the European level, perhaps even globally. With the draft of its Digital Operational Resilience Act (DORA), the European Commission sent an important signal in the late summer of last year. The intention behind DORA is to strengthen the digital operational resilience of financial entities and continue to ensure that critical third-party service providers in the area of information and communication technology (ICT) are rigorously and consistently monitored, without in doing so relieving financial entities of their responsibility.
BaFin Senior Advisor Silke Brüggemann explained details of the upcoming regulation, which is designed to create uniform, harmonised rules for the entire financial sector, to the conference attendees. The main regulatory elements relate to safeguarding the digital operational resilience of financial entities, Brüggemann explained: the harmonisation of ICT risk management with the elements ICT governance and ICT risk management framework, the standardisation and expansion of the notification obligations for serious ICT incidents to the entire financial sector, and a European monitoring framework for critical ICT third-party service providers. DORA’s scope is broad: the entities subject to the regulation include, for example, credit institutions and payment service providers, insurance and reinsurance undertakings and investment firms, as well as electronic money institutions, central securities depositories (CSDs) and “crypto custodians”, central counterparties and trading venues.
DORA is a key component of the Digital Finance Package that the European Commission wants to use to increase competitiveness, promote innovation and make the European financial market more modern, more secure and more resilient. However, negotiations are still progressing in both the European Parliament and the Council of the European Union. BaFin is closely involved in the Council’s negotiations under the leadership of the Federal Ministry of Finance. The regulation is expected to come into force at the end of next year.
FISG: Direct access to service providers for BaFin
“It’s there in black and white”, said Röseler: BaFin already has the additional powers given to it by the German lawmakers in the form of the FISG, the German Act to Strengthen Financial Market Integrity (see expert articles on the BaFin website dated 27 July 2021 and 4 August 2021). Starting in 2022, BaFin will be able to directly access the providers to whom banks outsource their key processes and activities. “The FISG gives us some powerful weapons for this purpose – in the form of extended powers to issue orders, for example: whereas up to now we have had to take a circuitous route via the banks, in future we will be able to access the external service provider directly if we want to avoid or resolve an irregularity”, Röseler explained.
BaFin can also impose sanctions directly on the relevant service provider. And if institutions engage external service providers in third countries outside the euro area, there has to be an authorised agent for service on whom BaFin can serve examination orders at short notice, for example. Additionally, there is again an obligation to notify material outsourced activities and processes, which gives BaFin a comprehensive overview of outsourcing arrangements and the associated (concentration) risks.
Notification requirement for outsourcing
BaFin expert Dr Frank Beekmann explained the background to the notification requirement to the conference attendees. “Digitalisation offers greater opportunities for outsourcing activities and processes”, he said. Initially, this leads to special risks for the outsourcing institutions. However, he continued, the more that is outsourced, the more important – and hence critical – the service providers’ role becomes. “A concentration on ‘multi-client service providers’ that work for several banks harbours risks for the market as a whole.”
That is why it is important for BaFin to obtain an overview of outsourcing relationships, Beekmann said. This will enable the supervisors to identify multi-client service providers, assess the risks and monitor critical multi-client service providers.
The background to the notification obligation standardised by the FISG includes the guidelines of the European Banking Authority (EBA) on outsourcing arrangements. In the case of material outsourced activities and processes, these stipulate that banks and payment service providers must notify BaFin of any intention to outsource, the implementation of the outsourcing, significant changes and serious incidents. They also have to maintain a register with information about outsourcing arrangements. With the exception of serious incidents, the notifications must be filed with BaFin via the MVP reporting and publishing platform. BaFin will publish the corresponding reporting regulation for public consultation in the near future.
MaRisk, BAIT and ZAIT
To further strengthen risk management and information security in the financial sector, BaFin was already active in recent months: in August, it published amendments to the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) at banks, the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT) and the Supervisory Requirements for IT in Payment Services and Electronic Money Institutions (Zahlungsdiensteaufsichtliche Anforderungen an die IT – ZAIT) (see expert articles on the BaFin website dated 29 September 2021 and 14 October 2021).
The background to the BAIT amendment and the development of the ZAIT was the implementation of the EBA Guidelines on ICT and security risk management. Experience from the supervisory practice of BaFin and the Deutsche Bundesbank was also incorporated into the circulars. Beekmann explained the most important of the roughly 150 changes, with which the banks must comply without any implementation deadline. The chapters on operational information security (5), IT contingency management (10) and managing relationships with payment service users (11) are completely new. There have also been a number of amendments, some of them comprehensive, in other chapters (see info box).
One of the objectives of the requirements in chapter 5 is for banks to identify security-related events even more reliably, conduct a more targeted analysis of these events and periodically review the effectiveness of their information security measures. The BAIT clarify the requirements of AT 7.3 of MaRisk for IT systems in chapter 10. The institutions must have a range of IT contingency plans for time-critical activities and processes. “And – what is just as important – they must test these plans to ensure that they will also function in the worst-case scenario.”
Finally, among other things, chapter 11 requires the banks to keep their payment service users comprehensively informed, for instance about risks, security updates and options, for example to change payment limits. “Of course, the same principle applies here: we will conduct principle-based supervision and ensure that proportionality is maintained”, Beekmann affirmed.
At a glance: BAIT – now in twelve chapters
1) IT strategy
2) IT governance
3) Information risk management
4) Information security management
5) Operational information security (NEW)
6) Identity and rights management
7) IT projects and application development
8) IT operations
9) Outsourcing and other external procurement of IT services
10) IT contingency management (NEW)
11) Managing relationships with payment service users (NEW)
12) Critical infrastructure
Findings from inspection practice
In light of the amendments to MaRisk and BAIT, Rainer Englisch from the Deutsche Bundesbank described in detail the areas in which the supervisory authorities have found the most significant deficiencies in their IT inspections over the past ten years. He reported that the inspection teams most frequently uncover shortcomings at the banks in the areas of outsourcing and other external procurement of IT services (21 percent). Although this is not primarily an IT issue, Englisch explained, it is still closely related to the issues where the supervisors have also identified significant deficiencies particularly frequently: information risk management (17 percent), information security management (16 percent) and identity and rights management (13 percent). Englisch also addressed the risks that arise when banks do not comply with supervisory requirements in these areas.
Bundesbank expert Andreas Vogel summarised the initial findings of the Supervisory Review and Evaluation Process (SREP) for information and communication technology at “less significant institutions” (LSIs) that are directly supervised by BaFin. He reported that the institutions surveyed consistently estimate their IT risks to be medium to high. They see the greater risks in IT outsourcing, security and availability. The institutions also estimate their “maturity level” for dealing with these risks as high. However, Vogel reported, many of them still consider information risk and information security management as well as operational information security to be in particular need of improvement. He pointed out in this context that experience has shown that the supervisory assessment is often considerably lower than the institution’s own assessment. He therefore called on the institutions to explain their self-assessment in detail so that the supervisors can understand it.
The ICT SREP for LSIs was originally planned for 2020, but was postponed by a year because of the COVID-19 pandemic. The process is planned to be continuously updated on the basis of the findings and in dialogue with the industry. The LSI ICT SREP is based on the EBA Guidelines on ICT Risk Assessment under SREP.
Explanatory note: Information security is also becoming more important within BaFin
BaFin has expanded its Directorate for IT Supervision by setting up a division for incident reporting, monitoring of IT multi-client service providers and crisis prevention. In addition, another directorate has been created to monitor payment service providers.
“IT security is a high-speed endurance run”
“We all need to be clear about one thing”, said BaFin Chief Executive Director Röseler summing up the remarks: “IT security is not a quick sprint but – in the truest sense of the word – a high-speed endurance run. The digital transformation of the financial sector still has a long way to go. We’ve only just entered the first bend.”
Please note
This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.