
Photo of Dr Frank Grund, Chief Executive Director of Insurance and Pension Funds Supervision, during the interview © Bernd Roselieb

Published: 20.06.2022 “IT security: insurers and IORPs must become more resilient”

(BaFinJournal) Interview with Dr Grund ahead of the event “IT Supervision of Insurers and Pension Funds”

Digitalisation is a key future issue, including for insurers and institutions for occupational retirement provision (IORPs): it is difficult to imagine the day-to-day business of insurance companies and their customers without IT. This development also brings new risks – for example with regard to information security or outsourcing.

What does this mean for supervision? At the event “IT Supervision of Insurers and Pension Funds”, which was held by BaFin on 21 June 2022, participants received answers to this question. BaFinJournal also reported on the event.

Dr Grund, in recent years, insurance supervision has focussed on topics such as the low interest rate environment, Solvency II, or the impacts of the flood disaster in the Ahrtal region. Attention is now being turned to IT security: what is the reason for this?

The impression that IT security is a new issue is not correct; this has been on our radar for some time now. Back in 2018, we set out our expectations regarding the IT business organisation of insurers in our Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT, VAIT) – and, of course, we monitor how the industry is implementing these requirements. At the EU level, too, IT security is certainly a top priority. This can be seen, for example, in the Guidelines on information and communication technology security and governance and the Guidelines on outsourcing to cloud service providers, both issued by the European Insurance and Occupational Pensions Authority (EIOPA). The Digital Operational Resilience Act (DORA), which is currently the subject of negotiations at the European level, also shows that IT security is an important issue for supervision. And the more digital the financial world becomes, the more IT security will gain in importance.

Is this also reflected in BaFin's supervisory strategy?

In our medium-term objectives and in the “Risks in BaFin’s Focus”, we reiterated how important it is for us that financial entities are able to deal with the risks that result from digitalisation. The Covid-19 pandemic and, more recently, the war in Ukraine have further exacerbated these risks.

Do you view digitalisation as a challenge, a problem?

Digitalisation transforms business models. That is a fact. On the positive side, digitalisation can contribute to improving the efficiency of processes, can create new opportunities to generate income, or can allow companies to make use of innovative IT services that are provided by companies with specialised knowledge.

...but?

As with almost every other form of technological progress, digitalisation too has its weaknesses. It may sound banal, but the risks start with internal IT glitches. Outsourcing is another critical area. Here, new dependencies and concentration risks can emerge. The latter is often the case with cloud providers when several financial companies make use of the same major provider. The more IT services that are outsourced by financial companies, and the more services the IT service providers themselves outsource to other companies, the harder it becomes to control the fragmented value chains.

And then there is the risk of cyber attacks. Due to the increased use of digital services, the Covid-19 pandemic has left companies increasingly vulnerable in cyberspace, as a result of staff working from home, for example. And attackers exploit these vulnerabilities: insurers are a favourite target for cyber attacks.

You mentioned the war in Ukraine. What is the impact of the war on the issue of IT security?

The war in Ukraine has increased the risk of cyber attacks in particular. Thankfully, since the beginning of the war, we have observed almost no successful attacks in the German financial sector. However, it is important that we are even more vigilant than before. Attacks in other sectors and other countries show how high the risk is.

To what extent are current IT problems due to cyber attacks?

Reports of IT incidents show that around 97% of all incidents are caused by internal difficulties, i.e. they are not a result of cyber attacks. These are cases where an update hasn’t worked, or a service provider was unavailable, for example.

But that doesn’t mean we can relax – for two reasons: firstly, the effects of an internal incident can be severe, too, if the incident results in a substantial disruption to business operations.

Secondly, as I said, the war in Ukraine is further exacerbating the situation. We are of the view that, in general, the risk of cyber attacks is increasing.

BaFin also conducts IT inspections of insurers and IORPs.

Since 2018, we have been conducting IT inspections at insurance companies from all insurance classes. As I said, insurers can make very interesting targets for cyber attackers. They have large amounts of customer data, in particular sensitive personal data such as medical information or proprietary information, for example regarding the pricing of insurance policies. We have found that there is room for improvement with regard to insurers’ IT security – particularly in the areas of information risk and information security management. We will discuss this at our conference tomorrow.

What are the implications for supervision?

Our primary objectives are to safeguard the stability and integrity of the financial system and to protect consumers. One thing is clear: we expect insurers to make structural changes. IT incidents must be identified, resolved and – ideally – prevented. With our inspections, we want to find out where things are going wrong. Only then can we assist the supervised companies in meeting our requirements.

What is it precisely you are demanding of companies?

With the chapters “Operational information security” and “IT contingency management” in the revised VAIT, which we published at the beginning of March, BaFin made some very important additions, set new priorities and provided clarification with regard to responsibilities and controls for information risk management and requirements for physical information security. These additions are to be implemented in the near future.

We are currently also seeing very rapid developments in the issue of fragmented value chains. It is becoming increasingly difficult to manage and monitor outsourcing and sub-outsourcing – this is a challenge for insurers and IORPs, but also for supervisors. We have also come to realise that we need more and better data in order to monitor risks that result from outsourcing and sub-outsourcing – across all segments of the financial sector. BaFin has therefore implemented a uniform electronic reporting system for all sectors. This allows us to analyse the outsourcing landscape and to appropriately address potential risks. We expect companies to submit their data quickly and completely.

Companies are also required to report severe incidents concerning outsourcing to BaFin. But the report alone is not enough. Insurers and IORPs need a Plan B for the event that one of their service providers is unavailable.

New requirements have also been set out at the international level.

Well, IT risks don’t stop at national borders. This is why we need cross-border regulations, as well as cross-border supervision. Based on the FinTech action plan and a subsequent consultation by the European Commission, DORA for example will harmonise the requirements for ICT security (information and communication technology security) throughout Europe by means of an EU regulation. The focus of these requirements is on the concept of “digital operational resilience”.

What does resilience have to do with IT security?

We expect institutions to be more resilient, i.e. more robust but also more adaptable in the way they deal with the risks of digitalisation. So, we are talking about the operational resilience of digital systems here. Companies need to adjust to new IT risks quickly and make sure they have the necessary defence mechanisms in place. We are, so to speak, operationalising this form of resilience through the national and European regulations I mentioned earlier.

DORA harmonises these requirements at the European level. The regulation provides a comprehensive ICT risk management framework, a reporting system for major ICT-related incidents and an oversight framework for ICT service providers. This oversight framework places critical ICT third-party service providers under stringent, uniform European supervision. Of course, this does not mean financial institutions that rely on ICT third-party companies to provide services would be freed of responsibility!

To what extent can BaFin monitor whether these expectations are met?

We have done our homework and made the necessary structural changes to adapt to the new challenges. Alongside a special division for IT inspections, we have also created a further unit that is responsible for monitoring IT multi-client service providers and for crisis prevention. Staff members in this area will also analyse the relevant data we are receiving in a structured, electronic form on the basis of the Regulation on Reporting of Outsourcing by Insurers (Versicherungs-Ausgliederungsanzeigenverordnung), which will enter into force in the coming weeks. This enables us to set supervisory priorities in this area in the future.

You mentioned that BaFin monitors and provides assistance to companies in meeting their obligations. What does this support look like?

We have published a guidance notice to provide information on outsourcing to cloud service providers. We also aim to provide assistance to companies with our event “IT Supervision of Insurers and Pension Funds”. During this event, we will demonstrate, with a practical focus, how companies can implement our requirements – which can sometimes be quite technical – in their day-to-day operations. Participants will have the opportunity to ask questions and engage in a dialogue with BaFin staff. I am delighted that this offer has been met with considerable interest, which promises an animated and constructive discussion.

