In his keynote speech to open the conference, Chief Executive Director of Insurance Supervision Dr Frank Grund noted the following: “Today’s event is the first but certainly not the last on IT security in the insurance sector.” He added that this was due to the strong interest shown by supervised entities and the significant relevance of this issue. “Information technology must be considered in each and every process. It should not be seen merely as a cost factor; it should be seen as a business enabler, too. However, there are a number of risks associated with IT,” said Grund. He also noted that these risks have grown recently – e.g. because of the COVID-19 pandemic and the war in Ukraine. “There is only one solution to address these heightened risks,” Grund concluded. “Companies must increase their digital operational resilience.” In other words, they need to be able to withstand threats more effectively, be more adaptable and be able to rapidly deal with any new IT risks.

Amendments to BaFin’s Supervisory Requirements for IT in Insurance Undertakings: an important basis

Andreas Pfeßdorf, a senior advisor in the area of IT supervision, clarified the changes resulting from the amendments to BaFin’s Circular on the Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT – VAIT). The amended version of the Circular was published in March 2022. By introducing these amendments, BaFin transposed the provisions set out by EIOPA into national law and provided further clarifications on the IT requirements that supervised entities must fulfil. “There are no changes to the fundamental principles of BaFin’s Supervisory Requirements for IT in Insurance Undertakings,” said Pfeßdorf. “Insurers can apply these requirements in line with the principle of proportionality, which is key for smaller companies.” In his talk, Pfeßdorf focused on two new sections: the requirements for operational information security and the requirements for IT contingency management. He also provided further details on new developments in other areas, such as information risk management and outsourcing management.

Responsibility cannot be outsourced to the cloud

Insurance activities and functions are increasingly being outsourced to cloud service providers and are therefore a priority area for BaFin. Jochen Zengler, a senior advisor in the area of insurance supervision, highlighted in his talk that BaFin is engaged in a dialogue with cloud service providers and making an active contribution to national and European rules and regulations. He also announced that the guidance on outsourcing to cloud service providers, which BaFin published back in 2018, would be updated this year. As for the review of contracts for outsourcing activities to the cloud, Zengler clarified the following: “For us, it is important that any outsourcing to the cloud is always part of a comprehensive IT strategy. Undertakings should be able to clearly justify why this step makes sense for them and they should demonstrate how they are managing the risks associated with the cloud.”

Link chart offers overview

Financial entities outsource processes and functions to cloud service providers and many other (IT) service providers; these, in turn, work with other providers for this purpose. This often results in a “chain” of outsourcing arrangements. Dr Sibel Kocatepe, a senior advisor in the area of IT supervision at BaFin, used an outsourcing link chart to illustrate how such chains of outsourcing arrangements between insurers and outsourcing companies can be made visible and be analysed. Such link charts are based on data which supervised entities are required to submit to BaFin, in line with their obligation to report any key outsourcing arrangements to the supervisory authority. In future, this will be done digitally via BaFin's Reporting and Publishing Platform (Melde- und Veröffentlichungsplattform – MVP Portal) – a new channel for the insurance sector. “This will enable us to monitor IT multi-client service providers across all sectors and identify any potential concentration risks,” Kocatepe added.

IT inspections show “room for improvement”

BaFin’s Head of IT Inspections, Renate Essler, offered the audience insight into the work carried out by IT inspectors. BaFin has been conducting IT inspections at insurance undertakings since 2018 in order to identify IT shortcomings and vulnerabilities and to see whether these undertakings have a proper and effective system of governance for their IT systems and processes. The results are often sobering, according to Essler: “Currently, our most serious findings are in the areas of information risk management, access management and IT outsourcing management.” The most positive development can be seen in information security management, she added. The majority of the undertakings that BaFin has inspected so far meet the Supervisory Requirements for IT in Insurance Undertakings “in part” when they are inspected for the first time. Essler’s message for the audience: “There is still considerable room for improvement here.”

IT security knows no borders

The event also made it clear that a national oversight framework for IT multi-client service providers would quickly reach its limits, as effective as it might be. For this reason, European legislators are developing an oversight framework for critical ICT third-party service providers as one key element of the Digital Operational Resilience Act (DORA). Silke Brüggemann, a senior advisor in the field of IT supervision, noted the following: “DORA has given rise to an EU-wide harmonised framework for dealing with ICT risks.” DORA will also contain requirements for ICT risk management, testing digital operational resilience and ICT third-party risk management. In addition, it will include binding rules for the entire financial sector for reporting major ICT-related incidents. “With DORA, it will be possible to oversee critical ICT third-party service providers across the EU consistently and efficiently,” said Brüggemann. She pointed out, however, that this oversight framework is not a replacement for ICT third-party risk management by the financial entity itself.