Operational resilience: BaFin puts even greater focus on cybersecurity

SECURITY INSIGHTS | 1 December 2021

The German Federal Financial Supervisory Authority (BaFin) has set its medium-term targets for the years 2022 to 2025. “Operational resilience” is one of the ten topics it lists. In doing so, the supervisory authority is once again underscoring the importance of information security in the modern financial industry.

BaFin wants to put even sharper focus on minimizing cyber risks in order to strengthen the operational stability and security of banks, insurance companies, and their technology platforms in particular.

“On the operational side, cyber risks are the number one risk for me. Their intensity is increasing, and they may well reach systemic dimensions.”

BaFin President Mark Branson, BaFin Journal November 21

Against this backdrop, the financial supervisory authority advocates audits along the entire value chain, primarily concerning material outsourcing activities. BaFin therefore wants to audit the relevant outsourcing service providers directly. The aim is to proactively expose and address any vulnerabilities in the IT security of these companies.

“Those who fail to plug holes in IT security run the risk of incurring heavy losses, putting their reputation on the line, and, in the worst case, undermining the stability of the financial system,” stressed BaFin President Mark Branson at the Euro Finance Week in Frankfurt am Main. Operational security is just as important to supervision as financial resilience, he said.

In focus: IT security of banks, insurance companies, and service providers

IT and cyber risks are already part of the 2021 supervisory priorities. By including these issues in its medium-term objectives, BaFin is underscoring the importance of cyber resilience for the financial industry. For the institutions and service providers under supervision, this means that meeting the regulatory IT-security requirements is now more important than ever. For material outsourcing in particular, only service providers that meet all regulatory requirements and do not shy away from a direct BaFin audit can therefore be considered.