Appointment of an outsourcing officer becomes mandatory
The amendments to MaRisk AT 9 affect the entire outsourcing cycle. Among other things, requirements for risk analysis, the structure of the outsourcing agreement, and the management and monitoring of the risks of outsourcing agreements have been expanded and specified. For example, under AT 9 para. 7, BaFin has clarified that, in the case of material outsourcing, the outsourcing agreement documented in text form must also take into account the rights required for “entry, admission or access” in addition to information and audit rights.
In order to centrally bundle the management and monitoring of the risks of outsourcing agreements, outsourcing institutions must appoint an outsourcing officer. In the case of extensive and complex outsourcing arrangements, this officer must be supported by central outsourcing management, which can also be set up on the group or association level. In addition, institutions must maintain and continuously update an outsourcing register containing information on all outsourcing arrangements. The parameters to be recorded in the register are defined in points 54 and 55 of the EBA Guidelines on outsourcing arrangements.
Expanded contingency management regulations increase coordination effort
The revised MaRisk section AT 7.3 and the BAIT contain new and more specific requirements for contingency management. Among other things, they provide for a contingency concept that describes which replacement solutions must be available in a timely manner in the event of an emergency and how a return to normal operations should proceed. The new BAIT chapter “IT Contingency Management,” which is largely based on MaRisk AT 7.3, requires institutions to establish restart, emergency operation, and recovery plans for time-critical processes and activities. The effectiveness of these three types of IT contingency plans must be reviewed at least annually on the basis of an IT test concept.
Institutions must increasingly carry out effectiveness checks
Requirements for logging and monitoring increase
Specifications are to be implemented immediately
Tighter regulation aims to boost cybersecurity
With the ongoing digitization of services and operational business, IT security is playing an increasingly important role in the financial industry. To increase cyber resilience, supervisory authorities such as BaFin are relying on ever tighter regulation and are putting cybersecurity more and more at the center of their audits. Banks and financial service providers will therefore have to deal more intensively than ever with their IT architecture as well as with compliance issues. In this context, service providers for the outsourcing of digital processes represent an attractive option for reducing in-house effort while still optimally covering all IT security and compliance requirements.
Myra meets all BaFin requirements
As an experienced specialist service provider for cybersecurity in the financial sector, Myra Security has long provided support for material and non-material outsourcing in accordance with KWG Section 25, MaRisk AT 9, and BAIT. With our expertise, we support banks in outsourcing and contingency management. Compliance is our day-to-day business. Only recently, we again proved in a voluntary audit of critical infrastructure that we meet the highest security requirements, which means we can comply with even the most stringent effectiveness controls. Our Security Operations Center (SOC) monitors all systems and events 24/7 in real time. We also provide customers with analysis data in real time that is clearly presented on configurable dashboards. Prestigious companies and organizations from the financial industry have been using Myra’s Security-as-a-Service platform for years to cover both their cybersecurity and compliance needs.