IT security for banks

With the ongoing digitalization of services and operational business, IT security is playing an increasingly important role for banks and financial service providers. The more the day-to-day business of the financial industry is shifting to digital environments, the more important it is becoming to secure the processes and services used. This transformation is also alarming supervisory authorities, who are increasingly placing the issue of cybersecurity at the center of their reviews. Raimund Röseler, Executive Director of BaFin, describes the situation aptly: “In a globalized financial world, where more and more people are paying or transferring money digitally and many investors are making their investments online, IT governance and information security now have the same priority for the supervisory authority as providing institutions with capital and liquidity.”


Who is threatening bank cybersecurity?

According to a study by Boston Consulting Group, financial services firms are 300 times as likely as other companies to be targeted. Accenture projects cybercrime-related losses of approximately $347 billion for the global financial industry between 2019 and 2023 alone. Meanwhile, in its Risk Barometer for 2021, Allianz lists cyber incidents as the biggest risk factor for the financial industry – ahead of operational failures and pandemic outbreaks.

This intensified threat landscape results, among other things, from the successive digitalization of the financial sector. Over the past few years, assets have become increasingly more digital. Traditional banking business has been expanded to include digital solutions for banking, payment transfer, asset investment, and much more.

This has also increased the number of valuable data records and business processes that draw the interest of cybercriminals. Data from financial services firms and payment providers is traded at premium prices on illegal marketplaces on the darknet.

The digital transformation is also taking place in crime. The number of classic bank robberies is continuously falling, but the number of virtual attacks is growing exponentially as the effort and risk involved become ever smaller. A DDoS attack is available on the darknet for as little as about $15. This lowers inhibitions and attracts many digital bank robbers. In the dangerous mix of script kiddies, politically motivated hacktivists, and state-sponsored cyberspies, cybercriminals pursuing monetary interests lead the field of attackers. According to Verizon, they alone are responsible for over 90 percent of all attacks on the financial industry.


What are the expectations of the banking supervisory authority (BaFin) for IT security?

The German Federal Financial Supervisory Authority (BaFin) is aware of the increasing importance of cybersecurity in the financial industry. On an ongoing basis, the supervisory authority is expanding and specifying the catalog of requirements for banks and financial service providers in order to keep the regulatory framework in step with the dynamic developments in IT. In order to operate their digital services in a compliant manner, banks must observe the requirements of the German Banking Act (KWG), the Minimum Requirements for Risk Management (MaRisk), and the Supervisory Requirements for IT in Financial Institutions (BAIT). At the European level, DORA (Digital Operational Resilience Act) will ensure harmonization of the applicable regulatory framework in the future. Above certain transaction thresholds, banks are classified as critical infrastructures, which makes them subject to even stricter requirements in terms of IT security, data protection, and compliance. These institutions must regularly demonstrate that they are using all available cybersecurity options to protect their systems in order to adequately ensure the integrity, availability, authenticity, and confidentiality of the data.

What is the significance of MaRisk for the IT security of banks?

With MaRisk, BaFin provides a comprehensive framework for the management of all material risks of banks and financial service providers. The regulatory framework is based on principles and has a modular structure so that institutions can set up individual and needs-based processes for end-to-end risk management.

Requirements for the structure and safeguarding of IT systems can be found in MaRisk, for example, under AT 7.2 Technical and organisational resources. The regulations aim to ensure the integrity, availability, authenticity, and confidentiality of data. To this end, banks and financial service providers must implement appropriate processes for granting IT authorizations. These processes ensure that employees only have the access rights to data that they actually need to do their jobs. In addition, AT 7.2 provides for the use of monitoring and control processes that include needs-based identification methods and protective measures for IT operations.

Further requirements for IT, which primarily concern the involvement of external service providers in IT outsourcing, are found in AT 9, where BaFin addresses, among other things, the rights and obligations that must apply to the contracting parties in an outsourcing arrangement. They include, for example, audit and access rights to the service provider’s business premises and data centers, exit management, as well as information on the place of service provision and the applicable law.



What is the significance of BAIT for the IT security of banks?

Similar to MaRisk, the BAIT also specify the statutory requirements of Section 25a KWG. In the catalog of requirements, the supervisory authority explains how financial institutions must set up appropriate technical and organizational resources for their IT systems. In terms of content, the BAIT build on MaRisk and specify them in greater detail. However, the MaRisk requirements remain unaffected by the BAIT and thus retain their validity. BaFin particularly emphasizes the consideration of information security requirements and an appropriate emergency concept. In addition, the BAIT also address Section 25b KWG, since companies in the financial industry are increasingly obtaining IT services externally, whether as other external procurement or as non-material or material outsourcing. Overall, BaFin sees the BAIT as the central component of IT supervision in the banking sector in Germany.

The BAIT also have a modular structure and, together with the expansion resulting from the upcoming amendment in 2021, comprise twelve chapters: IT strategy, IT governance, Information risk management, Information security management, Operational information security, User access management, IT projects & application development, IT operations, Outsourcing and other procurement of IT services, IT emergency management, Customer relationships with users of payment services (ZAIT), and Critical infrastructures. The chapters can generally be assigned to the three primary areas of governance, management, and operations, with individual chapters spanning all three areas (cross-cutting tasks). The BAIT have a principle-based structure and are primarily intended to create IT risk awareness by presenting the requirements in a transparent manner. The requirements follow the principles of methodological freedom and dual proportionality, so that the measures demanded remain proportionate to each institution. This is intended to enable institutions to build individual and needs-based solutions to protect their data and systems.

[Figure: the interrelationship of BAIT, DORA, and MaRisk]

What impact does DORA have on the IT security of banks?

The Digital Operational Resilience Act provides for the introduction of a comprehensive regulatory framework at the EU level that includes regulations on digital operational resilience for all supervised financial institutions. In essence, DORA aims to harmonize the applicable regulatory framework across the EU. For this reason, the catalog of requirements essentially comprises the specifications from established regulations such as the EBA guidelines, MaRisk, and the BAIT. Thanks to DORA, the same regulatory requirements will apply to companies in the financial sector throughout Europe in the future. In the long term, there could be a single EU hub for reporting critical IT incidents.


How can TIBER-EU tests increase the IT security of banks?

The TIBER-EU Framework for “threat-led penetration testing” was adopted in 2018. The name is an acronym and stands for “Threat Intelligence-based Ethical Red Teaming.” The framework defines the criteria financial entities can use to have their cyber defenses tested by contracted white hat hackers. The tests are designed to uncover security vulnerabilities in systems, processes, and even the premises of institutions. The security awareness of employees is also put to the test, for example in the form of phishing attacks or social engineering. The German implementation, TIBER-DE, was adopted in 2019 by the German Federal Ministry of Finance (BMF) and Deutsche Bank as a service offering for banks, insurance companies, financial market infrastructures, and their service providers. However, participation is voluntary and not required by the supervisory authority.



What options do banks have for implementing IT security and compliance?

The highest level of technical expertise and industry experience is required to ensure continuous availability, stability, data security, data integrity, and data protection in the sensitive financial sector. Hardly any company currently manages all IT projects in-house, as the effort and costs for hardware, software, and personnel are immense. Specialized service providers help to overcome this challenge by providing IT processes as (material) outsourcing or external procurement. The prerequisite is that the service provider meets the high compliance requirements resulting from the KWG, MaRisk, the BAIT, DORA (in the future), the General Data Protection Regulation (GDPR), and the IT Security Act. These requirements also apply to affiliated service partners and their subcontractors.


IT security for banks at a glance

The threat situation in the financial industry has been steadily worsening for years. The more digital assets banks and financial service providers make available as services via the cloud, the more attractive companies in the industry become as targets for cyber attacks. At the same time, the enlarged virtual attack surface makes it easier for cybercriminals to find security vulnerabilities and susceptible institutions.

European as well as local supervisory authorities are responding to this development with ever stricter and more extensive regulations.

Meeting these requirements for data security, data protection, and compliance while simultaneously fulfilling customers’ wishes for high-performance and convenient services is increasingly becoming a high-wire balancing act.

Special service providers help with the implementation of regulatory requirements. With their industry expertise, they can ensure that digital solutions are set up and operated in a way that meets compliance requirements. Technical expertise can also help avoid a trade-off between data security, data protection and compliance on the one hand, and convenience and performance on the other. Modern technologies make it possible to address all these points concurrently and in line with requirements.