According to a study by Boston Consulting Group, financial services firms are 300 times as likely as other companies to be targeted. Accenture projects cybercrime-related losses of approximately $347 billion for the global financial industry between 2019 and 2023 alone. Meanwhile, in its Risk Barometer for 2021, Allianz lists cyber incidents as the biggest risk factor for the financial industry – ahead of operational failures and pandemic outbreaks.
This intensified threat landscape results, among other things, from the successive digitalization of the financial sector. Over the past few years, assets have become increasingly more digital. Traditional banking business has been expanded to include digital solutions for banking, payment transfer, asset investment, and much more.
This has also increased the number of valuable data records and business processes that draw the interest of cybercriminals. Data from financial services firms and payment providers is traded at premium prices on illegal marketplaces on the darknet.
The digital transformation is also taking place in crime. The number of classic bank robberies is continuously falling, but the number of virtual attacks is growing exponentially as the effort and risk involved become ever smaller. A DDoS attack is available on the darknet for as little as about $15. This lowers inhibitions and attracts many digital bank robbers. In the dangerous mix of script kiddies, politically motivated hacktivists, and state-sponsored cyberspies, cybercriminals pursuing monetary interests lead the field of attackers. According to Verizon, they alone are responsible for over 90 percent of all attacks on the financial industry.
With MaRisk, BaFin provides a comprehensive framework for the management of all material risks of banks and financial service providers. The regulatory framework is based on principles and has a modular structure so that institutions can set up individual and needs-based processes for end-to-end risk management.
Requirements for the structure and safeguarding of IT systems can be found in MaRisk, for example, under AT 7.2 "Technical and organisational resources". The regulations aim to ensure the integrity, availability, authenticity, and confidentiality of data. To this end, banks and financial service providers must implement appropriate processes for granting IT authorizations. These processes ensure that employees have only the access rights to data that they actually need to do their jobs. In addition, AT 7.2 provides for monitoring and control processes that include needs-based identification methods and protective measures for IT operations.
Further requirements for IT, which are primarily intended for affiliated service providers for IT outsourcing, are found in AT 9, where BaFin addresses, among other things, the necessary rights and obligations that must apply to the contracting parties in outsourcing. They include, for example, audit and access rights to the service provider’s business premises and data centers, exit management, as well as information on the place of service provision and applicable law.
Similar to MaRisk, the BAIT also specify the statutory requirements of Section 25a KWG. In this catalog of requirements, the supervisory authority explains how financial institutions must set up appropriate technical and organizational resources for their IT systems. In terms of content, the BAIT build on MaRisk and spell out its requirements in greater detail. The MaRisk requirements themselves remain unaffected by the BAIT and thus retain their validity. BaFin particularly emphasizes the consideration of information security requirements and an appropriate emergency concept. In addition, the BAIT also address Section 25b KWG, since companies in the financial industry are increasingly outsourcing IT services, whether as other external procurement or as non-material or material outsourcing. Overall, BaFin sees the BAIT as the central component of IT supervision in the German banking sector.
The BAIT also have a modular structure and, together with the expansion resulting from the upcoming amendment in 2021, comprise twelve chapters: IT strategy, IT governance, Information risk management, Information security management, Operational information security, User access management, IT projects & application development, IT operations, Outsourcing and other procurement of IT services, IT emergency management, Customer relationships with users of payment services (ZAIT), and Critical infrastructures. The chapters can generally be assigned to the three primary areas of governance, management, and operations, with some individual chapters spanning all three areas (cross-cutting tasks). The BAIT are principle-based and are primarily intended to create IT risk awareness by presenting the requirements in a transparent manner. The requirements follow the principles of methodological freedom and dual proportionality. This is intended to enable institutions to build individual and needs-based solutions to protect their data and systems.
The threat situation in the financial industry has been steadily worsening for years. The more digital assets banks and financial service providers make available as services via the cloud, the more attractive companies in the industry become as targets for cyber attacks. At the same time, the enlarged virtual attack surface makes it easier for cybercriminals to find security vulnerabilities and susceptible institutions.
European as well as local supervisory authorities are responding to this development with ever stricter and more extensive regulations.
Meeting these requirements for data security, data protection, and compliance while simultaneously fulfilling customers’ wishes for high-performance and convenient services is increasingly becoming a high-wire balancing act.
Specialized service providers help with the implementation of regulatory requirements. With their industry expertise, they can ensure that digital solutions are set up and operated in a way that meets compliance requirements. Technical expertise can also help avoid a trade-off between data security, data protection, and compliance on the one hand, and convenience and performance on the other. Modern technologies make it possible to address all of these points concurrently and in line with the requirements.