BaFin revises MaRisk and BAIT: Higher compliance requirements for banks

SECURITY INSIGHTS | 26 August 2021

The German Federal Financial Supervisory Authority (BaFin) has published the amendments to its Minimum Requirements for Risk Management of Banks (MaRisk) and its Banking Supervisory Requirements for IT (BAIT). Among other things, the amendments implement the European Banking Authority (EBA) Guidelines on outsourcing arrangements (EBA/GL/2019/02) and incorporate individual requirements from the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04).

The amended MaRisk and BAIT regulations pose new challenges and additional burdens for banks. They must review their processes and, if necessary, adapt them to the new or more specific regulations. This applies in particular to outsourcing.

Appointment of an outsourcing officer becomes mandatory

The amendments to MaRisk AT 9 affect the entire outsourcing cycle: the requirements for the risk analysis, for the content of the outsourcing agreement, and for managing and monitoring the risks arising from outsourcing arrangements have all been expanded and made more specific. Under AT 9 para. 7, for instance, BaFin has clarified that for material outsourcing the outsourcing agreement, which must be documented in text form, has to secure not only information and audit rights but also the necessary rights of “entry, admission or access” (in the German triad: physical access to premises, logical access to systems, and access to data).

In order to centrally bundle the management and monitoring of the risks of outsourcing agreements, outsourcing institutions must appoint an outsourcing officer. In the case of extensive and complex outsourcing arrangements, this officer must be supported by central outsourcing management, which can also be set up on the group or association level. In addition, institutions must maintain and continuously update an outsourcing register containing information on all outsourcing arrangements. The parameters to be recorded in the register are defined in points 54 and 55 of the EBA Guidelines on outsourcing arrangements.

Expanded contingency management regulations increase coordination effort

The revised MaRisk section AT 7.3 and the BAIT contain new and more specific requirements for contingency management. Among other things, they provide for a contingency concept that describes which replacement solutions must be available in a timely manner in the event of an emergency and how a return to normal operations should proceed. The new BAIT chapter “IT Contingency Management,” which is largely based on MaRisk AT 7.3, requires institutions to establish restart, emergency operation, and recovery plans for time-critical processes and activities. The effectiveness of these three types of IT contingency plans must be reviewed at least annually on the basis of an IT test concept.

The extended requirements for contingency management mean a high level of coordination for many banks. When time-critical activities and processes are outsourced, the outsourcing institution and the outsourcing partner must have synchronized contingency plans.

Institutions must increasingly carry out effectiveness checks

The new BAIT chapter “Operational Information Security” also extends the requirements for checking, by means of tests and exercises, whether information security measures that are already in place actually work. Point 5.6 explicitly names “deviation analyses (gap analyses), vulnerability scans, penetration tests, and simulations of attacks.” The overriding goal is an effective information security management system (ISMS) that ensures the confidentiality, integrity, availability, and authenticity of all data. To this end, institutions must review the security of their IT systems regularly and whenever a specific occasion calls for it, and must do so while avoiding conflicts of interest, i.e. the people who build or operate a control should not be the only ones assessing it. The results must be analyzed for necessary improvements, and the risks identified must be managed appropriately.

Requirements for logging and monitoring increase

In addition, the BAIT amendment specifies the requirements for logging and monitoring, i.e. for recording events and monitoring them in real time, and for detecting and analyzing security-relevant incidents. Potentially security-relevant information must be evaluated in an appropriately timely, rule-based, and centralized manner, and it must remain available for later evaluation for an appropriate period of time. Here, too, banks incur additional effort, because they have to define the rules for identifying security-relevant incidents, check those rules regularly, and keep refining them.

Specifications are to be implemented immediately

The 6th amendment to MaRisk and the new version of BAIT came into force upon publication on August 16, 2021. For MaRisk, provisions that merely clarify existing requirements apply immediately, while genuinely new requirements are subject to a transition period until December 31, 2021. Existing or already negotiated outsourcing agreements must be brought into line by the end of 2022. There is no transition period for BAIT, because it only spells out requirements that already applied.

Tighter regulation aims to boost cybersecurity

With the ongoing digitalization of services and operational business, IT security in the financial industry is playing an increasingly important role. To increase cyber resilience, supervisory authorities such as BaFin are tightening regulation and putting cybersecurity at the center of their audits. Banks and financial service providers will therefore have to engage more intensively than ever with their IT architecture as well as with compliance issues. In this context, specialist service providers to which digital processes are outsourced are an attractive option for reducing in-house effort while still meeting IT security and compliance requirements, bearing in mind that under MaRisk AT 9 the responsibility for the outsourced activities, and for monitoring the provider, remains with the institution's management.

Myra meets all BaFin requirements

As an experienced specialist service provider for cybersecurity in the financial sector, Myra Security has long supported material and non-material outsourcing in accordance with Section 25b KWG, MaRisk AT 9, and BAIT. With our expertise, we support banks in outsourcing and contingency management; compliance is our day-to-day business. Only recently, we again demonstrated in a voluntary critical-infrastructure audit that we meet the highest security requirements, so we can also stand up to the most stringent effectiveness controls. Our Security Operations Center (SOC) monitors all systems and events 24/7 in real time, and we provide customers with real-time analysis data presented clearly on configurable dashboards. Prestigious companies and organizations from the financial industry have been using Myra's Security-as-a-Service platform for years to cover both their cybersecurity and their compliance needs.