Financial regulator steps up controls on IT and cybersecurity


Banks, insurers, and financial service providers must prepare for tighter controls by the German Federal Financial Supervisory Authority (BaFin), especially with regard to IT and cybersecurity. The area of “IT and cyber risks” is one of three main priorities that BaFin has set for 2021.

“The main objective was and is to mitigate the consequences of the pandemic for companies in the financial market and for financial stability,” states the foreword of the brochure that has now been published, laying out BaFin’s supervisory priorities for 2021. As a result of the pandemic, IT and cyber risks have become an even greater focus of supervisory activity because the digital services offered by financial institutions are being used more than ever before in a time of restricted social interaction. At the same time, digital business models are continuing to gain ground.

Increasing risk from cyberattacks and internal incidents

IT systems are becoming increasingly important for the business activities of lending institutions, which means that the issue of cybersecurity is also gaining in importance. The financial supervisory authority classifies data theft and cybercrime-related system failures as “particularly relevant risks.” After all, IT disruptions or cyberattacks can result in systemic effects in addition to financial losses and lasting damage to the reputation of the affected companies. BaFin also sees increasing potential for risks in internal deficiencies and vulnerabilities in IT systems. The consequences of poor decisions in IT strategy are comparable to those of cyberattacks. Outdated systems that can only be maintained to a limited extent and insecure software are conducive to failures and data loss.


Outsourcing of IT services the focus of supervisory oversight

The outsourcing of IT services as material activities and processes within the meaning of Section 25b of the German Banking Act (KWG) is becoming increasingly important for banks and savings banks. BaFin therefore intends to pay particular attention to outsourcing as part of its risk-oriented supervision. The agency announced that this year it will systematically ask financial entities that outsource what measures they are taking to limit IT and cyber risks. Less significant institutions (LSIs), which are directly subject to BaFin supervision, must outline what they have done and are doing to protect their IT systems from cyberattacks and internal incidents. For example, banks should be able to demonstrate how they ensure that their banking portal is permanently available so that customers can access their online accounts at any time. This requires complete, gap-free documentation.

New IT regulations for payment and e-money institutions

In its supervision of payment and e-money institutions, BaFin is increasingly focusing on auditing IT and data security. With the “Payment Services Supervisory Requirements for IT” (ZAIT), such institutions can expect a new set of rules that implements the guidelines of the European Banking Authority (EBA) for assessing IT risks.

Both conceptually and in terms of content, the ZAIT are closely based on the familiar IT requirements BaFin imposes on banks (BAIT), insurance companies (VAIT), and capital management companies (KAIT). In addition to IT strategy and IT governance requirements, they also include regulations on information risk management, information security management, and outsourcing.

Insurance supervision increasingly assessing IT governance and IT infrastructure

The insurance and securities supervisory authority will also be paying particular attention to IT and cybersecurity in 2021. For insurers, the focus will be on assessing the IT governance and IT infrastructure of the companies being supervised. Meanwhile, the securities supervisory authority wants to closely examine how its “Capital Management Supervisory Requirements for IT” (KAIT) are being met in asset management.

Consequences of the Wirecard scandal

According to BaFin, cyber risks will also be the focus of special audits and a new “focus supervision” to which institutions or groups of institutions of particular relevance will be subject in the future. These include, for example, very complex or internationally interlinked companies or those with an innovative business model. This focus of supervision is a direct response to the Wirecard scandal, which exposed weaknesses in the supervisory structures. In the future, a flexible BaFin task force will be able to conduct independent forensic audits.

Trend toward tighter regulation continues

In view of the heightened threat situation, BaFin’s move to ramp up its IT and cybersecurity controls is understandable. In its Risk Barometer 2021, the Allianz financial services company currently lists cyber incidents as the biggest risk factor for the financial industry. Last year, 23 percent of all cyberattacks targeted financial institutions. The number and intensity of DDoS attacks in particular are on the rise. The trend toward tighter regulation in the financial sector, which requires institutions to demonstrate greater commitment to IT security, data protection, and compliance, will continue in the future. With the planned EU Digital Operational Resilience Act (DORA), a new EU regulation that will place further requirements on financial entities is already in the starting blocks. Therefore, banks and financial service providers will have to deal with their IT architecture and compliance issues more intensively than ever before. In this context, external service providers for the outsourcing of digital processes represent an attractive option for reducing in-house effort while still optimally covering all IT security and compliance requirements.

Myra meets all BaFin requirements

As an experienced specialist service provider for cybersecurity in the financial sector, Myra Security has long provided support for material and immaterial outsourcing in accordance with KWG Section 25, MaRisk AT9, and BAIT. In addition, we already meet the risk management, reporting, testing, and outsourcing requirements relevant for DORA. Prestigious companies and organizations from the financial industry have been using Myra’s Security-as-a-Service platform for years to cover both their cybersecurity and compliance needs.
