Risks in BaFin’s Focus 2022: Supervisory Authority Wants to Intensify Dedicated IT Audits
SECURITY INSIGHTS | 21 March 2022
The German Federal Financial Supervisory Authority (BaFin) has published its key risks for the year 2022. As in the previous year, cyber risks play a key role. To counter the threat of attacks and serious IT failures, BaFin announced intensified IT audits for institutions and companies under supervision.
In its publication, BaFin emphasizes that cyber risks are among the rapidly growing threats in the financial sector. Essential processes of the companies under supervision are almost universally dependent on functioning IT. BaFin has repeatedly pointed out the central importance of cybersecurity in the financial industry in the past, for example in the topics of focus for 2021 (then known as “Supervisory Priorities”) and in the medium-term targets for the years 2022 to 2025.
Cyber incidents caused by external or internal attacks and technical failures have serious repercussions. Depending on the extent, the impacts can range from specifically quantifiable revenue losses and severe harm to the company’s image to a threat to financial stability per se, which could even have a negative effect on the real economy. As BaFin reports, internal incidents currently predominate from a quantitative viewpoint. However, the potential harm from concentrated external attacks is extremely high.
BaFin anticipates a further intensification of the threat situation in the future. This is partly due to ongoing digitization, which is constantly increasing the virtual attack surface of the companies under supervision. Other factors include the increase in work being done from home since the onset of the COVID-19 pandemic and the trend toward using third-party providers. And while the attack surface is growing, cybercriminals are at the same time escalating their attacks on the financial industry – including attacks from foreign governments.
BaFin intends to respond to the heightened threat situation by intensifying dedicated IT audits. The need for further action will hinge on the results of these audits. In addition, compliance with supervisory IT requirements and standards is to be increasingly audited and enforced.
For the companies under supervision, this development means that regulation-compliant IT security is now required more than ever. For material outsourcing in particular, only service providers that meet all regulatory requirements and do not shy away from a direct BaFin audit can therefore be considered.