What are the BAIT?
At the end of 2017, the German Federal Financial Supervisory Authority (BaFin) published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, BAIT), a binding set of rules for safeguarding IT in the finance industry. The aim was to ensure the secure design of systems and processes and to create transparent governance.
- A definition of BAIT
- What do the BAIT contain?
- IT strategy
- IT governance
- Information risk management
- Information security management
- Operational information security
- Identity and access management
- IT projects and application development
- IT operations
- Outsourcing and other external procurement of IT services
- IT service continuity management
- Managing relationships with payment service users
- Critical infrastructure
- What is the impact of BAIT on cybersecurity?
- What you need to know about BAIT
- What makes Myra the right partner for the finance industry
A definition of BAIT
Similar to the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement, MaRisk), the BAIT also define the statutory requirements of Section 25a of the German Banking Act (Kreditwesengesetz, KWG). Accordingly, the supervisory authority’s catalog of requirements explains how financial institutions must set up appropriate technical and organizational resources for their IT systems. In terms of content, the BAIT build on MaRisk and specify them in greater detail. However, the MaRisk requirements remain unaffected by the BAIT and thus retain their validity. BaFin particularly emphasizes the consideration of information security requirements and an appropriate contingency plan. In addition, the BAIT also address Section 25b KWG, since companies in the finance industry are increasingly procuring IT services externally, whether as other external procurement or as non-material or material outsourcing. Overall, BaFin sees the BAIT as the central component of IT supervision in the German banking sector.
What do the BAIT contain?
The requirements follow the principles of methodological freedom and dual proportionality to ensure proportionality. This means that BaFin defines regulatory guard rails which guide the institutions in the specific design of the measures. In addition, the supervisory authority takes into account the risk profile of the respective company, whereby the business model and the complexity of the risks play a role in addition to the volume of business.
The following overview covers the individual chapters of the BAIT (version of 16 August 2021); the complete version is available for download from BaFin.
IT strategy
Companies in the finance industry and their management must define a sustainable IT strategy and outline specific objectives and the measures to be taken to achieve them. The IT strategy should be consistent with the business strategy and, at a minimum, address the following:
- Development of the organizational and operational structure of IT
- Development of IT services and other significant dependencies
- Selection of generally established standards and implementation processes
- Embedding of information security in the organization with fundamental statements on training and awareness of information security
- Development of IT architecture
- IT service continuity management giving due consideration to information security requirements
- IT systems run by the organizational units (hardware and software)
IT governance
Financial institutions use IT governance as the structure to manage and monitor the operation and further development of IT systems on the basis of the IT strategy, including the related IT processes. IT governance as defined by BaFin comprises:
- Establishment of a structure for managing and monitoring the operation and further development of the IT systems and the related IT processes
- Responsibility for effective implementation lies with the management.
- Resources for IT operations, application development, information risk management, and information security management must be appropriate in terms of both quantity and quality.
- Conflicts of interest and activities that are not compatible within the organizational and operational structure of IT must be avoided.
Information risk management
In modern business and service processes, information is largely processed by data-processing IT systems. The scope and quality of these systems must be based on internal operating needs, business activities, and the risk situation. The aim is to ensure the integrity, availability, authenticity, and confidentiality of data via IT. The following points must be taken into consideration as part of information risk management:
- Definition of the information domain, such as business-relevant information, business and support processes, IT systems, IT processes, network and building infrastructures, and interfaces to partners and service providers
- The owner of the information and the organizational units are responsible for determining the protection requirements.
- Information security management must review the determination of the protection requirements.
- Establishment of a catalog of target measures (definition of appropriate requirements)
- Information risk management coordinates the target/actual comparison and the risk analysis. Finally, the handling of the identified risks is approved at the appropriate level of authority.
- Management must be informed at least once a quarter about the results and about any changes in the risk situation. This also includes information on potential external threats.
Information security management
With an information security management system, institutions make provisions for information security and define the specific implementation in a continuous process. This results in the following requirements:
- Management must adopt an information security policy in line with the strategy and communicate it within the company.
- Information security guidelines and information security processes define in detail the agreed information security policy and specify measures in line with the state-of-the-art for meeting the protection objectives.
- Information security processes include sub-processes, such as for identification, protection, detection, response, and recovery.
- An information security officer must be appointed by management. The information security officer monitors, coordinates, and checks: information security processes, the implementation of measures, compliance, and information security incidents. In addition, duties include initiating and updating the information security policy and regular status reports to management.
- Continuous and appropriate information security awareness and training programs must be established for the staff.
Operational information security
The information security management requirements are implemented in operational information security. The objective is to ensure the integrity, availability, authenticity and confidentiality of data at the system and process level and in other components of the information network. For this purpose, operational information security measures and processes such as vulnerability management, network segmentation and control, system hardening, encryption, multi-level protection concepts as well as perimeter protection must be implemented.
Furthermore, the requirements for operational information security provide for continuous logging and documentation of security-relevant events or failures. Automated systems are recommended for continuous and detailed data analysis. A permanently staffed Security Operations Center (SOC) may be required for timely analysis and response. To track the effectiveness of the measures taken, institutions must also regularly review the security of IT systems using variance analyses (gap analysis), vulnerability scans, penetration tests, simulations of attacks, and similar methods.
Identity and access management
Using identity and access rights management allows institutions to ensure that access and usage rights are designed in accordance with the organizational and operational requirements of the respective institution. The objective is to ensure that all access and entry rights to the information network are subject to standardized (preferably automated) processes and controls. The granting of rights must be consistent with the respective need for protection and should follow the principle of least privilege (need-to-know principle). In addition, institutions must implement measures such as segregation of duties, logging, and documentation to ensure the traceability of activities, and regular re-certification of rights assignment. To ensure that the specifications of the authorization concept are also adhered to in practice, appropriate technical and organizational measures must be implemented. These include appropriately strong authentication procedures, secure password policies, secure screen savers, data encryption, and tamper-proof logging.
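One way the least-privilege, segregation-of-duties and re-certification requirements above can be turned into an automated control check. This is an added example, not BAIT text or Myra code; the roles, conflict pairs, one-year re-certification interval and grant records are constructed for illustration.

```python
"""Access-rights review modelled on the BAIT IAM requirements (added example).

Each grant carries the data the authorization concept has to make traceable:
who holds which role, who approved it, whether a need-to-know justification
is on file, and when the grant was last re-certified.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    owner: str               # business owner who approved the grant
    justified: bool          # need-to-know justification documented?
    last_recertified: date   # date of the last rights re-certification


# Constructed segregation-of-duties matrix: role pairs one person must not hold.
SOD_CONFLICTS = (
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"developer", "prod_deploy"}),
)

# Constructed policy value: rights must be re-certified at least yearly.
RECERT_INTERVAL = timedelta(days=365)


def review_grants(grants, today):
    """Return (user, role, finding) tuples for every grant that fails a check."""
    findings = []
    roles_by_user = {}
    for g in grants:
        roles_by_user.setdefault(g.user, set()).add(g.role)
        if not g.justified:                              # least privilege / need-to-know
            findings.append((g.user, g.role, "missing need-to-know justification"))
        if today - g.last_recertified > RECERT_INTERVAL:  # regular re-certification
            findings.append((g.user, g.role, "recertification overdue"))
    for user, roles in roles_by_user.items():            # segregation of duties
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append((user, "+".join(sorted(pair)),
                                 "segregation-of-duties conflict"))
    return findings


# Constructed sample rights register.
SAMPLE_GRANTS = [
    Grant("alice", "payment_initiator", "treasury", True, date(2024, 3, 1)),
    Grant("alice", "payment_approver", "treasury", True, date(2024, 3, 1)),
    Grant("bob", "developer", "it-dev", True, date(2023, 1, 15)),
    Grant("carol", "reporting_reader", "finance", False, date(2024, 2, 10)),
]


def sample_review(today=date(2024, 6, 1)):
    """Run the review over the constructed register as of a fixed date."""
    return review_grants(SAMPLE_GRANTS, today)


if __name__ == "__main__":
    for user, role, finding in sample_review():
        print(f"{user:6} {role:36} {finding}")
```

Findings like these feed the re-certification process and the documentation trail the page requires; the owner field records who must confirm or revoke each flagged grant.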
IT projects and application development
When developing, replacing, and implementing IT systems and processes, the impact on the organizational and operational IT structure and the related IT processes must always be taken into account in the event of material modifications and evaluated as part of an impact analysis. Material IT projects and the related risks must be reported to management and taken into account in risk management.
Depending on the protection requirements, appropriate arrangements must be made during application development to ensure the confidentiality, integrity, availability, and authenticity of the data to be processed in a comprehensible manner. Among the appropriate arrangements, BaFin includes system access controls, user authentication, transaction authorization, audit logs, and tracking of security-related events. To verify the integrity of applications, reviewing the source code is recommended. In addition, the development of applications as well as the applications themselves should be documented in detail to enable experts to gain transparent insight into the respective project. Suitable test methods must be developed and used for quality assurance. The scope of testing is based on the functionality of the application, the measures implemented to protect information, and, if relevant, system performance. Penetration tests, for example, can be used to determine whether the measures implemented to protect information are sufficient.
IT operations
The task of IT operations is to fulfill the requirements resulting from the business strategy and from the IT-supported business processes. This requires continuous and detailed recording of the inventories of all IT components, including configuration data, support and warranty details, information on protection requirements, and acceptable downtimes. Institutions are required to regularly update their inventory of IT systems. As part of lifecycle management, the risks posed by outdated systems no longer supported by the manufacturer must be taken into account.
Processes for changes to IT systems must be designed and implemented based on the nature, scale, complexity, and riskiness. This includes newly procured or replaced systems as well as maintenance and security patches. Any changes to IT must be documented, evaluated, prioritized, approved, coordinated, and safely implemented by those responsible. Secure implementation includes, but is not limited to, risk analysis, data backups for the systems concerned, testing of changes and patches prior to going live, as well as recovery plans and restoration options in the event of potential problems.
Disruptions and incidents occurring in IT operations must be recorded, evaluated, and communicated accordingly (e.g., to management or the responsible supervisory authorities) depending on their extent. In addition, process-driven root cause analysis should be used to track the events that occurred and initiate the necessary actions to resolve the incident.
The requirements for IT operations also include specifications for data backup, which are to be set out in a data backup strategy. Here, the requirements for availability, readability, and timeliness of customer and business data, as well as for the IT systems required for their processing, are specified.
It is also up to the institutions to determine the current performance and capacity requirements of the IT systems and to forecast future needs.
Outsourcing and other external procurement of IT services
The BAIT define IT services as all forms of IT procurement. The outsourcing of IT services must be done in accordance with the requirements of MaRisk AT 9: outsourcing exists when a service provider performs activities that the institution would otherwise typically provide itself. This also encompasses cloud services such as the provision of computing power, storage, platforms, or software via networked interfaces. In all cases, the outsourcing of IT services is based on a risk assessment, the nature and scope of which are defined by the institution itself.
Other outsourcing of IT services must also be managed and monitored in line with the business strategy, taking the risk assessment into account. Measures derived from risk management must be contractually agreed. These include arrangements relating to information risk management, information security management, contingency management, and IT operations. In addition, necessary exit and alternative strategies must be developed to respond appropriately to the failure of the service provider or a change of provider. The involvement of subcontractors must also be contractually arranged. The relevant risk assessment must be reviewed and amended regularly and on an ad hoc basis.
IT service continuity management
For contingency management, institutions must define specific objectives for increasing resilience and, derived from these, set up a contingency plan process. A contingency plan for disruptions to time-critical activities and processes must also be developed. The plan must also define business continuity and recovery plans. If outsourcing is among the time-critical activities and processes, the responsible service provider must also be included in the plan. Institutions should review the effectiveness and appropriateness of such a contingency plan on a regular basis. For time-critical activities and processes, this is required on an event-driven basis or at least once a year.
In turn, contingency plans for all time-critical activities and processes are derived from the continuity plan. These contingency plans include, among other things, information on restart, emergency operation, and recovery of the respective processes. Institutions must review the effectiveness of the plans at least once a year on the basis of an IT testing concept. Institutions must also demonstrate redundant backup of their data centers. In the event of a failure, time-critical activities must be able to be operated from another location for a reasonable period of time until normal IT operations are restored.
Managing relationships with payment service users
The measures required by Section 53 of the Payment Services Supervision Act (“Zahlungsdiensteaufsichtsgesetz”, ZAG) to adequately manage relationships with payment service users require institutions to, among other things, allow users to deactivate individual functions and to define upper limits. Payment service users must also be given the option of being alerted to successful and failed transactions as well as updates to security procedures. Communication channels must also be provided for security-related questions, customer notices, and questions of any kind related to the payment services provided.
Critical infrastructure
The requirements in module twelve are directed specifically at operators of critical infrastructure under the BSI Act (BSI-KritisV). In it, BaFin expands the BAIT to include special requirements that serve to achieve the critical infrastructure protection (CIP) objectives with regard to security of supply. Critical services in the finance sector include cash supply, card-based payment transactions, conventional payment transactions, and the clearing and settlement of securities and derivatives transactions.
According to the BAIT, institutions relevant to critical infrastructure must clearly tag critical infrastructure components within the information domain to include the relevant interfaces, in a configuration management database (CMDB) for example. In this area, too, the BAIT requirements and other supervisory regulations must be fully applied. In addition, institutions must observe the CIP objective in information risk and information security management and adopt appropriate measures to achieve this objective. In particular, appropriate mitigation measures must be taken for risks in accordance with state-of-the-art technology.
When cooperating with service providers, it must be ensured that the CIP objective also complies with the requirements of the KWG, MaRisk, and BAIT when services are outsourced. In addition, measures must be taken as part of emergency preparedness planning to ensure that institutions can allow critical services to be maintained even in an emergency situation.
Institutions must provide verification to the BSI at least every two years that the necessary measures to protect critical services have been properly taken. Verification can be provided as part of the annual audit.
What is the impact of BAIT on cybersecurity?
With the ongoing digitalization of services and operational business, IT security in the finance industry is playing an increasingly important role. In order to increase cyber resilience, supervisory authorities such as BaFin are relying on increasingly tighter regulation and are increasingly putting the issue of cybersecurity at the center of their audits. Therefore, banks and financial service providers will have to deal with their IT architecture and compliance issues more intensively than ever before. In this context, service providers for the outsourcing of digital processes represent an attractive option for reducing in-house effort while still optimally covering all IT security and compliance requirements.
What you need to know about BAIT
The Supervisory Requirements for IT in Financial Institutions (BAIT) set out a binding set of rules for safeguarding IT in the finance industry. Like MaRisk, the BAIT also define the statutory requirements of Section 25a KWG. The objective of the regulatory requirements is to secure the IT systems of German banks in an efficient and forward-looking manner and to set high standards for cyber resilience. In addition, the BAIT are intended to promote company-wide IT risk awareness in the institutions themselves and with respect to outsourcing service providers. In twelve modules, the BAIT cover the key areas of operational IT, the specific management and control of processes and service providers, as well as strategic governance. This gives banks a practical framework for managing and operating their IT systems and for ensuring efficient and secure interaction with affiliated partners. The latter must meet the same high standards as the banks themselves. Outsourcing is, therefore, a significant challenge, particularly in the case of material outsourcing, which only experienced service providers can manage.
As a specialist service provider for cybersecurity in the financial sector, Myra Security has long provided support for material and non-material outsourcing in accordance with KWG Section 25, MaRisk AT 9, and BAIT. With our expertise, we fully support banks in outsourcing and contingency management. Compliance is our day-to-day business. Our Security Operations Center (SOC) monitors all systems and events 24/7. Prestigious companies and organizations from the financial industry have been using Myra’s Security-as-a-Service platform for years to cover both their cybersecurity and compliance needs.
What makes Myra the right partner for the finance industry
- GDPR-compliant specialist provider with industry expertise (Sparkassen-Finanzportal, DSV IT Service, savings banks and direct banks, financial service providers, German Federal Government, critical infrastructure)
- Investment-secure technology: fully automated attack mitigation, high-performance delivery, maximum scalability
- Audit-proof: Myra meets all requirements for material outsourcing according to Section 25b of the Banking Act (KWG), MaRisk AT9, and BAIT.
- Myra already meets all of the requirements of the planned EU Digital Operational Resilience Act (DORA) for risk management, reporting, testing, and outsourcing.
- Maximum certified quality: ISO 27001 based on IT-Grundschutz (IT baseline protection), PCI-DSS certified, BSI-KRITIS certified, BSI C5 attestation (in progress), Trusted Cloud