
Published: 15.11.2013 | Topic: Risk management | Dr. Josef Kokert, Dr. Markus Held / BaFin

IT Security: Expectations of banking supervision

The importance of information and communications technology (IT) for credit institutions has grown substantially over the past two decades. Nowadays IT supports nearly all processes or makes such processes possible in the first place.

All of a bank’s traditional business, from deposit and lending business to payment transactions, is handled through complex core banking systems. Branch operations depend just as much on data centres as online or mobile banking does. In trading business, there is an increasing use of algorithmic trading systems (algo trading, high-frequency trading). IT systems calculate key indicators for risk management and controlling in addition to aggregating and processing them; reporting also takes place electronically. Internal and external communication depend on IT, as do numerous specialised applications supporting the institutions’ individual business strategies, from real estate management to sales software. Business and customer data usually exist exclusively in electronic form.

Banking business today is, to a large extent, information processing. An institution cannot achieve economic success without efficient IT, a realisation that is also reflected in the German Banking Act (Kreditwesengesetz – KWG). Section 25a (1) prescribes that institutions must have in place adequate technical and organisational resources as well as an adequate contingency plan, particularly for their IT systems. In accordance with the KWG and the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk), institutions must ensure that their IT systems and IT processes safeguard the integrity, availability, authenticity and confidentiality of data. These four protection goals are known in practice as “IT security”. The term “information security” is often used synonymously.

In recent years, BaFin has stepped up its efforts in the area of IT security with banks. Special audits have helped to raise awareness of IT security amongst the institutions. At the end of October, BaFin invited representatives from the banking industry to an informational event on this subject that met with great interest. In addition, the supervisory authorities maintain an ongoing dialogue with selected IT service providers to ensure that IT security amongst the institutions remains at a high level despite changing framework conditions.

Value proposition and costs

In many institutions, the organisational units that enjoy a particularly high standing are those whose value proposition can be easily measured, such as the treasury and sales departments. Since IT tends to be seen as a cost factor, the organisational units responsible for IT are often the first to be subjected to rigid cost-cutting programmes. It is only when business operations are hampered or even paralysed by IT problems – for example in core banking processes, in online banking or in the calculation of market risks – that banks become aware that the value proposition of the other units is hardly conceivable, let alone achievable, without the capabilities provided by IT.

As further advances in IT are made, IT systems are becoming increasingly complex and the volume of data and degree of specialisation are growing. That in turn has significantly increased the risk of no longer being able to safely control these systems. Further exacerbating this is the threat of attacks on IT systems. Technical advances and increasing threats are moreover calling for rising investments in IT, especially in IT security. In times of high cost pressures, many institutions are finding it increasingly difficult to make available the financial resources for this.

IT risks

By the term “IT risk”, which is not defined in the MaRisk, banking supervision understands all risks to the net assets and results of operations of the institutions arising from shortcomings relating to IT management or IT control; the availability, confidentiality, integrity and authenticity of data; the internal control system of the IT organisation; the IT strategy, guidelines and rules of procedure; and the use of information technology in general. BaFin thus follows the definition adopted by the Committee of European Banking Supervisors (CEBS)1) in 2006 in its Guidelines on the Application of the Supervisory Review Process under Pillar II. IT risks therefore fall under operational risks.

The security and quality of IT processes and IT systems define a company’s IT risk potential. To ensure IT security, the institutions are required to establish an IT security management function. Although the MaRisk do not explicitly specify this requirement, it is derived from the list of protection goals of IT security and the reference to established standards in AT 7.2, notably those of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) and ISO 27001. But it is not only AT 7.2 and the requirements of continuity management in AT 7.3 of the MaRisk that are relevant when it comes to IT risks. Institutions are also required, for example, to observe the provisions on strategies in AT 4.2, on change processes in AT 8 and on outsourcing in AT 9. Banking supervision thus takes a holistic view when it comes to IT risks. IT security management is merely one of many components used to establish the reliability of IT systems.

IT governance

According to AT 3 of the MaRisk, the senior management is responsible for all material risks. It would be wrong to conclude that the requirements of IT risk control are satisfied simply by establishing an IT security management function. For IT security management to be effective at all, the senior management must also adequately manage the IT organisation as a whole. This means having an IT strategy that adequately reflects and is adapted to the business model and that is implemented within the IT organisation. Its implementation must be reviewed pursuant to AT 4.2 and 4.3 of the MaRisk. The IT strategy is an important source of information for the IT audit function and for integrating IT into the risk and return management function.2)

Depending on the nature, scope, complexity and risk potential of the business activities, the institutions are therefore also required in their business strategy to make statements on the envisaged structure of IT. As part of the business strategy, the IT strategy is subject to the same requirements as the business strategy itself. That creates planning certainty for the IT organisation, which in turn allows for tactical IT planning and IT resource planning effectively serving the institution’s business objectives.

IT security management

Pursuant to AT 7.2 item 2 of the MaRisk, IT security must be based on “established standards”, not merely on “standards for information security management systems”. It is not enough to meet a standard such as the ISO 27000 series on paper. Rather, the IT processes and IT systems in their entirety must allow the strategic objectives of IT security to be implemented. If, for example, the BSI and ISO standards cited by way of example do not cover certain aspects that are necessary to guarantee an adequate level of security, the institution must take further measures, which may be based on other standards. BSI and ISO require the nature and scope of protective measures to be selected on the basis of the economic consequences that breaches of IT security would have. The institutions must themselves review which measures are necessary.

A core requirement in IT security management – as for other risk types – is a careful risk analysis. The institutions must identify the level of protection required for the information handled in the business processes and for the IT systems concerned. They then have to compare this target level of the security requirements with the security measures they have already implemented. The gap between the two is the basis for residual risk analysis and risk monitoring. The specialists in charge decide which IT risks are accepted. The senior management assumes responsibility for residual IT risks and must therefore keep itself informed of IT risks, including through the quarterly risk reports submitted to it.
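The comparison described above, as an added worked example that is not part of the article: the protection need of each information type is graded per protection goal, an IT system inherits the highest need of any information it processes (the BSI IT-Grundschutz maximum principle), and the level actually reached by the implemented measures is compared against that target. The information types, systems and levels are constructed for illustration; the function and field names are assumptions made here, not BaFin or BSI terminology.

```python
"""Protection-needs assessment and residual-risk gap analysis.

Added illustration, not BaFin/MaRisk text. Follows the BSI IT-Grundschutz
convention that protection needs are graded "normal" / "high" / "very high"
per protection goal and that a system inherits the highest need of any
information it processes (maximum principle). All catalogue data below is
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = {"normal": 1, "high": 2, "very high": 3}
GOALS = ("confidentiality", "integrity", "availability", "authenticity")


@dataclass(frozen=True)
class InformationType:
    name: str
    needs: Dict[str, str]          # protection goal -> required level


@dataclass(frozen=True)
class ITSystem:
    name: str
    processes: Tuple[str, ...]     # names of the information types handled
    achieved: Dict[str, str]       # goal -> level the implemented measures reach


def _all(level: str) -> Dict[str, str]:
    return {g: level for g in GOALS}


# Constructed catalogue of information types and the systems processing them.
INFORMATION = {
    "customer master data": InformationType(
        "customer master data",
        {"confidentiality": "high", "integrity": "high",
         "availability": "normal", "authenticity": "high"}),
    "payment orders": InformationType(
        "payment orders",
        {"confidentiality": "high", "integrity": "very high",
         "availability": "very high", "authenticity": "very high"}),
    "marketing statistics": InformationType("marketing statistics", _all("normal")),
}

SYSTEMS = [
    # Availability measures only reach "high" although payment orders need "very high".
    ITSystem("core banking", ("customer master data", "payment orders"),
             {"confidentiality": "high", "integrity": "very high",
              "availability": "high", "authenticity": "very high"}),
    ITSystem("campaign tool", ("marketing statistics",), _all("normal")),
]


def required_level(system: ITSystem, catalogue=INFORMATION) -> Dict[str, str]:
    """Maximum principle: target per goal is the highest need of any processed information type."""
    return {
        goal: max((catalogue[n].needs[goal] for n in system.processes), key=LEVELS.__getitem__)
        for goal in GOALS
    }


def gap_analysis(system: ITSystem, catalogue=INFORMATION) -> Dict[str, int]:
    """Per goal: how many levels the implemented measures fall short of the target (0 = covered)."""
    target = required_level(system, catalogue)
    return {g: max(0, LEVELS[target[g]] - LEVELS[system.achieved[g]]) for g in GOALS}


def residual_risks(systems: List[ITSystem], catalogue=INFORMATION) -> List[dict]:
    """Shortfalls that remain after target and implemented measures are compared.

    Each entry needs an explicit accept/mitigate decision by the responsible
    specialist and belongs in the risk report to senior management.
    """
    findings = []
    for system in systems:
        target = required_level(system, catalogue)
        for goal, shortfall in gap_analysis(system, catalogue).items():
            if shortfall:
                findings.append({"system": system.name, "goal": goal,
                                 "required": target[goal],
                                 "achieved": system.achieved[goal],
                                 "shortfall": shortfall})
    return findings


if __name__ == "__main__":
    for f in residual_risks(SYSTEMS):
        print(f"{f['system']}: {f['goal']} requires {f['required']}, "
              f"measures reach {f['achieved']} (shortfall {f['shortfall']})")
```

Because the target is derived from the data rather than assigned to the system directly, moving a new information type onto an existing system automatically re-opens the gap analysis for that system.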

Mathematical models alone do not suffice

Furthermore, IT risks have to be viewed within the management of operational risks. However, it is difficult to control IT risks using mathematical models. Although it is perfectly correct to include them in the models for operational risks, this alone is not sufficient: IT risks depend to a substantial extent on the security and quality of the IT processes and the IT products used. This primarily calls for qualitative assessments.

To attain the necessary quality needed for secure processes and systems, the institution must follow up the measurement of IT risks with specific technical and organisational measures. The IT security management function initiates these measures which are then implemented by the IT organisation and, where applicable, by other organisational units.

If for example a strict user authorisation management function is implemented with regular re-certifications, this is an important component of IT security but one that is not sufficient in and of itself. The IT systems must also actually be adapted and configured in such a way that the authorisations cannot be circumvented.
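The two halves of the point above, as an added example that is not from the article: a periodic re-certification of the authorisation register finds entitlements that nobody has confirmed within the review period, but only a reconciliation of that register against the grants actually effective on the target system reveals authorisations that were created directly on the system and so bypass the process. The register, the system dump, the 180-day interval and the identifiers are all constructed here.

```python
"""Authorisation re-certification plus reconciliation against the target system.

Added illustration, not from the article. Inputs are constructed: an IAM
register of approved entitlements with the date each was last re-certified,
and a dump of the entitlements actually effective on the target system.
"""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple, NamedTuple

RECERT_INTERVAL = timedelta(days=180)   # assumed policy value, not a MaRisk figure


class Entitlement(NamedTuple):
    user: str
    system: str
    role: str


# Constructed IAM register: entitlement -> date of its last re-certification.
IAM_REGISTER: Dict[Entitlement, date] = {
    Entitlement("alice", "corebank-db", "READ_ACCOUNTS"): date(2013, 9, 1),
    Entitlement("bob", "corebank-db", "POST_PAYMENTS"): date(2013, 2, 15),   # overdue
    Entitlement("carol", "corebank-db", "READ_ACCOUNTS"): date(2013, 10, 20),
}

# Constructed dump of the grants effective on the target system.
SYSTEM_GRANTS: Set[Entitlement] = {
    Entitlement("alice", "corebank-db", "READ_ACCOUNTS"),
    Entitlement("bob", "corebank-db", "POST_PAYMENTS"),
    Entitlement("bob", "corebank-db", "DBA"),    # granted on the DB directly, never in IAM
}
# carol appears in the register but holds no grant: a stale register entry.


def overdue_recertifications(register: Dict[Entitlement, date], as_of: date,
                             interval: timedelta = RECERT_INTERVAL) -> List[Entitlement]:
    """Entitlements whose last re-certification is older than the interval."""
    return sorted(e for e, last in register.items() if as_of - last > interval)


def reconcile(register: Dict[Entitlement, date],
              grants: Set[Entitlement]) -> Tuple[List[Entitlement], List[Entitlement]]:
    """Compare approved entitlements with effective grants.

    Returns (unauthorised, stale): grants present on the system but absent
    from the register, and register entries with no matching grant.
    """
    approved = set(register)
    return sorted(grants - approved), sorted(approved - grants)


def review(register: Dict[Entitlement, date], grants: Set[Entitlement],
           as_of: date) -> Dict[str, List[Entitlement]]:
    """One review run: re-certification status plus reconciliation findings."""
    unauthorised, stale = reconcile(register, grants)
    return {
        "overdue": overdue_recertifications(register, as_of),
        "unauthorised": unauthorised,   # the circumvention case
        "stale": stale,
    }


if __name__ == "__main__":
    for category, items in review(IAM_REGISTER, SYSTEM_GRANTS, date(2013, 11, 15)).items():
        print(category)
        for e in items:
            print(f"  {e.user}@{e.system}: {e.role}")
```

A register-only review would have reported bob's overdue POST_PAYMENTS role and nothing else; the reconciliation is what surfaces the DBA grant, which is the finding that shows the IAM layer can be bypassed on this system.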

Reliable IT operations and professional IT service management

The stable functioning of IT operations is as much a prerequisite for the availability of banking processes as the professional management of the IT services. That is why it is necessary to integrate IT operations and IT service management into the internal control system. The MaRisk in several places also emphasise the importance of a functioning release, change and configuration management (e.g. AT 7.2 item 3, AT 8.2 item 1, AT 7.2 item 4).

IT operations are only reliable if IT can be quickly restored in the event of serious disruptions, whether caused by human or technical errors. For that reason, well-defined and adequately tested emergency concepts are indispensable.

Materialised IT risks must be noticed in time, and for that a well-functioning monitoring of IT operations must be in place. The same applies to problem and incident management, including the handling of security incidents, which closes the circle between IT operations / IT service management and IT security management.

Software development and procurement

Software risks, i.e. deficits in software, are a major category of IT risks. They arise in software development regardless of whether a software programme is developed by the institution itself or provided by suppliers. That is why it is necessary to integrate software development and software procurement into the internal control system.

Careful planning, which includes identifying and analysing requirements as well as planning quality assurance and testing, is a basic precondition for reliable software development. BaFin requires the institutions to apply a standard process covering the planning, development, testing and implementation of the software in the production environment (AT 7.2 item 3 of the MaRisk). To ensure data security, this process, too, has to be based on established standards.

To make it possible for applications to actually support business activities, it is necessary for the institutions to carefully research and analyse specialist banking requirements. Where applicable, they may also have to take account of non-functional requirements forming the basis of secure and qualitatively adequate IT operations, such as the requirements to be met in terms of confidentiality of data. In the actual software development, controls must be in place to prevent products of inferior quality. This ensures both the implementation of specialist banking requirements as well as the reliability and trustworthiness of the software.

Additional protection measures

Although the MaRisk do emphasise that a new software product must undergo final testing and acceptance before being put into service, the institutions may have to take additional measures depending on the risk potential of the software. The MaRisk moreover explicitly require the separation of the development and production environment.

If third parties supply software, BaFin expects the bank to use the same level of care as in its own software development, particularly in the area of risk analysis. This concerns the terms drafted for the contract as well as the documentation of acceptance and careful testing in which both the functionality and the security and reliability of the system are taken into account.

Implementation at institutions and at IT service providers

One challenge is to uphold IT security at a high level even when the framework conditions change – for example as a result of changes in the business strategy, new products, a restructuring or new legal requirements – and the budget is limited. Many institutions have outsourced their IT either partly or wholly. What is decisive for them is to integrate the IT service provider when they set up and implement the IT security management function.

If all institutions of a group decide to procure software and IT operations from the same IT service provider, that is where the IT risks will be concentrated. That makes it all the more vital to effectively control the service provider. For that reason, the institution must possess its own technical expertise, for example to be able to comprehend and, where necessary, respond to the IT risk reports submitted by the service provider.

Requirements to be met by service providers

The service providers are indirectly subject to banking supervision: since they have to report to the credit institutions, they also have to implement their requirements. Data centres in particular – like the internal IT organisation of the institutions – face high cost pressures, but this must not result in disproportionately high risks being taken that would impact the institutions.

With institutions and service providers there are frequently organisational changes in IT. In that respect, too, the defined level of IT security must be maintained.

Outlook: Supervisory practice

Both nationally and internationally, IT security is of strategic importance for all critical infrastructures – and thus also for the banking industry. This is increasingly being recognised by policymakers: for example, the German government already developed a cyber security strategy for Germany in 2012, and a German IT security act as well as an EU directive on cyber security are in the offing. BaFin, too, will continue to step up its efforts in the area of IT security in the banking industry, amongst other things by addressing special issues in an in-depth manner (for example, a circular on algorithmic trading has already been released for consultation) and by auditing banks even more thoroughly.

One particular challenge for banking IT is the necessity to be able to deliver correct risk data without delays. The bigger and more complex an institution or institution group is, the more difficult it becomes to ensure that all data are delivered immediately and correctly – a fact that became particularly clear in the financial crisis. The Basel Committee on Banking Supervision (BCBS) therefore established at the beginning of 2013 new requirements for risk data aggregation and risk reporting which institutions are required to implement by 2016. IT security is a vital prerequisite for the trustworthiness of the data and their availability. It is also increasingly having an influence on retail clients’ trust in essential banking services, such as payment transactions.

IT security is also becoming increasingly important because threats are on the rise. Hackers in particular are becoming increasingly professional in their operations. Given the profits that organised criminals can obtain by means of fraud, industrial espionage or sabotage, this trend will in all likelihood continue to gather pace. Massive hacker attacks on large US institutions and on companies from other sectors such as aircraft construction and the steel industry give an idea of what might also happen to German institutions should they fail to take timely countermeasures.

Footnotes

1) Committee of European Banking Supervisors. Predecessor to the European Banking Authority (EBA).

2) For information on the special features of the IT audit function with regard to the IT security process, see BSI Guideline for information security audit and section 6 of ISO 27001. For information on the special features of IT control with reference to the IT security process, see BSI-Grundschutzkatalog M 2.336 (IT Basic Protection Catalogue M 2.336), the HA (High Availability) Compendium G 3 of the BSI and section 7.2 f. of ISO 27001.
