
Published: 10.05.2017

IT Supervision: 400 attendees at BaFin's IT conference for banks

Around 400 representatives from credit institutions and IT service providers as well as IT security experts gathered in the middle of March at BaFin's invitation to attend the "IT Supervision in the Banking Sector" conference in the former chamber of the German Bundestag in Bonn. BaFin and the Deutsche Bundesbank provided information at the conference on current areas of priority and regulatory plans.

Cyber risks

BaFin President Felix Hufeld made it clear in his welcome address (only available in German) how important this issue is: "Cyber attacks are not just the stuff of science fiction movies. They are a very serious part of everyday life." In the financial sector, information technology today is not merely incidental to the generation of income; it is fundamental to all processes. This also means it is vulnerable to attack. "In the movies, the bad guys often make it tough for the good guys. They have better weapons, faster cars and usually seem to be a step ahead in terms of IT capabilities." In real life, neither supervisory authorities nor credit institutions can afford to allow the dark side of digitalisation to gain and exploit an advantage, warned Hufeld. The fact that more than 1,000 people registered for the conference confirmed that IT security experts and bank representatives are aware of the problem.

Raimund Röseler, Chief Executive Director of Banking Supervision, highlighted the fact that additional steps now had to be taken. It was a cause for concern to him that IT inspections at institutions often ended with poor results. "Under the school marking system, hardly any of the banks would have come away with more than a pass mark." Cyber risks would therefore appear at the top right of a matrix. In other words: high probability, major consequences. "During my first few years working in the banking sector, the catchphrase was still 'banking is people'. Nowadays it is 'banking is technology'. And this includes all of the associated vulnerabilities," said Röseler. A dialogue between all stakeholders, including at events such as this one, was therefore extremely important.

Note: Presentations

All presentations given at the workshop of March 16, 2017 (only available in German).

Supervisory Requirements

Among the presentations given by representatives of BaFin and the Deutsche Bundesbank, the proposed Supervisory Requirements for IT (Bankaufsichtliche Anforderungen an die IT – BAIT) generated particular interest. BaFin is currently carrying out consultations regarding these requirements. The circular will give more substance to the IT-related sections of the Minimum Requirements for Risk Management (MaRisk), thereby making it clear what BaFin and the Bundesbank expect in terms of IT security within institutions.

"We will thereby establish a flexible and practice-based framework for managing IT resources and IT risk management," explained Renate Essler of BaFin and Dr Michael Paust of the Bundesbank. They discussed the basic principles and structure of BAIT. BAIT cover eight areas: IT strategy, IT governance, management of information risk, information security and user access rights, IT projects and the development of applications, IT system operation including data security, and outsourcing and other external procurement of IT services.

The plan was to publish the circular in mid-2017. "BAIT will help to increase awareness of IT risks and IT security across the board in the banking sector," said Chief Executive Director Röseler. He pointed out that senior management was responsible for implementing and complying with BAIT.

Security of payments

Also on the agenda was the Second Payment Services Directive (see BaFinJournal March 2016, only available in German), which was the subject of a presentation by BaFin experts Dr Felix Reinshagen and Tobias Schmidt. They explained that the various objectives of the Directive were somewhat at odds with one another: enhancing competition and innovation in the area of payments while at the same time improving security and consumer protection. "Now that's a challenge."

The European Banking Authority (EBA) recently published draft regulatory technical standards on strong customer authentication and common and secure communication (see BaFinJournal March 2017, only available in German), which aim to strike a fair balance between these requirements. The matters addressed by the speakers included the cases in which strong authentication was necessary and the exceptions provided for in the EBA draft. It remained to be seen, however, whether the European Commission would make changes to the regulatory standards.

Critical infrastructure

Dr Jens Gampe and Dr Sebastian Silberg (both of BaFin) presented important aspects of the new German Regulation on the Identification of Critical Infrastructure pursuant to the Act on the Federal Office for Information Security (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSI-Gesetz). In particular, the system categories and thresholds listed in the Regulation were the criteria used to determine which financial sector undertakings would be subject to the obligations incumbent upon operators in the future. In the banking sector, for example, it would depend on how many million payment transactions were settled through a single "system" within the meaning of the Regulation.

They also discussed "UP KRITIS" (only available in German), a public-private partnership between operators of critical infrastructure, their associations and the competent government agencies. The aim is to ensure access to critical infrastructure for the population. The finance and insurance sectors are part of the critical sectors.

Bundesbank practice in the context of IT supervision and inspections

Workshop participants also gained an insight into Bundesbank practice in the context of IT supervision and inspections. Jörg Bretz of the Bundesbank's Regional Office in Hesse presented key issues and common findings from IT inspections, turning particular attention to the issues of cyber security and cloud computing. Among the particular challenges faced by institutions were managing the risks associated with increasingly complex value and supply chains as well as meeting the requirements for transparency of internal processes and the control mechanisms of cloud providers.

Bretz also touched on the challenges existing in the international context, particularly within the European regulatory framework with the Single Supervisory Mechanism (SSM) of the European Central Bank, the EBA and the national competent authorities. Difficulties primarily arose due to the diverse range of languages, a differing understanding of terms and different regulatory cultures. In the meantime, however, joint auditing experience had been gained, which could be used as a building block.
