IT security: BaFin specifies requirements for the banking industry
- Interpretation of supervisory standards
- Improving awareness of IT risks
- IT strategy
- IT governance
- Information risk management
- Information security management
- User access management
- IT projects and application development
- IT operations
- Outsourcing and other external procurement of IT services
- Further development of the BAIT
At the start of November, BaFin published the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT – BAIT, see BaFinJournal November 2017 (only available in German)). The BAIT have now become the cornerstone of IT supervision for all credit and financial services institutions in Germany. The requirements are directed at the management boards of such companies.
The objective of the BAIT is to create a comprehensible and flexible framework for the management of IT resources, information risk and information security. They also aim to contribute towards increasing awareness of IT risks throughout the institutions and in relation to external service providers. Furthermore, they provide transparency about what banking supervisors expect from the institutions with regard to the management and monitoring of IT operations, including the user access management that this necessitates as well as requirements for IT project management and application development. Overall, the BAIT address those subject areas which BaFin has identified as particularly important based on its experience of IT inspections.
Interpretation of supervisory standards
As with the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) at banks revised at the end of October (see BaFinJournal November 2017 (only available in German)), the BAIT interpret the statutory requirements set out in section 25a (1) sentence 3 no. 4 and no. 5 of the German Banking Act (Kreditwesengesetz – KWG). They specify what BaFin considers to be adequate technical and organisational resources for IT systems, particularly in relation to the requirements for information security and suitable contingency management.
Because institutions are increasingly using the IT services of third parties, both by means of outsourcing IT services and through external procurement, the interpretation provided by the BAIT also extends to section 25b of the KWG. The referencing of specific MaRisk items ensures that the relationship between the BAIT and the general supervisory requirements for risk management is upheld. In particular, the BAIT address topics where BaFin's IT inspections have identified substantial deficiencies in recent years (see graphic 1).
Graphic 1: IT deficiencies identified
The BAIT are also intended to assist the institutions in ensuring that there is proper business organisation in place with regard to IT. Nonetheless, the principle-based requirements set out in the BAIT should not be viewed as an exhaustive catalogue of requirements. In this regard, the banks are obliged to implement the BAIT requirements based on established standards pursuant to AT 7.2 of the MaRisk.
Furthermore, one of the essential features of the BAIT is that the principle of dual proportionality applies without restriction. This principle stipulates that both the management instruments of the bank and the intensity of monitoring by banking supervisors should be proportional to the bank's risks.
Improving awareness of IT risks
One of the primary objectives of the BAIT is to improve awareness of IT risks at institutions, especially at management levels. Banking supervisors understand the term "IT risk" as meaning all risks to the institution's financial position and financial performance that arise from deficiencies relating to IT management, the availability, confidentiality, integrity and authenticity of data, the internal control system for IT organisation, the IT strategy, IT guidelines and IT topics in the rules of procedure, or the use of information technology (see BaFinJournal November 2013 (only available in German)).
The need to bring about risk transparency and to address IT risk at all levels of the institution is a common thread throughout all eight modules of the BAIT and is an integral component of the individual IT requirements (see graphic 2).
Graphic 2: Improving risk awareness with the BAIT
IT strategy
The central requirement with regard to the IT strategy is that the management board must regularly deal with the strategic implications of IT's various aspects for the institution's business strategy. In addition to developing the institution's organisational and operational IT structure along with that for the outsourcing of IT services, this also includes, for example, the strategic approach to dealing with end-user computing (EUC) in organisational units.
Deciding on an IT strategy and the resulting measures to achieve its goals – which have to be published internally within the institutions – also provides clarity with regard to the importance of IT for banking business. Such clarity is necessary for IT risk awareness.
IT governance
The management board is responsible for ensuring that the provisions on IT governance are implemented effectively within the institution and in relation to third parties. It must also ensure that the functions of information risk management, information security management, IT operations and application development are appropriately staffed.
Banking supervisors consider this to be important so that any risk of inadequate staffing in these areas, be it qualitative or quantitative, can be identified at an early stage and remedied as quickly as possible. For the same reason, the BAIT contain the requirement that activities that are not compatible with each other are to be avoided within the organisational and operational IT structure.
Information risk management
As part of its information risk management, each institution must ascertain its respective protection requirements, determine target measures based on them and compare these to the measures which have been successfully implemented. The transparency this creates vis-à-vis the risk situation along with the need for the management board to accept the residual risk is the main requirement aimed at improving IT risk awareness within the institution and in relation to IT service providers.
Information security management
With consideration for the risk situation ascertained, the management board must define an information security policy and publish this internally. The protection requirements defined as part of information risk management must be fleshed out in the form of information security guidelines.
Furthermore, the function of information security officer is the key component for maintaining and monitoring information security both within the institution and in relation to third parties. In terms of organisation and processes, this function must be independent so that information security can be evaluated free of any conflicts of interest. This also improves the IT risk awareness of the management board and all employees at the institution.
User access management
As part of user access management, the concept for access rights must be specified in written form and adhere to the "need-to-know" principle. This principle means that access rights are only to be granted if they are needed to fulfil a specific task. This also contributes towards improving IT risk awareness.
The same can be said of the recertification process, in which the access rights granted are checked and any deviations from the need-to-know principle are detected.
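The recertification step described above can be made concrete as a comparison between the rights actually granted in the systems and the written access-rights concept. The following is an added example and not part of the BAIT or any BaFin material: it models the concept as a role-to-entitlement mapping, reports every granted right that no role of the user needs (a deviation from need-to-know), treats all rights of a disabled account as orphaned, flags roles the concept does not know, and, going one step beyond the paragraph above, also checks for the incompatible combinations of activities that the IT governance section says must be avoided. All users, roles, entitlements and the incompatible pair are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample: the written access-rights concept as a mapping from
# business role to the entitlements that role needs to fulfil its tasks.
ROLE_CONCEPT = {
    "teller": {"core_banking:read", "core_banking:post_transaction"},
    "credit_analyst": {"core_banking:read", "credit_engine:rate"},
    "it_operator": {"core_banking:admin", "monitoring:read"},
}

# Constructed sample: entitlement pairs the concept declares incompatible
# (one person must not both post transactions and administer the system).
INCOMPATIBLE = [("core_banking:post_transaction", "core_banking:admin")]


@dataclass(frozen=True)
class UserAccess:
    user: str
    roles: frozenset
    granted: frozenset      # entitlements actually present in the systems
    active: bool = True     # False for leavers or disabled accounts


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str               # "excess", "orphaned" or "unknown_role"
    detail: str


def required_entitlements(roles, concept=ROLE_CONCEPT):
    """Entitlements the concept permits for this set of roles.
    Roles the concept does not know contribute nothing; recertify()
    reports them separately."""
    required = set()
    for role in roles:
        required |= concept.get(role, set())
    return required


def recertify(users, concept=ROLE_CONCEPT):
    """Compare granted rights against the concept and return every deviation."""
    findings = []
    for u in sorted(users, key=lambda x: x.user):
        for role in sorted(u.roles - set(concept)):
            findings.append(Finding(u.user, "unknown_role", role))
        if not u.active:
            # A disabled account needs nothing at all: every right is orphaned.
            for ent in sorted(u.granted):
                findings.append(Finding(u.user, "orphaned", ent))
            continue
        excess = u.granted - required_entitlements(u.roles, concept)
        for ent in sorted(excess):
            findings.append(Finding(u.user, "excess", ent))
    return findings


def segregation_conflicts(users, incompatible=INCOMPATIBLE):
    """Flag active users holding both halves of an incompatible pair, even
    when each right on its own is covered by one of their roles."""
    conflicts = []
    for u in sorted(users, key=lambda x: x.user):
        if not u.active:
            continue
        for a, b in incompatible:
            if a in u.granted and b in u.granted:
                conflicts.append((u.user, a, b))
    return conflicts


# Constructed sample extract of granted rights, as an identity system would export it.
SAMPLE_USERS = [
    UserAccess("alice", frozenset({"teller"}),
               frozenset({"core_banking:read", "core_banking:post_transaction"})),
    UserAccess("bob", frozenset({"credit_analyst"}),
               frozenset({"core_banking:read", "credit_engine:rate", "core_banking:admin"})),
    UserAccess("carol", frozenset({"teller"}), frozenset({"core_banking:read"}), active=False),
    UserAccess("dave", frozenset({"intern"}), frozenset({"monitoring:read"})),
    UserAccess("erin", frozenset({"teller", "it_operator"}),
               frozenset({"core_banking:read", "core_banking:post_transaction",
                          "core_banking:admin", "monitoring:read"})),
]

if __name__ == "__main__":
    for f in recertify(SAMPLE_USERS):
        print(f"{f.user}: {f.kind} {f.detail}")
    for user, a, b in segregation_conflicts(SAMPLE_USERS):
        print(f"{user}: incompatible combination {a} + {b}")
```

Run against the sample data, the check reports bob's administrative right as excess, carol's remaining right as orphaned, dave's unknown role together with the right it cannot justify, and erin's combination of posting and administration as a segregation conflict, while alice passes cleanly. Each finding is the input for the review and revocation step; the script deliberately stops at reporting.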
IT projects and application development
The management and monitoring of IT projects must give particular consideration to the risks relating to such projects' duration, use of resources and quality. The management board must ensure that a full overview of the IT project risks and those risks that arise from interdependencies between different projects is compiled.
Even when applications are first being developed, precautions must be taken to safeguard the confidentiality, integrity, availability and authenticity of the data to be processed. These provisions serve to reduce the risk of any unintentional alteration or intentional manipulation of applications.
In BaFin’s view, EUC applications developed or operated by an institution's organisational units should be divided into risk classes. This achieves transparency within the institution in relation to the risks arising from the use of such applications. Furthermore, banking supervisors expect the institution to maintain a central register of all EUC applications, especially those that are important for banking business processes, for risk management and monitoring or for accounting purposes.
Awareness about IT risks is also significantly raised by taking the risks that arise from outdated IT systems into account. In order for product lifecycles to be managed accordingly, it is nonetheless necessary for the components of the IT systems, including inventory data, to be subject to the appropriate administration. To this end, the institutions should use a configuration management database (CMDB).
Suitable criteria must be set for informing the management board about unplanned deviations from regular operations (disruptions), their causes, about the contingency measures taken to maintain or re-establish business operations and about the remedying of deficiencies. This enables the board to manage IT risk in an appropriate manner.
Outsourcing and other external procurement of IT services
Any outsourcing of IT services has to fulfil the requirements set out under AT 9 of the MaRisk and must be evaluated in a risk analysis. The risks from any other external provision of IT services must also be evaluated, as otherwise it is not possible to comprehensively ascertain the risk situation or detect concentration risks in the area of IT services. Furthermore, the measures determined from the risk analysis influence the formulation of the contracts.
Note: No implementation period
Because the BAIT contain no new requirements for the institutions or their IT service providers but rather merely explain and provide detail for existing requirements, no implementation period is provided for.
Further development of the BAIT
The modular structure of the BAIT allows banking supervisors the flexibility needed to adjust or expand the overall text should new national or international requirements necessitate this in future. For example, BaFin is currently examining whether the Fundamental Elements for Cyber Security, published by the G7 in October 2016, can be implemented by adjusting the BAIT.
In addition, BaFin – in collaboration with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) – will add a special module to the BAIT for operators of critical infrastructures within the meaning of section 2 (10) of the German BSI Act (see BaFinJournal August 2017 (only available in German)) if appropriate. The aim here is for the module to include the requirements needed to fulfil the provisions of the BSI Act.
A further addition to the BAIT dealing with IT contingency management, including test and recovery procedures, is being planned as well.
In the context of the planned Europe-wide harmonisation of supervisory requirements for the management of IT risks in financial institutions, BaFin will be actively drawing the BAIT into the discussion process.
This article reflects the situation at the time of publication and will not be updated subsequently.