The objective of the BAIT is to create a comprehensible and flexible framework for the management of IT resources, information risk and information security. They also aim to contribute towards increasing awareness of IT risks throughout the institutions and in relation to external service providers. Furthermore, they provide transparency about what banking supervisors expect from the institutions with regard to the management and monitoring of IT operations, including the user access management that this necessitates as well as requirements for IT project management and application development. Overall, the BAIT address those subject areas which BaFin has identified as particularly important based on its experience of IT inspections.

Interpretation of supervisory standards

As with the Minimum Requirements for Risk Management (Mindestanforderungen an das Risikomanagement – MaRisk) at banks revised at the end of October (see BaFinJournal November 2017 (only available in German)), the BAIT interpret the statutory requirements set out in section 25a (1) sentence 3 no. 4 and no. 5 of the German Banking Act (Kreditwesengesetz – KWG). They specify what BaFin considers to be adequate technical and organisational resources for IT systems, particularly in relation to the requirements for information security and suitable contingency management.

Because institutions are increasingly using the IT services of third parties, both by means of outsourcing IT services and through external procurement, the interpretation provided by the BAIT also extends to section 25b of the KWG. The referencing of specific MaRisk items ensures that the relationship between the BAIT and the general supervisory requirements for risk management is upheld. In particular, the BAIT address topics where BaFin's IT inspections have identified substantial deficiencies in recent years (see graphic 1).

IT deficiencies identified

Figure: IT deficiencies identified; © BaFin

The BAIT are also intended to assist the institutions in ensuring that there is proper business organisation in place with regard to IT. Nonetheless, the principle-based requirements set out in the BAIT should not be viewed as an exhaustive catalogue of requirements. In this regard, the banks are obliged to implement the BAIT requirements based on established standards pursuant to AT 7.2 of the MaRisk.

Furthermore, one of the essential features of the BAIT is that the principle of dual proportionality applies without restriction. This principle stipulates that both the management instruments of the bank and the intensity of monitoring by banking supervisors should be proportional to the bank's risks.

Improving awareness of IT risks

One on the primary objectives of the BAIT is to improve awareness of IT risks at institutions, especially at management levels. Banking supervisors understand the term "IT risk" as meaning all risks to the institution's financial position and financial performance that arise from deficiencies relating to IT management, the availability, confidentiality, integrity and authenticity of data, the internal control system for IT organisation, the IT strategy, IT guidelines and IT topics in the rules of procedure, or the use of information technology (see BaFinJournal November 2013 (only available in German)).

The need to bring about risk transparency and to address IT risk at all levels of the institution is a common thread throughout all eight modules of the BAIT and is an integral component of the individual IT requirements (see graphic 2).

Improving risk awareness with the BAIT

Figure: Improving risk awareness with the BAIT; © BaFin

IT strategy

The central requirement with regard to the IT strategy is that the management board must regularly deal with the strategic implications of IT's various aspects for the institution's business strategy. In addition to developing the institution’s organisational and operational IT structure along with that for the outsourcing of IT services, this also includes, for example, the strategic approach to dealing with end-user computing (EUC) in organisational units.

Deciding on an IT strategy and the resulting measures to achieve its goals – which have to be published internally within the institutions – also provides clarity with regard to the importance of IT for banking business. Such clarity is necessary for IT risk awareness.

IT governance

The management board is responsible for ensuring that the provisions on IT governance are implemented effectively within the institution and in relation to third parties. It must also ensure that the functions of information risk management, information security management, IT operations and application development are appropriately staffed.

Banking supervisors consider this to be important so that any risk of inadequate staffing in these areas, be it qualitative or quantitative, can be identified at an early stage and remedied as quickly as possible. For the same reason, the BAIT contain the requirement that activities that are not compatible with each other are to be avoided within the organisational and operational IT structure.

Information risk management

As part of its information risk management, each institution must ascertain its respective protection requirements, determine target measures based on them and compare these to the measures which have been successfully implemented. The transparency this creates vis-à-vis the risk situation along with the need for the management board to accept the residual risk is the main requirement aimed at improving IT risk awareness within the institution and in relation to IT service providers.

Information security management

With consideration for the risk situation ascertained, the management board must define an information security policy and publish this internally. The protection requirements defined as part of information risk management must be fleshed out in the form of information security guidelines.

Furthermore, the function of information security officer is the key component for maintaining and monitoring information security both within the institution and in relation to third parties. In terms of organisation and processes, this function must be independent so that information security can be evaluated free of any conflicts of interest. This also improves the IT risk awareness of the management board and all employees at the institution.

User access management

As part of user access management, the concept for access rights must be specified in written form and adhere to the "need-to-know" principle. This principle means that access rights are only to be granted if they are needed to fulfil a specific task. This also contributes towards improving IT risk awareness.

The same can be said of the recertification process, in which the access rights granted are checked and any deviations from the need-to-know principle are detected.

IT projects and application development

The management and monitoring of IT projects must give particular consideration to the risks relating to such projects' duration, use of resources and quality. The management board must ensure that a full overview of the IT project risks and those risks that arise from interdependencies between different projects is compiled.

Even when applications are first being developed, precautions must be taken to safeguard the confidentiality, integrity, availability and authenticity of the data to be processed. These provisions serve to reduce the risk of any unintentional alteration or intentional manipulation of applications.

In BaFin’s view, EUC applications developed or operated by an institution's organisational units should be divided into risk classes. This achieves transparency within the institution in relation to the risks arising from the use of such applications. Furthermore, banking supervisors expect the institution to maintain a central register of all EUC applications, especially those that are important for banking business processes, for risk management and monitoring or for accounting purposes.

IT operations

Awareness about IT risks is also significantly raised by taking the risks that arise from outdated IT systems into account. In order for product lifecycles to be managed accordingly, it is nonetheless necessary for the components of the IT systems, including inventory data, to be subject to the appropriate administration. To this end, the institutions should use a configuration management database (CMDB).

Suitable criteria must be set for informing the management board about unplanned deviations from regular operations (disruptions), their causes, about the contingency measures taken to maintain or re-establish business operations and about the remedying of deficiencies. This enables the board to manage IT risk in an appropriate manner.

Outsourcing and other external procurement of IT services

Any outsourcing of IT services has to fulfil the requirements set out under AT 9 of the MaRisk and must be evaluated in a risk analysis. The risks from any other external provision of IT services must also be evaluated, as otherwise it is not possible to comprehensively ascertain the risk situation or detect concentration risks in the area of IT services. Furthermore, the measures determined from the risk analysis influence the formulation of the contracts.

Further development of the BAIT

The modular structure of the BAIT allows banking supervisors the flexibility needed to adjust or expand the overall text should new national or international requirements necessitate this in future. For example, BaFin is currently examining whether the Fundamental Elements for Cyber Security, published by the G7 in October 2016, can be implemented by adjusting the BAIT.

In addition, BaFin – in collaboration with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) – will add a special module to the BAIT for operators of critical infrastructures within the meaning of section 2 (10) of the German BSI Act (see BaFinJournal August 2017 (only available in German)) if appropriate. The aim here is for the module to include the requirements needed to fulfil the provisions of the BSI Act.

A further addition to the BAIT dealing with IT contingency management, including test and recovery procedures, is being planned as well.

In the context of the planned Europe-wide harmonisation of supervisory requirements for the management of IT risks in financial institutions, BaFin will be actively drawing the BAIT into the discussion process.