IT security: BaFin specifies IT requirements for the insurance sector
In mid-March, BaFin launched a consultation on its draft circular concerning supervisory requirements for IT in the insurance sector (Versicherungsaufsichtliche Anforderungen an die IT – VAIT; only available in German) (see BaFinJournal of March 2018, only available in German). Comments were welcomed until 20 April.
On this page:
- Interpretation of supervisory provisions
- Increasing awareness of IT risks
- IT strategy
- IT governance
- Information risk management
- Information security management
- User access rights management
- IT projects and application development
- IT operations
- IT services
- Further steps and outlook
As with the BAIT, which set out IT requirements for financial institutions (see BaFinJournal of November 2017 and January 2018, only available in German), the VAIT are set to become the cornerstone of IT supervision for all insurance undertakings and Pensionsfonds in Germany. The VAIT are primarily aimed at senior management.
The undertakings that are within the scope of Solvency II are also subject to the Minimum Requirements under Supervisory Law on the System of Governance of Insurance Undertakings (Aufsichtsrechtliche Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen – MaGo). The VAIT do not apply to special purpose insurance vehicles within the meaning of section 168 of the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG (only available in German)) or guarantee schemes within the meaning of section 223 of the VAG.
The objective of the VAIT is to provide the senior management of insurance undertakings with a clear and flexible framework, particularly in relation to IT resource management, information risk management and information security management. The VAIT are also intended to help increase awareness of IT risks in insurance undertakings and in relation to their IT service providers.
The VAIT clarify what BaFin expects from these undertakings with regard to the management and control of IT operations, including the required access rights management. In addition, the VAIT lay down the requirements for IT project management and application development, which also encompasses end-user computing in business units. Overall, the VAIT address all the issues that BaFin considers to be particularly significant based on the findings of its IT supervisory activities and inspections.
Interpretation of supervisory provisions
The circular contains information on how to interpret the provisions laid down in the VAG on the system of governance of insurance undertakings, which concern the technical and organisational resources of such undertakings. In other words, the circular specifies what BaFin considers to be appropriate technical and organisational resources for ICT, with particular regard to information security requirements. As many undertakings are now obtaining IT services from third parties – either in the form of outsourcing arrangements or other service contracts – the VAIT set out requirements for this as well.
More transparent supervisory requirements should help these undertakings ensure that they have an effective system of governance in the area of IT. However, these principles-based requirements do not encompass all requirements and are thus not exhaustive as to the depth and breadth of regulation. In addition to the specifications set out in the VAIT, all of the undertakings concerned remain obliged to comply with established IT standards and take into account state-of-the-art technology.
When implementing the requirements for the system of governance and the design of structures, IT systems and processes, the principle of proportionality plays a significant role. The requirements are to be met while taking into account the nature, scale and complexity of the risks associated with an undertaking's business activities.
Increasing awareness of IT risks
As mentioned above, one of the key goals of the VAIT and BAIT is to increase awareness of IT risks in undertakings. These requirements are primarily targeted at the senior management of undertakings.
BaFin considers IT risk to be any existing or future risk of losses due to inappropriate or faulty hardware or software in technical infrastructures that may limit the availability, integrity, accessibility or security of these infrastructures or data.
The need for risk transparency and the need to address IT risks at all levels of the undertaking is a common thread running through all modules of the VAIT, forming an integral part of the individual IT requirements (see “IT risk awareness”).
IT strategy
As regards the IT strategy, one key requirement is that senior management regularly discuss the strategic implications of various IT aspects for the business strategy. This includes the organisational and operational structure of IT, the outsourcing of IT services and other service contracts, including a strategic approach to end-user computing in business units.
Establishing an IT strategy and deriving measures to achieve strategic objectives to be communicated accordingly within the undertaking highlights the significance of IT for conducting insurance activities. This is necessary in order to increase awareness of IT risks.
IT governance
Senior management is responsible for defining the requirements governing the organisational and operational structure of IT based on the IT strategy and ensuring that these are amended swiftly should the undertaking's activities or processes change. In addition, senior management has to ensure that these requirements are implemented effectively. This also applies to interfaces to key outsourcing arrangements.
The undertaking has to ensure that suitable staff are available for the following areas in particular: information risk management, information security management, IT operations and application development. BaFin considers this to be key in order to ensure that any risks of inadequate staffing – from a qualitative and quantitative point of view – are identified at an early stage and can be rectified as quickly and fully as possible. Conflicts of interest within the organisational and operational IT structure are to be avoided. Adequate staffing is also required here.
Information risk management
In the context of information risk management, each undertaking has to determine its own protection requirements. Target measures are to be defined on this basis and compared with the measures that have actually been implemented, making adjustments where necessary.
A more transparent risk situation and senior management’s acceptance of residual risk are key in order to raise awareness of IT risks in undertakings and in relation to their IT service providers.
Information security management
While taking the risk situation into account, senior management is responsible for agreeing on and appropriately communicating an information security policy within the undertaking. On the basis of this information security policy, more specific information security guidelines and information security processes, including identification, protection, discovery, response and recovery sub-processes, are to be established while taking into account the latest developments in technology.
In BaFin’s view, information security officers play a key role in ensuring compliance with the requirements and monitoring information security within the undertaking and with regard to third parties. Information security officers need to be independent from an organisational and operational point of view to avoid conflicts of interest when evaluating information security. This also increases awareness of IT risks among senior management and all employees within the undertaking.
User access rights management
Undertakings have to set up a user access rights management system. They have to ensure that access rights are used as defined in the undertaking’s organisational and operational requirements. The user access rights concept has to be defined in writing, ensuring that staff are only granted the rights they need to perform their activities. This, too, helps to increase awareness of IT risks.
The same applies to the recertification process, in which granted access rights are regularly reviewed. With this process, deviations from the aforementioned requirements can be identified and access rights can be changed if necessary.
IT projects and application development
IT projects have to be managed appropriately, with particular regard to risks in relation to their duration, use of resources and quality. In addition, the portfolio of IT projects has to be monitored and managed appropriately. It should also be noted that risks may result from interdependencies between different projects as well.
When developing applications, appropriate steps are to be taken to ensure that the confidentiality, integrity, availability and authenticity of the data to be processed in the programme are transparently assured in line with protection requirements. This also helps to reduce the risk of unintentional changes or deliberate manipulations of the application.
With regard to applications developed or operated by end users in business units, BaFin considers it necessary that undertakings define a suitable procedure to classify and categorise applications on the basis of protection requirements and provide rules on how to handle such applications. This provides the required level of transparency in relation to risks resulting from end-user computing applications.
In addition, BaFin expects undertakings to maintain a central register of all critical and key applications. This register has to at least include the applications used to identify, assess, monitor or manage risks, those used to report on these risks and those that are significant for performing any other insurance-related activities.
IT operations
Taking into account the risks that may arise from operating outdated IT systems – whether hardware or software – also helps to significantly raise awareness of IT risks. However, (product) lifecycle management can be achieved in this way only if the components of IT systems, including portfolio data, are managed accordingly. Undertakings for which it is necessary to apply the principle of proportionality should keep a digital repository, such as a configuration management database (CMDB).
In order to minimise damage to the undertaking and its reputation, appropriate criteria are to be determined to inform senior management of any unscheduled disruptions to standard operations, their causes, the emergency measures used to restore or recover operations and remedy the fault in question. This allows the undertaking to have an appropriate overview of IT risks at all times.
IT services
Before outsourcing IT services or entering into other IT service contracts, risk assessments have to be performed. This is the only way for undertakings to fully assess the risk situation and identify concentration risks in connection with IT services.
In addition, BaFin expects the measures derived from such risk assessments to be incorporated into contractual arrangements.
Note: No deadlines for implementation
The VAIT do not include any new requirements for undertakings and their IT service providers, but rather explain or specify supervisory requirements that already exist, which is why no implementation deadlines have been set.
Further steps and outlook
The modular structure of the VAIT provides BaFin with the required flexibility for making adjustments or additions if this turns out to be necessary as a result of new international or national requirements.
For example, BaFin is currently examining whether the fundamental elements of cybersecurity that the G7 countries published in October 2016 can be implemented in the form of amendments to the VAIT. These cover multiple areas, such as IT emergency management and test and recovery procedures. In cooperation with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), BaFin plans to draw up a special module entitled "Critical infrastructure" (see BaFinJournal of August 2017 (only available in German)) and incorporate this into the VAIT. This is intended to only apply to operators of critical infrastructures within the meaning of the amending regulation (only available in German) to the Federal Regulation Specifying Critical Infrastructure in accordance with the BSI (BSI-Kritisverordnung – BSI-KritisV (only available in German)), without resulting in any additional costs.
BaFin is also planning to publish an English translation of the VAIT in the near future. In the context of plans to harmonise the requirements for IT systems in the insurance sector across the EU, BaFin will introduce the VAIT as part of the discussion process.
Dr Jens Gampe
BaFin Division for Policy Issues relating to IT Supervision and Inspections