Topic: Risk management

Cyber security: BaFin survey of German insurance undertakings

Date: 24.09.2018

Insurers and pension funds (Pensionsfonds) tend to be heavily dependent on their information technology (IT) systems and are therefore exposed to cyber risks. The risk of falling victim to cyber crimes has risen sharply in recent years. This is due in particular to the technological developments and increasing interconnectedness of companies, as well as to the increasing professionalisation of cyber criminals. Cyber attacks that have been made public have raised awareness of this issue. Although these attacks have focused on other industries, BaFin has no reason to assume that the insurance industry is less vulnerable.

In order to learn more about how insurers and pension funds handle their cyber risks, BaFin conducted a survey of all German insurance undertakings and pension funds – excluding funeral expenses funds – between August and November 2017. BaFin's intention was also for this survey to signal to the industry that it would be keeping a closer eye on companies’ information technology and their IT service providers going forward. The objective was to identify the typical strengths and weaknesses of companies in order to enable it to set its supervisory sights on the right areas.

At a glance: BaFin survey of German insurance undertakings

The survey covered the following supervisory areas: IT governance, overview of the insurer’s own system landscape, and measures designed to protect against, identify and manage responses to cyber attacks. Furthermore, the companies were asked to draw up a list of their IT service providers. Based on this information, BaFin examined in particular whether there are risk concentrations within the insurance industry, i.e. if IT service providers work for many insurers and pension funds at the same time. Problems affecting these companies could have far-reaching consequences for the industry as a whole, which is why BaFin is keen to keep a close eye on them.

In addition, the survey had a look at end-user computing, i.e. how applications developed or operated by the individual departments at the companies are used. This topic is relevant to risk calculation and the calculation of technical provisions, among other things, and is therefore of considerable interest to BaFin.


The responses received from companies provided a sound foundation of data for analysis. BaFin therefore achieved its primary objective of obtaining an initial picture of the situation in the insurance industry. As expected, there were major differences among the individual participants. While certain – mainly large – companies considered their cyber security to be very strong, others identified greater weaknesses. Every participant had at least taken basic steps towards increased cyber security, although these are in no way sufficient. Overall, the survey revealed that there is considerable room for improvement within the industry as far as cyber security is concerned. The same goes when it comes to end-user computing.

Two points bear raising in particular: first, many insurers – primarily the small ones – do not take a sufficiently systematic approach to cyber security. The management of these companies is called upon to operate in line with common standards, for instance “IT-Grundschutz”, a standard issued by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). Second, companies must better document end-user computing applications. This is necessary to avoid a monopoly on expertise, in other words a situation in which employees effectively render themselves irreplaceable due to their specialist knowledge or special abilities. Otherwise, it may be that these applications cannot be used or maintained and expanded as planned.

No excessive risk concentrations were found to affect IT outsourcing activities: BaFin did not identify any IT service providers that work for many insurers and pension funds at the same time.

Next steps

BaFin aims to begin systematically conducting supervisory IT audits. These will include not only the insurance undertakings and pension funds it supervises, but also their outsourced entities. It intends to factor the findings of the cyber survey into its selection of audit candidates and definition of focal points of the audits. The Supervisory Requirements for IT in Insurance Undertakings (Versicherungsaufsichtliche Anforderungen an die IT, VAIT - only available in German), which BaFin recently published (see BaFinJournal April 2018 and July 2018 - only available in German), will represent the basis for assessment.


Heiko Heuer
BaFin division for ad hoc inspections and special topics of insurance undertakings

Please note

This article reflects the situation at the time of publication and will not be updated subsequently. Please take note of the Standard Terms and Conditions of Use.
