
BaFin statement on the Heartbleed Bug
Published: 17.04.2014

On 7 April 2014 a serious security flaw was discovered in certain versions of the encryption software OpenSSL, which was subsequently termed the "Heartbleed Bug". BaFin expects that the companies under its supervision will react to IT security flaws with appropriate security measures.

The Heartbleed Bug can lead to access data being exposed (user names, passwords, private keys). Under certain conditions, data that have already been exchanged can be decrypted later on if private keys have been exposed. This can affect all types of services, such as e-mail exchange or online banking. Exposure of this data very rarely leaves traces in the affected systems. It is therefore unclear whether the flaw has previously been exploited.

BaFin points out that it has published IT security requirements for the companies it supervises in banking, insurance and securities supervision in its Circulars "Minimum Requirements for Risk Management (MaRisk BA / VA)" and "Minimum Requirements for Risk Management for Investment Companies (InvMaRisk)". These specifically require appropriate IT security management with reference to current standards.

In this respect, BaFin generally expects the companies under its supervision to define and implement appropriate IT security measures. Furthermore, these measures must be checked regularly and whenever circumstances require it. This may also involve reviewing cryptographic concepts, system architectures and the implementation of applications.

If significant damage or critical IT security incidents have occurred due to the Heartbleed Bug or similar security flaws (this also includes the period before the Heartbleed Bug was discovered), BaFin expects the companies under its supervision to inform the responsible specialist supervisory body.
