Information security in the financial industry: Cloud service providers with ISO/IEC 27001 certification are the safe choice Part 3

Companies in the financial sector must comply with numerous regulations to protect data and IT systems. In addition to the GDPR, the requirements of BAIT, VAIT and KAIT are particularly relevant here.

BaFin administrative regulations

The administrative regulations (Rundschreiben) issued by the Federal Financial Supervisory Authority (BaFin) set the framework for the technical and organisational set-up of IT at companies in the German financial sector. They also lay down requirements for information security and IT governance in order to raise the level of IT security and awareness of IT risks. In principle, the requirements of BAIT, VAIT and KAIT build on the IT Security Act and ISO 27001. The terms in brief:

  • BAIT: Bankaufsichtliche Anforderungen an die IT, the supervisory requirements for IT at banks and credit institutions
  • VAIT: Versicherungsaufsichtliche Anforderungen an die IT, the supervisory requirements for IT at insurance undertakings
  • KAIT: Kapitalverwaltungsaufsichtliche Anforderungen an die IT, the supervisory requirements for IT at asset management companies (Kapitalverwaltungsgesellschaften)

These three administrative regulations interpret and in some cases supplement existing requirements, for example from the German Banking Act (KWG), the German Insurance Supervision Act (VAG), and the BaFin circulars MaRisk (Minimum Requirements for Risk Management), MaGo (Minimum Requirements for the Business Organisation of Insurance Undertakings) and KAMaRisk (Minimum Requirements for the Risk Management of Asset Management Companies).

The requirements are divided into the following eight areas:

  • IT Strategy
  • IT governance
  • Information security management (including information security officer function)
  • Information risk management
  • User access management (Benutzerberechtigungsmanagement)
  • IT projects and application development
  • IT operations
  • Outsourcing of IT services

Optional ninth requirement area

This requirement area concerns critical infrastructures and applies to those institutions which, because of the services they provide and their size, fall under the BSI Critical Infrastructure Ordinance (BSI-KritisV) and must therefore meet additional information security requirements. Critical infrastructures (KRITIS) are organisations and facilities of major importance to the functioning of society and the state; their failure would lead to supply shortages or other serious consequences. Examples are hospitals, energy and water utilities, and telecommunications providers.

BAIT, VAIT and KAIT largely coincide in content, with the exception of the critical infrastructure module. KAIT does not contain it, because the activities of asset management companies are not classified as critical infrastructure. BaFin regularly updates all three circulars in response to technological developments and changing attack vectors used by cybercriminals.

One example is the amended BAIT of August 16, 2021, which brought several extensions and adjustments. New is, for example, the chapter "Operational Information Security", which requires institutions to check the effectiveness of information security measures they have already implemented, for example through vulnerability scans, penetration tests and simulated attacks.

Also new is the chapter "IT Emergency Management" (IT-Notfallmanagement), which requires restart, emergency operation and recovery plans for time-critical processes and activities. Under BAIT, banks must now verify annually, on the basis of an IT testing concept, whether these three types of IT contingency plan are effective. In addition, the requirements for detecting and analysing security-relevant events, for security awareness training, for risk management and for physical security have been tightened.

Information security in the financial industry: recommendations for greater cloud security

  • Encrypt data at rest in the cloud and data in transit. The encryption keys should remain under the customer's control (customer-managed keys) rather than with the cloud provider
  • Use cloud firewalls and comparable controls to inspect and filter traffic to and from the cloud
  • Harden and manage the endpoints that access cloud services, mobile devices in particular
  • Require multi-factor authentication: a password combined with a smart card, a hardware security token or a biometric factor (fingerprint, iris scan, voice recognition)
  • Use role-based access control with least-privilege permissions: users should only be able to access the data they actually need for their role
  • Back up cloud data regularly and test that the backups can actually be restored
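The first recommendation, encrypting data before it reaches the cloud with keys that stay with the customer, is illustrated below with an added example. It is not code from the original article or from aigner business solutions. It assumes the customer generates and keeps an AES-256 key (in practice in its own HSM or key management system), uses only Go's standard library, and the bucket, object name and account record are constructed sample data. The object name is bound as additional authenticated data so that the provider can neither read the object nor silently modify it or swap it for another object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keyLen is the AES-256 key size. The key is generated and stored on the
// customer side (assumption: the customer's own HSM or KMS); the cloud
// provider never receives it.
const keyLen = 32

// ErrTamper is returned when a downloaded object does not authenticate:
// it was modified in the cloud, decrypted with the wrong key, or swapped
// for a different object.
var ErrTamper = errors.New("object failed authentication: tampered, swapped or wrong key")

// NewCustomerKey generates a fresh 256-bit key on the customer side.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AES-256-GCM AEAD used for both Seal and Open.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext before upload. The object name is bound as
// additional authenticated data (AAD), so a ciphertext stored under one
// name cannot be served back under another. Output: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst prepends it to the ciphertext so Open can recover it.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a downloaded object and verifies its integrity and its
// binding to objectName. Every failure is reported uniformly as ErrTamper.
func Open(key, sealed []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrTamper
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectName))
	if err != nil {
		return nil, ErrTamper
	}
	return pt, nil
}

// bucket is a constructed stand-in for the provider's object store. It only
// ever holds ciphertext, which is the point of customer-held keys.
type bucket map[string][]byte

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	store := bucket{}
	name := "customers/4711/account.json"                                    // constructed object name
	record := []byte(`{"iban":"DE00 0000 0000 0000 0000 00","balance":1234.56}`) // constructed sample record

	sealed, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	store[name] = sealed
	fmt.Printf("provider stores %d bytes of ciphertext and holds no key\n", len(store[name]))

	// Legitimate download and decryption with the customer's key.
	pt, err := Open(key, store[name], name)
	fmt.Printf("customer decrypts: %s (err=%v)\n", pt, err)

	// Someone with access to the bucket flips one byte of the stored object.
	store[name][len(store[name])-1] ^= 0x01
	_, err = Open(key, store[name], name)
	fmt.Println("after tampering in the cloud:", err)
}
```

In practice the per-object key would itself be wrapped by a master key in the customer's HSM (envelope encryption), and a nonce must never be reused under the same key; the random 96-bit nonce used here is acceptable for object counts well below the 2^32 birthday bound, otherwise derive per-object keys.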

This is the third part of the blog article series; the first and second parts are available separately.

If you have any questions about information security or data protection, please contact your aigner business solutions GmbH team. Simply use our contact form for this purpose. You can also reach us by phone at our headquarters in Hutthurm on +49 (0) 8505 91927 – 0 or at our branch office in Munich on +49 (0) 89 413 2943 – 0.
