IT-Security Regulatory Update | January 2023
Focus: IT-Grundschutz-Compendium 2023, risks and trends in 2023
Highlight from January 2023
Publication of the IT-Grundschutz Compendium 2023
The BSI has published its IT-Grundschutz-Compendium in the 2023 edition. Familiarize yourself with the adjustments using the BSI change document!
IT-Grundschutz Compendium Edition 2023
Every year, the BSI publishes an updated version of the IT-Grundschutz-Compendium. 2023 is no exception, and so Edition 2023 was published at the beginning of February.
In the course of the update, the BSI has made the following changes:
- Ten new modules have been added across five layers of the compendium. Among other things, these cover IT operations (OPS.1.1.1) and outsourcing (OPS.2.3 and OPS.3.2); in the outsourcing area, two existing modules have been replaced by the newly added ones.
- 21 modules of the 2022 edition have been extensively revised. This applies, for example, to the crypto concept (CON.1) and data protection (CON.2), but also to Active Directory (APP.2.2) and the modules relating to premises and infrastructure (INF.1, INF.2 and INF.10).
- A structural revision took place for all modules.
- Furthermore, linguistic adjustments were implemented.
In addition to the modules themselves, the BSI has revised the cross-reference tables. These now only list the hazards that directly affect the target object.
As usual, the BSI provides the IT-Grundschutz-Compendium in various formats:
- The complete IT-Grundschutz-Compendium in the edition 2023 here;
- the individual modules of the compendium here;
- the structure of the compendium here;
- the version in Word here; and
- the version in xml here.
In addition, BSI has developed the following supporting materials:
- A change document that lists and describes all changes made, here; and
- the revised cross-reference tables here.
Source: Federal Office for Information Security – BSI, bsi.bund.de
Focus risks in 2023 from BaFin’s perspective
At this year’s press reception, BaFin’s president outlined some of the risks that will be of particular concern to the authority in 2023. The six focus risks include IT risks, particularly in the context of cyberattacks.
The report highlights that the likelihood of disruptions in the IT operations of financial service providers continues to increase. Although a large number of these are triggered internally, this is no reason to give the all-clear: intentionally caused IT incidents have the potential to cause very high damages. Moreover, this risk does not only affect individual institutions. The increasing number of outsourcing arrangements and the growing interconnectedness of institutions, both among themselves and with outsourcing companies, which in turn are connected with each other and with their subcontractors, are exacerbating this risk. An IT incident at one institution or service provider along the outsourcing chain has the potential to directly or indirectly impact various other financial institutions. The consequences may therefore be felt in large and/or significant parts of the financial system.
Furthermore, one of the trends presented also has a bearing on IT risk: digitization, and in particular the lack of it. Many institutions operate on outdated IT infrastructures, making them much more vulnerable to IT security incidents, disruptions and failures.
To counter this development and mitigate the growing risk, BaFin is planning close monitoring of multi-client service providers as well as additional audit procedures. Further, it will closely oversee the implementation of DORA’s requirements.
The BaFin press release on the press reception and the focus risks for 2023 can be found here.
Source: © German Federal Financial Supervisory Authority / www.bafin.de
Cyber resilience as a trend for 2023
In addition to BaFin, the EU Commission is also dealing with issues that will be particularly relevant in 2023. In the EU-wide context, the European elections in 2025 are already being considered. Furthermore, ESG and climate-related topics are also a trend that will accompany us in 2023.
Additionally, cyber resilience is expected to be particularly relevant. The report approaches the topic through the heat map as well as the cybersecurity of critical infrastructures before moving on to the increasing operational resilience of the EU. However, it also looks at the risks to private households that the Cyber Resilience Act is intended to address. In addition, the focus is shifting to the supply chain and to high-risk service providers along the supply chain.
Finally, the Commission addresses the skills gap in the cybersecurity sector and outlines various measures to close it.
You can find the analysis of the EU Commission here on their website.
Source: European Commission – ec.europa.eu
The IT-Grundschutz-Compendium in the 2023 edition brings with it some new content and adjustments. As a reference document covering a multitude of topics around IT security, it is worth reading in any case.
The focus topics and risks shared by BaFin and the EU Commission also show the continuing relevance of IT security.
We at ADWEKO are happy to assist you with our expertise in the orientation and implementation of specifications relating to IT security.
The current regulatory developments can be found here.