IT-Security Regulatory Update | NOvember 2022

Focus: Notification of outsourcing to BaFin

← The ADWEKO Finance Academy is launched Application Management Services (AMS) at an automotive bank in Stuttgart - a trusting collaboration →

Highlight from November 2022

Good things come to those who wait…

On November 29, the notification regulations for banks, insurance companies, capital management companies and payment service providers came into force. They deal with the notification of important outsourcings to BaFin.

“Stay up to date with our monthly regulatory update on IT Security Management!”

Entry into force of the notification requirements for outsourcing in the financial sector

True to the motto “good things come to those who wait”, the disclosure regulations under the German Banking Act (KWG), the Insurance Supervision Act (VAG), the Capital Investment Code (KAGB) and Payment Services Supervision Act (ZAG ) were published on November 28 and were already eagerly awaited. They entered into force on November 29, 2022.

The notification regulations govern the conditions under which information relating to outsourcings must be reported to BaFin. For some market participants, this is merely an extension of the existing reporting requirement, while others are facing this requirement for the first time. The list of information to be reported is extensive and includes, for example, information about the service provider, the outsourcing agreement and the outsourced activity itself.

You can find the legal texts here:

1. for notifications according to KWG:
Fourth Regulation Amending the Disclosure Regulations

2. for advertisements according to VAG:
Insurance Outsourcing Disclosure Regulations

3. for notifications according to KAGB:
KAGB Outsourcing Disclosure Regulations

4. for advertisements according to ZAG:
ZAG Disclosure Regulations

Detail of a black, white illuminated laptop keyboard

In order to support institutions in their outsourcing reporting in accordance with the new requirements, BaFin has published information on the procedure. Thisinformation is available for banks, insurance companies, capital management companies and payment service providers on the BaFin website.

There you will find further information on the scope of the reporting obligation and implementation of the notification as well as on the registration and use of the MVP portal.

Source: © German Federal Financial Supervisory Authority / www.bafin.de

IT risks and IT outsourcing in the focus of the EU

The European Parliament recently addressed the developing as well as the geopolitical risks in the financial market and the priorities of the SSM that can be derived from them.

On the side of developing risks, among others cyber risks are addressed. They result from the current circumstances, but also from a growing dependence of financial institutions on IT service providers. The latter, in particular, contributes to more interconnected risks that make assessing risk exposure a challenge for institutions. The established methods for risk measurement and management are not designed for this and therefore cannot achieve comprehensive coverage. Accordingly, Parliament sees a need for adapted or new approaches to risk management that combine qualitative and quantitative approaches. Because the origin of risks and the way they are interrelated are highly institution-specific, the SSM should also take an institution-specific approach to supervision, according to the Parliament’s position.

Additionally, IT risks, especially those related to cyberattacks, are also in focus from a geopolitical risk perspective. Between 2015 and 2021, the number of cyberattacks tripled, according to the ECB. Digitalization and increasing remote working are simultaneously enhance the vulnerability to such attacks. Mirroring Blackrock’s assessment, European regulators also see cyber risk as one of the most pressing geopolitical risks. Consequently, the ECB’s supervisory priorities already include vulnerabilities from IT outsourcing as well as cyber resilience. Accordingly, a new cyber incident reporting system was introduced, as well as closer monitoring of outsourcings and the operational risk management. The Digital Operational Resilience Act (DORA) is intended to significantly increase the resilience already achieved in this way, but it is not due to be implemented until 2024. Consequently, Parliament calls on the ECB to focus more on IT security and to be more active in its supervisory activities.

You can find the parliamentary report on the growing risks here, the report on geopolitical risks here on its website.

Source: © European Union, 2022 – EP, europarl.europa.eu

ENISA analyzes major threats to the single market

In its Threat Landscape for 2022, ENISA identifies the biggest threats and trends in IT security in the single market for the time frame from July 2021 to July 2022 and assesses their consequences.

According to the report, ransomware, malware, social engineering, data threats, availability threats (DDoS and Internet), misinformation, and supply chain attacks are the top threats. Its report takes a closer look at each threat and presents readers with techniques, significant incidents and trends, as well as support for mitigating such attacks.

According to the observations, it is becoming apparent that the geopolitical influence on IT security is increasing and new and hybrid threats will have a high effect. At the same time, the capabilities of attackers are increasing, as they focus progressively on ransomware and availability attacks. The attackers themselves are often state-sponsored, cybercriminals or hired hackers, beside them so-called hacktivists are active as well.

The Threat Landscape of ENISA can be found here on their website.

Source: European Union Agency for Cybersecurity – enisa.europa.eu

The notification obligation of important outsourcings is a requirement that will pose challenges for institutions. It makes sense to report outsourcings to BaFin in a timely manner; the outsourcing or contract registers can be used for this purpose.

We at ADWEKO are happy to assist you with our expertise in reportig your outsourcings to the supervisory authorities.

The current regulatory developments can be found here.

SRB publishes work program for 2023
FSB publishes annual report on financial stability 2022
European Parliament publishes overview of the application deadlines of the Digital Services Act
European Parliament publishes overview of application deadlines of the Digital Markets Act

European Parliament publishes briefing on NIS2
European Parliament publishes briefing on DORA
European Parliament informs about change of digital operational requirements in financial services legislation
Banking association reports on the impact of uniform cyber defense across Europe
ECB Publishes Financial Stability Report with Special Feature on IT Security
CPMI and IOSCO report on cyber resilience of financial market infrastructure.

ECJ rules on data erasure under GDPR when data is passed on by the controller
ECB joins Gaia-X to strengthen EU digital sovereignty
European Parliament publishes briefing on Digital Services Act

EIOPA publishes methodology for stress test with focus on IT
BSI citizen survey on cyber security

Cookie	Duration	Description
cookielawinfo-checkbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.