IT-Security Regulatory Update | October 2022
Focus: IT Security in Germany
Highlight from October 2022
IT security situation in Germany continues to worsen
The BSI takes a critical view of the IT security situation in Germany: more threats exist than ever before. Businesses face threats from ransomware, from vulnerabilities in open or misconfigured online servers, and from the IT supply chain.
A critical look at IT security in Germany
The latest geopolitical developments – as well as the COVID-19 pandemic since 2020 – show how significant digitization and its risks are worldwide, and for Germany in particular. Accordingly, increasing importance is being attached to IT security and cyber security, which is also reflected politically in investments and legal requirements. After all, both are essential factors for the well-being and protection of our society.
In its report for 2022, the BSI describes the overall IT security situation in Germany and concludes that the threat situation has worsened further. Resilience, prevention, and risk management have evolved greatly, but unfortunately so have the attackers’ methods. Accordingly, the BSI considers IT security and its improvement to be ongoing and ever-changing topics that must be given appropriate attention by citizens, but also by companies and public authorities.
Key findings from the BSI report include:
- Attacks on perimeter systems and DDoS attacks are occurring more frequently.
- The number of malware programs is generally on the rise; a total of 15 million reports of malware infections were received by authorities.
- Businesses face the following three top threats: ransomware, vulnerabilities in open or misconfigured online servers, and the IT supply chain.
In the first part, the BSI reports on threats to cyber security in Germany, before discussing target group-specific findings and measures in the second part and concluding the report with an overall assessment.
You can find the BSI report here on its website.
Source: Federal Office for Information Security – BSI, bsi.bund.de
IT security among ESAs’ oversight priorities for 2023
As they do annually at the end of the year, the European supervisory authorities EBA, ESMA and EIOPA (together the ESAs) report on their supervisory priorities for 2023. In addition to their respective sector-specific focus topics, the ESAs also publish a joint supervisory programme.
For 2023, the joint committee of supervisory authorities envisions the following priorities:
Sustainable Finance tops the list and is expected to gain further importance in the future; this general trend can also be observed with other authorities. Also on the agenda is the topic of IT security, where the ESAs see further work needed. An example of this is the development of further legal acts in the context of the Digital Operational Resilience Act (DORA). Furthermore, consumer protection and financial innovation, cross-sector risk analysis, securitization, rating agencies, financial conglomerates, Fit & Proper and Brexit are on the supervisory agenda in 2023.
The supervisory program of the ESAs for 2023 can be found here on their website.
Source: Joint Committee of the European Supervisory Authorities – JC of the ESAs, esas-joint-committee.europa.eu
Overarching supervisory audit priorities in 2023
Not only are supervisory priorities published toward the end of the year, but the focus for supervisory audit activities is also communicated. Accordingly, in the course of the European Supervisory Examination Programme (ESEP), the EBA publishes the audit priorities for supervisory authorities for the coming year.
Among other things, the focus in 2023 will be on operational resilience and digitalization.
For operational resilience, the EBA looks in particular at information and communication technologies (ICT). These include ICT security risks such as cyber risks, cyber testing, system vulnerabilities, security management and security awareness. Furthermore, availability risks are considered in the form of business continuity plans (BCP). This includes testing the BCP in terms of the implementation of plans by employees and service providers, the adequacy of test scenarios, and effective crisis communication to internal and external stakeholders. Finally, improving data quality in risk aggregation is considered, both within the institution and in reporting to the authority.
With regard to transition risks from digitization, the EBA focuses in particular on the impact of a company’s digitization plans on its business model and risk profile.
The supervisory authorities’ audit priorities for 2023 can be found here on the EBA website.
Source: European Banking Authority – EBA, eba.europa.eu
The increasingly tense risk situation requires ongoing active engagement and adaptation across all IT security topics. Institutions should monitor these topics, continue to build resilience, and prepare for the materialization of risks.
With our experience, we at ADWEKO are happy to assist you with our expertise in optimizing process flows and implementing the topics relating to IT security.
The current regulatory developments can be found here.
EIOPA set building a safe and sustainable EU as a strategic goal for the next three years
ESMA focuses on digital innovation, among other things, in 2023
ESMA publishes 5-year strategy with 5 focus topics
EBA presents overarching audit priorities for resolution authorities in 2023
BaFin publishes minutes of the MaRisk expert committee of 24 June 22
EDPB publishes biennial report of the Coordinated Supervision Committee.
beck-online considers a possible right of action for consumer protection associations without a specific affected party in the context of data protection
European Parliament publishes briefing on Data Act
beck-online reports on U.S. president’s executive order for possible successor to Privacy Shield
European Commission looks at implementation status of the Data Protection Regulation for EUIBs