ITSM Regulatory Update | October 2022

Focus: IT Security in Germany

Highlight from October 2022

IT security situation in Germany continues to worsen

The BSI takes a critical view of the IT security situation in Germany: more threats exist than ever before. Businesses face threats from ransomware; from vulnerabilities in open or misconfigured online servers; and from the IT supply chain.

“Stay up to date with our monthly regulatory update on IT Security Management!”

A critical look at IT security in Germany

The latest geopolitical developments – as well as the COVID-19 pandemic since 2020 – show how significant digitization and its risks are worldwide, and in Germany in particular. Accordingly, increasing importance is being attached to IT security and cyber security, which is also reflected politically in investments and legal requirements. After all, both are essential factors for the well-being and protection of our society.

In its report for 2022, the BSI describes the overall IT security situation in Germany and concludes that the threat level has continued to rise. Resilience, prevention, and risk management have evolved greatly, but unfortunately so have the attackers’ methods. Accordingly, the BSI considers IT security and its improvement to be ongoing and ever-changing topics that must be given appropriate attention by citizens, but also by companies and public authorities.


Key findings from the BSI report include:

  • Attacks on perimeter systems and DDoS attacks are occurring more frequently.
  • The number of malware programs is generally on the rise. In total, 15 million reports of malware infections were received by the authorities.
  • Businesses face the following three top threats: ransomware; vulnerabilities in open or misconfigured online servers; and the IT supply chain.

In the first part, the BSI reports on threats to cyber security in Germany, before discussing target group-specific findings and measures in the second part and concluding the report with the bottom line.

You can find the BSI report here on its website.

Source: Federal Office for Information Security – BSI, bsi.bund.de


IT security among ESAs’ oversight priorities for 2023

As they do annually at the end of the year, the European supervisory authorities EBA, ESMA and EIOPA (together, the ESAs) report on their supervisory priorities for 2023. In addition to their own respective industry-specific focus topics, the ESAs also publish a joint supervisory program.

For 2023, the joint committee of supervisory authorities envisions the following priorities:

Sustainable Finance tops the list and is expected to gain further importance in the future. This general trend can also be observed with other authorities. Also on the agenda is the topic of IT security, where the ESAs see further work needed. An example of this is the development of further legal acts in the context of the Digital Operational Resilience Act (DORA). Furthermore, consumer protection and financial innovation, cross-sector risk analysis, securitization, rating agencies, financial conglomerates, Fit & Proper and Brexit are on the supervisory agenda in 2023.

The supervisory program of the ESAs for 2023 can be found here on their website.

Source: Joint Committee of the European Supervisory Authorities – JC of the ESAs, esas-joint-committee.europa.eu

Overarching supervisory audit priorities in 2023

Not only are supervisory priorities published toward the end of the year, but the focus for supervisory audit activities is also communicated. Accordingly, in the course of the European Supervisory Examination Programme (ESEP), the EBA publishes the audit priorities for supervisory authorities for the coming year.

Among other things, the focus in 2023 will be on operational resilience and digitalization.

For operational resilience, the EBA looks in particular at information and communication technologies (ICT). These include ICT security risks such as cyber risks, cyber testing, system vulnerabilities, security management and security awareness. Furthermore, availability risks are considered in the form of business continuity plans (BCP). This includes testing the BCP in terms of the implementation of plans by employees and service providers, the adequacy of test scenarios, and effective crisis communication to internal and external stakeholders. Finally, improving data quality in risk aggregation is considered, both within the institution and in reporting to the authority.

With regard to the transition risks of digitization, the EBA focuses in particular on the impact of a company’s digitization plans on its business model and risk profile.

The supervisory authorities’ audit priorities for 2023 can be found here on the EBA website.

Source: European Banking Authority – EBA, eba.europa.eu


The increasingly severe risk situation requires ongoing active engagement and adaptation across all IT security topics. Institutions should monitor these topics, continue to build resilience, and prepare for the materialization of risks.

With our experience, we at ADWEKO are happy to assist you with our expertise in optimizing process flows and implementing the topics relating to IT security.

Talk to Pia Streicher!