As new technologies spread, cyber risks and IT security are moving into the focus of supervision. Consequently, the German Federal Financial Supervisory Authority (BaFin) published the amended Insurance Supervisory Requirements for IT (VAIT) on March 3, 2022, bringing the amendment into force on that date.
VAIT AMENDMENT FOCUSES ON IT SECURITY AND IT SECURITY RISKS
IT security has been on the radar of supervisory authorities and legislators for some time, but since the beginning of 2020 its relevance has undisputedly increased far more than anticipated. In the work programs of the regulatory authorities at both national and international level, IT risks are one of the main focus areas for the coming years.
Consequently, the requirements that the supervisory authority places on IT systems and IT operations are becoming more granular and more differentiated. Together with findings from audit practice and the publication of new requirements at the European level, this was a key driver for amending the VAIT circular. The final version makes clear that BaFin is placing further emphasis on information security and on the appropriate handling of the risks that arise from it.
Some of the changes were necessary to transpose the EIOPA Guidelines on information and communication technology security and governance into the German regulatory landscape. The fact that institutions repeatedly stand out negatively during audits when implementing the existing requirements, in this area in particular but also in authorization management and outsourcing, has certainly been a further driver for the VAIT amendment.
However, beyond the increasing regulatory pressure, it is also in the institutions' own interest to give appropriate IT security more attention. Cyber risks grow with the adoption of new technologies and must be addressed accordingly, as demonstrated by recent disruptions at various banking institutions as well as cross-cutting vulnerabilities such as Log4Shell (CVE-2021-44228).
THE CHANGES AT A GLANCE
What is new in the amendment
Instead of the previous nine subject areas, the amendment now additionally and explicitly covers operational information security as well as IT emergency management, and thus moves closer to its big sister, the Bank Supervisory Requirements for IT (BAIT). In addition, the existing chapters of the VAIT were adapted and revised.
In the Operational Information Security subject area (Chapter 5), the new VAIT requires insurance companies to do the following, among other things:
- Implement operational information security measures and processes, e.g. vulnerability management, network segmentation and control, data encryption, and multi-level protection of IT systems according to their protection needs
- Identify threats to the information network at an early stage
- Define rules for identifying security-relevant events
- Analyze security-relevant events in a timely manner and respond appropriately to information security incidents
- Review the security of IT systems regularly, at least annually for critical systems
- Manage the identified risks appropriately
The chapter on IT emergency management (Chapter 10) deals primarily with the following topics:
- Creation of an IT emergency concept
- Identification of time-critical processes and activities, as well as the IT processes supporting them, via a Business Impact Analysis (BIA)
- A risk analysis for the processes and technical facilities identified in the BIA (so-called Risk Impact Analysis)
- Creation and regular updating of IT contingency plans for time-critical processes, based on the individual risk profile and taking the protection goals into account
- Regular testing of the IT contingency plans by means of contingency tests based on a test concept, with the tests documented in writing
- Close coordination of contingency plans with the service provider in the case of outsourcing
- Proof that a sufficiently remote data center is available for time-critical activities and processes in the event of a data center failure
In addition to editorial adjustments, the VAIT amendment adds further detail to the following chapters:
- Requirements for the IT strategy (Chapter 1), e.g. a process for monitoring and measuring the implementation of the IT strategy's objectives
- IT governance requirements (Chapter 2), e.g. regular review of the IT governance requirements
- Requirements for information risk management (Chapter 3), e.g. an explanation of the risk criteria, regular identification of the protection requirements of the components of the information network, and ongoing information on threats and vulnerabilities
- Requirements for information security management (Chapter 4), e.g. an exemplary list of contents for the information security guideline, the introduction of a guideline for the regular review of protective measures, and the definition of a continuous and appropriate awareness and training program
- Requirements for identity and rights management (Chapter 6), e.g. a definition of technical users and an explanation of how their access can be attributed to an acting or responsible person
- Requirements for IT projects and application development (Chapter 7), e.g. a list of organizational principles for IT projects
- Requirements for IT operations (Chapter 8), e.g. expansion of the required inventory information to include the owners and protection requirements of the IT systems, as well as a survey of the performance and capacity requirements of the IT systems
- Requirements for outsourcing and other service relationships in the area of IT (Chapter 9), e.g. a survey and evaluation of the service requirements
CHANGES BETWEEN CONSULTATION VERSION AND FINAL VERSION
Compared to the previously known draft, BaFin has made further changes to the VAIT in the final version. These include, but are not limited to:
- Integration of outsourcing into the preliminary remark and its corresponding omission from Chapter 1 on IT strategy
- The envisaged involvement of information security management in projects has been reduced to monitoring and influencing their compliance (Chapter 4.5)
- The "impact analysis" required for significant changes to IT systems has been reduced to a general "analysis" (Chapter 7.1)
- The required elicitation and evaluation of the "functional and non-functional requirements" for a service has been reduced to the general "requirements" (Chapter 9.2)
- Editorial adjustments