Source: Bundesanstalt für Finanzdienstleistungsaufsicht
BaFin has identified a number of IT deficiencies, some of them serious, since the publication in summer 2018 of its VAIT, the Insurance Supervisory Requirements for IT (see info box). Since then, the supervisory authority has inspected 16 undertakings, including large and smaller primary insurers, pension funds and reinsurers. None of these undertakings fully complied with the VAIT at the time of the inspection. The good news is that the undertakings are using the IT inspections as an opportunity to further implement the VAIT.
Definition: Insurance Supervisory Requirements for IT
BaFin published its circular on Insurance Supervisory Requirements for IT (Versicherungsaufsichtliche Anforderungen an die IT – VAIT) in July 2018 and expanded it in March 2019 to include a section on critical infrastructure. The VAIT contain information about how BaFin interprets the provisions laid down in the German Insurance Supervision Act (Versicherungsaufsichtsgesetz – VAG) on the system of governance of insurance undertakings, which concern the technical and organisational resources of such undertakings.
The key aim of the VAIT is to provide the management boards of the undertakings with a flexible and practice-oriented framework for their IT structures, in particular for the management of IT resources and for IT risk management. In times of ever-increasing digitalisation, the VAIT form an essential building block in the effective supervision of the insurance sector.
BaFin identified severe findings regarding information risk management and information security management in most of the insurance undertakings inspected. The classification “serious” is the highest category in BaFin’s assessment scale, following “minor”, “moderate” and “substantial”. In some cases, BaFin did not find any internal processes within the undertakings that were sufficient to identify and assess information risks. Added to this, the undertakings often did not determine the level of protection required for the information. They were therefore limited in their ability to appropriately manage information risks.
Detecting IT security incidents more quickly
In information security management, there was often a lack of automated processes aimed at detecting IT security incidents quickly to allow countermeasures to be taken in a timely manner. For example, BaFin noted that although insurance undertakings automatically monitored operating systems and network activities, they often did not include other important software applications and hardware components. This resulted in a security risk for the undertakings’ entire IT systems.
In user access management, BaFin identified “substantial” findings in more than half of the undertakings inspected. In numerous cases, the undertakings had no requirements in place regarding the granting of access rights. In other cases, the undertakings did not regularly review the access rights that had already been granted. As a result, these undertakings were unable to adequately monitor and manage user and access rights for software applications, databases and network access. They therefore ran the risk of being unable to prevent, or at least subsequently detect, unauthorised access to confidential information.
Improving monitoring of external IT service providers
The inspections revealed deficiencies in many insurance undertakings with regard to their monitoring of external IT service providers. Since insurers often rely on external service providers to perform many different kinds of IT services, it is essential that they are aware of the risks involved. In particular, in the case of IT services not covered by the concept of outsourcing under supervisory law, such as the procurement of hardware and software, insurers often failed to conduct a prior risk analysis and therefore did not comply with their obligation to identify and manage risks.
BaFin’s inspections also showed that, up to now, a small number of insurance companies have transferred extensive portions of their business processes to cloud service providers. Nonetheless, the clear tendency towards outsourcing more data storage and processing power to cloud providers can also be seen in the insurance industry. BaFin will pay closer attention to this aspect in future inspections.
BaFin requested the undertakings to address the deficiencies and close IT security gaps. In addition, it expects all undertakings to seize the opportunity to further improve their IT security with the aid of the VAIT. A panel of experts set up by BaFin, consisting of supervisors alongside representatives of insurance undertakings and of their industry associations, provides a platform for close professional cooperation. The panel supports the industry in implementing the VAIT and addresses relevant issues in the field of IT and cyber security. BaFin plans to conduct the next round of inspections in 2021 and 2022.
“With a name like ‘sure’”: article by Dr Frank Grund, Chief Executive Director for Insurance and Pension Funds Supervision, in BaFinPerspectives Issue 1 2020 (“Cyber security”)
“Hackers are stepping up their pace”: interview with Raimund Röseler, Chief Executive Director of Banking Supervision, expert article on the BaFin website dated 25 September 2020
BaFin Division for IT Inspections and Inspection/Supervision Support
BaFin Division for Governance incl. ORSA (Qualitative), Risk Management; Interface with Directorate IT Supervision (GIT)
Dr Frank Grund, Chief Executive Director of Insurance and Pension Funds Supervision, on the IT inspections carried out by BaFin.
“Insurers are a favourite target for cyber attacks”
Dr Frank Grund, the results of the IT inspections carried out at selected insurance undertakings were rather mediocre. What does that say about IT security in Germany’s insurance industry as a whole?
The inspections we carried out do not constitute a representative study. But, given that we looked at very different undertakings and found that there was not a single “model student” among them, we are using our inspections as an opportunity to appeal to insurers once again to do their homework. In other words: to implement the VAIT in full.
Have insurers often been the target of cyber attacks?
Insurers are a favourite target for cyber attacks. That won’t come as a surprise to anyone: insurance undertakings accept funds and deal with substantial sums of money, as well as vast amounts of highly sensitive data. We can currently only speculate as to the exact number of attacks that actually strike insurers. This is in part due to the fact that, unlike in the banking sector, there is no reporting requirement for the insurance industry as a whole. However, “DORA” envisages the establishment of a reporting requirement for the entire financial sector. The “Digital Operational Resilience Framework for financial services” is a legislative proposal by the European Commission. The proposal was published only recently, on 24 September 2020, and is currently still being negotiated by the member states.
What is your overall assessment of the situation?
Insurers are still faced with a serious threat. It is therefore all the more important that insurers develop a protective armour against outside threats. But alongside deliberate external attacks, insurers must also prevent internal security incidents. Accidental security glitches within an undertaking or on the part of service providers must be detected, rectified and, at the very latest, prevented before they can happen again. We will soon see whether undertakings have learnt from our inspections, since we are planning to conduct not only inspections of additional undertakings, but also follow-up inspections of the undertakings we have already visited. In my view, BaFin’s VAIT are showing the insurance industry the right way forward.