ISMS under BAIT and the IT security act: Critical success factor for financial institutions

The impact of potential cyber attacks on company IT systems or employees using social engineering is becoming ever more business critical. By mid-2017, over half of all German companies had been affected by cyber attacks, and companies in the financial and insurance sector have been hit more often than average at around 60 per cent. Both national organizations such as the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) and international organizations like the International Monetary Fund (IMF) view the increasing number of cyber attacks as a danger to financial stability.

Basic security requirements of political/legal institutions and organizations

Political and legal institutions and organizations set out basic requirements for IT and IT security at the national level. As the federal agency within the remit of the German Ministry of the Interior, the BSI designates certain companies as operators of critical infrastructure (KRITIS). In doing so, it pursues the goal of establishing strong resilience of critical services against a range of threats, together with a clear allocation of responsibility under the national IT Security Act.

The act includes the following points in detail:

  • Minimum IT security standards for individual sectors
  • Business continuity
  • Obligation to report, especially in the case of “significant disruptions”

Financial service providers are subject to further IT security requirements on top of those set out by the IT Security Act. On the one hand, the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht or BaFin) sets minimum requirements for risk management (MaRisk BA), which already establish a high benchmark for the implementation of IT security, especially with regard to risk management in banks. On the other hand, there are the Banking Supervisory Requirements for IT (BAIT). Like the MaRisk BA, these are based on the German Banking Act (section 25a, paragraph 1 KWG) and define further management requirements for business and risk strategies and for the systems that monitor them. They serve as binding recommendations for action to improve and modernize IT security, e.g. for optimizing IT infrastructure and IT service continuity management. Aspects aimed at improving information risk management, creating a risk-conscious culture and raising awareness among employees are also relevant; an information security officer, supported by suitably qualified staff, is tasked with ensuring this. In general, the framework is principle-oriented and qualitative, leaving room for individual implementation, and a range of opening clauses allow smaller institutions to meet the requirements in a flexible manner. The focus, however, remains on the high availability of the payment system, on successful performance in the market and, ultimately, on the sustainable survival of the institution. The BAIT requirements are set out in the current 02/2017 consultation. Taken together, this results in a form of dual supervision of financial service providers, combining technical expertise (BSI) with industry-specific supervisory expertise (BaFin).

Requirement consensus for banks

Comparing the requirements of MaRisk and BAIT with the ISO 27001 standard and IT basic protection (IT-Grundschutz) shows the following: in addition to risk-oriented and data-protection-relevant aspects, they also contain specifications and expectations for information security management systems regarding preventive protection against attacks. MaRisk and BAIT require IT systems that are appropriate to a bank's operational and business requirements and to effective risk management. IT systems and personnel should help to ensure the availability, authenticity and confidentiality of data in line with its protection requirement. Specific measures for achieving this can be found in the ISO 27001 set of controls. Furthermore, BaFin, through the BAIT, specifies standards for a long-term IT strategy together with information risk management. From now on, the IT strategy is regarded as a basic prerequisite for successfully setting up information risk management. Because of this development, many banks have to modernize their existing IT architecture and infrastructure. Banks are finding that they have to adjust or completely overhaul the processes and standards for implementing their IT strategy, which can only be achieved by creating new responsibilities (e.g. a Chief Data Officer) and increasing the IT budget.

Meeting the requirements with an information security management system (ISMS)

Specific goals of an ISMS:

1: Identifying and assessing information risks

2: Introducing and developing a risk management system

3: Identifying the information requiring protection

4: Developing protective measures

5: Establishing an awareness of the importance of security in the company

6: Continual improvement of measures (PDCA cycle)

These developments mean that many banks are now faced with introducing an information security management system. For the currently designated KRITIS companies, the IT Security Act (IT-SiG) will also require the introduction of an information security management system conforming to DIN ISO/IEC 27001, together with the appropriate certification. In addition, an ISMS supports banks in managing and fulfilling further regulatory and legal compliance requirements, such as Basel II, MaRisk or the AktG. Institutions can therefore use the ISMS as a coherent set of methods, guidelines and rules which, through continuous monitoring and improvement, contributes to an increase in information security. More precisely, the ISMS defines the processes and guidelines a company uses to steer, monitor and continually improve information security in accordance with the PDCA cycle (Plan-Do-Check-Act).

ISMS certification in accordance with DIN ISO/IEC 27001

Until now, ISMS certification in accordance with ISO/IEC 27001 has been voluntary for banks. However, it takes both time and money. Companies that nevertheless aim for certification can draw on internal employees with the relevant expertise or on external advisors for the implementation. It may also be helpful to have the effectiveness and degree of implementation of the measures assessed in some form of independent pre-examination. After the high initial effort, a body accredited by the German Accreditation Body (Deutsche Akkreditierungsstelle GmbH or DAkkS), such as TÜV Süd, can carry out the certification in phase I [1] and phase II [2], together with the audit. The certificate provides proof to business partners and customers that IT security has an appropriate standing in the company. It expires after three years and must then be renewed.

The following two approaches form the basis for certification:

ISO 27001 (native)
The native approach to certification is largely process-oriented; the core element of the ISMS is a risk analysis to identify and treat risks. It also contains around 150 controls for which the company must account. The native procedure sets out no concrete recommendations for implementation.

ISO 27001 based on IT basic protection
The procedure based on IT basic protection is measure-oriented. Typical threats have already been assessed by the BSI itself, so no separate risk analysis is required. Where there is an increased need for protection, however, an additional risk analysis becomes relevant. Compared with the native procedure, IT basic protection defines around 1100 concrete measures, whose implementation is comprehensive and time-intensive.

DIN ISO/IEC 27001 certification process (TÜV Rheinland as an example)

1: Pre-audit/audit: Inventory, as-is analysis, review of documentation, testing of effectiveness

2: Certification: Certification, proof of conformity with functionality

3: Monitoring/re-certification: Annual surveillance audits, re-certification after three years

Critical success factors in the fight against cyber attacks

Many companies are already aware of cyber attacks as a growing danger, but they nevertheless face a number of challenges when it comes to implementing specific measures, ranging from implementing them quickly and effectively to a lack of clear responsibility and of specialist skills in IT security. Companies often lack personnel dedicated exclusively to IT security, yet these skills and this expertise are required in order to prevent cyber attacks effectively. A further critical success factor for cyber security is the general willingness of management and staff to change. If they are unwilling, the necessary changes may never be carried out, for example out of fear of a cultural shift or of destabilizing the company. Alongside the cyber attacks themselves, there is a danger here that the growing demands of information security and risk management will not be met. If requirements are no longer met because processes, documentation or responsibilities are missing, the consequences can be far-reaching, from contractual and legal violations to a damaged reputation. The last point should not be underestimated, as it has a direct impact on business success: IT security has become a significant competitive factor.

Work with Q_PERIOR to protect your company against cyber attacks

We provide a comprehensive security portfolio as part of our business and IT consulting. With our specialist expertise, we support you in defining an effective IT strategy to prevent cyber attacks. We accompany you on the path to ISMS certification and to meeting the BAIT requirements. What sets us apart? We help to raise awareness of information security in your company and work with you to evaluate your IT security, your business continuity management, your data protection and your IT risk management.

Q_PERIOR can provide you with support in the following fields:

  • Modernizing the processes and standards from BAIT and MaRisk
  • Analysis, conception and implementation of appropriate measures
  • Implementation of ISMS, BCMS and BDSG (data protection) requirements
  • Modernization of the IT basic protection and the ISO 27001 certification
  • Evaluation and checking of potential threats, IT infrastructure, IT security concepts and IT security management
  • Carrying out risk assessments and monitoring
  • Carrying out awareness training sessions
  • General advice on IT security and data protection topics

[1] Phase I: comprehensive document review and compliance check against the ISO 27001 requirements

[2] Phase II: determining readiness for the certification audit

Can we support you?

With Q_PERIOR, you have a strong partner at your side.
We look forward to your challenge!