Digitalization is advancing. Many companies, including banks and financial service providers, are moving towards a paperless office or to multi-channel distribution via the internet, mobile apps and similar channels. On the one hand, larger server and storage capacities, faster computers and data lines, and correspondingly shorter response times enable more rapid communication with the customer. On the other hand, this change also brings with it practically daily attacks by hackers on the computer systems of German banks, i.e. on their operating and application software.
Looking at IT security in the finance sector, banks and other financial service providers are particularly attractive targets. Hackers are after not only the bank's money but also its customer data. A typical financial institution is attacked an estimated 80 to 100 times per year, and the number of cyber attacks continues to rise both nationally and globally. The variety of attack methods and entry points poses a high risk and can cause significant disruption to operational processes: operational interruptions, data loss or data protection violations, reputational damage, loss of assets, and even so-called "cyber liabilities", i.e. liability claims from the customers concerned. Such attacks are now also recognized as serious dangers by the regulatory authorities (the European Central Bank, the Federal Financial Supervisory Authority (BaFin) and the Deutsche Bundesbank), quite apart from the forthcoming requirements on operators of critical infrastructures, which some larger banks already have to deal with. This concern is heightened where the supervisors also have the impression that the banks' IT security systems suffer from deficiencies. The supervisors of the European Central Bank, the Bundesbank and BaFin reached exactly this conclusion when examining banks' IT systems, as BaFin President Felix Hufeld reports in an interview in the BaFin Journal. As a consequence, banks must expect higher capital requirements where such IT deficiencies exist. Cyber risk can therefore now be counted among the major risks for the German financial sector. Although only banks are mentioned in this context, it can be assumed that corresponding examinations will in due course also be carried out at other regulated companies such as financial service providers or insurers.
The term "cyber" essentially refers to computer-controlled processes and the virtual worlds they generate. The following attacks, amongst others, count as cyber risks:
Looking at these examples, it quickly becomes clear that most cyber attacks rely on something being brought into the institution from outside, for example a previously modified USB stick, or a small Trojan program smuggled into the internal IT environment via an email. External attackers therefore generally need some form of internal access, whether a plugged-in device or a user who opens an attachment, in order to influence the bank's technology in this way. In this respect, it may be assumed that the cause of such a risk is roughly 70% "internal".
For this reason, a major focus should be placed on the internal risk situation, i.e. on awareness. Awareness also means actually living by the BSI principles in day-to-day work. When an operational error occurs, it should not have personal consequences for the employee concerned, since otherwise mistakes will be concealed wherever possible. The better principle is: if something happens, carry out internal training so that the mistake does not recur. Deliberate misconduct is naturally excluded from such a principle.
The measures to be implemented are, however, not limited to the company itself but also extend to its outsourced services. The number of access points grows as banks shift more and more IT areas to specialized providers. In addition, the external service providers commissioned by banks pass on specific activities, such as software development, to further subcontractors, and these outsourcing chains are increasingly coming into the focus of banking supervision.
In addition to the established publication on the minimum requirements for risk management (MaRisk), BaFin has issued a further circular on the supervisory requirements for IT in financial institutions (BAIT). It is intended to raise awareness of cyber risks at management level as well; besides defining an IT strategy, this includes, for example, implementing suitable damage management.
As is often the case, the devil is in the detail. Q_PERIOR stands by you as a reliable partner with specialist and IT experts and will accompany you through the implementation of your IT security. There is a lot you can do in preparation for the audit. Because of the significant "internal" risk situation, we focus on testing and consultancy on the topic of awareness. This includes:
Testing and consultancy on strategy:
Testing / consultancy on IT security: