The Supervisory Requirements for IT in Insurance Undertakings (VAIT), published by Germany’s Federal Financial Supervisory Authority (BaFin) in its Circular 10/2018, specify the minimum supervisory requirements for the system of governance of insurance undertakings (the minimum regulatory requirements for the business organization of insurance companies) as well as the requirements under the German Insurance Supervision Act (VAG) with respect to the management processes and measures for IT security, IT risks, and IT processes.
The Circular is addressed to all undertakings falling under §1 para. 1 VAG. That includes primary insurers and reinsurers as well as groups of primary insurers and reinsurers for which BaFin holds regulatory oversight.
The VAIT provide a framework for appropriate deployment of information technology (IT) within the organizational and operational structure at undertakings and address the following domains:
1. IT strategy
2. IT governance
3. Information risk management
4. Information security management
5. User access management
6. IT projects and application development
7. IT operations
8. Outsourcing and other IT services
The following elucidates the requirements pertinent to IT strategy, IT governance, information risk management, and information security management, as well as potential methods for internal auditing in the domains cited above.
IT strategy is the central instrument for steering IT at an undertaking. It establishes clear objectives and general conditions for IT deployment and accordingly needs to be consistent with business strategy.
An IT strategy consistent with the VAIT must primarily address the following subjects:
- Strategic development of the organizational and operational structure (role description, positioning, self-conception of IT)
- Outsourcing and other services (whether a dedicated sourcing strategy is needed depends on complexity)
- Definition of the standards applied at the undertaking
- Responsibility for and integration of information security (description of the significance of information security, its embedding in the departments, and collaboration with IT service providers)
- Strategic development of the architecture (elaboration of a target vision)
- IT contingency management
Translating the IT strategy into a target operating model (TOM) makes its subsequent operational implementation easier. A TOM encompasses a variety of aspects, such as governance, processes, and organization, and therefore also constitutes the framework for the further aspects of the VAIT.
The VAIT must be followed when elaborating an IT strategy. While it can be challenging to adapt the generic VAIT requirements to an undertaking’s specific situation, you can leverage our many years of experience, especially in regulatory matters, to bolster your IT strategy. We have references and procedural models for TOM implementation specific to the insurance sector.
IT governance describes the aggregate of guidelines, procedures, and processes at an undertaking to ensure IT complies with internal and external requirements (including business strategy, laws, regulations, etc.). IT governance plays a central role in VAIT implementation.
In order for an insurance undertaking to meet its objectives and compliance requirements as well as possible, IT governance should, at a minimum, encompass the following aspects:
- Provisions regarding IT organization and operation
- Integrity, availability, authenticity, and confidentiality of data
- Steering of the operation and enhancement of IT systems
- Measures for adequate staffing
- Measures for guaranteeing appropriate technical and organizational resources
Rules in IT governance should be derived from IT strategy and implemented with a high degree of efficacy accordingly. Thus, the development of IT strategy and IT governance should always be coordinated under the overall responsibility of the management board.
Implementation is oriented toward planning, steering, and transferring the existing organizational and operational structure to the target operating model. This transfer also needs to secure continual improvement and account for regulatory changes. To that end, ongoing auditing and adjustment measures need to be established within IT governance. That is why Q_PERIOR supports its customers not only in introducing IT governance, but also in making it more adaptable. In collaboration with our customers, we align organizations and processes so that they can react swiftly and efficiently to future requirements.
Information risk management (IT risk management)
Information risk management or IT risk management as addressed in the VAIT primarily encompasses the identification, assessment, steering, monitoring, and reporting of IT risks across all levels of the undertaking. The objective is to render significant IT risks transparent and allocate suitable risk-reducing measures, controls, and/or contingency plans.
The implementation of functional IT risk management is essential, as IT is used for nearly all business activities and therefore constitutes the backbone of an undertaking. Yet IT is growing more and more complex, which means there is also increased susceptibility to errors. That susceptibility leads to internal and external threats alike gaining even more potential for impacting IT.
In order to counter such threats, VAIT justifiably requires that the tasks, competences, responsibilities, controls, and communication channels associated with IT risk management be suitably defined and aligned with one another. Within the scope of the requisite identification, assessment, steering, and monitoring processes, it is necessary to determine the level of protection and protective measures needed for the respective IT operations and to define measures for managing the remaining residual risks.
The challenges for undertakings include:
- performing ongoing risk analysis based on predefined IT risk criteria
- coordination, steering, monitoring, and documentation of risk-reducing measures and controls
- approval of the findings from risk analysis and their transfer to the management process for operational risks (OpRisk)
This implies that significant IT risks and key controls will feed into the internal control system (ICS) within the scope of OpRisk management.
This makes it possible to leverage synergies, reduce expenditures, and render results capable of comparison. We look forward to deploying the expertise we have garnered from countless conceptualization and implementation projects to provide you with support in implementing, optimizing, and/or linking methods and assessments at your undertaking.
Information security management
Information security, and by extension information security management, is a significant component of the business policy at an undertaking. Information, as well as the processes and systems implemented for processing it, is to be regarded as a fundamental asset. To protect these assets, it is necessary to ensure the security, confidentiality, availability, integrity, and authenticity of data.
Today, most information is largely created, stored, transported, or further processed with IT. That makes it indispensable to have reliable information processing and suitable information security management.
Information security management under VAIT specifies rules on information security, defines corresponding processes, steers their implementation, and follows an ongoing process encompassing the phases of planning, implementation, performance monitoring, and optimization. The significant VAIT core requirements pertaining to information security management are:
- The creation of a written information security guideline. That guideline must be in alignment with the undertaking’s strategies, adopted by the management board, and duly communicated within the organization.
- Definition of more specific information security guidelines and information security processes for the sub-processes of identification, protection, detection, response, and recovery on the basis of the overarching information security guideline.
- Establishment of the information security officer function. This monitoring function ensures, internally as well as with respect to third parties, that the objectives and measures laid out in the IT strategy, the overarching information security guideline, and the more specific information security guidelines are transparent and that compliance with them is reviewed and monitored.
The primary function of information security processes is the attainment of predefined protection objectives. That includes the prevention of potential information security incidents as well as identification of and reaction to information security incidents that have already occurred.
Q_PERIOR will support you in defining a strategy for preventing information security incidents and work with you to evaluate your information security processes. Upon request, we will also accompany you along the path to ISMS certification and create greater awareness for information security at your undertaking via sensitization training.
Potential focal points during internal auditing
The VAIT lay out the regulatory frame for IT at an insurance undertaking and therefore embody a suitable benchmark for internal auditing. Their explicit naming of topics affects the risk-oriented audit approach as well as potential focal points during internal audits.
This raises the question of what an audit universe needs to look like under the VAIT and what audits need to cover. The following shows examples of some of the audit items that can be derived from the VAIT:
- Derivation from business strategy
- Development of IT organization and operation
- Outsourcing of IT services
Information risk management (IT risk management)
- Provisions on information risk management
- Risk management system, including risk inventory
- Risk management report
- Integration into the central risk management system and/or internal audit system
Information security management
- Information security guideline, information security guidelines, and information security processes
- Information security officer and potential conflicts of interest
- Information security report
- Information security incidents and their effects on information security
Q_PERIOR will provide you with support in planning and executing IT audits in compliance with the VAIT requirements.
The regulatory depth and scope of VAIT is not exhaustive
In elucidating the current legal foundations via the VAIT, BaFin is looking to account for the growing significance of IT and the associated growing IT risks. Risks should be rendered transparent and controllable, and awareness of IT risks should be raised with respect to one’s own organization and external IT service providers alike.
The requirement of creating transparency in the risk situation and studying IT risks across all organizational levels is reflected in all VAIT domains and represents an integral component to the individual requirements.
However, these principle-oriented requirements are not an exhaustive catalog and therefore do not exhaustively represent regulatory depth or scope. Accordingly, every undertaking will still have obligations beyond the specifications laid out in the VAIT to implement common IT standards and account for state-of-the-art technology.