Following the Minimum Requirements for Risk Management (MaRisk), Germany’s Federal Financial Supervisory Authority has now published the Supervisory Requirements for IT, also known as BAIT. This additional set of rules defines binding IT security requirements for banks.

BAIT is the Banking Supervision's first response to the challenges of an increasingly digitized world of finance. It provides hands-on guidelines for organizing IT in financial institutions, with a focus on the management of IT resources and IT risk. The provisions of the Minimum Requirements for Risk Management (MaRisk) remain in force and must continue to be implemented.
BAIT focuses on four main topics:

1. IT strategy
   Defining objectives and actions at top-management level, documenting the target state and the status quo, improving the IT infrastructure, strengthening IT security

2. Information risk management
   Fulfilling MaRisk requirements, implementing an internal control system, analyzing the necessary structures and protection needs, analyzing risks, evaluating residual risks, implementing a reporting system

3. Information security management
   Appointing an IT security officer, implementing organizational measures, developing guidelines and concepts, defining rules for handling information security breaches

4. User permissions management
   Defining clear access rights to systems and unique user identification, conducting regular audits, analyses and reports


These requirements are not a new law; they spell out obligations that already follow from existing laws and regulations. Financial institutions should therefore promptly check which of the specifications they have yet to fulfill and take appropriate action.
Challenges for top management

A systematic approach to managing risks is an essential core competency of financial institutions and an important part of a successful corporate strategy. It also makes enterprise management more complex than ever, especially in light of the high expectations of efficiency. To meet these requirements, banks must develop processes and establish standards for modern, efficient enterprise management. Governance, risk and compliance (GRC) processes are taking on a more important role in this regard. GRC sets the guidelines for transparent, sustainable enterprise and performance management that weighs risks against opportunities in order to generate value. Companies with a comprehensive GRC concept are also better placed to seize opportunities, because they have a clearer understanding of their risks and contingent liabilities.