The amendment of BAIT for 2021 brings new requirements for credit institutions. At the same time, BaFin faces the challenge of implementing in Germany the EBA's Guidelines on security measures for operational and security risks under PSD2 and its Guidelines on ICT and security risk management. This is to be completed by 31 December 2020 through an amendment to the BAIT (banking supervisory requirements for IT). First drafts have already been discussed and commented on in the institutions and associations.
BAIT 2021 focuses on IT security
With a separate new chapter, operational IT security moves further into focus. The requirements formulated there can only be fulfilled with a Security Information and Event Management (SIEM) system. This also includes establishing and operating a Security Operations Centre (SOC). Regular operational checks are required. These include:
- internal deviation analyses
- vulnerability scans
- penetration tests
- the simulation of attacks (“red teaming”)
The new requirements of BAIT 2021 lead to the establishment of a professional cyber security infrastructure, which means extensive and independent internal information security structures.
The management assumes overall responsibility
It is noticeable that the draft does not merely refer to the responsibility of the management: the management is explicitly required to acknowledge overall responsibility for information security. This also includes being informed regularly about the matters concerned and deciding how security risks are to be dealt with appropriately.
Requirements for IT emergency management are consolidated
We expect further changes in the area of IT emergency management. The requirements from BAIT will be consolidated with those from section AT 7.3 of MaRisk, creating uniform national requirements. In addition, we expect the requirements regarding emergency planning and prevention, BCM, disaster recovery and backup strategies to be tightened and specified. In our view, outsourcing to service providers will also be covered by the revised version.
Financial institutions face major challenges
According to the assessment of the SRC experts for bank compliance, the expected changes will pose great challenges for the affected institutions, especially with regard to the required know-how and the limited resources on the labour market.