The amendment of the BAIT for 2021 brings new requirements for credit institutions. For its part, BaFin faces the challenge of implementing the EBA's Guidelines on security measures for operational and security risks under PSD2 and the EBA's Guidelines on ICT and security risk management in Germany. This is to be completed by December 31, 2020 with an amendment to the BAIT (Bankaufsichtliche Anforderungen an die IT, the banking supervisory requirements for IT). Initial drafts have already been discussed and commented on by the institutions and associations.
BAIT 2021 puts the focus on IT security
With a separate, new chapter, operational IT security moves further into focus. The requirements formulated there can realistically only be met with a security information and event management system (SIEM), which in turn implies establishing and operating a Security Operations Center (SOC). Operationally, regular reviews are required. These include:
- internal variance analyses (comparing the target and actual state of security measures)
- vulnerability scanning
- penetration tests
- the simulation of attacks ("red teaming")
The new requirements of BAIT 2021 therefore amount to establishing a professional cyber security infrastructure, meaning extensive and independent internal information security structures.
The management assumes overall responsibility
It is noticeable that the draft does not merely refer to the responsibility of the management. Management is explicitly required to acknowledge its overall responsibility for information security. This also includes being informed regularly about information security matters and deciding how security risks are to be dealt with appropriately.
Requirements for IT emergency management are consolidated
We expect further changes in the area of IT emergency management. The requirements from the BAIT will be consolidated with those from section AT 7.3 of MaRisk, resulting in uniform national requirements. We also expect the requirements regarding emergency planning and preparedness, business continuity management (BCM), disaster recovery and backup strategies to become stricter and more precise. In our view, outsourcing to service providers will also be covered by the new version.
Banks face major challenges
According to the SRC experts for banking compliance, the expected changes will pose major challenges for the affected institutions. This concerns in particular the know-how required and the limited availability of suitably skilled staff on the labor market.