Certificate Course “Information Security Officer for Credit Institutions” — November 16 to 19, 2021

The German Banking Act (KWG) and MaRisk require banks to ensure the integrity, availability, authenticity and confidentiality of data in their IT systems and processes. But secure and efficient IT is also absolutely essential for the economic success of a credit institution.

The new “Banking Supervisory Requirements for IT” (BAIT) formulate concrete expectations. Among other things, the Federal Financial Supervisory Authority (BaFin) calls in its directive for the newly established function of an “information security officer”. This officer controls the information security process and reports directly to the management.

In cooperation with the publishing house Bank-Verlag, SRC has successfully run several certificate courses leading to the qualification “Information Security Officer (ISB) for Credit Institutions” since 2016. After the great response and the continuing demand, we are pleased that Bank-Verlag has made a further date for this four-day certificate course possible.

From 16 to 19 November 2021, you will again have the opportunity to train as an “Information Security Officer (ISB) for Credit Institutions” on the premises of Bank-Verlag GmbH in Cologne.

Attention! Online course

Taking into account the current Covid-19 situation, we offer both the certificate course “Information Security Officer (ISB) for Credit Institutions” and the optional basic IT seminar as online courses.

Together with Heinrich Lottmann (TARGOBANK AG & Co. KGaA) and Alexandros Manakos (HSBC Germany), the SRC experts Dagmar Schoppe, Florian Schumann and Dr. Deniz Ulucay will lecture and provide you with comprehensive information on the norms and standards according to ISO and IT-Grundschutz, as well as on all legal and regulatory requirements relevant to you as an ISB. In addition, IT risks, emergency precautions and business continuity management will be addressed.

After passing the final examination, you will receive the certificate “Information Security Officer for Credit Institutions”.

Optionally, you have the opportunity to acquire the basic IT knowledge required for the course in a one-day intensive seminar on 15 November 2021 in Cologne prior to the event. This seminar deals with the basics, terms, encryption and IT security techniques in information technology.

SRC expert Botermann | DLT for IT service providers in the banking environment

Crypto assets based on blockchains are stirring up many states and companies, as well as the world of banks and their IT service providers.

Distributed ledger technology (DLT for short) is the term for the technology of “distributed ledgers”. The key difference: transactions are legitimised in a decentralised manner and stored with the participants. As a disruptive technology, DLT makes numerous intermediation and clearing points redundant. Banks are threatened with the loss of their position as anchors for trustworthy transactions.

But this is precisely where the prospects for future business models lie, since it is precisely the banks that traditionally have expertise in the safekeeping of confidential information. The decisive technical trust anchor of every transaction via DLT is the customer’s private key. The trusted management of this private key may prove to be a perspective for the evolution of banks’ business models.
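To make the two statements above concrete (transactions are legitimised by the participants themselves, and the customer’s private key is the trust anchor), here is an added example in Go that is not part of the original article or of SRC’s material. It builds a constructed, minimal ledger: a transfer is valid only if it carries an Ed25519 signature from the private key matching the sender’s public key, and two independent participants each verify and apply it without any central clearing point. It then shows that a tampered copy and a transfer signed with someone else’s key are refused, which is exactly why custody of the private key decides who controls the assets. All names (`Tx`, `Ledger`, `Scenario`) and the balances are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Tx is a constructed, minimal transfer record. Sender and Recipient are the
// public keys identifying the accounts; Signature must come from the private
// key that matches Sender.
type Tx struct {
	Sender, Recipient ed25519.PublicKey
	Amount, Nonce     uint64 // Nonce makes each transfer unique (replay protection)
	Signature         []byte
}

// message serialises every field except the signature; this is what gets signed.
func (t Tx) message() []byte {
	var num [16]byte
	binary.BigEndian.PutUint64(num[:8], t.Amount)
	binary.BigEndian.PutUint64(num[8:], t.Nonce)
	msg := append([]byte{}, t.Sender...)
	msg = append(msg, t.Recipient...)
	return append(msg, num[:]...)
}

// Sign authorises the transfer. Only the holder of the private key can do this,
// which is why that key is the trust anchor of the transaction.
func Sign(t *Tx, priv ed25519.PrivateKey) { t.Signature = ed25519.Sign(priv, t.message()) }

// Verify is run by every participant independently; no central clearing point is involved.
func Verify(t Tx) bool {
	return len(t.Sender) == ed25519.PublicKeySize && ed25519.Verify(t.Sender, t.message(), t.Signature)
}

// Ledger is one participant's local copy of the balances, keyed by public key.
type Ledger struct{ balances map[string]uint64 }

func NewLedger(pub ed25519.PublicKey, opening uint64) *Ledger {
	return &Ledger{balances: map[string]uint64{string(pub): opening}}
}

func (l *Ledger) Balance(pub ed25519.PublicKey) uint64 { return l.balances[string(pub)] }

// Apply accepts a transfer only if the sender's key signed it and the balance covers it.
func (l *Ledger) Apply(t Tx) error {
	if !Verify(t) {
		return errors.New("signature not valid for sender key")
	}
	if l.balances[string(t.Sender)] < t.Amount {
		return errors.New("insufficient funds")
	}
	l.balances[string(t.Sender)] -= t.Amount
	l.balances[string(t.Recipient)] += t.Amount
	return nil
}

// Result summarises the scenario so callers and tests can check it.
type Result struct {
	AliceAtP1, AliceAtP2, BobAtP1      uint64
	TamperedRejected, WrongKeyRejected bool
}

// Scenario: alice pays bob 40; two independent participants each verify and apply
// the transfer; a tampered copy and a transfer signed with someone else's key are
// refused. Keys are generated fresh on every run (constructed test data).
func Scenario() (Result, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key that is not alice's

	p1, p2 := NewLedger(alicePub, 100), NewLedger(alicePub, 100)
	tx := Tx{Sender: alicePub, Recipient: bobPub, Amount: 40, Nonce: 1}
	Sign(&tx, alicePriv)
	for _, p := range []*Ledger{p1, p2} {
		if err := p.Apply(tx); err != nil {
			return Result{}, err
		}
	}

	tampered := tx // same signature, amount changed after signing
	tampered.Amount = 90
	wrongKey := Tx{Sender: alicePub, Recipient: bobPub, Amount: 10, Nonce: 2}
	Sign(&wrongKey, otherPriv)

	return Result{
		AliceAtP1: p1.Balance(alicePub), AliceAtP2: p2.Balance(alicePub), BobAtP1: p1.Balance(bobPub),
		TamperedRejected: p1.Apply(tampered) != nil,
		WrongKeyRejected: p1.Apply(wrongKey) != nil,
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Both participants end up with the same balances although neither asked the other, because each one checked the signature itself; and no participant can move alice’s funds without her private key. A custody service therefore protects the one secret whose loss or theft cannot be reversed by any intermediary.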

To summarize: DLT applications offer IT service providers in the banking environment good opportunities to adapt their own business models and also position themselves for the future. Services in the crypto custody business can be seen as a suitable entry point, which can be expanded and supplemented in the future.

How can business models in the banking environment be adapted to these developments? What opportunities does the crypto custody business offer? What technical and regulatory requirements must be met?

In the articles “DLT for IT service providers in the banking environment” (German), “Crypto custody business: starting point for business field expansion” (German) and “Crypto custody business as a business area expansion for banks” (German), published in gi GELDINSTITUTE and on cash.online, SRC expert Dr. Benjamin Botermann gives an insight into and an overview of the challenges, opportunities and stumbling blocks of the crypto custody business with distributed ledger technology (DLT).

The SRC experts will follow the exciting developments in the field of cryptocurrency and the digital euro for you and support you in the realization of your crypto custody business. We will be happy to inform you about the possibilities to get involved in this innovative sector.

Kick-off for the Digital Euro

After long and intensive discussions at the European level, the starting signal for the digital euro was given on 14 July 2021. First, core questions on the impact on financial stability and monetary policy as well as on the legal framework and a possible technical implementation will be clarified within the framework of a two-year study phase. The goal of the introduction of the digital euro is still to meet the “needs of the people in Europe” and to serve as a supplement to already established payment procedures.

A final decision on the design of the digital euro is then expected after the study phase in mid-2023.

“We will enter into a dialogue with the European Parliament and other European decision-makers and inform them regularly about our findings. Individuals, merchants and the payments sector will also be involved,” said Fabio Panetta (Member of the ECB Executive Board and Chair of the Digital Euro Task Force).

Results of the practical test

The preparatory basis for the landmark decision was the results of a practical test phase over nine months, which examined, among other things, technical aspects of distributed ledger technology (DLT for short), data protection, anti-money laundering and the use of existing systems (e.g. TARGET Instant Payment Settlement — TIPS for short). Energy aspects of possible architecture concepts were also investigated with the aim of limiting energy consumption to well below the current requirements of known cryptocurrencies, e.g. Bitcoin.

Focus on data protection

Consumer protection and data protection aspects are central aspects of the discussion about the digital euro, in addition to the technical implementation. For consumers, the digital central bank money represents a direct claim against the central bank, which under certain circumstances can be limited by a cap in the “wallet”. The competition of the digital euro with cash becomes clear in the discussion about the anonymity of payments. It seems clear that — also with a view to combating money laundering — there will be no completely anonymous digital euro.

Assessment of the German Banking Industry

In a statement, the “Deutsche Kreditwirtschaft” (German Banking Industry Committee) emphasises above all the digital euro’s role in preserving the monetary sovereignty of the Eurozone. The digital euro is assessed as a forward-looking means of payment in a digital economy, which coherently complements the existing and proven systems and structures. The aim should be to achieve the greatest possible synergies with existing payment solutions so that access to the digital central bank money can be secured for end consumers. There is a consensus that digitalisation is changing payment transactions and that the ECB must carefully design the digital euro to ensure financial stability. In order to implement the envisaged activities, high investments are inevitable for both the institutions and the economy.

Will cryptocurrencies become more than speculative objects?

Established cryptocurrencies such as Bitcoin and Co. are gaining importance as speculation objects in asset management, but they are currently rather meaningless in payment transactions. Nevertheless, the ongoing discussion about private cryptocurrencies, e.g. Diem from the Facebook universe, has certainly driven the discussion about the Digital Euro.

The SRC experts follow the exciting developments in the field of cryptocurrency and the Digital Euro for you and support you in the realisation of your crypto custody service. We will be happy to inform you about the possibilities to get involved in this innovative sector.

CASH.DIGITALWEEK 2021 // Webinar: Cryptocurrencies create market opportunities for banks and financial service providers

In a webinar at CASH.DIGITALWEEK 2021, our expert Dagmar Schoppe will explain how cryptocurrencies can create new market opportunities for banks and financial service providers. The date for the webinar is Thursday, 9 September 2021 at 11:00.

Banks and financial service providers traditionally have not only the technical competences to process trustworthy business transactions, but also the necessary expertise to implement regulatory requirements. This can be used well as an entry point into the market for services related to cryptocurrencies, because it is precisely the rapidly growing interest in cryptocurrencies that opens up growing opportunities for credit institutions to become active in this market and to serve customers here as well.

For this, it is necessary that the institutions increase their visibility in this new market segment. Only in this way can they then respond to enquiries from customers, traders as well as service providers. Corporate customers thus also have the opportunity, for example, to offer cryptocurrencies they have issued themselves or to optimally support their customers’ digital business processes using blockchain technology. With the support of banks and financial service providers, corporate clients can further advance the digitalisation of their business processes.

The SRC experts are following the exciting developments in the field of cryptocurrency for you. During the webinar “CASH.DIGITALWEEK 2021 // Webinar: Cryptocurrencies create market opportunities for banks and financial service providers”, Dagmar Schoppe, Head of Banking Compliance at SRC, will explain possible strategies and answer participants’ questions.

How cryptocurrencies create new market opportunities for banks and financial services providers

“The importance of cryptocurrencies is growing ever faster. Banks can use their expertise in implementing regulatory issues to gain a good starting position in the market for cryptocurrency services such as key custody. Through their existing competences in dealing with cryptographic procedures, e.g. in authorisation, online banking or PIN protection, banks already bring along a large part of the technical prerequisites for entering this business field.” SRC expert Dagmar Schoppe explains the opportunities for banks and financial service providers with regard to the development of cryptocurrencies in an article just published on the specialist platform “it-daily.net”.

Are there dependencies on the digital euro?

The increasing interest in cryptocurrencies — in addition to the rapid rise in the euro equivalent of a bitcoin observed in recent days — should also be seen in connection with the discussion about the introduction of a digital euro. The digital euro — according to the perception in the German banking industry (DK) — is assessed as a forward-looking means of payment in a digital economy that coherently complements the existing and proven systems and structures. In this context, the greatest possible synergies should be sought with existing payment transaction solutions so that access to digital central bank money can be secured for end consumers.

New opportunities in the digitalisation of business processes

Institutions face the challenge of increasing their visibility in this new market segment in order to then be able to respond to requests from customers, retailers as well as service providers. In the medium term, the generally growing interest in cryptocurrencies can also result in opportunities for institutions that, for example, offer their corporate customers self-issued cryptocurrencies to support them in the digitalisation of their business processes.

The SRC experts follow the exciting developments in the field of cryptocurrency and the digital euro for you and support you in the realisation of your crypto custody service. We will be happy to inform you about the opportunities to get involved in this innovative sector.

Operational Resilience — Cyber resilience requirements for institutions

Current key topics: Operational Resilience and Cybersecurity

Attacks on the financial system can have serious consequences — not only for the affected company, but also for the entire public. Experts at the Bundesbank and security experts at BaFin and the ECB also cite cyber attacks and a lack of resilience to such attacks as the greatest threat posed by increasing digitization in the financial sector. This is one of the reasons why more legal and regulatory frameworks are being created in order to establish uniform standards across the entire financial sector and increase “operational resilience”.

For both the ECB and BaFin, the focus in 2020 was on “operational resilience” and “cybersecurity”. In addition, the TIBER-EU program was launched at European level, which the Bundesbank implemented as TIBER-DE in September 2020. Alongside this, the EU published its requirements for operational resilience and cybersecurity in October 2020 as part of the Digital Finance Package in the form of DORA (Digital Operational Resilience Act).

The question for those responsible is how these various activities interact and — even more relevant — how efficiently they contribute to the achievement of the objectives.

Revision of MaRisk and BAIT — Operational IT Security

Domestically, BaFin published its approaches to addressing operational IT risks in October with the amendment of MaRisk and BAIT. The importance of the topic is evident in the expansion of the BAIT requirements in a new chapter. Implementing the specific requirements formulated there is likely to pose major challenges for smaller and medium-sized institutions, as they call for operating a security information and event management system (SIEM), setting up and operating a security operations center (SOC), as well as regular internal deviation analyses, vulnerability scans, penetration tests and simulated attacks (“red teaming”). In practical terms, this requires the establishment of a professional cyber security department as well as independent internal information security structures. Due to the required expertise and the limited resources on the labor market alone, this will pose major challenges for the institutions concerned. Emergency management — also in a separate new chapter of the BAIT — is addressed as a further focal point.

The TIBER Program of the ECB and the Bundesbank

Back in 2018, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) program. TIBER-EU serves as a framework for threat-led penetration testing that financial institutions can use to put their own resilience to cyberattacks to the test. The goal here is to create a “gold standard” of penetration testing. The clear reluctance to participate in TIBER-DE can be explained on the one hand by the complex scope of the project and the significant risks, and on the other hand by the “voluntary nature” of participation. Of course, especially in 2020, many internal resources are tied up elsewhere, also due to the Covid pandemic. The question arises as to whether the institutions subjectively perceive the risk of a cyber attack as critical.

Digital Operational Resilience Act (DORA) of the EU

With the publication of the Digital Finance Package, the EU regulatory framework on digital operational resilience contains a comprehensive legislative proposal for the Europe-wide prevention and reduction of cyber risks. Up to now, national regulations for operational resilience have been in place, but they do not do justice to the cross-border and global use of IT systems and are therefore not very effective. Moreover, this fragmentation also carries the risk of inconsistencies and is associated with additional high expenses for institutions operating across Europe.

It is therefore highly desirable to strive for uniform regulations with DORA, in particular for risk management, testing, outsourcing, and emergency and incident management. In addition to improving and optimizing the resilience of the IT systems used, a significant reduction in administrative effort for the institutions will certainly also be achieved.

Increasing Cyber Resilience together

The SRC experts will gladly discuss the new developments and their impact on the legal and regulatory level with you. Together we analyze your need for action and support you in the implementation. We evaluate the amendment of MaRisk and BAIT for your institution, support you in the preparation, execution and analysis of TIBER tests and analyze the planned requirements of DORA. You can draw on our experience from countless penetration tests, banking compliance and information security management projects.

Cryptocurrencies — When and how will the Digital Euro emerge?

The European Central Bank’s (ECB) public consultation on the Digital Euro concluded on January 12, 2021. Based on the statements received, a fundamental decision on the continuation of this major project is expected in the summer of 2021. In this context, the developments of the private sector cryptocurrencies Bitcoin and Diem (formerly Libra) are also considered. Other central banks’ activities, e.g. in Sweden regarding the “E-Krona” as well as in China, will certainly have an impact in this regard as well.

Statement of the German Banking Industry Committee

In its statement on the Digital Euro, the German Banking Industry Committee expressed its support for the ECB’s activities and pledged its assistance with the design and project planning.

“For the German Banking Industry Committee, the introduction of a Digital Euro by the Eurosystem has the potential to strengthen Europe’s competitiveness, depending on how it is designed. However, it also carries the risk of fundamentally changing the geometry of the European banking system. Banks in Germany and Europe play a key role in the economic cycle and make an indispensable contribution to the efficient supply of financial resources to companies and consumers. That alone is why it is important to involve the banking industry in the considerations of a digital currency at an early stage.”

Karl-Peter Schackmann-Fallis, Executive Member of the Board of the German Savings Banks Association.

Predominantly positive tenor

The tenor of the German Banking Industry Committee statement is mostly positive. The Digital Euro is considered to be a pioneering payment method in a digital economy, which coherently complements the existing and proven systems and structures. The aim should be to achieve the greatest possible synergies with existing payment transaction solutions in order to ensure access to digital central bank money for end consumers. There is consensus that digitization is changing payment transactions and that the ECB needs to carefully design the Digital Euro to ensure financial stability. To implement the targeted activities, high investments are inevitable for both institutions and the economy. But the use of modern tokenization solutions, e.g. through Distributed Ledger Technology (DLT), enables the implementation of innovative payment solutions. In this context, the use of smart contracts and micropayments, services such as “Blockchain as a Service” and “Smart Contracts as a Service”, or payment offers in the Internet of Things (IoT) are conceivable.

Need for clarification

It is considered critical that the proven two-tier banking system with central bank and commercial banks could be called into question. According to the German Banking Industry Committee, this constellation is essential for money market stability, the supply of loans to companies and private individuals, and the acceptance of and trust in the payment methods issued. The established banking system is seen as a crucial component for ongoing economic growth.

Another open question is to what extent a Digital Euro is to be regarded as a crypto-asset in the sense of MiCA (Proposal for a regulation on Markets in Crypto-assets) and what implications this might have. The German Banking Industry Committee has also issued a statement on the ECB’s proposed regulation.

There is a need for further clarification with regard to some regulatory issues. In this context, the German Banking Industry Committee proposes an orientation towards existing standards. All parties involved should at least comply with the requirements of

From the German Banking Industry Committee’s point of view, legal certainty, uniform specifications for a token-based fiat money and an appropriate regulatory standard are the basic prerequisites for consumer acceptance and trust in the Digital Euro.

Courses of action for payment institutions

The discussion on the Digital Euro has to be seen in the context of the general increase in the importance of cryptocurrencies. Many companies have long since recognized that Distributed Ledger Technology can help to efficiently digitize complex supply relationships. It is therefore a logical consequence that there is also growing interest in using this new technology to process payments as well. In the future, it will certainly not only be central bank-issued cryptocurrencies that will be used. For payment institutions, the generally growing interest in cryptocurrencies increasingly results in the need to offer their own customers storage of and trading in cryptocurrencies. In addition, opportunities may also arise for institutions that offer their corporate customers self-issued cryptocurrencies to support them in the digitalization of their business processes.

The SRC experts will keep an eye on the exciting developments in the field of cryptocurrency and the Digital Euro for you and support you in the realization of your crypto storage service. We will gladly inform you about the options to get involved in this innovative sector.

TIBER-DE | Increasing the cyber resilience of the financial system

Digitisation of the financial sector — Chances & cyber risks

The increasing digitalisation of the financial sector not only provides new opportunities, but also leads to increased cyber risks. In particular, attacks on the financial system can have serious consequences not only for the affected company, but also for the entire public. For this reason, the central banks of the European System of Central Banks already launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) programme in 2018. TIBER-EU serves as a framework for threat-based penetration tests.

In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework for financial companies to test their own resistance to cyber attacks. This implementation has now taken place.

To whom is TIBER-DE addressed?

TIBER-DE particularly addresses critical companies in the financial sector, such as large banks and insurance companies and their IT service providers and payment service providers. In its TIBER implementation, the Deutsche Bundesbank emphasises that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to improve the cyber-resistance of the financial sector in a sustainable and cooperative way, together and by conducting TIBER-DE tests.”

What happens in a TIBER-DE test?

In a TIBER-DE test, commissioned hackers (“Red Team”) use information from a threat intelligence provider (“spy”) to test the cyber resistance of a company. The primary goal is to identify security gaps in the production systems (“critical functions”) within the framework of an attack scenario that is as realistic as possible. The TIBER-DE test consists of three phases, which are presented here in a shortened form:

  • In the preparation phase, the initiation, the kick-off, the determination of the test scope and the procurement take place. In particular, the corresponding contracts with all parties involved are concluded, the test scope is determined and the financial supervisory authority is informed about the intended TIBER-DE test.
  • In the test phase, information on the threat situation is collected and the Red Team penetration test is conducted on the basis of the previously defined test scope.
  • Finally, the final phase includes the preparation of the test reports, a replay and feedback, a remediation plan for the vulnerabilities found, as well as a final report and the attestation including the transfer of results.

Risks of the TIBER-DE Test

The TIBER-DE test targets the productive systems with the “critical functions” of an institute in order to realistically evaluate their cyber-resistance. However, this is also accompanied by risks, e.g. regarding the confidentiality, integrity or availability of the data or systems. In any case, the institute has to perform a detailed risk analysis and take appropriate measures to minimise the risks before a TIBER-DE test is performed.

Furthermore, companies are confronted with organisational, technical and data protection challenges. Critical business processes have to be identified, and defensive measures have to be established and documented. In addition, TIBER-DE tests must be coordinated with the various stakeholders concerned, e.g. service providers. Furthermore, a confidentiality obligation must be observed by all parties.

Currently, participation in TIBER-DE tests is voluntary. Together with the not inconsiderable risks, this seems to be the reason for the hesitation to perform a TIBER-DE test.

Team up for a successful TIBER-DE test

The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested and support in establishing compliant reporting channels and processes to control and execute TIBER tests. This means that the internal preparations are then in place to have a TIBER-compliant penetration test performed by a service provider. With the experience gained from countless penetration tests, bank compliance and information security management projects, we are happy to support you through the entire process of a TIBER test.

IT compliance through the introduction of an ISMS

Increasing compliance requirements

“The dependency of core and value-added processes on the IT infrastructure and the IT systems operated there is constantly increasing at credit institutions. This means that the associated compliance requirements are also increasing almost to the same extent.” In an article that has just been published on the specialist platform “Security Insider”, SRC expert Dagmar Schoppe explains the different regulatory and legal requirements that determine the daily business of credit institutions and how IT compliance is improved by the introduction of an ISMS.

Value creation processes are threatened

The protection of these value-added processes through compliance with regulatory and legal requirements, e.g. from BAIT, MaRisk or the IT Security Act, is a very topical issue. After all, the danger of hacker attacks is a real and current threat. This is one of the reasons why IT security is one of the central audit focuses of BaFin. The TIBER-EU programme, which is intended to strengthen the resilience of the financial world against cyber attacks, also aims in this direction.

Holistic information security management system creates security

For a holistic approach to the protection of corporate values, the various organisational and technical aspects must be combined into a holistic concept. This leads to the introduction of an information security management system, e.g. on the basis of ISO 27001.

The experts of the SRC division Banking Compliance will gladly advise you on regulatory and legal requirements and their implementation, e.g. by introducing an information security management system (ISMS) or by carrying out TIBER tests. SRC is a member of the Cyber-Alliance.