Operational Resilience — Cyber resilience requirements for institutions

Current key topics: Operational Resilience and Cybersecurity

Attacks on the financial system can have serious consequences — not only for the affected company, but also for the public at large. Experts at the Bundesbank as well as security experts at BaFin and the ECB cite cyber attacks, and a lack of resilience to them, as the greatest threat arising from increasing digitization in the financial sector. This is one of the reasons why more legal and regulatory frameworks are being created to establish uniform standards across the entire financial sector and to increase "operational resilience".

For both the ECB and BaFin, the focus in 2020 was on "operational resilience" and "cybersecurity". In addition, the TIBER-EU program was launched at European level, which the Bundesbank implemented as TIBER-DE in September 2020. Alongside this, the EU published its requirements for operational resilience and cybersecurity in October 2020 as part of the Digital Finance Package in the form of DORA (Digital Operational Resilience Act).

The question for those responsible is how these various activities interact and — even more relevant — how efficiently they contribute to achieving the objectives.

Revision of MaRisk and BAIT — Operational IT Security

Domestically, BaFin published its approach to addressing operational IT risks in October with the amendment of MaRisk and BAIT. The importance of the topic is evident in the expansion of the BAIT requirements by a new chapter. Implementing the specific requirements formulated there is likely to pose major challenges for smaller and medium-sized institutions, as they call for operating a security information and event management system (SIEM), setting up and operating a security operations center (SOC), as well as regular internal deviation analyses, vulnerability scans, penetration tests and the simulation of attacks ("red teaming"). In practical terms, this requires the establishment of a professional cyber security department as well as independent internal information security structures. This will pose major challenges for the institutions concerned, if only because of the expertise required and the limited availability of such skills on the labor market. Emergency management — also in a separate new chapter of the BAIT — is addressed as a further focal point.

The TIBER Program of the ECB and the Bundesbank

Back in 2018, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) program. TIBER-EU serves as a framework for threat-led penetration testing that financial institutions can use to put their own resilience to cyberattacks to the test. The goal is to create a "gold standard" for penetration testing. The clear reluctance to participate in TIBER-DE can be explained on the one hand by the complex scope of the project and the significant risks involved, and on the other hand by the "voluntary nature" of participation. Of course, especially in 2020, many internal resources are tied up elsewhere, not least due to the Covid pandemic. The question arises as to whether the institutions subjectively perceive the risk of a cyber attack as critical.

Digital Operational Resilience Act (DORA) of the EU

With the publication of the Digital Finance Package, the EU regulatory framework on digital operational resilience contains a comprehensive legislative proposal for the Europe-wide prevention and reduction of cyber risks. Up to now, national regulations for operational resilience have been in place, but they do not do justice to the cross-border and global use of IT systems and are therefore not very effective. Moreover, this fragmentation carries the risk of inconsistencies and is associated with additional high expenses for institutions operating across Europe.

It is therefore highly desirable to strive for uniform regulations with DORA, in particular for risk management, testing, outsourcing, and emergency and incident management. In addition to improving and optimizing the resilience of the IT systems used, a significant reduction in administrative effort for the institutions will certainly also be achieved.

Increasing Cyber Resilience together

The SRC experts will gladly discuss the new developments and their impact at the legal and regulatory level with you. Together we analyze your need for action and support you in the implementation. We evaluate the amendment of MaRisk and BAIT for your institution, support you in the preparation, execution and analysis of TIBER tests, and analyze the planned requirements of DORA. You can draw on our experience from countless penetration tests, banking compliance and information security management projects.