Operational Resilience — Cyber resilience requirements for institutions
Current key topics: Operational Resilience and Cybersecurity
Attacks on the financial system can have serious consequences — not only for the affected company, but also for the entire public. Experts at the Bundesbank and security experts at BaFin and the ECB also cite cyber attacks and a lack of resilience to such attacks as the greatest threat posed by increasing digitization in the financial sector. This is one of the reasons why more legal and regulatory frameworks are being created in order to establish uniform standards across the entire financial sector and increase "operational resilience".
For both the ECB and BaFin, the focus in 2020 was on “operational resilience” and “cybersecurity”. In addition, the TIBER-EU program was launched at European level, which the Bundesbank implemented as TIBER-DE in September 2020. Alongside this, the EU published its requirements for operational resilience and cybersecurity in October 2020 as part of the Digital Finance Package in the form of DORA (Digital Operational Resilience Act).
The question for those responsible is how these various activities interact and — even more relevant — how efficiently they contribute to the achievement of the objectives.
Revision of MaRisk and BAIT — Operational IT Security
Domestically, BaFin published its approaches to addressing operational IT risks in October with the amendment of MaRisk and BAIT. The importance of the topic is evident in the expansion of the BAIT requirements in the form of a new chapter. Implementing the specific requirements formulated there is likely to pose major challenges for smaller and medium-sized institutions, as they are aimed at operating a security information and event management system (SIEM), setting up and operating a security operations center (SOC), as well as regular internal deviation analyses, vulnerability scans, penetration tests and the simulation of attacks ("red teaming"). In practical terms, this requires the establishment of a professional cyber security department as well as independent internal information security structures. This will pose major challenges for the institutions concerned, due to the required expertise and the limited resources on the labor market alone. Emergency management (also in a separate new chapter of the BAIT) is addressed as a further focal point.
The TIBER Program of the ECB and the Bundesbank
Back in 2018, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) program. TIBER-EU serves as a framework for threat-led penetration testing that financial institutions can use to put their own resilience to cyber attacks to the test. The goal here is to create a "gold standard" of penetration testing. The clear reluctance to participate in TIBER-DE can be explained on the one hand by the complex scope of the project and the significant risks involved, and on the other hand by the "voluntary nature" of participation. Of course, especially in 2020, many internal resources are tied up elsewhere, not least because of the Covid pandemic. The question arises as to whether the institutions subjectively perceive the risk of a cyber attack as critical.
Digital Operational Resilience Act (DORA) of the EU
With the publication of the Digital Finance Package, the EU regulatory framework on digital operational resilience contains a comprehensive legislative proposal for the Europe-wide prevention and reduction of cyber risks. Up to now, national regulations for operational resilience have been in place, but they do not do justice to the cross-border and global use of IT systems and are therefore not very effective. Moreover, this fragmentation carries the risk of inconsistencies and also entails considerable additional costs for institutions operating across Europe.
It is therefore highly desirable to strive for uniform regulations with DORA, in particular for risk management, testing, outsourcing, emergency and incident management. In addition to improving and optimizing the resilience of the IT systems used, a significant reduction in administrative effort for the institutions will certainly also be achieved.
Increasing Cyber Resilience together
The SRC experts will gladly discuss the new developments and their impact at the legal and regulatory level with you. Together we analyze your need for action and support you in the implementation. We evaluate the amendment of MaRisk and BAIT for your institution, support you in the preparation, execution and analysis of TIBER tests and analyze the planned requirements of DORA. You can draw on our experience from countless penetration tests, banking compliance and information security management projects.