Amendment of the Banking Supervisory Requirements for IT
On August 16, 2021, the revised “Bankaufsichtliche Anforderungen an die IT” (BAIT) were published in the BaFin circular. The circular implements the “Guidelines on security measures for operational and security risks under the PSD2” and the “Guidelines on ICT and security risk management” of the EBA at national level. In parallel, the “Minimum Requirements for Risk Management” (MaRisk) and the “Payment Services Supervisory Requirements for the IT of Payment and Electronic Money Institutions” (ZAIT) were also amended.
Stricter requirements for credit institutions
With the amendment of BAIT, credit institutions are faced with new and more stringent requirements. In particular, there are three new chapters.
A significant change is the increased attention given to operational IT security, which now has a separate, new chapter of its own. Implementing the requirements formulated there in practice calls for the operation of a Security Information and Event Management System (SIEM), which in turn includes the establishment and operation of a Security Operations Center (SOC). Operationally, regular checks must be carried out, such as deviation analyses (“gap analyses”), vulnerability scans, penetration tests and the simulation of attacks (“red teaming”). The new requirements thus lead to the establishment of a professional cyber security infrastructure and of extensive, independent internal information security structures.
Furthermore, IT emergency management also receives its own new chapter. Here, the requirements are consolidated with those from section AT 7.3 of MaRisk in order to obtain uniform national requirements. In addition, the specifications regarding emergency planning and precautions, BCM, disaster recovery and backup strategies, including where service providers are involved, are being tightened or made more precise.
The third new chapter is the chapter on managing relationships with payment service users, which is taken from the amended ZAIT. It describes requirements for institutions to actively support and advise their payment service users on security-related risks, in particular on the subject of fraud.
Mastering new challenges together
The changes pose major challenges for the institutions affected, in particular regarding the know-how required and the scarcity of suitable staff on the labor market. We will be happy to advise and support you in implementing the regulatory requirements for information security and in preparing the required evidence.