BaFin Perspectives Issue 1 | 2020 Cyber security Cyber security a challenge for the public sector and the financial industry Contents Foreword 10 I. Current threat landscape and discussion on effective measures 12 Digitally helpless? A brief survey of IT security in Germany 13 The threat landscape in cyberspace is alarming; the sophistication of many cyberattacks has increased. For instance, a significant risk is posed to users in government, business and society by Emotet, the most dangerous malware in the world. A survey of the threats from cyberspace by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI). Tim Griese 1 Introduction 13 2 Types of threat 14 2.1 Ransomware 14 2.2 Identity theft 14 2.3 Botnets 14 2.4 Malware 14 3 An integrated value chain protecting government, business and society 15 “ Cyber criminals are relatively lazy” 16 In this interview, Arne Schönbohm, President of the Federal Office for Information Security (BSI), joined Felix Hufeld, President of the Federal Financial Supervisory Authority (BaFin), to talk about hacker attacks, virtual risks and strategies to ensure protection against these threats. Interview with the Presidents of the BSI and BaFin 16 4 | BaFin Perspectives The supervision of information security and cloud computing needs to be harmonised across Europe 23 As Germany’s financial supervisory authority, BaFin attaches great importance to the harmonisation and convergence of supervisory requirements for information security and cloud computing at the national and European level. The European Commission and the European Supervisory Authorities are also increasingly focusing on the harmonisation and convergence of supervisory standards, making a significant contribution towards strengthening digital operational resilience in the European Union. Silke Brüggemann and Sibel Kocatepe 1 Introduction 23 2 Harmonisation of regulatory requirements in Germany: BAIT, VAIT and KAIT 25 3 Harmonisation of regulatory requirements for information security at financial entities in Europe 26 4 Harmonisation of regulatory requirements for outsourcing to cloud service providers 30 5 Conclusion 33 II. Cyber resilience and crisis management – a task for institutions and supervisors 34 How German banks are gearing up for the fight against cybercrime 35 Cyber risk poses a serious challenge for the banking industry as a whole. Although credit institutions have considerable expertise to protect their IT infrastructures, closer international cooperation is what is needed the most in order to win the technological race against professional cybercriminals now and in the future. Banks, the security industry and both national and supranational authorities must all pull together. Andreas Krautscheid and André Nash 1 Introduction 35 2 Decades of expertise - banks have been involved since day one 37 3 Human behaviour as a risk factor 38 4 Growing importance of information-sharing and networks 38 5 Regulatory measures must be harmonised 40 6 National and international cooperation is needed to win the technological race 41 BaFin Perspectives | 5 Solutions to problems that do not exist yet 42 In the age of cyber risks, fake news and the coronavirus pandemic, there is an even greater need for financial institutions to protect themselves against cyber attacks. Banks as a whole – from the executive board and business segments down to each individual staff member – must be prepared for a crisis scenario. Carrying out IT system checks does not go far enough. Professor Dr. Igor Podebrad 1 Cyber resilience as a key element of IT security strategy 42 2 Cyber risks must be managed in the same way as all other material risk types 43 3 Clients’ cyber resilience is taken into account in the risk evaluation 44 4 Cyber regulation should not be allowed to get out of hand 45 5 Cyber security under threat from new technologies 46 Cyber resilience with TIBER-DE – A future framework for ethical hacker attacks on financial entities in Germany 47 Banks, insurers, financial market infrastructures and their critical service providers are to be offered the opportunity to conduct TIBER-DE tests on a voluntary basis. The participation of the largest entities in the above sectors is expected to contribute significantly to the cyber resilience of Germany’s entire financial sector. Silke Brüggemann, Dr. Miriam Sinn and Christoph Ruckert 1 Introduction 47 2 Implementation in other countries 49 3 National framework: TIBER-DE 50 4 Conclusion 55 “The danger is real. And it is growing.” 56 External attacks, internal disruptions – when companies in the financial sector are hit by cyber incidents, good crisis management is needed. And BaFin also has a role to play. Interview with Raimund Röseler 56 6 | BaFin Perspectives Supervising critical infrastructure in the finance sector – an overview of the status quo 62 The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI) oversees the IT security of the systems at critical infrastructure operators – including those from the finance and insurance sector. This article provides an overview of how these checks are performed at present and what operators need to do in this context. Dr. Wolfgang Finkler 1 Introduction 62 2 Overview of regulated supervised critical infrastructure entities in the finance sector 63 3 Support for critical infrastructure operators 64 4 Lessons learned to date from the verifications submitted by critical infrastructure operators 66 5 Next steps and conclusion 67 III. Insuring cyber risk 68 With a name like “sure” 69 Dr. Frank Grund on insurers’ IT security, how they deal with hidden cyber risks and the role of cyber insurance policies. 1 Insurers – security ensured? 69 1.1 Insurers as targets for cyber attacks 69 1.2 Strengthening their own defences 70 1.3 Achilles’ heel 71 2 Third-party cyber incidents – a risk for insurers 73 2.1 Hidden risks 73 2.2 Cyber insurance policies 73 3 IT security at BaFin 75 BaFin Perspectives | 7 Cyber insurance becomes a crisis manager 76 Cyber crime poses a high risk to Germany’s companies. However, surprisingly few companies take out cyber insurance to protect themselves against the consequences of hacker attacks. Insurers consider the segment a future growth market. Dr. Christopher Lohmann with Melanie Schmitz, Frank Huy, Oliver Schulze and Udo Wegerhoff 1 Introduction 76 2 Fear of cyber attacks among SMEs 77 3 Damage caused without the attacker ever having set foot in the company 78 4 How cyber insurance helps 79 5 Support in the event of a crisis 79 6 Creating a new (cyber) insurance product 80 7 IT security does not come overnight: obligations to produce evidence 81 8 The level of protection insurance customers need 81 9 How cyber insurance policies are setting standards 82 10 Risks and opportunities for cyber insurers 83 11 Conclusion: support through the cyber ecosystem 83 Imprint 86 8 | BaFin Perspectives © iStock/in-future BaFin Perspectives | 9 Foreword Millions in lost earnings, painful losses in productivity at financial institutions – even customer trust is ultimately on the line. Around the globe, cybercriminals are attacking the IT security systems of banks, insurers and other financial services providers in order to gain access to sensitive data, such as names, addresses, telephone numbers, passwords and account numbers. They insert malware into the IT systems of financial institutions to demand a ransom, threatening to bring entire IT systems to a standstill. Such scenarios have become commonplace, which is why the attention of all staff and appropriate IT security measures are needed. © BaFin/Bernd Roselieb © BaFin/Bernd © Bundesamt für Sicherheit in derInformationstechnik In Germany alone, the overall economic losses caused by cybercrime have doubled to over EUR 100 billion in the last two years therefore decided to jointly publish this according to estimates provided by the digital BaFinPerspectives issue, entitled “Cyber association Bitkom. Cybercriminals have got security – a challenge for the public sector their eye on the financial industry, and there and the financial industry”. BaFin and the BSI are attacks on financial institutions almost on have been working in close cooperation for a daily basis. many years. We regularly discuss IT security in the financial sector, share information on Given the high level of professionalism among technology trends and standardisation, and these cybercriminals, we believe that it is assess current situations, too. Both of these necessary to make room for a more in-depth federal authorities provide their expertise, discussion on this topic and to connect allowing new information and insights to key players in the industry and the public be taken into account in their joint work on sector. This is because trust and effective critical infrastructures, covering banks, insurers cooperation – from prevention right up to and service providers, among others. crisis management in the event of a cyber attack – is essential to allow Germany, as a We hope you will find it interesting to read. financial centre, to become more resilient to cyber threats. On behalf of the Federal Financial Supervisory Authority (BaFin) and the Federal Office Felix Hufeld Arne Schönbohm for Information Security (BSI), we have President of BaFin President of the BSI BaFin Perspectives | 11 I Current threat landscape and discussion on effective measures 12 | BaFin Perspectives Digitally helpless? A brief survey of IT security in