IT security & outsourced activities and processes according to MaRisk AT 9

IT security & outsourced activities and processes according to MaRisk AT 9

In the MaRisk (Minimum Requirements for Risk Management) regulations, the Federal Financial Supervisory Authority (BaFin) has set out a strict set of rules that banks and financial service providers must comply with when outsourcing processes like IT security. Special requirements apply specifically to outsourced activities and processes.

Prevent DDoS attacks now

Learn more about Myra Security solutions for the financial industry

Learn more

Auf einen Blick

1. The BaFin definition of outsourced activities and processes according to MaRisk
2. Based on risk analysis
3. Outsourcing management for complex outsourcing
4. Despite outsourcing: Responsibility remains with the institute
5. The highest demands on service providers
6. Contractual requirements for material outsourced activities and processes (MaRisk AT 9, No. 7)
7. Compliance with MaRisk AT 9 & section 25a KWG: Myra Security is ready

01

The BaFin definition of outsourced activities and processes according to MaRisk

Companies in the financial industry must comply with strict guidelines when outsourcing IT. In BaFin’s Minimum Requirement for Risk Management (MaRisk), outsourced activities and processes are “activities and processes relating to the execution of banking business, financial services or any of an institution’s other usual services that would otherwise be provided by the institution itself.” According to section 25b of the Banking Act (KWG), institutions are required to make appropriate arrangements in order to avoid incurring excessive additional risks, regardless of the type of outsourcing. “Outsourcing shall impair neither the proper execution of such business and services nor the business organisation within the meaning of section 25a (1).”

02

Based on risk analysis

Based on risk analysis, the institution must determine whether each service outsourced constitutes “material outsourced activities and processes.” Material outsourced activities and processes are of those services defined by the institution itself as material in terms of risk. Risk analysis must take place prior to outsourcing and be repeated on an ongoing basis. However, MaRisk does not lay out what specifically this involves. BaFin recommends a reanalysis of material outsourced activities and processes be made once per year and every three years for non-material outsourced activities and processes.

Once the institution classifies individual activities and processes as material in the risk analysis, they must be handled in compliance with the (minimum) requirements of MaRisk. Outsourced activities and processes that are not regarded as material in terms of risk are subject to the general requirements relating to a proper business organization pursuant to section 25a (1) of the Banking Act (KWG).

03

Outsourcing management for complex outsourcing

In the case of larger institutions, which have to manage many types of outsourcing, this is done via central outsourcing management, which prepares an annual report on all material outsourced services and processes for the supervisory authority. BaFin also stipulates that institutions must ensure the implementation and further development of outsourcing management and corresponding control and monitoring processes. Ongoing documentation of outsourced activities and processes as well as coordination and review of risk management must also be ensured.

04

Despite outsourcing: Responsibility remains with the institute

Despite the outsourcing of processes, responsibility always remains with the management of the client, i.e. with the management of the company engaged in outsourcing. For this reason, MaRisk also takes safeguards to ensure the continuity and quality of the outsourced activities and processes after termination of the service provider. The same applies to the exit process, such as when changing service providers. According to MaRisk, however, the management board’s management tasks cannot be outsourced.

05

The highest demands on service providers

To comply with the regulatory requirements for material outsourced activities and processes, financial institutions always take great care in choosing their service providers. The strict requirements for the services being provided are also continuously reviewed by the companies. The Interpretation guidelines for MaRisk (PDF) written by the DSGV (German Savings Banks and Giro Association) and the MaRisk experts of the Sparkassen-Finanzgruppe define the criteria for selecting external service providers as follows:

The business processes of the outsourcing company are organized to be efficient and effective.
The staff meets the qualitative requirements for the provision of services.
The remuneration system complies with the statutory requirements.
By outsourcing, processes can be handled at the same or higher level of quality compared to the in-house solution.
The service company is also able to take the institution’s individual concerns and specific processes into account.
There must be measurable quality criteria based on Service Level Agreements (SLAs).
To ensure that outsourcing is being monitored, the outsourcing company must provide detailed reports.
The outsourcing company conducts itself in compliance with the legal requirements.

Discover our tailor-made Security-as-a-Service solutions for IT infrastructures and web applications.

Request a free demo now

06

Contractual requirements for material outsourced activities and processes (MaRisk AT 9, No. 7)

The services to be provided, auditing rights, powers to give instructions, and notice periods must be specified in a comprehensive outsourcing contract to formally ensure the continuity and quality of the outsourced processes. Furthermore, the contractual relationship must also include rules covering subcontracting, which is when the service provider in turn hires a subcontractor to perform the services. Particular attention is paid to the possible right to reserve approval and the obligation to provide information along the entire supply chain up to the institution.

07

Compliance with MaRisk AT 9 & section 25a KWG: Myra Security is ready

Myra unconditionally meets all of the requirements for outsourced activities and processes set out in MaRisk AT 9 & section 25a KWG. Prestigious companies and organizations from the financial industry have been using Myra’s Security-as-a-Service platform for years, covering both their cybersecurity and compliance needs.

More information about Myra Security solutions for the financial industry is available here

Want to learn more about our solutions, use cases and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers and case studies.

Go to download section

About the author

Björn Greif

Editor

About the author

Björn started his career as an editor at the IT news portal ZDNet in 2006. 10 years and exactly 12,693 articles later, he joined the German start-up Cliqz to campaign for more privacy and data protection on the web. It was then only a small step from data protection to IT security: Björn has been writing about the latest trends and developments in the world of cybersecurity at Myra since 2020.