Risks in BaFin’s Focus 2022: Supervisory Authority Wants to Intensify Dedicated IT Audits

Considerable Potential for Harm

Cyber incidents caused by external or internal attacks and technical failures have serious repercussions. Depending on the extent, the impacts can range from specifically quantifiable revenue losses and severe harm to the company’s image to a threat to financial stability per se, which could even have a negative effect on the real economy. As BaFin reports, internal incidents currently predominate from a quantitative viewpoint. However, the potential harm from concentrated external attacks is extremely high.

Cyber Risks Will Continue to Rise

BaFin anticipates a further intensification of the threat situation in the future. This is partly due to ongoing digitalization, which is constantly increasing the virtual attack surface of the companies under supervision. Other factors include the increase in work being done from home since the onset of the COVID-19 pandemic and the trend toward using third-party providers. And while the attack surface is growing, cybercriminals are at the same time escalating their attacks on the financial industry – including attacks from foreign governments.

Intensification of Controls and Enforcement of Standards

BaFin intends to respond to the heightened threat situation by intensifying dedicated IT audits. The need for further action will hinge on the results of these audits. In addition, compliance with supervisory IT requirements and standards is to be increasingly audited and enforced.

For the companies under supervision, this development means that IT security in compliance with the regulations is now required more than ever. For material outsourcing in particular, only service providers that meet all regulatory requirements and do not shy away from a direct BaFin audit can therefore be considered.