Insurance supervisory requirements for IT (historical)
Management Summary
With the Insurance Supervisory Requirements for IT (VAIT), the Federal Financial Supervisory Authority (BaFin) has set clear expectations for the management and organization of insurance companies' IT. On the one hand, the aim of VAIT is to create transparency by translating existing supervisory standards into concrete IT requirements in a comprehensible manner. On the other hand, the IT risk awareness of insurance companies is to be raised, particularly at management level, in order to create risk transparency.
When implementing the VAIT, the risks associated with the company's activities should be taken as the benchmark for the depth of compliance. This proportionality is known as the principle of proportionality.
According to BaFin, the VAIT requirements are derived from existing regulations, which is why no implementation deadline has been set. They entered into force with Circular 10/2018 on 02.07.2018. Overall responsibility for implementation lies with the company's Management Board.
The requirements permeate the entire organization, from strategy to operations. They are divided into eight domains and comprise 70 individual requirements.
Introduction
In its function as the supervisory body for banks and insurance companies, BaFin has now formulated IT requirements for insurance companies and pension funds, as it did previously for the banking sector (November 2017). The framework conditions, structure and content of the Insurance supervisory requirements for IT (VAIT) are explained in more detail below.
Motivation
As mentioned at the beginning, one of BaFin's key motives for formulating the VAIT is to raise IT risk awareness in companies - with a particular focus on the management level. BaFin defines IT risk as "the existing and future risk of losses due to the inappropriateness or failure of the hardware and software of technical infrastructures that may affect the availability, integrity, accessibility and security of these infrastructures or data" ([1] Gampe, 2018, p. 25).
The VAIT also create a concrete framework for the design of companies' IT. This contrasts in particular with other standards, such as the Minimum requirements for the business organization of insurance companies (MaGo), which are very general when it comes to IT. This concretization gives companies security - but with a caveat: BaFin does not see the VAIT as a comprehensive catalog of requirements. This means that IT-related requirements from the MaGo (and other regulations) that are not dealt with in the VAIT must be implemented in addition to these.
Organizational matters
Who is the VAIT aimed at?
The VAIT are aimed at companies that are subject to supervision in accordance with Section 1 (1) Insurance Supervision Act (VAG), with the exception of special purpose insurance companies within the meaning of Section 168 VAG and the guarantee fund within the meaning of Section 223 VAG. This means that the group of addressees is made up of primary insurance and reinsurance companies, pension funds, insurance holding companies and companies whose main activity is investments in primary insurance or reinsurance companies or pension funds.
Integrity
On the one hand, the term integrity refers to the correctness of data, in the sense that data is both complete and unchanged. For example, the manipulation of a customer's bank details constitutes a breach of integrity. In a broader sense, integrity also includes information such as metadata and therefore also relates to the date of the last change to a document, among other things.
On the other hand, integrity also refers to the correct functioning of IT systems.
When do companies have to comply with the VAIT requirements?
According to BaFin, the VAIT do not contain any new requirements, but "merely clarify or specify existing supervisory requirements" ([1] Gampe, 2018, p. 27). Consequently, companies are not granted an implementation period (analogous to BAIT). In other words: with the publication of Circular 10/2018, the VAIT officially came into force on 02.07.2018.
VAIT and other regulations
The VAIT are linked to other regulatory documents such as legal texts, circulars and ordinances, which themselves are interdependent and thus form a network of requirements. Figure 2 provides a rough and simplified overview of these regulations.
The core texts that provide the framework for the VAIT circular are the VAG and the MaGo. The VAIT provide guidance on the interpretation of the provisions on business organization in the VAG. These provisions are in turn summarized as minimum requirements in the MaGo, so that the VAIT are to be understood as a concretization of the MaGo. As previously discussed, the group of addressees is also taken from the VAG.
Responsibility for implementation
A significant innovation in the VAIT is a break with the division of responsibilities within the Executive Board. The requirements set out in the circular that address the Executive Board apply to all of its members. It is not possible to reallocate or delegate this responsibility to one or more individual board members.
Proportionality principle
When implementing the VAIT, a principle is applied that is already anchored in Solvency II, the VAG and the MaGo: the principle of proportionality. The requirements should be met in an appropriate manner, depending on the nature, scope and complexity of the risks associated with the company's activities (see Section 296 (1) VAG). In other words, the depth of implementation is proportional to the company's risk profile. Various indicators can point to a less pronounced risk profile. For example, the size of the company and the number of employees, but also the customer base, influence the risks.
For companies with a less pronounced risk profile, the principle of proportionality means that simpler structures, IT systems or processes will suffice. However, once established, structures, IT systems and processes are not set in stone and may need to be adapted and further developed in line with a company's changing risk profile, for example as the company grows.
Contents
Structure of the VAIT
In its current version (Circular 10/2018), the circular comprises 70 requirements, which are divided into 8 topic modules. Some requirements are additionally supplemented by explanatory notes, which, for example, set minimum requirements for the documents or processes called for in the requirement.
The topic modules mentioned above correspond, to varying degrees, to the company levels or abstraction levels Governance, Control system and Operations, from abstract to concrete (see Figure 3). While the IT strategy module, for example, deals with general strategic objectives, the user authorization management module formulates clear requirements for authorization concepts.
VAIT requirements
The following is an overview of the requirements formulated in the individual subject areas of the VAIT.
IT strategy
The central postulate of the first topic module is the definition of an IT strategy that is consistent with the business strategy and has a level of detail that depends on the company's risk profile. Minimum contents of the IT strategy are also defined. These include IT organizational structure and IT process organization, outsourcing of IT services or procurement of IT, information security and internally operated or developed IT systems.
IT governance
The management is responsible for translating the objectives of the IT strategy for the IT organizational structure and IT process organization into internal regulations appropriate to the risk profile, and for ensuring that these regulations are implemented. Furthermore, requirements are placed on the staffing, knowledge and experience of employees as well as the technical and organizational equipment in information risk and information security management, IT operations and application development. The aim is to minimize personnel-related risks in these areas. Conflicts of interest within the IT organizational structure and IT process organization must also be avoided.
Information risk management
The company must introduce and implement an information risk management system. Identification, assessment, monitoring and control processes must be set up. These include the identification of IT risks and the determination of protection requirements. The company must define requirements for implementing the protection objectives in accordance with the identified protection requirements and document them in a catalog of target measures.
In addition, IT risk criteria must be defined on the basis of which a risk analysis must be carried out. Risk management must report the results of the risk analysis to the management at least once a year and have them approved.
Information security management
In line with the strategy, the management must adopt an information security policy that describes the organization of information security management. Based on this policy, more specific guidelines and information security processes must be defined to ensure that the protection goals are achieved.
Furthermore, the company must establish the function of information security officer. This function deals with all matters relating to information security within the company and vis-à-vis third parties and reports to the management. For example, it monitors compliance with information security objectives and measures.
User authorization management
The company must set up a user authorization management system as part of which authorization concepts must be defined for all IT systems that are consistent with the protection requirements of the respective system. Authorization management is accompanied by technical and organizational measures that prevent the requirements of the concepts from being circumvented.
The creation, modification, deactivation and deletion of authorizations must be documented and go through approval and control processes. Authorizations must also be checked regularly and on an ad hoc basis and recertified or adjusted if necessary.
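The two paragraphs above describe what an authorization management system must provide: an authorization concept per system, a documented approval for every grant, and regular recertification. The following script is an added example, not code from the page or from BaFin, of how a control function can mechanically check existing role assignments against such a concept. The data structures, the sample users and systems, and the recertification intervals per protection-requirement class (90 days for "high", 365 days for "normal") are assumptions made for the example; the VAIT only demand regular and ad hoc checks without fixing an interval.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Recertification interval per protection-requirement class.
# Assumed values for this example; the VAIT do not prescribe a number.
RECERT_INTERVAL_DAYS = {"high": 90, "normal": 365}


@dataclass(frozen=True)
class AuthorizationConcept:
    """The documented concept for one IT system (assumed structure)."""
    system: str
    protection_level: str             # "high" or "normal"
    roles: Dict[str, FrozenSet[str]]  # role name -> permissions the role grants


@dataclass(frozen=True)
class Assignment:
    """One role assignment as exported from the system (assumed structure)."""
    user: str
    system: str
    role: str
    granted_on: date
    approved_by: Optional[str]        # None = no documented approval
    last_recertified: Optional[date]  # None = never recertified since grant


Finding = Tuple[str, str, str, str]   # (user, system, role, finding text)


def review_assignments(concepts: List[AuthorizationConcept],
                       assignments: List[Assignment],
                       today: date) -> List[Finding]:
    """Compare actual assignments with the authorization concepts and
    return every deviation a recertification would have to resolve."""
    by_system = {c.system: c for c in concepts}
    findings: List[Finding] = []
    for a in assignments:
        concept = by_system.get(a.system)
        if concept is None:
            findings.append((a.user, a.system, a.role, "no authorization concept for this system"))
            continue
        if a.role not in concept.roles:
            findings.append((a.user, a.system, a.role, "role not defined in the authorization concept"))
            continue
        # Approval and control process: a grant needs an approver other than the user.
        if not a.approved_by:
            findings.append((a.user, a.system, a.role, "no documented approval"))
        elif a.approved_by == a.user:
            findings.append((a.user, a.system, a.role, "approved by the user themselves"))
        # Regular check: the interval depends on the system's protection requirement.
        limit = RECERT_INTERVAL_DAYS[concept.protection_level]
        anchor = a.last_recertified or a.granted_on
        age = (today - anchor).days
        if age > limit:
            findings.append((a.user, a.system, a.role,
                             f"recertification overdue ({age} days since last check, limit {limit})"))
    return findings


# Constructed sample data for the example.
SAMPLE_CONCEPTS = [
    AuthorizationConcept("claims_db", "high",
                         {"reader": frozenset({"read"}), "adjuster": frozenset({"read", "write"})}),
    AuthorizationConcept("hr_portal", "normal", {"employee": frozenset({"read_own"})}),
]

SAMPLE_ASSIGNMENTS = [
    Assignment("alice", "claims_db", "reader", date(2024, 5, 1), "bob", None),          # fine
    Assignment("carol", "claims_db", "adjuster", date(2023, 1, 15), "dave", date(2024, 1, 10)),  # overdue
    Assignment("erin", "claims_db", "dba", date(2024, 6, 1), "dave", None),             # role not in concept
    Assignment("frank", "hr_portal", "employee", date(2023, 2, 1), None, None),         # no approval, overdue
    Assignment("gina", "legacy_tool", "admin", date(2024, 3, 1), "dave", None),         # no concept at all
    Assignment("hank", "claims_db", "reader", date(2024, 6, 20), "hank", None),         # self-approved
]


def run_sample_review() -> List[Finding]:
    """Run the check on the constructed sample with a fixed reference date."""
    return review_assignments(SAMPLE_CONCEPTS, SAMPLE_ASSIGNMENTS, date(2024, 6, 30))


if __name__ == "__main__":
    for user, system, role, text in run_sample_review():
        print(f"{user:6} {system:12} {role:10} {text}")
```

The output of such a review is the input for the recertification decision (confirm, adjust or withdraw) and should itself be kept as evidence that the regular check took place.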
IT projects and application development
The company must define an appropriate organization and processes for IT projects and application development. This includes evaluating the impact of IT projects on the IT organizational structure and IT process organization as well as the associated IT processes as part of an impact analysis. In particular, a portfolio view of IT projects must be created, for example to be able to assess risks due to dependencies between different projects. Projects must be managed in terms of their risk and reporting obligations to the management must be introduced for critical projects.
In the area of application development, processes must be defined for determining requirements, quality assurance, documentation, post-production monitoring, testing, acceptance, release and others. Furthermore, precautions must be taken to ensure that the protection goals of confidentiality, integrity, availability and authenticity are achieved after go-live.
IT operations
The company must set up classic ITIL service support functions: Configuration, change, incident and problem management. For this purpose, a configuration management database (CMDB) is to be created in which the components of the IT systems and their relationships are managed. This allows the IT system portfolio to be managed, including risks from outdated systems.
The processes for change management must be designed depending on the risk profile and include the orderly acceptance, documentation, evaluation of implementation risks, prioritization, approval and implementation of changes.
In incident management, processes for appropriate recording, evaluation, prioritization (with regard to resulting risks) and escalation must be established. In addition, the processing, root cause analysis and solution finding, including follow-up, must be documented. Service Support must also draw up criteria for communicating information about faults to the management.
Finally, a data backup concept must be drawn up that specifies data backup procedures and formulates requirements for the availability, readability and up-to-dateness of data based on the business processes. Regular tests must be carried out to ensure that these requirements are met.
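The backup requirement above has three measurable parts: the backup must be available, readable and current enough for the business process it protects, and this must be tested regularly. The following script is an added example, not code from the page or from BaFin, of such a test: it reads a manifest that records, per business process, where the backup lies, its checksum, when it was taken and the maximum age the process tolerates, then checks all three properties. The manifest format, the file layout and the sample processes with their age limits are assumptions; the script builds its own sample backups in a temporary directory, including a tampered one, an unreadable one, a stale one and a missing one, so it runs offline.

```python
import gzip
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(entry: dict, now: datetime) -> Dict[str, object]:
    """Check one manifest entry for availability, readability and up-to-dateness.
    Assumed manifest fields: process, path, sha256, taken_at (ISO 8601), max_age_hours."""
    result: Dict[str, object] = {"process": entry["process"], "available": False,
                                 "readable": False, "current": False, "problems": []}
    problems: List[str] = result["problems"]  # type: ignore[assignment]
    path = entry["path"]
    # Availability: the file the manifest points to must exist.
    if not os.path.isfile(path):
        problems.append("backup file missing")
        return result
    result["available"] = True
    # Readability: checksum must match the manifest and the archive must decompress.
    if sha256_of(path) != entry["sha256"]:
        problems.append("checksum does not match manifest")
    else:
        try:
            with gzip.open(path, "rb") as f:
                while f.read(65536):
                    pass
            result["readable"] = True
        except (OSError, EOFError) as exc:  # gzip.BadGzipFile is an OSError
            problems.append(f"archive cannot be read: {exc}")
    # Up-to-dateness: age must not exceed what the business process tolerates.
    taken = datetime.fromisoformat(entry["taken_at"])
    age = now - taken
    if age <= timedelta(hours=entry["max_age_hours"]):
        result["current"] = True
    else:
        problems.append(f"backup is {age.total_seconds() / 3600:.0f} h old, "
                        f"limit is {entry['max_age_hours']} h")
    return result


def build_sample_environment(root: str, now: datetime) -> List[dict]:
    """Constructed sample: five manifest entries, only one of which passes every check."""
    def write(name, payload, taken_at, max_age_hours, tamper=None):
        path = os.path.join(root, name)
        with gzip.open(path, "wb") as f:
            f.write(payload)
        if tamper == "garbage":            # not a gzip stream, but hashed as-is
            with open(path, "wb") as f:
                f.write(b"this is not a gzip stream")
        digest = sha256_of(path)
        if tamper == "after_manifest":     # modified after the checksum was recorded
            with open(path, "ab") as f:
                f.write(b"\x00")
        return {"process": name.split(".")[0], "path": path, "sha256": digest,
                "taken_at": taken_at.isoformat(), "max_age_hours": max_age_hours}

    manifest = [
        write("claims.sql.gz", b"-- constructed dump of claims\n", now - timedelta(hours=2), 24),
        write("policy_admin.sql.gz", b"-- constructed dump\n", now - timedelta(hours=1), 24,
              tamper="after_manifest"),
        write("finance.sql.gz", b"-- constructed dump\n", now - timedelta(hours=3), 24,
              tamper="garbage"),
        write("crm.sql.gz", b"-- constructed dump\n", now - timedelta(days=3), 24),
    ]
    # A process whose backup job never produced a file.
    manifest.append({"process": "underwriting", "path": os.path.join(root, "underwriting.sql.gz"),
                     "sha256": "", "taken_at": (now - timedelta(hours=1)).isoformat(),
                     "max_age_hours": 24})
    return manifest


def run_sample_check(now: datetime = None) -> List[Dict[str, object]]:
    """Create the sample backups in a temporary directory and test them all."""
    now = now or datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        return [check_backup(e, now) for e in build_sample_environment(root, now)]


if __name__ == "__main__":
    for r in run_sample_check():
        status = "OK" if not r["problems"] else "FAIL"
        print(f"{status:4} {r['process']:13} {'; '.join(r['problems'])}")
```

Checking the checksum before decompressing separates two failure modes the text lists: a backup that is present but no longer the one that was recorded, and one that is the recorded file but cannot be read back. In practice the "readable" step would go further and restore into a scratch environment, which is the only test that proves the data is usable.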
IT services
A risk analysis must be carried out before outsourcing IT services, using cloud services and other service relationships in the area of IT services. This risk analysis must be taken into account both in the contract design and in the operational risk management process.
Furthermore, the company must manage the other service relationships in the area of IT services, taking into account the risk analysis, and monitor whether the services owed are being provided. A complete, structured contract overview is to be introduced for this purpose.
Conclusion
The VAIT are changing the role of information technology within insurance companies and pension funds. The status of IT has been raised considerably. BaFin no longer sees IT merely as a means to an end: it is not just a function that supports the actual business (here: insurance services), but a key element that is given special attention.
This re-evaluation is necessary and timely insofar as IT is not only increasingly penetrating all levels of a company, but is also being offered as a service within the company and to customers. Furthermore, IT does not merely facilitate the insurance business or make it more efficient, but insurance services can no longer be provided without the support of IT. This means that information technology harbors great risk potential.
Outlook
The VAIT have a modular structure. BaFin has already stated that it would like to use this flexibility to continuously adapt and supplement the VAIT in response to future changes and additions to international and national requirements. For example, a module "Critical infrastructures" is planned, which exclusively covers operators of critical infrastructures (according to the Amendment Ordinance to the BSI Kritis Ordinance) and will presumably interpret or specify requirements from the IT Security Act.
Secondly, BaFin is examining whether procedures from the paper "Key elements of cyber security in the financial sector", published by the G7 states in October 2016, are to be integrated into the VAIT. This is controversial insofar as, for example, the sixth element, Recovery, is only dealt with superficially in the current version of the VAIT. A (partial) implementation of the Key elements therefore has the potential to expand the scope of the VAIT.
Sources
[1] Gampe, Jens: "IT-Sicherheit: Aufsicht konkretisiert IT-Anforderungen an die Versicherungswirtschaft". In: BaFinJournal, April 2018. https://www.bafin.de/SharedDocs/Downloads/DE/BaFinJournal/2018/bj_1804.pdf?__blob=publicationFile&v=4 (02.07.2018)
[2] Federal Financial Supervisory Authority: "Circular 10/2018: Insurance supervisory requirements for IT (VAIT)". https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1810_vait_va.pdf?__blob=publicationFile&v=4 (02.07.2018)