In March 2017, the German Federal Financial Supervisory Authority (BaFin) held their third conference covering IT supervision for banks. At the conference in Bonn, BaFin President Felix Hufeld told the more than 400 attendees that cyber-risks are one of the most substantial facing the German financial sector. Cybersecurity risks are indeed immense, as banks are susceptible to theft, data breaches and denial of service attacks. In a recent study from KPMG, 38% of responding German companies reported to having been a victim of cyber-crime in the past two years. One in twenty reported losses of more than 1 million euros due to cyber-attacks.
The monetary costs for businesses are obvious. However, for the financial sector the costs can be farther reaching. Since financial institutions, public and private, play a critical economic function, the fallout from a cyberattack on an institution can trickle down into the rest of the economy and society. For this reason, cybersecurity has become a significant concern for financial regulators around the world. At the 2017 Frankfurt Finance Summit, Felix Hufeld will join Dr. Andreas Dombret, Executive Board Member of the Deutsche Bundesbank, for a panel discussion on the challenges of cybersecurity and innovation.
At the March conference on IT security, BaFin introduced new additions that will be made to the Minimum Requirements for Risk Management (MaRisk) concerning IT Security. The German regulator worked in cooperation with Deutsche Bundesbank on the forthcoming guidelines, called Bank Supervision Requirements for IT (BAIT), which are expected for the middle of 2017. BAIT aims to help banks understand the supervisory expectations regarding cybersecurity strategy. The guidelines will place new pressure on management boards to assume responsibility for strategically managing cyber-risks. At an event in 2016, Dr. Andreas Dombret referenced these responsibilities, explaining, “We therefore demand that banks clarify what is at stake and how the risks are supposed to be governed. This is called a cyber strategy, and every bank is required to have a convincing one.”
Not just German regulators are demanding higher cybersecurity standards from the financial sector. The New York State Department of Financial Services (DFS) has outlined new cybersecurity requirements for financial services companies which came into effect in March 2017. Amongst other items, the new regulations establish requirements for formal cybersecurity programs, incident reporting, and data encryption. Additionally, the New York regulators place the ultimate responsibility for cybersecurity with management boards and requires the employment of a Chief Information Security Officer charged with overseeing and implementing the cybersecurity program and enforcing its policies. The USA’s federal regulators are following suit and currently drafting regulations that would place stricter standards on sector-critical firms.
In January 2017, Jens Weidmann, President of the Deutsche Bundesbank, clearly explained that increasing reliance of market infrastructures on digital technologies has made the global financial system even more vulnerable to cyber-risks. Weidmann maintains that “The damage unleashed by successful attacks goes beyond the financial loss incurred. Cyber-attacks can potentially undermine peoples’ trust in the financial system.” This trust is critical to banks and financial services ability to serve their important role in society. Thus, it is understandable that cybersecurity falls within the purview of financial regulators and for them to set clear requirements, just as they would capital requirements, for example. Weidmann concluded by saying, “to avoid jeopardising the positive impact of digital finance, it will be crucial to address these risks and for banks to manage their IT and cyber risks with as much diligence as they do their traditional banking risks.”
These regulatory questions regarding cybersecurity will be addressed at the seventh Frankfurt Finance Summit, titled Europe Reloaded – Challenges for the Financial Sector. Felix Hufeld and Dr. Andreas Dombret will be joined by panel moderator and international economist Cornelia Meyer to discuss the challenges of cybersecurity and innovation.