Digital attacks against banks and financial services providers pose major challenges not only on that sector but also on the legislator and the financial supervisory authorities. In 2017, nearly 10 billion cyberattacks occurred worldwide. Apart from spam and phishing, the main threats to digital security included targeted hacking attacks. A company’s own employees often turn out to be the main security risk.
Requirements of the GDPR have to be fulfilled
Banks also have to define the processing of their customers’ personal data in compliance with the requirements of the General Data Protection Regulation. This includes both data privacy compliance and data processing security. Infringements of these rules may be punishable by fines of up to 20 million euros or 4% of the global annual turnover. In case of a privacy breach, the data subjects may also demand compensation of non-material damage.
The well-established minimum requirements for risk management (MaRisk) have recently been supplemented by the supervisory requirements for IT in financial institutions (BAIT). The background of these new requirements is that banks and financial services providers are increasingly outsourcing processes that do not form part of their core business. BAIT are intended to make the expectations and supervisory practice transparent and to outline possible risks.
Avoid security gaps in critical infrastructures
The Act on the Federal Office for Information Security (BSI Act) also addresses the issue of IT security. According to the act, operators of critical infrastructure have to take appropriate organizational and technical precautions to avoid disruptions of the availability, integrity, authenticity, and confidentiality of their information technology systems, components or processes. Operators of critical infrastructures include companies of the energy, finance and insurance, nutrition, water, health, transportation and traffic as well as information technology and telecommunications sectors.
However, technical measures will not be sufficient. Organizational and legal measures also need to be taken. Banks and other companies should conduct complete screenings of their business procedures to check them for security gaps.
Protection of banks, financial services providers, and FinTechs
Together with our technical partners, we will be able to arm your company against cyberattacks. We can shape your outsourcing contracts and privacy provisions in compliance with the current regulations.