Industry-Specific
Security Standards

VAIT – New requirements on the way

BaFin published its circular on insurance supervisory requirements for IT (VAIT) in July 2018 and expanded it in March 2019 to include the section on critical infrastructure. Now an amendment is pending, which is to include the requirements of the European Supervisory Authority (EIOPA) for the management of information technology and information security from October 2020. 

Initial BaFin audits revealed various IT security deficiencies in previous implementations of VAIT –  including serious ones, the highest level in BaFin's assessment scheme – in most insurance companies' information risk and information security management. In some cases, BaFin found no internal processes at the companies that were sufficient to identify and assess information risks. In addition, companies often did not define with sufficient precision how sensitive certain information was.

Information security management often lacked procedures to identify IT security incidents quickly enough so that countermeasures could still be initiated in good time. For example, BaFin found that while insurance companies automatically monitored operating systems and network activity, they often did not include other key software applications and hardware components. This created a security risk for the company's entire IT. 

 In addition, the audits uncovered weaknesses at many insurance companies with regard to the monitoring of their external IT service providers. Since insurers award many different IT contracts to external service providers, they need to be aware of the associated risks. Particularly in the case of IT services that are not covered by the regulatory definition of outsourcing, such as procurement of hardware and software, insurers in numerous cases failed to conduct a prior risk analysis and thus did not fulfill their obligation to conduct effective risk management.

BAIT and ZAIT – Supervision becomes concrete

Together with the minimum requirements for risk management (MaRisk in German), BaFin has published the final versions of the banking supervisory requirements to IT (BAIT in German) and the payment services regulatory requirements for IT (ZAIT in German) on August 16, 2021. In both amendments, the supervisory body describes the safeguards it now expects for secure information processing and information technology at banks and/or payment and e-cash institutes. 

For banks and leasing companies, the implementation level of BAIT is increased by three additional chapters

• Operational information security.
• IT emergency management and
• Management of the relationships with payment service users.

Moreover, the existing chapters have been supplemented and elaborated. 

For payment and e-cash institutes, BaFin has created legal security with ZAIT but also increased the implementation effort at the same time.

We analyze what the new requirements from the amendments BAIT and ZAIT mean for our customers, derive necessary adjustments and assist our customers in the implementation in the respective management systems.

ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering 

Increasing digitalization in vehicles and networking of vehicle components with each other, as well as the pervasive use of software in vehicles, are increasing the attack surface for cyber attacks on motor vehicles. Against this background, ISO/SAE 21434 "Road vehicles – Cybersecurity engineering" was developed as a standard for cybersecurity in motor vehicles jointly by expert groups from ISO (International Organization for Standardization) and SAE (Society of Automotive Engineers) and published by ISO in August 2021. 

ISO/SAE 21434 addresses, among other things, the increasing dependency between "safety" and "security". “Safety" generally refers to operational safety, i.e., the protection of people and the environment from physical damage caused by the plant/machine. "Security", on the other hand, refers to information security, i.e., the protection of data/information. Due to the high degree of digitalization, especially of safety components in motor vehicles, "safety" can only be achieved if "security" is guaranteed.

At EU level, various committees are developing a certification for a "Cybersecurity Management System", which is to become mandatory for the type of approval of vehicles in the future. ISO/SAE 21434 is to become the technical standard for demonstrating conformity to regulatory requirements, at least in part. The standard defines numerous requirements for the development, production, operation, maintenance and recycling phases. It takes into account components (electronic parts and software) of vehicles produced in series, as well as spare parts and accessories. It does not address any infrastructure outside the vehicle (server, cloud services, OTA, diagnostic systems...).

One focus of the standard is appropriate risk management methods. In addition, however, companies need wide-ranging cybersecurity skills and expertise to implement the standard. The spectrum here ranges from cybersecurity management to vulnerability and security incident management to penetration testing.

The experts at security advisors provide support in all phases of implementation. They use tried-and-tested methods such as target/actual analyses, security assessments or audit simulations. They work with a high level of detail with an eye for the big picture and find practical and future-proof solutions.

TISAX

The ENX Association, an association of European automotive manufacturers, suppliers and associations at European level, launched the "Trusted Information Security Assessment Exchange" (TISAX for short) label in 2017. The label serves as proof to the automotive industry that a supplier has a certain level of security and must be renewed every three years. To obtain the TISAX label, a company must submit a self-disclosure to a recognized testing service provider. This self-disclosure is then reviewed by the auditors. For the highest level of the label, auditors will also conduct interviews and on-site visits.

Automotive manufacturers are increasingly demanding the TISAX label from their suppliers. Although the effort required to achieve a TISAX label is lower compared to establishing an ISMS according to ISO 27001 or IT-Grundschutz, it should not be underestimated.

Read more: Our recommendations for a successful TISAX audit.

Hospital Future Act (Krankenhauszukunftsgesetz (KHZG) - Information security is a crucial part 

The Hospital Future Act passed by the Bundestag and Bundesrat in 2020 provides the hospital landscape with 4.3 billion euros for investments to expand digital infrastructures, IT security, modern emergency capacities and special forms of treatment in the event of a pandemic.

To this end, the KHZG includes eleven funding categories, among which IT security can be found both in category 10 and as a cross-cutting issue in all funding projects.

The position of data protection and IT security is explicitly emphasized in the KHZG and must be included in all applications at 15 percent of the effort. 

The application of this 15 percent clause is not always easy. In addition, KRITIS hospitals face the question of funding, as this may not come directly from the KHZG funds.

Our services:

We offer consulting on appropriate security according to KHZG and the implementation of the subsidies and funding plans such as:

• Gap analyses and action plans 
• Risk management and risk reduction 
• Data protection management and implementation 
• Awareness and training measures 
• Business continuity management in accordance with IT-basic protection 
• Penetration tests and security audits
• and much more