Meet BaFin requirements with penetration tests from ProSec

Build cyber resilience

Standards & Certifications

BAIT and MaRisk amendment 2021

In recent years, the Federal Financial Supervisory Authority (BaFin) has increasingly dealt with IT security issues in the banking sector. In the 2021 amendment to the Banking Supervisory Requirements for IT (BAIT), BaFin specifies requirements in particular in the areas of “operational security” and “IT emergency management”. The BAIT amendment 2021 states under point 5.6:

“The security of banks’ IT systems is to be reviewed regularly, on an ad hoc basis and while avoiding conflicts of interest.”

As the responsible person, you can conscientiously fulfill these requirements with a vulnerability analysis or a penetration test from ProSec. Our penetration tests can also be booked “as a service”, whereby we test the development of your IT security at regular intervals.

BAIT amendment 2021

Never be afraid of a Section 44 audit by BaFin again

The ever-increasing threat of cyberattacks entails an increase in regulatory security requirements. This increases the challenges and burdens for you as the person responsible for IT security:


You have probably recently completed the ICT questionnaire...

...or still have it ahead of you. Furthermore, point 5.3 of the BAIT amendment 2021 requires the introduction of security information and event management (SIEM). And the Section 44 audit hangs over everything like the sword of Damocles.

After a penetration test with ProSec...

...you will be happy about every pentest question in the ICT questionnaire!

With ProSec's pen testers and IT security consultants, you get reliable, competent and experienced partners with whom you can work on your tasks professionally and efficiently.

IT outsourced: Out of sight, out of mind?

More and more banks are outsourcing their IT to data centers due to increasing personnel and technical requirements. At GENO banks, Atruvia AG (formerly GAD or Fiducia) takes care of the IT, and at savings banks, Finanz Informatik (FI).

In addition to these two large service providers, there are other providers of external data centers. Very few banks still operate entirely with their own data centers; many are currently in the migration phase from in-house to external.

But be careful: IT services can be outsourced, but responsibility cannot!

Both BaFin and the European Banking Authority emphasize that “the management of an outsourcing institution can never outsource its responsibilities” (source: BaFin).

The regulations for outsourcing in KWG §25b are taken up in the BAIT.

ProSec supports you in meeting this responsibility and maintaining control over your IT security!

Our common denominator: the well-being of our customers

Regardless of whether you are a GENO bank, a savings bank or another bank, the main thing for all of you is to secure and grow your customers’ assets in their interest. ProSec, in turn, has set itself the goal of advancing IT security in Germany for the benefit of all people.

Our commitment to the common good is the ideal basis for a solution-oriented and collaborative partnership.

We have extensive experience in planning and executing projects to meet BAIT and MaRisk requirements, and we have a team of motivated, highly qualified penetration testers with whom the review of your IT security is in the best hands.

Penetration test from ProSec: BaFin-compliant and a real help for your IT

With a penetration test from ProSec, you meet BaFin's regulatory requirements on the one hand and build real cyber resilience for your bank on the other. We work absolutely independently and always according to our moral compass: we actively live up to the term “ethical hackers”.

Our penetration tests are holistically oriented and, by arrangement, also cover physical access security to buildings and, in particular, social engineering. In most cases, real attackers target the weakest link in the security chain: people. Our pentests are not automated; we start by discussing your current status and working together to find the right scope for your individual pentest.

At the end of the penetration test you will receive from us an action plan according to the RACI matrix and PRINCE2 method with all findings and concrete measures to eliminate the security gaps. We also hold a technical workshop where our pentesters pass on their specialist knowledge to your team and discuss and prioritize the contents of the action plan together with you.

Our stated goal is to work with you to build your bank's cyber resilience as efficiently as possible.


Next Step: Red Teaming according to the TIBER-DE Framework

Cyber attacks on the financial sector are not just a German problem. Therefore, in 2018, the European Central Bank (ECB) published a framework that enables companies across Europe to build comparable cyber resilience: Threat Intelligence-based Ethical Red Teaming (TIBER-EU).

The TIBER Cyber Team (TCT) of the Deutsche Bundesbank is responsible for implementing the framework in Germany (TIBER-DE). BaFin explains who benefits from TIBER-DE tests and who should definitely take advantage of them:

TIBER-DE tests should be open to banks, insurance companies, financial market infrastructures and their most important service providers - on a voluntary basis. However, the most important companies in the financial sector are expected to make use of this innovative tool to contribute to the cyber resilience of the entire sector.

If your company is one of the “most important in the financial sector”, or you would like to take a TIBER-DE test on a voluntary basis, ProSec is the right contact for you!

At a glance:

You've come to the right place if you...

  • ... are responsible for fulfilling BAIT and MaRisk requirements
  • ... are looking for experienced and reliable partners for the required vulnerability scanning and penetration testing tasks
  • ... want to achieve the required regularity of testing through the “Pentest as a Service” option
  • ... want to build real cyber resilience through red teaming under the TIBER-DE framework
  • ... value professional, comprehensive and solution-oriented documentation of the findings, including recommended measures
  • ... would like to benefit from the support of qualified and experienced penetration testers when prioritizing and planning measures
  • ... want to carry out a realistic penetration test including social engineering and, where appropriate, physical entry tests