In recent years, the Federal Financial Supervisory Authority (BaFin) has increasingly dealt with IT security issues in the banking sector. The 2021 amendment to the banking supervisory requirements for IT (BAIT) issued by BaFin specifies requirements in particular in the areas of “operational security” and “IT emergency management”. The BAIT amendment 2021 states under point 5.6:
“The security of banks’ IT systems is to be reviewed regularly, on an ad hoc basis and in a way that avoids conflicts of interest.”
With a vulnerability analysis or a penetration test from ProSec, you as the responsible person can fulfill these requirements conscientiously. Our penetration tests can also be booked “as a service”, whereby we test the development of your IT security at regular intervals.
The ever-increasing threat of cyberattacks entails an increase in regulatory security requirements. This increases the challenges and burdens for you as the person responsible for IT security:
...edited or still have it to do. Furthermore, point 5.3 of the BAIT amendment 2021 requires the introduction of security information and event management (SIEM). The 44 test hovers over everything like the sword of Damocles.
...are you happy about all the pentest questions in the ICT questionnaire!
With ProSec's pen testers and IT security consultants, you get reliable, competent and experienced partners with whom you can work on your tasks professionally and efficiently.
More and more banks are outsourcing their IT to data centers due to increasing personnel and technical requirements. At GENO banks, Atruvia AG (formerly GAD or Fiducia) takes care of the IT, and at savings banks, Finanz Informatik (FI).
In addition to these two large service providers, there are other providers of external data centers. Very few banks still operate entirely with their own data centers; many are currently in the migration phase from in-house to external.
But be careful: IT services can be outsourced, but responsibility cannot!
Both BaFin and the European Banking Authority emphasize that “the management of an outsourcing institution can never outsource its responsibilities” (source: BaFin).
ProSec supports you in meeting this responsibility and maintaining control over your IT security!
With a penetration test from ProSec, you meet BaFin's regulatory requirements on the one hand and build real cyber resilience for your bank on the other. We work absolutely independently and always based on our moral compass - we actively practice the term “ethical hackers”.
Our penetration tests are holistic and, by arrangement, also include physical access security to buildings and, in particular, social engineering. In most cases, real attackers target the weakest link in the security chain: people. Our pentests are not automated; instead, we start by discussing your current status and working together to find the right scope for your individual pentest.
At the end of the penetration test you will receive from us an action plan according to the RACI matrix and PRINCE2 method with all findings and concrete measures to eliminate the security gaps. We also hold a technical workshop where our pentesters pass on their specialist knowledge to your team and discuss and prioritize the contents of the action plan together with you.
Our stated goal is to work with you to build your bank's cyber resilience as efficiently as possible.
Cyber attacks on the financial sector are not just a German problem. Therefore, in 2018, the European Central Bank (ECB) published a framework that enables companies across Europe to build comparable cyber resilience: Threat Intelligence-based Ethical Red Teaming (TIBER-EU).
The TIBER Cyber Team (TCT) of the Deutsche Bundesbank is responsible for implementing the framework in Germany (TIBER-DE). BaFin explains who benefits from TIBER-DE tests and who should definitely take advantage of them:
TIBER-DE tests should be open to banks, insurance companies, financial market infrastructures and their most important service providers - on a voluntary basis. However, the most important companies in the financial sector are expected to make use of this innovative tool to contribute to the cyber resilience of the entire sector.
BaFin
If your company is one of the... “most important in the financial sector” or you would like to take a TIBER-DE test on a voluntary basis, ProSec is the right contact for you!
You've come to the right place if you...