Dr. Markus Held, Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
April 18, 2012 11:30
I would like to introduce Dr. Markus Held. Sorry, sorry, sorry. That's okay. I did this now a second time wrong.
I heard one of his presentations for the first time last year and was very impressed. And I always mention in one of my sessions that the regulator's view is very important to us, and it also frames, to some extent, somewhat conflicting business requirements. And therefore I think, for banks especially, it's very important to get that view. And I'm very glad that you are here and share your views with us. Thank you.
Thank you very much, Professor Carol.
Well, I very much like the topic of this track: making information security a strategic priority. I mean, the question is, what's the regulator's view on that? Why should banks make information security, IT security, a strategic priority?
And as the representative of a regulator, my answer is quite clear: you have to. It's the authorities who say you have to do that. Case clear. Now that's it.
Well, quite short. I could talk about something a little bit different now. Actually, I had this little presentation in mind, which started with giving an introduction, talking about IT risks and the role of IT strategies, then going top down from strategies to security to show you why it makes sense to start with the strategy, and then breaking it down into all the little aspects of IT security which you find in a bank. But actually you have to do it, and that's it. So I'll hold the presentation anyway, and I'll finish with a summary which I would have given if I hadn't given you the clue why it's important right now. With this presentation BaFin does not intend to support any solutions provider or consulting company, and the presentation itself is only intended to raise awareness of the meaning of IT security in banks. Please take note of that.
Let me first introduce you to BaFin itself. People who are not from the banking industry or insurance companies might not know it. It's the German regulator and supervisory authority for banks, the equivalent to the FSA or the Fed, in a way. On this screen you see our main building in Bonn, where the banking supervision and insurance supervision is located. In fact, we can learn a few things from that slide, because if we take a closer look, we will see that at one point in time someone made the strategic decision that government sites have to be reachable.
You have to have an eye on the reachability of government buildings. If we go further to the BaFin site in Frankfurt, you will find our securities supervision there. You will notice the same thing: it's quite reachable, but you also find security features. Someone made the strategic decision that traffic planning has to include security features. That's a strategic decision which government made a long time ago, but some engineers got the idea that from that strategic decision we need to place specific features right here at that place.
Now back to my own division within BaFin. It's BA 58, called IT infrastructures in banks; I forgot, IT infrastructures in banking. We are doing the work in the fundamental issues division of BaFin on IT supervision. We advise other divisions within BaFin on IT security in banks, not in BaFin itself. And we are closely working with international cooperators, like other authorities around the globe. Now you've got the scope of why BaFin and why I myself am interested in this topic, but let's have a closer look at IT risks as such. IT risk is a subcategory of operational risk. Operational risk is anything that can happen in the normal operations of the bank or any other financial company. When you want to make money, you have to do business. You have to do things, and things can go wrong.
And in IT, things can go wrong very badly. Now IT risks are defined in a rather interesting definition by CEBS. That's the predecessor to the European Banking Authority, which has been in place for two years, but already in 2006 we find a very good definition of IT risk. It says it's a subcategory of operational risk, the current or prospective risk to earnings and capital arising from inadequate information technology and processing in terms of manageability, exclusivity, integrity, controllability, and continuity.
That's the whole classical IT security and also BCM thing. Or arising from an inadequate IT strategy: already in 2006 we find IT strategy in the scope of authorities. An inadequate IT strategy or policy, or from inadequate use of the institution's information technology. Now that's a very long definition, so let's break that down into a picture. If we've got a bank, we find IT risks on all the levels of a bank. On the top, you've got the strategic level. Someone has to make the decisions which govern the whole of the bank. In Be Cal's presentation
this morning, we have heard that Deutsche Bank makes strategic decisions for the whole of the corporation somewhere, and around the globe other decisions are derived from that. When you've got the strategic decisions, they influence the business processes, where we also have risks. Something can go wrong, either when someone has the wrong access rights and uses that to manipulate things, or on a lower level the IT processes supporting the business processes can run into problems.
For example, if something bad happens and you don't react properly when your incident management doesn't work. And on an even lower level, the applications themselves can be wrong. That is not an issue whether it's insourced or outsourced, whether it's on a classical host system or on a fashionable cloud system, which might in a way also be implemented in the host system. But that doesn't matter here. Risks can happen on all levels, from the strategic level to the system level. But risks can be connected: if you make a wrong strategic decision, that can trigger problems in business processes.
Now these business processes are implemented in applications, and they are supported by IT processes. Thus risks can be connected. They are not in every way connected, but decisions on one level influence decisions on another level. Thus you have to start at the top, at the strategic level. Now BaFin has published its legislation on IT supervision since 2006. It's called the minimum requirements for risk management, or Mindestanforderungen an das Risikomanagement. In fact the MaRisk, as we call it, tackles every aspect of risk management in the bank.
Nearly every aspect; there might be something out of scope, but let's assume that it tackles all issues. So it's quite a long document, about 30 pages, and we've got one page which directly handles IT security. That's not much. I mean, just one page on IT security. But the thing is that this whole legislation is written in a way that's principles based, and several aspects of it are connected with each other. We also have a part on strategies. And since these strategies have to capture risks, and IT risks are part of op risks, of operational risks, it also applies there.
Now let's just assume we write an IT strategy down. What does it mean? It's a strategy for handling our risks in IT, but also a vision for where we want to go in the next few years. A typical scope would be three or up to five years, but what you find in practice is that it changes over time, or it doesn't change in some cases. But what role does it take? Why do we write down what we want to do with IT? Let's assume we've got a map of our IT landscape.
We've got our processes, our systems, our applications, and on the other side we've got our risks that threaten the company: business risks, op risks, whatever. We've got requirements coming from the business side, we've got requirements coming from regulation. And the question is, what are the business goals? What are the business targets? What are the business objectives? And let's transform that into IT objectives. So it's the road ahead that we want to go. And this road ahead makes it easier, or even enables the IT department or the IT group and the subgroups,
in the case of larger companies, to find a way where to go. And along this way you've got some security in the planning itself. Some safety: my decisions are based on those decisions which business would have taken, and that makes it easier to plan.
Now, this planning is especially important for those places which are critical to you. From a strategy you can identify the places where you have to place your strongholds. Strongholds, in that case,
I mean, that's a term from the military as well as from strategy. You cannot protect everything in the same way. You cannot say that.
Well, we cannot move anything into, say, the cloud or a different system, for it's too dangerous to place it there, because you say that for business reasons we have to do it in some ways. But some things we cannot place there, and other things we can place there, but we have to protect them very strongly. And so the question is, where do you need your strongholds? And then you place them there.
Now, once you've derived from the strategic level of the company the business strategy and the IT strategy, you can take this strategy and discuss it. First, the strategic document will be discussed in the executive management and the executive board, which will then say that it's right, we accept that, that's the document which governs our IT in the next couple of years, well, in the next year at least. After that, the executive management can discuss that with a supervisory function, in that case the supervisory board, but there are also other supervisors.
That's the supervisors from authorities, who need it as an input to get an idea what the company is doing in the next few years, where they are heading. It's also a very important tool for auditors. Especially auditors from the Bundesbank are quite happy if there is a proper IT strategy in place, for it gives them a clue
what questions to ask. Now, that's quite bad, isn't it?
I mean, if auditors get a good idea which questions they could ask a bank, well, that's not really nice.
I mean, if auditors have a good idea where problems might be, what is really important, is that good? Actually, it is good, because those auditors are of the opinion that they will look at things until they find the problems. And the more time they need to find those problems, the more other problems will arise on the way. And so it basically reduces stress on both the company and the auditors
if they have a good idea where to look, if they have a good idea what is important and what they can leave out. Now talking about audits and IT assessments: in the case of BaFin it works like that. Well, I also see that I should have assessed the slide more carefully for grammar, but let's assume that BaFin has a role which is similar to a state attorney. A state attorney would usually order the police to inspect some places or a company. Now banks are, of course, not in the same role as those people who are inspected by the police.
But the role in that case is similar to the legal system or to the law enforcement system, in that we've got two official officers which are working together to have a four-eyes principle even at the supervisory level. So BaFin orders the assessments, the Bundesbank performs the assessments. The Bundesbank also has a close relationship with banking as such; it's a bank itself. So the Bundesbank knows what to look for. And BaFin will also send representatives in some cases. The assessments are all individually planned on the individual circumstances,
and the reports are then written by the Bundesbank and analyzed by BaFin. Now in such an assessment, one of the first things that will often happen in an IT assessment is that the auditors will ask for an IT strategy, and they will read it, have some questions, have a meeting with the bank, will see a presentation on the IT strategy, ask questions, discuss it with the bank, and then will revise and adapt their own assessment strategy.
They will usually have a look at the IT strategy as such, not to say that you've got something wrong there, but to understand what the bank is about, to understand what's important to the bank. The bank cannot delegate that to the authorities, and the authorities don't know better than the bank what's important to the bank. But the really important thing is that the authority understands what the bank needs, what is important to the bank, how the bank is working on that, and also the strategy processes. I have written it twice. Why?
Because you have a look at the business strategy processes and at the process for devising an IT strategy or other sub-strategies, if it's there, if it's necessary. And after that, this whole analysis of the strategy processes will give you an indication
what the place of the IT strategy is in the overall working of the bank. And from that you can devise, in a way, measures to counter your IT risks. As I've said, we want to go top down from strategies to security. Now we've got the link between the business strategy and the IT strategy. And from the IT strategy we want to derive countermeasures against our risks. Now in the MaRisk, institutes are required to have a business strategy and a risk strategy for all material risks, including IT risk. That cannot be delegated. Institutes need the strategy process.
The strategies have to be discussed with the supervisory board, and strategies are to be published within the institute. That should be obvious, but the thing is, it's not something which you just write down and place in a folder and place the folder somewhere under the desk and forget. It's something that people have to know about.
Now, the basic process looks like that: you plan the strategy, you implement the strategy, you assess the implementation, and you revise the strategy. That's very similar to the things we do in IT security. And in fact, those chapters of the MaRisk which talk about IT security start with something that looks very much strategic. It's the regulation MaRisk AT 7.2, part one: the scope and quality of the institution's technical facilities and related processes have to be based on the institution's operational needs, business activities, and risk situation.
So these are things which are in a way encoded in the strategies, both the business strategy, the risk strategies and the technical strategies, the IT strategies, and they form the scope and quality of a bank's IT. And if you think about it, that's what the banks want. That's not just what the auditors want or what supervisors want; banks want their IT to support their business goals. That's also important to us, but we want it in a secure way.
So once we've derived the IT landscape from the strategy, we also have to ensure that the systems and processes are confidential, that the integrity of the data, the confidentiality of the data, and the availability of the data are ensured. And the IT strategy is a very important tool to have enough foresight where you want to go. Remember your strongholds: you need to have an idea which points are important to you. So let's sum it up. What have we learned? We have learned a very old lesson. Carl von Clausewitz,
a very famous theorist of military strategy, wrote that a prince or general can best demonstrate his genius by managing a campaign exactly to suit his objectives and his resources, doing neither too much nor too little. Now that's the book On War, but as we've all learned, as we all know, war has ended by the institution of the state. We don't have the M which Thomas Hobbes would have written about, but within our society we have adversaries. We have threats. We have threats coming from the inside. We have threats coming from the outside.
We even have those regulatory threats, which probably I'm part of. But a prince or general, or a business manager and IT security manager, can face those threats. A prince or general can demonstrate their genius by managing their environment, their processes, to suit the objectives, to suit the resources they have, doing exactly the right thing to address the threats, to counter the threats, to move their IT infrastructure forward. And the common goal, the common objective of supervisors, regulators, and banks,
it's this: it's IT security. And if you ask yourself the question, why the heck is this guy talking all about IT strategies in this cloud environment, in this conference about identity management? The thing is, the problems we see in some cases already start at this strategic level. You need to have a clear strategic decision which parts of your IT processes you want to handle in the cloud and which you don't. You need to have a clear decision
whether you want to do cloud computing at all. You need to have a clear decision how far you want to go with your identity management. And if you don't want to go far, what else can you do to counter the threats?
So, first of all, you need to have an idea where you want to go, and then you can implement your security. And that's basically it. For compliance reasons I will also say that BaFin does not support any specific solutions provider or consulting company, but take it seriously, take IT security seriously, and then we're all happy. Thank you very much. Have you got any questions?
Thank you, Markus. That was again very insightful. And now I understand why you liked the title, making information security a strategic topic.
I think strategy played a very important role and was the center of your presentation. We should definitely take the time for some questions.
And again, I will start off, if you allow. To what extent is your view, that strategy should be the starting point of our thinking even when we talk about information security, aligned with other regulators' views?
Do you talk to them? Do you reconcile your requirements with others?
Yes. Well, first of all, the requirements defined by BaFin are also derived from Basel II in that case. And if you talk to other regulators, to other supervisors, then you get a clear indication that, although there are slight differences in assessment processes, the basic idea that you usually make a top-down approach to understand the company still is the way to go. And in that case, strategy is a tool to better understand the company, to explicate knowledge about the internal workings, about the directions.
Okay, thank you. I've seen a hand over here.
Matthew Gardner from RSA. Again, regulators are usually associated with carrying a stick. You know, you must do this. Are there things that BaFin does or could do that's the carrot, essentially rewarding good practices to thus incent banks to do better security?
You mean rewarding a bank for doing that job?
Well, I mean, for example, if I think of the US, there's tiny banks and there's giant banks. And from an IT security point of view, some would be very immature, some would be mature. And how do you incent banks to be mature other than just hitting them with a stick?
Well, usually we don't have to hit. And I think the thing is that, as I've said, we always have a look at the individual circumstances of a bank. This is principles-based regulation, which means that we don't say, well, there's this huge list of rules: you've got that one, you've got that, that, that, and that's it.
I mean, we apply the principles to the individual circumstances of a bank. So if we have a look at a very small bank, the principles apply in a different way than in the case of Deutsche, for instance. If you just have a look at the numbers, a small bank has a very much smaller IT, usually, which is under its own direct control, but has outsourced many parts of its IT in many cases, but also shares the service provider with other small banks. So that's a case where also the banks have to communicate.
And so the regulation applies to all banks, but the way in which it applies depends on the circumstances. So the strategy doesn't have to look the same for all banks.
If you're a small bank, you probably will have slightly fewer sheets in your strategy, but it'll be fine as well.
Are there any further questions? Then I have one last question. You mentioned also that regulation from BaFin is principles-based. Yes. Quite high-level regulation. Yeah. Sometimes we banks wish that you become a bit more concrete, for good reasons. I'll give you one example.
So obviously, since it's part of ISO and the good practices of information security management, we are all asked to classify our information. So obviously now each bank, even the smaller ones, has to think about how we can do this and what kind of classes and all that. Right now we are not working in isolation, so we have to interact with each other, with our clients, et cetera.
Now, what are we doing if these classification concepts are not aligned with each other? So we've seen that conflicts, and here obviously the banks wish a bit more guidance, a bit more, let's say, frameworks which help us to survive here.
Well, I don't pretend to be smarter than you. So the thing is, BaFin in itself is not a bank. What we can do is we can have a look at what banks do and try to find problems and to tackle these problems. But the business of the banks is best run by the banks themselves. And that also applies to these concepts.
Once regulation is very much broken down into very specific issues, then perhaps we would see exactly the opposite problem. So I think there's no best solution to that, but I think that the current regulation has the advantage of really covering all major issues we find in banks right now.
And it is an art to apply it, but it works.
Thank you for the answer. Finally, looking around for further questions.