Supervisory Requirements for IT in Insurance Companies (VAIT)
The Federal Financial Supervisory Authority (BaFin, Bundesanstalt für Finanzdienstleistungsaufsicht) has formulated clear expectations for the management and organisation of the IT of insurance companies in the form of the Supervisory Requirements for IT in Insurance Companies (VAIT, Versicherungsaufsichtliche Anforderungen an die IT). On the one hand, the VAIT aim to create transparency by translating existing supervisory standards comprehensibly into concrete IT requirements. On the other hand, they aim to raise the IT risk awareness of insurance companies, especially at management level, and thereby create risk transparency.
When implementing the VAIT, the risks associated with the company's activities determine the depth to which measures are implemented. This rationale is known as the Principle of Proportionality.
According to BaFin, the requirements of the VAIT are derived from existing regulations, which is why no implementation period is granted. They came into force with the publication of Circular 10/2018 (Rundschreiben 10/2018) on 2 July 2018. Overall responsibility for implementation lies with the entire Board of Management.
The requirements permeate the entire organisation from strategy to operations. They are divided into eight topic modules and comprise 70 individual requirements.
In its function as the supervisory authority for banks and insurance companies, BaFin has formulated IT requirements for insurance companies and pension funds, as it previously did for the banking sector (November 2017). In the following, the general conditions, structure and content of the Supervisory Requirements for IT in Insurance Companies are explained in more detail.
A central motive of BaFin for composing the VAIT is, as mentioned above, to sharpen IT risk awareness in companies, with special focus on management level. BaFin defines IT risk as the existing and future risk of losses due to the inappropriateness or failure of the hardware and software of technical infrastructures, which could impair the availability, integrity, accessibility and security of these infrastructures or of data (cf. Gampe, 2018, p. 25).
Furthermore, the VAIT create a concrete framework for the IT design of companies. This contrasts with other regulations, such as the Minimum Requirements for the Business Organisation of Insurance Companies (MaGo, Mindestanforderungen an die Geschäftsorganisation von Versicherungsunternehmen), which are very general in terms of IT. This specificity gives companies certainty, but with a caveat: BaFin does not regard the VAIT as a complete catalogue of requirements. IT-related requirements from the MaGo (and other regulations) that are not dealt with in the VAIT must therefore be implemented as well.
What is the scope of VAIT?
The VAIT are directed at companies that are subject to supervision in accordance with Section 1(1) of the Insurance Supervision Act (VAG, Versicherungsaufsichtsgesetz), with the exception of special purpose insurance companies within the meaning of § 168 VAG and the guarantee fund (Sicherungsfonds) within the meaning of § 223 VAG. The target group therefore consists of primary insurance and reinsurance companies, pension funds, insurance holding companies and companies whose main activity is holding participations in primary insurance or reinsurance companies or pension funds.
When do companies have to meet the VAIT requirements?
As BaFin sees it, the VAIT do not contain any new requirements but merely explain or specify existing supervisory requirements (cf. Gampe, 2018, p. 27). As a result, companies are not granted an implementation period. In other words: with the publication of Circular 10/2018 on 2 July 2018, the VAIT officially came into force.
VAIT and other regulations
The VAIT are linked to other regulatory instruments such as legislative texts, circulars and ordinances, which in turn have interdependencies among themselves and thus form a network of requirements. Figure 2 gives a rough and simplified overview of these regulations.
The core texts that form the framework for the VAIT circular are the VAG and the MaGo. The VAIT provide guidance on the interpretation of the provisions on business organisation contained in the VAG. These provisions are in turn summarised as minimum requirements in the MaGo, so that the VAIT constitute a concretisation of the MaGo. As discussed above, the scope of application is also taken from the VAG.
- VAIT provide guidance on the interpretation of the provisions on business organisation in the VAG relating to technical and organisational equipment
- VAIT specify the IT requirements covered in MaGo
- The recipients of MaGo are all companies subject to supervision under Solvency II
- MaGo provides guidance on the interpretation of the provisions on business organisation in the VAG
- MaGo provides guidance on the interpretation of the provisions on business organisation in the CDR 2015/35
- Commission Delegated Regulation to Solvency II
- VAG serves to transpose Solvency II into German law
*CDR 2015/35: Commission Delegated Regulation (EU) 2015/35
Responsibility for Implementation
A notable feature of the VAIT is that they break with the usual division of responsibilities among members of management. Those requirements in the Circular that fall to the Management Board apply to all of its members. Responsibility cannot be allocated to one or more individual Board members, let alone delegated.
Principle of Proportionality
A principle already enshrined in Solvency II, the VAG and the MaGo is applied when implementing the VAIT: the Principle of Proportionality. The requirements of the VAIT shall be met in an appropriate manner, depending on the nature, scope and complexity of the risks associated with the company's activities (cf. Section 296(1) VAG). In other words, the depth of implementation is proportional to the company's risk profile. Various indicators may point to a lower risk profile: for example, the size of the company and the number of employees, but also the customer base, influence the risks.
For companies with a lower risk profile, simpler structures, IT systems or processes may be sufficient in accordance with the Principle of Proportionality. However, once established, structures, IT systems and processes are not set in stone and may have to be developed further and adapted to a company's changing risk profile, for example when the company grows.
Structure of the VAIT
The current version of the Circular (10/2018) contains 70 requirements, divided into eight topic modules. Some requirements are supplemented by explanatory remarks which, for example, set out the minimum content of the documents or processes demanded by the requirement.
The topic modules map onto the corporate levels Governance, Management and Operations, with Governance requirements being more abstract and Operations requirements specific and concrete (see Figure 3). For example, while the IT Strategy module deals with general strategic goals, User Authorisation Management formulates clear guidelines for authorisation concepts.
The following provides an overview of the requirements formulated in the individual areas of VAIT.
IT Strategy
The central postulate of the first topic module is the definition of an IT strategy that is consistent with the business strategy and whose depth of detail depends on the company's risk profile. In addition, minimum contents of the IT strategy are defined. These include the IT structures and IT procedures organisation, the outsourcing of IT services or procurement of IT, information security, and IT systems operated or developed in-house.
IT Governance
Management is responsible for establishing provisions (Regelungen) for the IT structures and IT procedures organisation, based on the goals set out in the IT strategy and in line with the risk profile, and for ensuring that these provisions are implemented. Furthermore, demands are made on the staffing, knowledge and experience of employees as well as on the technical and organisational equipment in information risk and information security management, IT operations and application development. Conflicts of interest within the IT structures and IT procedures organisation must also be avoided.
Information Risk Management
The company must introduce and implement information risk management, with processes for identifying, evaluating, monitoring and controlling risks. These include the identification of IT risks and the definition of protection requirements. The company must define measures for achieving the protection goals in accordance with the determined protection requirements and document them in a catalogue of measures.
In addition, IT risk criteria must be defined on the basis of which a risk analysis is carried out. Risk management must report the results of the risk analysis to management at least once a year and have them approved.
Information Security Management
In line with the strategy, management must adopt guiding principles for information security describing the organisation of information security management. Based on these principles, guidelines and information security processes must be defined to ensure that the protection goals are achieved.
Furthermore, the company must establish the function of an information security officer. This function deals with all aspects of information security within the company as well as vis-à-vis third parties and reports on them to management. For example, it monitors the implementation of goals and measures relating to information security.
User Authorisation Management
The company must set up user authorisation management, as part of which authorisation concepts must be defined for all IT systems, consistent with the protection requirements of the respective system. Authorisation management is accompanied by technical and organisational measures that prevent the specifications of those concepts from being circumvented.
The setup, modification, deactivation and deletion of authorisations must be documented and pass through approval and control processes. Likewise, authorisations must be checked regularly and on an ad-hoc basis, and recertified or, if necessary, adjusted.
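As an added example (not from the VAIT circular or this article), the following Python script shows one way to operationalise the recertification requirement: it compares a permission export from a system with the approved authorisation concept for that system and reports accounts with no approved assignment, permissions that no approved role grants, assignments whose last recertification is older than the review interval, and approved assignments that were never provisioned. The role concept, assignments, permission export, review date and one-year interval are all constructed for the example and are not taken from the page.

```python
from dataclasses import dataclass
from datetime import date

# Constructed data: the approved authorisation concept of a hypothetical
# claims system. Each role maps to the permissions it grants.
APPROVED_ROLES = {
    "claims_clerk": {"claims:read", "claims:create"},
    "claims_approver": {"claims:read", "claims:approve"},
    "db_admin": {"db:admin"},
}

# Constructed data: approved role assignments per account, together with the
# date on which the assignment was last recertified.
APPROVED_ASSIGNMENTS = {
    "alice": ({"claims_clerk"}, date(2024, 3, 1)),
    "bob": ({"claims_approver"}, date(2023, 1, 15)),
    "carol": ({"db_admin"}, date(2024, 2, 10)),
}

# Constructed data: permissions actually present on the system, as a
# permission export would deliver them.
ACTUAL_PERMISSIONS = {
    "alice": {"claims:read", "claims:create", "claims:approve"},
    "bob": {"claims:read", "claims:approve"},
    "carol": {"db:admin", "os:root"},
    "svc_legacy": {"db:admin"},
}

# Assumed review date and maximum accepted age of a recertification.
REVIEW_DATE = date(2024, 6, 1)
MAX_RECERT_AGE_DAYS = 365


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    detail: str


def permissions_for(roles, role_concept):
    """Union of the permissions granted by the given approved roles."""
    granted = set()
    for role in roles:
        granted |= role_concept.get(role, set())
    return granted


def recertification_check(actual, approved, role_concept, today, max_age_days):
    """Compare a live permission export with the approved concept.

    Returns one Finding per deviation, ordered by account name:
      ORPHAN_ACCOUNT          account exists but has no approved assignment
      EXCESS_PERMISSION       permission present that no approved role grants
      RECERTIFICATION_OVERDUE assignment not recertified within max_age_days
      NOT_PROVISIONED         approved assignment without an account on the system
    """
    findings = []
    for account in sorted(actual):
        perms = actual[account]
        if account not in approved:
            findings.append(Finding(account, "ORPHAN_ACCOUNT",
                                    f"{len(perms)} permission(s) without approved assignment"))
            continue
        roles, last_recert = approved[account]
        for perm in sorted(perms - permissions_for(roles, role_concept)):
            findings.append(Finding(account, "EXCESS_PERMISSION", perm))
        if (today - last_recert).days > max_age_days:
            findings.append(Finding(account, "RECERTIFICATION_OVERDUE",
                                    f"last recertified {last_recert.isoformat()}"))
    # Approved assignments with no account in the export: check that the
    # deactivation was deliberate and documented.
    for account in sorted(set(approved) - set(actual)):
        findings.append(Finding(account, "NOT_PROVISIONED",
                                "approved assignment but no account on the system"))
    return findings


def run_review():
    """Run the check against the constructed data with the fixed review date."""
    return recertification_check(ACTUAL_PERMISSIONS, APPROVED_ASSIGNMENTS,
                                 APPROVED_ROLES, REVIEW_DATE, MAX_RECERT_AGE_DAYS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.account:<12} {f.kind:<24} {f.detail}")
```

The check deliberately starts from the system export rather than from the approved list: an account that nobody approved (here `svc_legacy`) is invisible to a review that only iterates over known assignments, and exactly such accounts are what "technical and organisational measures to prevent circumvention" are meant to catch.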
IT Projects and Application Development
The company has to define an appropriate organisation and processes for IT projects and application development. This includes assessing the impact of IT projects on the IT structures and IT procedures organisation and on the associated IT processes within the framework of an impact analysis. In particular, a portfolio view of IT projects must be created, which allows, for instance, the assessment of risks arising from dependencies between projects. Projects must be controlled with regard to their risks, and reporting obligations to management must be introduced for critical projects.
In the area of application development, processes for requirements determination, quality assurance, documentation, post-production monitoring, testing, acceptance and approval, among others, must be defined. Furthermore, precautions must be taken to ensure that protection goals such as confidentiality, integrity, availability and authenticity are still achieved after go-live.
IT Operations
The company needs to set up the service support processes known from ITIL: configuration, change, incident and problem management. For this purpose, a configuration management database (CMDB) is to be maintained in which the components of the IT systems and their relationships are managed. This enables control of the IT system portfolio, including the risks arising from outdated systems.
Change management processes must be structured according to the risk profile and include the orderly acceptance, documentation, evaluation with regard to implementation risks, prioritisation, approval and implementation of changes.
In incident management, processes for the appropriate recording, evaluation, prioritisation (with regard to the resulting risks) and escalation of incidents must be established. In addition, their processing, root-cause analysis and resolution, including tracking, must be documented. Criteria must also be defined for reporting malfunctions to management.
Finally, a data backup concept must be drawn up which specifies the data backup procedures and formulates requirements for the availability, readability and currency of data on the basis of the business processes. Compliance with these requirements must be tested regularly.
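As an added example (not from the VAIT circular or this article), the following Python script shows what a regular test of the three backup properties named above can look like when the requirements are expressed per business process: availability (a backup for the process exists at all), readability (the restored bytes match the checksum recorded at backup time and still parse as the expected format) and currency (the newest readable backup is not older than the process allows). The business processes, maximum ages, backup store and check time are all constructed for the example; a real run would read the manifest and perform a trial restore from the backup medium instead of holding the blobs in memory.

```python
import csv
import hashlib
import io
from datetime import datetime, timedelta

# Constructed data: for each business process, the maximum age a usable
# backup may have. In practice this is derived from the process's
# tolerance for data loss.
REQUIREMENTS = {
    "claims_processing": timedelta(hours=24),
    "policy_admin": timedelta(hours=4),
    "general_ledger": timedelta(hours=24),
    "reinsurance_reporting": timedelta(hours=48),
    "customer_portal": timedelta(hours=12),
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed in-memory backup store. "sha256" is the checksum recorded when
# the backup was taken; "blob" is what a restore returns today.
CLAIMS_BLOB = b"claim_id,amount\n1001,250.00\n1002,80.50\n"
POLICY_BLOB = b"policy_id,holder\nP-1,Example Holder\n"
LEDGER_BLOB = b"entry,debit,credit\n1,10.00,0.00\n2,0.00,10.00\n"
REINS_BLOB = b"treaty,ceded\nT-7,1200.00\n"

BACKUPS = [
    {"process": "claims_processing", "taken_at": datetime(2024, 6, 1, 2, 0),
     "sha256": sha256_hex(CLAIMS_BLOB), "blob": CLAIMS_BLOB},
    {"process": "policy_admin", "taken_at": datetime(2024, 5, 31, 12, 0),
     "sha256": sha256_hex(POLICY_BLOB), "blob": POLICY_BLOB},
    # Older ledger backup that is intact ...
    {"process": "general_ledger", "taken_at": datetime(2024, 5, 31, 23, 0),
     "sha256": sha256_hex(LEDGER_BLOB), "blob": LEDGER_BLOB},
    # ... and the newest one, truncated on the medium (simulated corruption).
    {"process": "general_ledger", "taken_at": datetime(2024, 6, 1, 1, 0),
     "sha256": sha256_hex(LEDGER_BLOB), "blob": LEDGER_BLOB[:-6]},
    # Only copy for this process is truncated as well.
    {"process": "reinsurance_reporting", "taken_at": datetime(2024, 5, 31, 20, 0),
     "sha256": sha256_hex(REINS_BLOB), "blob": REINS_BLOB[:-4]},
    # customer_portal has no backup at all.
]

# Assumed time at which the regular test runs.
CHECK_TIME = datetime(2024, 6, 1, 8, 0)


def is_readable(blob, recorded_sha256):
    """Readability: restored bytes match the recorded checksum and parse as
    CSV with a header and at least one data row of consistent width."""
    if sha256_hex(blob) != recorded_sha256:
        return False
    try:
        rows = list(csv.reader(io.StringIO(blob.decode("utf-8"))))
    except UnicodeDecodeError:
        return False
    return len(rows) >= 2 and all(len(r) == len(rows[0]) for r in rows)


def verify_backups(backups, requirements, now):
    """For every business process, find the newest readable backup and check
    it against the process's maximum age.

    Result per process: {"status": OK | STALE | CORRUPT | MISSING,
                         "usable_backup": datetime of the backup used or None,
                         "corrupt_copies": number of newer unreadable copies}
    """
    by_process = {}
    for b in backups:
        by_process.setdefault(b["process"], []).append(b)

    report = {}
    for process, max_age in requirements.items():
        candidates = sorted(by_process.get(process, []),
                            key=lambda b: b["taken_at"], reverse=True)
        corrupt = 0
        usable = None
        for b in candidates:
            if is_readable(b["blob"], b["sha256"]):
                usable = b
                break
            corrupt += 1
        if usable is None:
            status = "CORRUPT" if candidates else "MISSING"
        elif now - usable["taken_at"] > max_age:
            status = "STALE"
        else:
            status = "OK"
        report[process] = {"status": status,
                           "usable_backup": usable["taken_at"] if usable else None,
                           "corrupt_copies": corrupt}
    return report


if __name__ == "__main__":
    for process, r in verify_backups(BACKUPS, REQUIREMENTS, CHECK_TIME).items():
        print(f"{process:<24} {r['status']:<8} usable={r['usable_backup']} corrupt_copies={r['corrupt_copies']}")
```

The point of checking readability before currency is that a backup which exists and is recent but cannot be restored satisfies none of the three requirements; the ledger case above shows why the count of skipped corrupt copies is worth reporting even when an older intact copy still meets the age limit.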
Outsourcing of IT Services and Other Service Relationships
A risk analysis must be carried out before IT services are outsourced, cloud services are used or other service relationships in the area of IT services are entered into. The risk analysis must be taken into account both when drafting the contracts and in the operational risk management process.
Furthermore, the company must manage other service relationships in the area of IT services, including a risk analysis, and monitor whether the services owed are actually provided. To this end, a complete, structured overview of contracts must be maintained.
Conclusion and Outlook
The VAIT show that BaFin's view of information technology within insurance companies and pension funds has changed: the status of IT has been substantially upgraded. BaFin no longer understands IT merely as a means to an end or a support function for the core business (i.e. insurance services), but as an element that now receives special attention.
This re-evaluation is necessary and timely inasmuch as IT increasingly penetrates all levels of a company and is offered as a service both within the company and to customers. It has become a product.
In addition, IT does not only make the insurance business easier or more efficient; it is vital to providing insurance services at all. This means that a large risk potential derives from information technology.
The VAIT have a modular structure. BaFin has already stated that it will make use of this flexibility to continually adapt and supplement the VAIT in response to future changes and extensions of international and national regulations (cf. Gampe, 2018, p. 28). Firstly, BaFin is planning a module on Critical Infrastructures (Kritische Infrastrukturen), which concerns exclusively operators of Critical Infrastructures (in accordance with the BSI-KritisV) and will presumably concretise requirements from the IT Security Act (IT-Sicherheitsgesetz).
Secondly, BaFin is examining whether procedures from the paper Fundamental Elements of Cybersecurity for the Financial Sector, published by the G7 states in October 2016, should be integrated into the VAIT. This is significant in that, for example, the paper's sixth element, Recovery, is hardly treated in the current version of the VAIT. A (partial) implementation of the Fundamental Elements therefore has the potential to considerably expand the scope of the VAIT.
Sources
Gampe, Jens: "IT-Sicherheit: Aufsicht konkretisiert IT-Anforderungen an die Versicherungswirtschaft". In: BaFin Journal, April 2018. https://www.bafin.de/SharedDocs/Downloads/DE/BaFinJournal/2018/bj_1804.pdf?__blob=publicationFile&v=4 (accessed 02/07/2018)
Bundesanstalt für Finanzdienstleistungsaufsicht: "Rundschreiben 10/2018: Versicherungsaufsichtliche Anforderungen an die IT (VAIT)". https://www.bafin.de/SharedDocs/Downloads/DE/Rundschreiben/dl_rs_1810_vait_va.pdf?__blob=publicationFile&v=4 (accessed 02/07/2018)