News
01.10.2014

You have KRITIS!

On the draft of a new IT security law

Critical infrastructures are organizations and facilities of vital importance to the state and society, whose failure or impairment would cause lasting supply shortages, significant disruption to public safety or other dramatic consequences.

This naturally includes the financial, monetary and insurance sector, i.e. banks, insurers, financial service providers and stock exchanges. Relevant for it is the implementation plan "UP KRITIS: Public-Private Partnership for Critical Infrastructure Protection - Principles and Objectives", revised in February 2014. [1] Alongside it stands the draft IT Security Act of August 2014, which forms part of the German government's Digital Agenda [2]. The draft is considered controversial [3] because it introduces new reporting obligations and supervisory elements. [4]

 

Key points of the IT Security Act

  • The law applies to all "operators of critical infrastructures". Under Section 10 (1) of the Act on the Federal Office for Information Security (BSI Act), the Federal Ministry of the Interior is to determine by statutory ordinance which operators these are, and must, among other things, first consult representatives of the affected trade associations.
  • The draft introduces a reporting obligation for companies in the event of an attack on their IT systems. Reports are to be made directly to the Federal Office for Information Security (BSI); a pseudonymous report is generally sufficient. The operator must identify itself, however, if the incident actually causes the critical infrastructure to fail or to be impaired.
  • Companies are also to define security standards for their respective sectors within two years. The sectors under discussion are energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance.
  • Certain companies and institutions are further to be obliged to report system malfunctions where a failure could have far-reaching consequences beyond data protection alone. Besides banks, energy grids and hospitals, public authorities and telecommunications networks are likely to be affected.
  • Finally, the jurisdiction of the Federal Criminal Police Office (BKA) is to be extended to numerous cybercrimes that previously fell to the federal states. [5]

 

New supervision

  • The draft repeatedly reflects its aim of strengthening the role and powers of the BSI. One pillar of this concept is establishing the BSI as the supervisory authority for the measures companies are required to take.
  • To that end, the draft requires companies to submit to the BSI, at least every two years, a list of all security audits, inspections and certifications carried out, including any security deficiencies found in the process. Where deficiencies are found, the BSI is also to be able to demand their immediate rectification. [6]

 

Hosting in vogue

Alongside the innovative development of business functionality, IT security is a focus topic for afb because requirements are rising across the board. 90% of our customers also use afb's operational services. It goes without saying that we follow recognized best-practice frameworks such as ITIL and COBIT as well as the BSI and ISO standards to increase transparency and security.

This gives our customers the professionalism they need to remain "state of the art" at all times, while also giving them the freedom to concentrate fully on the demanding core business of retail finance and leasing.




1 Download: http://www.kritis.bund.de/SubSites/Kritis/DE/Home/home_node.html

2 Download: http://www.bmwi.de/BMWi/Redaktion/PDF/Publikationen/digitale-agenda-2014-2017,property=pdf,bereich=bmwi2012,sprache=de,rwb=true.pdf

3 http://www.bdi.eu/download_content/SicherheitUndVerteidigung/Positionspapier_Sicherheitsgesetz_25_02.pdf

4 For the draft, see http

5+6 Source: http://www.noerr.com/de/presse-publikationen/News/neuer-entwurf-eines-it-sicherheitsgesetzes.aspx