VAIT amendment published

Cyber risks and IT security are increasingly the focus of supervisory attention as new technologies proliferate. Consequently, the German Federal Financial Supervisory Authority (BaFin) published the amended Insurance Supervisory Requirements for IT (VAIT) on March 3, 2022, bringing them into force on the same day.


IT security has been on the radar of supervisory authorities and legislators since well before the pandemic, but since the beginning of 2020 its relevance has undeniably grown far faster than anticipated. In the work programs of regulators at both national and international level, IT risks are among the main focus areas for the coming years.

Consequently, the requirements that supervisory authorities place on IT systems and IT operations are becoming increasingly granular and differentiated. Together with findings from audit practice and the publication of new requirements at the European level, this was a key driver for the amendment of the VAIT circular. The final version makes clear that BaFin is placing further emphasis on information security and on the appropriate handling of the risks arising from it.

Some of the changes were necessary in order to incorporate the EIOPA guidelines on information and communication technology security and governance into the German regulatory landscape. The fact that audits have repeatedly found shortcomings in the implementation of the existing requirements, particularly in this area but also in authorization management and outsourcing, has certainly reinforced the case for the VAIT amendment.

Beyond the growing regulatory pressure, it is also in the institutions' own interest to pay closer attention to appropriate IT security. Cyber risks grow with the adoption of new technologies and should be treated accordingly, as recent disruptions at various banking institutions and cross-cutting issues such as Log4Shell have demonstrated.


What is new in the amendment

Where the previous version covered nine topics, the amendment adds two more, operational information security and IT emergency management, and thus moves the VAIT closer to its banking counterpart, the Bankaufsichtliche Anforderungen an die IT (BAIT). The existing chapters of the VAIT were also adapted and revised.

In the area of operational information security (Chapter 5), the new VAIT require insurance companies to do the following, among other things:

  • Implement operational information security measures and processes, e.g. vulnerability management, network segmentation and control, data encryption and multi-level protection of IT systems in line with their protection needs
  • Identify threats to the information network at an early stage
  • Define rules for identifying security-relevant events
  • Analyze security-relevant events promptly and respond appropriately to information security incidents
  • Review the security of IT systems regularly, at least annually for critical systems
  • Manage identified risks appropriately

The chapter on IT emergency management (Chapter 10) deals primarily with the following topics:

  • Creation of an IT emergency concept
  • Identification of time-critical processes and activities, and of the IT processes supporting them, by means of a Business Impact Analysis (BIA)
  • A risk analysis for the processes and technical equipment identified in the BIA (the so-called Risk Impact Analysis)
  • Creation and regular updating of IT contingency plans for time-critical processes, based on the individual risk profile and taking the protection goals into account
  • Regular, documented testing of the IT contingency plans by means of contingency tests based on a test concept
  • Close coordination of contingency plans with the service provider in the case of outsourcing
  • Evidence that a remote data center is available for time-critical activities and processes in the event of a data center failure

In addition to editorial adjustments, the VAIT amendment adds further detail to the following chapters:

  • IT strategy (Chapter 1), e.g. a process for monitoring and measuring the implementation of the IT strategy objectives
  • IT governance (Chapter 2), e.g. regular review of the IT governance requirements
  • Information risk management (Chapter 3), e.g. an expanded explanation of risk criteria, regular determination of the protection needs of the components of the information network, and ongoing information on threats and vulnerabilities
  • Information security management (Chapter 4), e.g. an exemplary list of contents for the information security policy, the introduction of a guideline for the regular review of protective measures, and the definition of a continuous and appropriate awareness and training program
  • Identity and access management (Chapter 6), e.g. a definition of technical users and an explanation of how their accesses can be assigned to an acting or responsible person
  • IT projects and application development (Chapter 7), e.g. a list of organizational basics for IT projects
  • IT operations (Chapter 8), e.g. expansion of the required inventory information to include the owners and protection needs of the IT systems, as well as determination of the performance and capacity requirements of the IT systems
  • Outsourcing and other service relationships in the area of IT (Chapter 9), e.g. determination and evaluation of the requirements for the service


Compared to the draft version, BaFin made a number of changes in the final VAIT. These include, but are not limited to:

  • Integration of outsourcing into the preliminary remarks, with the corresponding passage removed from Chapter 1 on IT strategy
  • The envisaged involvement of projects in information security management has been reduced to monitoring and influencing compliance (Chapter 4.5)
  • Reduction of the "impact analysis" required for significant changes to IT systems to a general "analysis" (Chapter 7.1)
  • Reduction of the required determination and evaluation of the "functional and non-functional requirements" for the service to the general "requirements" (Chapter 9.2)
  • Editorial adjustments
