BaFin warns of high cyber attack risk for banks
In-house errors are often to blame for serious IT incidents at banks. According to a first-time analysis published by BaFin, only in every 20th case are cyberattacks the reason why financial institutions feel compelled to make a report to financial supervisors. Nonetheless, the authorities emphasise that the threat level remains very high. In total, 235 reports from banks regarding serious IT failures and cyberattacks were received by supervisors last year, marking a 17.5% increase compared to the previous year.
Notably, security incidents, primarily successful cyberattacks, account for only 5% of all reported incidents. The remaining 95% are attributed to IT errors and human error.
Mature IT systems
Jens Obermöller, Head of the IT Supervision/Cybersecurity Group at BaFin, attributes this to banks being relatively well-equipped in terms of IT security. „Compared to companies in other sectors, their systems often have a higher maturity level, for example in IT risk management, business continuity management, and in implementing attack defense mechanisms.“
This is also due to its status as a regulated sector, which has a long-established history in IT security. „According to our observations, increasingly it's not the banks themselves but rather service providers in the value chain that serve as entry points for cybercriminals“, Obermöller told Börsen-Zeitung. „Nevertheless, there remains a high level of threat in the banking sector“, he continues. „Partly due to its interconnected nature. And then third-party service providers also come into play, where we must seriously advance resilience levels.“
This refers to the outsourcing of more and more IT services to external providers of all kinds and sizes, whether to well-protected cloud providers like Amazon or Google, or to smaller, sometimes more vulnerable service providers, such as account switching services. For example, last year the service provider Majorel fell victim to a hacker attack. Records including customer names and account numbers from ING Deutschland, Deutsche Bank, and Postbank were stolen and later surfaced on the dark web.
Cluster risks
The causes of the payment incidents reported in 2023 were 40% attributable to outsourcing companies rather than banks, writes Benedikt Queng, an officer in the IT Supervision/Cybersecurity Group, in an article in BaFin-Journal about last year's IT incidents.
Who has to report IT incidents, and when, is set out in a BaFin circular, implementing the requirements of the second Payment Services Directive (PSD2) into national law. Specific thresholds apply. Only when these are met must an incident be reported to BaFin.
Among the reporting criteria, Queng lists the number of affected customers and the transaction volume, but also negative press coverage and an accumulation of complaints on social media channels. The criteria are divided into low and high impact levels. „An obligation to report exists if an IT incident affects either three criteria with low impact or one criterion with high impact“, he explains.
According to BaFin, a total of around 1,300 institutions are subject to the reporting obligation for IT incidents. These include approximately 1,040 savings banks and cooperative banks; Finanz Informatik and Atruvia report on behalf of their respective groups. Fund companies, securities firms, insurance companies, and leasing companies are excluded.
Attack attempts are not counted
The statistics provide no information on attempted attacks, nor on incidents and attacks that fall below BaFin's radar, i.e. that do not reach the reporting thresholds. „We see few successful attacks with serious impacts on payment services. However, successful attacks can have serious consequences for the affected company and the financial markets. What companies defend against daily in terms of attacks, we do not see in the data“, Queng emphasises. „Yet the risk of being attacked is enormously high.“
So far, hybrid activities by Russia against Western targets in the aftermath of the war in Ukraine have not resulted in increased numbers of cyber attacks on the financial sector, the supervisors explain. One reason is the high reporting thresholds; a second is that the number of financial institutions subject to mandatory reporting is limited.
Insurers excluded
The hacker attack on Deutsche Leasing – regardless of who ultimately committed it – was therefore not subject to reporting obligations, just like the one on Provinzial Versicherung almost exactly a year ago. Additionally, Obermöller notes that it is more difficult for cyber attackers to succeed with banks, as they are relatively well protected.
When the new regulatory framework Digital Operational Resilience Act (Dora) comes into force on January 17, 2025, reporting obligations will extend to almost all financial institutions in the European Union, including insurers, crypto custodians, and exchanges. Supervisors are convinced that Dora will further strengthen the digital resilience of the financial sector.
Dora not only expands the circle of those obligated, but also harmonises requirements for IT risk management and the monitoring of critical IT third-party providers, and standardises and tightens reporting obligations for IT incidents. Implementation will also replace the PSD2 incident reporting system with reporting obligations under Dora, BaFin notes.
Obermöller also considers cyber crisis exercises, such as those held by the major Western industrialised countries (G7), increasingly important for counteracting the growing threat. „The issue of crisis response will become more important. Here, oversight can create added value and contribute to further strengthening crisis management in the industry“, he says. For instance, the G7 Cybersecurity Expert Group held a coordination exercise in April, enabling financial institutions in G7 countries to quickly coordinate and respond to cyber attacks. Representing Germany were BaFin, the Bundesbank, and the Federal Ministry of Finance.