U-turn in German financial supervision: Bafin is focusing on cyber attacks and IT breakdowns as the biggest risks for the financial sector. “We have the feeling that these attacks are getting closer and closer to the heart of the financial system and we have to do everything we can to fend them off,” said Bafin President Mark Branson on Tuesday at the supervisory authority’s annual press conference. “We will create a new cyber situation for the financial sector and simulate hacker attacks even more frequently.”
A year ago, Branson was primarily concerned about general financial stability in Germany – no wonder after the regional banking crisis in the USA and the emergency takeover of Credit Suisse. But now, it seems, the dangers of high key interest rates and the real estate market have been averted for the time being. Now the focus is on the security of the technical systems. “Companies in the financial sector must be resilient – against financial and operational risks,” he demanded.
As an example, he cited the attack by the Clop hacker group last summer. “It exploited a vulnerability in the Move-IT data transfer program,” Branson said. Thousands of companies and their customers worldwide were affected by data leaks. “Including numerous German financial institutions and insurers who work with service providers in customer service who use this program.” In this case, the account details of thousands of customers from ING, Postbank, Deutsche Bank and other institutions who had used a certain account switching service ended up on the darknet – quite a shock for many bank customers.
The Federal Office for Information Security (BSI) has also just warned of an unprecedented threat from cyber attacks. Authorities and companies are affected – including the financial sector. “We are seeing an increasing number of vulnerabilities in software products that make cyber attacks possible,” said Federal Office Chief Claudia Plattner. Criminals also exploit these weaknesses mercilessly in this country, as well as politically motivated attacks by hackers from Russia in response to military aid for Ukraine.
Empty accounts with Commerzbank customers
Bafin is also concerned about outsourcing services to external providers. Criminals recently had a crime at Commerzbank because of… Error by a service provider The accounts of more than a hundred customers were cleared and a double-digit million sum was withdrawn. Commerzbank has compensated the customers, but has since been examining whether it needs to take additional security measures when dealing with external service providers. Bafin will require such precautions from the entire banking sector in the future.
Banks should therefore invest
Hackers recently emptied the accounts of over a hundred Commerzbank customers.
(Photo: Helmut Fricke/dpa)
Don’t neglect cyber defense, says Branson. There is probably enough money: Germany’s major banks are likely to have made their highest profit in 25 years, says the analysis house Barkow Consulting. “It’s not just shareholders who should benefit from the profits. Companies also need to invest more than ever in their operational security and stability,” said Branson. Banks should ensure that systems are protected from attacks.
This is likely to appeal primarily to Commerzbank and Deutsche Bank, both of which have promised a higher dividend and are also buying back shares on a large scale. The banks’ high profits currently come less from flourishing customer lending business or record sales of securities, but rather from unperforming billion-dollar profits. Branson spoke of a special economic situation. The reason: The change in interest rates means that the central banks are paying billions in interest to the banks. The institutions largely distribute these “excess profits” to shareholders. In case of doubt, Bafin can intervene, said Branson, because share buybacks must be approved.
Recently, there has been an increase in IT breakdowns that didn’t even require a hacker. The Deutsche Bank subsidiary Postbank in particular has been struggling with massive problems since an IT migration last year. The bank management wanted to carry out the long-planned migration of Postbank data in a kind of cheap version and had saved on staff in the call centers. In practice, this meant that thousands of customers were unable to access their accounts, sometimes for weeks. And because so many customers complained to Bafin at some point, the supervisory authority even had to send a special supervisor to Deutsche Bank. The problems there have still not been completely solved.