September 9, 2023

BaFin keeps a close eye on the Insurance IT infrastructure — here is what you can do

It’s not just banks: the IT supervisors at BaFin have set their sights on the infrastructure of Insurance companies as well. While making banks step up their infrastructure or risk fines, BaFin is doing the same to insurance companies. Let’s explain what the extra attention from BaFin means for your insurance business and what options you have.

Robert Weingartz
Denis Matusovskiy

What are the BaFin requirements for Insurance companies?

Much like with banks, BaFin splits its requirements into key categories. They closely follow the articles of MaRisk that govern minimum requirements for risk management.

Figure: IT deficiencies identified; © BaFin

IT strategy

BaFin explicitly requires that management not only come up with an IT strategy but also make its targets measurable for supervisory board and regulatory review. The strategy should be consistent with the company’s business goals and be reviewed on a regular basis.

Management has direct responsibility for the implementation of the strategy.

Our testing strategy template will be a great aid for the QA part of your IT strategy. It summarises 20 years of our experience in Enterprise software testing with a practical, ready-to-apply guide. Download it below.

IT governance

This section refers to the obligation to proactively monitor the development of IT systems. Insurance companies can’t afford to have their IT departments understaffed or underqualified. There should be a sufficient budget for development-related costs to meet the IT strategy.

Adaptability to new requirements is a major component of IT governance.

Information risk management

All IT risks should be identified on a consistent basis and categorised from low to very high. The infrastructure should have protections against risks where possible, and residual risks need to be properly managed.

Yearly written risk analysis reports are mandatory.

Information security

Companies need to have a defined information security policy that is frequently updated to meet new risks. There should be plans to prevent security incidents, address them adequately, and communicate with affected parties while remedying the issue.

An information security officer is appointed to oversee this effort.

User access management

Following up on information security, BaFin requires adequate information access policies. Everyone should have access only to the information relevant to their function. Access levels can’t be changed without the approval of a supervisory unit.

Role-level access leaves more room for liability compared to individual privileges.

IT projects & application development

This section formalises the modern process of software development. You should have clear functional and non-functional requirements, document the development process, conduct source code reviews, and set up a single source of truth for each project.

Software can’t be released or updated without testing. Test documentation is mandatory.

IT operations

This section governs day-to-day IT work. One of the key requirements is storing and updating inventory data on your infrastructure. Data backups are also a must, and you may be required to store them at several locations.

High-risk and low-risk change approval protocols are mandatory.

IT outsourcing

Our experience of serving Banking and Insurance companies says: IT outsourcing is fine until it is not. Risk analysis findings and proper contract structure are key criteria to stay in BaFin’s good books.

Information security risks should be addressed in any and all outsourcing agreements.

Which Insurance companies are at risk of BaFin scrutiny?

The highlights from BaFin requirements paint a portrait of an Insurance company risking sanctions from BaFin:

  1. Using legacy software that can’t adapt to new requirements
  2. Disorganised test management (i.e. tests in Excel) and lacking test documentation
  3. Neglected user access restrictions or even no restrictions
  4. Informal, case-to-case change deployment
  5. Subpar risk identification and no response protocols
  6. Lack of up-to-date high-level overviews of risks and development process

While some problems will take more time to address than others, BaFin audits are inevitable and so are resulting demands to modernise your IT setup. It is better to act proactively than scramble to address identified faults.

How can Insurance companies meet BaFin IT requirements fast?

If you look at the requirements closely, you will find a pattern. Most of the requirements relate to what your QA & development tools can or cannot do. Some ALM tools are more adaptive than others, e.g. offering a REST API so you can connect modern tools even 20 years later. Some test management tools have better traceability by visualising proper test coverage. Adopting modern tools means you meet a lot of BaFin requirements for Insurance companies.

Meet aqua, a German AI-powered test management solution that has specialised in highly regulated industries for over 10 years. It is used by 15+ Enterprise-sized Banking and Insurance companies as well as 20+ government agencies. The client portfolio even includes BaFin.

Here is how adopting aqua TMS addresses all the key BaFin requirements for Insurance companies:

IT strategy
  • Advanced reports to track IT progress
  • KPI alerts for measurable targets listed in the IT strategy

IT governance
  • Unlimited scalability: your projects won’t get too big
  • Free licences for manual QA specialists

Information risk management
  • Visualised test coverage for every requirement
  • Risk-based AI test prioritisation

Information security
  • On-Premise deployment
  • Isolated Cloud option
  • SSO support
  • Secure file sharing

User access management
  • Project-level permissions
  • 60+ individual user permissions
  • Unlimited custom roles

Development & QA
  • End-to-end test management solution
  • Manual & automated QA
  • ALM functionality for a single source of truth

IT operations
  • Custom workflows to enforce procedures
  • Jenkins integration to set up a CI/CD deployment pipeline
  • Backups and rollbacks for Enterprise customers
  • Free choice of server locations for deployment

IT outsourcing
  • Suspicious activity detection
  • External report sharing to work with consultants
  • REST API to set up isolated data access

BaFin’s increased scrutiny is a threat to Insurance companies that use legacy tools without proper security, a consistent deployment process, and user access controls. Passing regulatory audits requires both up-to-date procedures and modern tools to follow them. Luckily, aqua is a tool that was designed for strict compliance.
