What are the BaFin requirements for Insurance companies?
Much like with banks, BaFin split their requirements into key categories. They closely follow articles of MaRisk that govern minimum requirements for risk management.
Figure: IT deficiencies identified; © BaFin
BaFin explicitly requires that management not only devise an IT strategy but also make its targets measurable for supervisory board and regulatory review. The strategy should be consistent with the company’s business goals and reviewed on a regular basis.
Management has direct responsibility for the implementation of the strategy.
Our testing strategy template will be a great aid for the QA part of your IT strategy. It summarises 20 years of our experience in Enterprise software testing in a practical, ready-to-apply guide. Download it below.
Get the regulator-proof testing strategy template
This section refers to the obligation to proactively monitor the development of IT systems. Insurance companies can’t afford to have their IT departments understaffed or underqualified. There should be a sufficient budget for development-related costs to deliver the IT strategy.
Adaptability to new requirements is a major component of IT governance.
Information risk management
All IT risks should be identified on a consistent basis and categorised from low to very high. The infrastructure should have protections against these risks wherever possible, and residual risks need to be properly managed.
Yearly written risk analysis reports are mandatory.
Companies need to have a defined information security policy that is frequently updated to meet new risks. There should be plans to prevent security incidents, address them adequately, and communicate with affected parties while remedying the issue.
An information security officer is appointed to oversee this effort.
User access management
Following up on information security, BaFin requires adequate information access policies. Everyone should have access only to the information relevant to their function. Access levels can’t be changed without the approval of a supervisory unit.
Role-level access leaves more room for liability than individual privileges do.
IT projects & application development
This section formalises the modern process of software development. You should have clear functional and non-functional requirements, document the development process, conduct source code reviews, and set up a single source of truth for each project.
Software can’t be released or updated without testing. Test documentation is mandatory.
This section governs day-to-day IT work. One of the key requirements is storing and updating inventory data on your infrastructure. Data backups are also a must, and you may be required to store them at several locations.
High-risk and low-risk change approval protocols are mandatory.
Our experience of serving Banking and Insurance companies tells us: IT outsourcing is fine until it is not. Risk analysis findings and a proper contract structure are the key criteria for staying in BaFin’s good books.
Information security risks should be addressed in any and all outsourcing agreements.
What Insurance companies are at risk of BaFin scrutiny?
The highlights from BaFin requirements paint a portrait of an Insurance company risking sanctions from BaFin:
- Using legacy software that can’t adapt to new requirements
- Disorganised test management (i.e. tests in Excel) and lacking test documentation
- Neglected user access restrictions or even no restrictions
- Informal, case-to-case change deployment
- Subpar risk identification and no response protocols
- Lack of up-to-date high-level overviews of risks and development process
While some problems will take more time to address than others, BaFin audits are inevitable, and so are the resulting demands to modernise your IT setup. It is better to act proactively than to scramble to address identified faults.
How can Insurance companies meet BaFin IT requirements fast?
If you look at the requirements closely, you will find a pattern. Most of them relate to what your QA & development tools can or cannot do. Some ALMs are more adaptable than others, e.g. offering a REST API so you can connect modern tools even 20 years later. Some test management tools have better traceability because they visualise test coverage properly. Adopting modern tools means you meet a lot of BaFin’s requirements for Insurance companies.
Meet aqua, a German AI-powered test management solution that has specialised in highly regulated industries for over 10 years. It is used by 15+ Enterprise-sized Banking and Insurance companies as well as 20+ government agencies. The client portfolio even includes BaFin.
Here is how adopting aqua TMS addresses all of BaFin’s key requirements for Insurance companies:
|Information risk management||
|User access management||
|Development & QA||
Make your QA & development BaFin-ready
BaFin’s increased scrutiny is a threat to Insurance companies that use legacy tools without proper security, a consistent deployment process, and user access controls. Passing regulatory audits requires both up-to-date procedures and modern tools to follow them. Luckily, aqua is a tool that was designed for strict compliance.