The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht; BaFin) has published expectations – the ‘IT Requirements for Insurance Companies’ (versicherungsaufsichtliche Anforderungen an die IT; VAIT) – that set out how insurers must organise their information technology, especially in regard to the management of IT resources and IT risk management.
However, because the requirements are formulated very generically, they leave considerable room for interpretation, which is causing a great deal of uncertainty in the insurance industry. Failure to meet them ultimately carries the threat of severe sanctions from the supervisory authority.
What’s more, the VAIT are not limited to the IT function itself (elements such as IT strategy, IT governance, information risk management, information security management, user authorisation management, IT projects, IT operations or the outsourcing of IT); they also extend to the individual specialist departments. Individual data processing (end-user computing), as well as the testing and approval of partners and projects, is therefore affected by them, for example.
At the same time, IT projects often need to be inexpensive and pragmatic to implement. Insurance companies also don’t want to face public embarrassment, which is why VAIT projects receive a great deal of attention at management level.