German Regulator Reveals €52.7 Billion Hit from Financial Sector IT Incidents

Wednesday, 10/07/2024 | 12:29 GMT by Damian Chmiel
  • BaFin reported a 17.5% increase in IT incidents affecting payment services in 2023.
  • The German regulator highlights growing operational risks, particularly related to IT outsourcing.
bafin

Germany's Federal Financial Supervisory Authority (BaFin) reported a significant increase in IT incidents affecting payment services in 2023, highlighting growing operational risks in the financial sector.

BaFin Reports Rise in IT Incidents Among Financial Firms in 2023

According to data released by BaFin, approximately 235 payment incidents were reported last year, marking a 17.5% rise from 2022. The majority of these incidents, 94.9%, were classified as operational, stemming from internal errors rather than external security breaches.

“From BaFin ’s point of view, IT risks are among the main risks for the financial sector,” the German regulator commented. “Cyber attacks in particular can have serious consequences for financial companies. Concentrations in the outsourcing of IT services increase this risk.”

The regulator's findings reveal that about 78% of incidents resulted from process and system failures, underscoring the importance of robust internal controls alongside strong cybersecurity measures. Despite the overall increase in incidents, security-related events, such as cyber-attacks, accounted for only 5.1% of total reports.

BaFin's report also shed light on the impact of these incidents. In 2023, disruptions affected 7.12 million payment service users and impacted transactions totaling €52.74 billion. However, the authority noted that most incidents affected a relatively small number of users or transaction volumes, with a few severe cases skewing the averages.

The growing trend of IT outsourcing in the financial sector emerged as a key concern. Approximately 40% of reported payment incidents were attributed to service providers rather than the financial institutions themselves. This highlights the potential vulnerabilities created by concentration in IT service outsourcing.

E-banking and Mobile Banking Most Affected

Data from BaFin indicates that the sectors most impacted in the payment industry were e-banking and mobile banking services.

Many incidents were also recorded in the "others" category, which, as emphasized by the regulator, mainly pertained to delays in transaction processing. Regarding the affected functional areas, over 60% of incidents involved clearing and direct or indirect settlements of transactions.

bafin

“On average, an incident affected transactions with a volume of €224 million,” BaFin explained. “Half of all incidents even involved less than €14 million (median value). This shows that a few particularly serious incidents have a strong upward influence on the average value.”

DORA

Looking ahead, BaFin anticipates that the implementation of the Digital Operational Resilience Act (DORA) from January 17, 2025, will strengthen the sector's operational resilience. The new regulation will extend reporting requirements for serious IT incidents across the entire financial sector and establish uniform standards for all financial companies.

“RA extends the reporting requirement for serious ICT incidents to the entire financial sector and defines uniform reporting requirements for all financial companies,” BaFin added.

The regulator expects that the expanded reporting under DORA will provide a more comprehensive view of incidents, enabling swifter responses to ensure financial stability.

Germany's Federal Financial Supervisory Authority (BaFin) reported a significant increase in IT incidents affecting payment services in 2023, highlighting growing operational risks in the financial sector.

BaFin Reports Rise in IT Incidents Among Financial Firms in 2023

According to data released by BaFin, approximately 235 payment incidents were reported last year, marking a 17.5% rise from 2022. The majority of these incidents, 94.9%, were classified as operational, stemming from internal errors rather than external security breaches.

“From BaFin ’s point of view, IT risks are among the main risks for the financial sector,” the German regulator commented. “Cyber attacks in particular can have serious consequences for financial companies. Concentrations in the outsourcing of IT services increase this risk.”

The regulator's findings reveal that about 78% of incidents resulted from process and system failures, underscoring the importance of robust internal controls alongside strong cybersecurity measures. Despite the overall increase in incidents, security-related events, such as cyber-attacks, accounted for only 5.1% of total reports.

BaFin's report also shed light on the impact of these incidents. In 2023, disruptions affected 7.12 million payment service users and impacted transactions totaling €52.74 billion. However, the authority noted that most incidents affected a relatively small number of users or transaction volumes, with a few severe cases skewing the averages.

The growing trend of IT outsourcing in the financial sector emerged as a key concern. Approximately 40% of reported payment incidents were attributed to service providers rather than the financial institutions themselves. This highlights the potential vulnerabilities created by concentration in IT service outsourcing.

E-banking and Mobile Banking Most Affected

Data from BaFin indicates that the sectors most impacted in the payment industry were e-banking and mobile banking services.

Many incidents were also recorded in the "others" category, which, as emphasized by the regulator, mainly pertained to delays in transaction processing. Regarding the affected functional areas, over 60% of incidents involved clearing and direct or indirect settlements of transactions.

bafin

“On average, an incident affected transactions with a volume of €224 million,” BaFin explained. “Half of all incidents even involved less than €14 million (median value). This shows that a few particularly serious incidents have a strong upward influence on the average value.”

DORA

Looking ahead, BaFin anticipates that the implementation of the Digital Operational Resilience Act (DORA) from January 17, 2025, will strengthen the sector's operational resilience. The new regulation will extend reporting requirements for serious IT incidents across the entire financial sector and establish uniform standards for all financial companies.

“RA extends the reporting requirement for serious ICT incidents to the entire financial sector and defines uniform reporting requirements for all financial companies,” BaFin added.

The regulator expects that the expanded reporting under DORA will provide a more comprehensive view of incidents, enabling swifter responses to ensure financial stability.

About the Author: Damian Chmiel
Damian Chmiel
  • 2071 Articles
  • 57 Followers
About the Author: Damian Chmiel
Damian's adventure with financial markets began at the Cracow University of Economics, where he obtained his MA in finance and accounting. Starting from the retail trader perspective, he collaborated with brokerage houses and financial portals in Poland as an independent editor and content manager. His adventure with Finance Magnates began in 2016, where he is working as a business intelligence analyst.
  • 2071 Articles
  • 57 Followers

More from the Author

FinTech

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}