Regulatory requirements may seem onerous and excessive in some cases, but in the case of the VAIT they make perfect sense. Anyone who operates IT systems and applications in an insurance company must also document them properly in line with the current VAIT. Although the current version came into force in March 2022, 90% of the companies concerned still meet its requirements only partially or not at all (cf. BaFin, "IT Supervision of Insurance Companies and Pension Funds", as of 21.06.2022). Now it is time to act: compliance with the requirements should be tackled not only to maintain legal certainty and avoid the threat of penalties, but also to optimise the company on a data-driven basis.
What is the VAIT?
The VAIT (Insurance Supervisory Requirements for IT, "Versicherungsaufsichtliche Anforderungen an die IT") are administrative instructions first published by the Federal Financial Supervisory Authority (BaFin) in 2018. They concretise the legal requirements of the Insurance Supervision Act (VAG, §§ 23-32) and the Minimum Requirements for the Business Organisation of Insurance Companies (MaGo), with the aim of ensuring consistent application. The most recently published amendments are contained in the version of 03.03.2022. The VAIT define the following requirement areas:
- IT strategy
- IT Governance
- Information risk management
- Information Security Management
- Operational information security
- Identity and rights management
- IT projects and application development
- IT operations
- Outsourcing of IT services and other service relationships in the area of IT services
- IT emergency management
- Critical infrastructures
BaFin's focus is on a binding basis for the management of IT, which should also raise IT risk awareness in the companies, including vis-à-vis their IT service providers. Common standards (e.g. encryption procedures and recognised management systems) are to be taken into account appropriately. Regulatory compliance should not only result in successful audits, but also contribute to the active management and control of an insurer's IT risks and increase the companies' cyber security. All insurance and reinsurance companies and pension funds that are subject to supervision by BaFin are affected by the VAIT.
Why are so many lagging behind in VAIT implementation?
For insurance companies, the VAIT requirements primarily mean an increase in documentation and control requirements for IT. They also require greater transparency about the information processed in the IT systems and the associated processes. Because of staff shortages and capacity bottlenecks, insurers are often unable to fulfil the regulatory requirements for their system landscape on their own. This is exacerbated by the fact that frequently no central responsibility for achieving VAIT compliance is in place. However, incomplete or non-existent regulatory compliance can result in severe penalties and even reputational damage.
In addition to the insurers' core systems, any individual data processing (IDV, i.e. end-user computing in spreadsheets, databases and scripts maintained by the departments themselves) must henceforth also be documented in a compliant manner. The departments can often not cover this additional workload on their own.
Drive VAIT implementation forward
We have developed a catalogue of measures that is intended to contribute to VAIT compliance either in its entirety or, depending on the degree of compliance already achieved in the company, in parts:
Analysis of the current state
- Are the systems to be audited implemented in a VAIT-compliant manner?
- Are the required VAIT documents available?
- What deficiencies can be identified in the existing documentation?
Definition of measures
- Which measures are used to achieve VAIT compliance?
- How is it ensured that the measures are future-proof?
Implementation of measures
- Modification of IT systems (e.g. user authorisation management)
- Implementation of security features (e.g. automated evaluation of log data to detect threat scenarios)
- Complete revision of the VAIT documentation
We will be happy to accompany you on your way to VAIT compliance. Do not hesitate to contact us if you have any questions. We will also be happy to support you in meeting the corresponding requirements of the BAIT (banks), KAIT (asset management companies) and ZAIT (payment and e-money institutions). If you are interested in this topic, we look forward to your participation in our free webinar.
"The cooperation with Alexander Thamm GmbH is highly satisfactory. [at] has successfully supported us in the regulatory-compliant introduction of new IT services and products and convinces with a structured and proactive approach."
Chief Data Officer of one of the top 10 insurance companies in Germany