The Capital Management Supervisory Requirements for IT, abbreviated KAIT, are administrative instructions published in a circular of the Federal Financial Supervisory Authority (BaFin) on the secure design of IT systems and the associated processes, together with the related requirements for IT governance at German capital management companies. They were published by BaFin in circular 11/2019 (WA) dated 1 October 2019 and apply to capital management companies within the meaning of Section 17 of the German Capital Investment Code (KAGB).

The KAIT specifies the legal requirements for capital management companies ("KVGs") within the meaning of § 17 of the German Investment Code (Kapitalanlagegesetzbuch - KAGB). It consists of norm-interpreting administrative regulations that represent a self-commitment of the German supervisory authority vis-à-vis the capital management companies.

In the Capital Management Supervisory Requirements for IT, the supervisory authority formulates a framework for the technical and organisational resources of the companies, in particular for the management of IT resources and for IT risk management. Since capital management companies increasingly procure IT services from third parties, the KAIT now requires, for example, a mandatory risk analysis before such procurement, regardless of whether the procured service is the main service or an ancillary service supplementing another main service.

Similarly, KAIT § 2(8) and § 4(26) now require information security to be implemented at least in line with the state of the art, covering at least the topics of identification, protection, detection, response and recovery.

In addition, BaFin now requires that the guidance on the use of cloud services in the guidance note "Orientierungshilfe zu Auslagerungen an Cloud-Anbieter" (KAIT § 8 paragraph 64) be taken into account.