The Insurance Supervisory Requirements for IT, abbreviated VAIT, are administrative instructions published in a circular of the Federal Financial Supervisory Authority (BaFin) for the secure design of IT systems as well as the associated processes and related IT governance requirements at German insurance special purpose vehicles. They were published by BaFin in Circular 10/2018 (VA) of 2 July 2018 and updated in March 2019. The VAIT do not apply to special purpose insurance companies within the meaning of section 168 of the Insurance Supervision Act (VAG) or to the protection funds within the meaning of section 223 VAG.

The VAIT concretise the legal requirements of the Insurance Supervision Act (VAG), §§ 23-32. They are norm-interpreting administrative regulations that represent a self-binding obligation of the German supervisory authority towards the insurance companies.

For companies within the scope of the Solvency II supervisory regime, the requirements contained in the Minimum Requirements for the Business Organisation of Insurance Undertakings (MaGo for short) remain unaffected.

In the Insurance Supervisory Requirements for IT, the supervisory authority formulates a framework for the technical and organisational equipment of the companies, in particular for the management of IT resources and for IT risk management. Since the insurance special purpose vehicles are increasingly procuring IT services from third parties, the VAIT now requires, for example, a mandatory risk analysis in advance, regardless of whether the IT service is the main service or a supplementary ancillary service to another main service.

Similarly, VAIT § 27 now requires that information security be implemented at least to the state of the art.