Information security & Data protection
Corporate policy on information security & Data protection
Information and communication technology (ICT) risks are a material security risk for the Bank. ICT security risks may arise, for example, from unauthorised access to ICT systems and data from within or outside the institution, such as through cyber-attacks.
Aareal Bank AG operates its own management system, the Information Security Management System (ISMS), for the purpose of upholding and monitoring information security. The associated Written Set of Procedural Rules, which applies to Aareal Bank AG (including Aareal Bank Capital Corporation and Aareal Bank Asia Limited), covers information security principles, principles of conduct and the structure of the information security organisation, which serve among other things to avoid ICT security risks. The Chief Information Security Officer (CISO) is responsible for establishing and maintaining the Bank’s internal ISMS. In addition, Aareal Bank operates a Data Security Management System (DSMS) to maintain and monitor data protection, in which the requirements of the General Data Protection Regulation (GDPR) are implemented.
Aareal Bank Group is supervised by the European Central Bank (ECB). In line with this, Aareal Bank AG defines its ICT security risks using the nomenclature of the European Banking Authority (EBA). This is set out in the EBA/GL/2017/05 Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP) and the EBA/GL/2019/04 Guidelines on ICT and security risk management.
The Digital Operational Resilience Act (DORA) entered into force on 17 January 2023 and will apply to Aareal Bank Group from 17 January 2025 onward. DORA replaces the requirements that Aareal Bank Group has to meet under BAIT (Bankaufsichtliche Anforderungen an die IT).
On an international level, the ISO/IEC 27001 standard has become established for implementing ISMSs. It specifies the requirements for setting up, implementing, maintaining and continuously improving an ISMS. Aareal Bank therefore follows the ISO/IEC 27001 standard for its ISMS in addition to the DORA requirements.
Information security policies
Overall responsibility for information security lies with the Management Board of Aareal Bank AG, which delegates the task of establishing and maintaining a DORA-compliant information security management system (ISMS) to the Chief Information Security Officer (CISO).
The information security organisation (IS-Org.) supports the adherence to and improvement of all information security measures. IS-Org. comes under the authority of the Chief Risk Officer and consists of the CISO, their deputy and the staff.
The CISO is responsible for the ISMS and thus for the appropriate handling of cyber risks, among other things. As an element of information risk, cyber risks are a sub-risk type of operational risk. The information security organisation handles information risks in accordance with the risk framework requirements for Aareal Bank Group.
Management of impacts, risks and opportunities on information security
The objective of information risk management is based on Aareal Bank Group’s handling of operational risk, which, in summary, determines that appropriate decisions must be taken with regard to avoiding, accepting or transferring risk positions. “Appropriate” here refers to both the need to make commercial sense and the Bank’s risk appetite.
An information security management system (ISMS) is operated to protect confidential data and their integrity, authenticity and availability.
The information security management system (ISMS) described serves to protect confidential data and their integrity, authenticity and availability. The Written Set of Procedural Rules on the ISMS sets out a number of measures to maintain information security. The following key principles are applied in order to protect information security and to achieve the desired level of security. They apply to Aareal Bank AG including Aareal Bank Capital Corporation and Aareal Bank Asia Limited:
- The information, data and systems are constantly reviewed so as to ensure their integrity, authenticity, availability and confidentiality.
- The applicability and effectiveness of security measures are continually reviewed within the framework of the internal control system and the “Three Lines of Defence” model.
- All staff are sensitised to the topic of information security and adequately trained. The training is conducted annually with varying focal topics.
- Staff assigned to Aareal Bank AG by a service provider are adequately trained and instructed as appropriate for the respective area of operation concerned.
- Aareal Bank supports the exchange of information on cyber threats, utilising and fostering this exchange within the scope of its communication channels with the European Central Bank, Federal Financial Supervisory Authority and the Federal Office for Information Security.
Upholding and continuously improving the level of security through consistent planning, implementation, control and monitoring of measures is a self-contained process. The necessary controls are prepared, approved annually by the responsible Management Board member and then implemented. They are then used as the basis for deciding on the appropriateness of taking security measures for the continuous improvement of information security and on sustainable target achievement.
Aareal Bank AG has implemented an appropriate monitoring and management process for Aareal Bank Group as a whole. Information security is monitored by means of regular controls, audits and ad hoc analyses and investigations. The scope of application for the control universe is the information network, which maps all information assets requiring protection. The IS-Org. control plan ensures that the requirements set out in the guidelines are appropriately and effectively met. At the same time, it is reviewed whether the first Line of Defence (LoD) fulfils the required measures effectively and comprehensively.