Last Updated: January 6, 2022
Around the world, regulators are recognizing the magnitude of risk posed by unmanaged end user computing (EUC) applications, such as spreadsheets. Spreadsheet blunders can range from embarrassing to catastrophic. With billions in the balance, it’s no wonder that orders to prevent them are now coming from the top.
This is especially relevant to the insurance sector. The financial security of millions of policyholders depends on the rigor with which models are managed. A manual, ad hoc approach is simply not good enough anymore, and it seems that the authorities agree.
What is VAIT & Who Does it Apply To?
In 2018, Germany’s Federal Financial Supervisory Authority, BaFin, issued the Versicherungsaufsichtliche Anforderungen an die IT, or VAIT, requirements. VAIT sets out requirements relating to information security and information technology for the insurance industry.
VAIT applies to all undertakings subject to supervision in accordance with section 1(1) of the German Insurance Supervision Act, Versicherungsaufsichtsgesetz (VAG). It also applies to any insurance group with undertakings in other EU or European Economic Area states for which BaFin is the group supervisor.
EUC-Specific Requirements
VAIT includes dedicated requirements for end user computing (EUC) applications. Points 14, 15, 18 and 42 to 57 of the VAIT regulations are specified as applying to EUC applications. At a high level, these requirements may be grouped into four categories:
- Inventory
  The ability to create and maintain a risk-based inventory of EUC applications.
- Version Control
  The ability to enforce and monitor varying levels of change/release (version) control based on the risk classification of the EUC application.
- Change Management
  The ability to monitor EUC applications to identify unauthorized changes and facilitate approval workflows.
- Access Control
  The ability to control and limit access to critical EUC applications and to those which contain confidential or personally identifiable information (PII).
How Apparity Helps
Apparity was designed to manage and control EUC applications within highly regulated industries, especially the banking, insurance and utility sectors. Apparity's standard functionality allows insurance companies to automate and evidence all of the EUC-specific requirements of VAIT.
Inventory
- Discovery Module
  Automatically create and maintain an inventory of EUC files, including key file details.
- Structural Complexity Algorithm
  Determine the complexity of each identified file using custom evaluation parameters.
- Registration
  Qualitative assessment of file impact that captures relevant data from file owners. Enables a risk-based inventory built on both complexity and impact.
- Connection Explorer
  Visually chart connections between discovered files, giving a clearer understanding of upstream and downstream dependencies.
Version Control
- Versioning
  Automatically capture and track all file copies, while allowing user comments to support collaboration and audit trails.
- Version History
  View, export, and restore a file to a previous version or copy.
- Zero Loss Fingerprinting
  Monitored files are always tracked, regardless of where a file is saved or how it is named, so there are never 'lost copies' of a file.
Change Management
- Change Logs
  Real-time and in-session view of all critical changes made to a file. Filtering and sorting help identify potential mistakes or unauthorized changes.
- Noise Filtering
  Users see only the critical changes relevant to them, as configured against company EUC policy.
- Automated Review and Approval Workflow
  Ensures critical changes are properly signed off, with audit trails included.
Access Control
- File Access & Modification Reports
  Track and log all users who update critical files.
- Unexpected Change Warnings
  Flag any changes made by non-Apparity users who might be outside the controls framework.
- Existing Access Control Frameworks
  Apparity checks and monitors against existing access control frameworks. Access is never granted to a file unless the user already has access to the file's original location.
- Automated PII Identification
  Allows teams to understand which files contain sensitive data that should not be accessible to broader audiences.
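The Version Control, Change Management and Access Control bullets above describe three controls that can be illustrated in a few dozen lines: a content fingerprint that survives renaming or moving a copy (Zero Loss Fingerprinting), a cell-level change log with a policy-driven noise filter, and PII identification. The block below is an added example written for this page; it is not Apparity's code and does not claim to reproduce how Apparity implements these features. It models a workbook as a plain `{sheet: {cell: value}}` dictionary instead of parsing real spreadsheet files, and the critical-cell policy shape, the sample workbooks and the sample values are all constructed assumptions.

```python
"""Added example (not Apparity's code, not VAIT text): content fingerprinting,
cell-level change logging with a noise filter, and PII identification over an
in-memory spreadsheet model. Workbook shape and sample data are assumptions."""
import hashlib
import json
import re
from typing import Dict, List, Set, Tuple

Workbook = Dict[str, Dict[str, object]]          # sheet name -> {cell ref -> value}
Change = Tuple[str, str, object, object]         # (sheet, cell, before, after)


def fingerprint(wb: Workbook) -> str:
    """SHA-256 over the canonicalised cell contents only. File name, path and
    timestamps are deliberately excluded, so a renamed or relocated copy with
    the same cells hashes identically and stays linked to its original."""
    canonical = json.dumps(wb, sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def change_log(old: Workbook, new: Workbook) -> List[Change]:
    """Cell-by-cell diff of two versions; None on a side means the cell was absent."""
    log: List[Change] = []
    for sheet in sorted(set(old) | set(new)):
        o, n = old.get(sheet, {}), new.get(sheet, {})
        for cell in sorted(set(o) | set(n)):
            if o.get(cell) != n.get(cell):
                log.append((sheet, cell, o.get(cell), n.get(cell)))
    return log


def critical_changes(log: List[Change], policy: Dict[str, Set[str]]) -> List[Change]:
    """Noise filter. Policy shape is an assumption: {sheet: {critical cells}}.
    A change is kept if its cell is listed as critical, or if a formula
    (a string value starting with '=') was added, removed or edited."""
    def is_formula(v: object) -> bool:
        return isinstance(v, str) and v.startswith("=")
    return [c for c in log
            if c[1] in policy.get(c[0], set()) or is_formula(c[2]) or is_formula(c[3])]


EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IBAN_SHAPE = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")


def iban_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters A..Z to 10..35, and the resulting integer must be congruent to 1.
    Checking the checksum, not just the shape, keeps false positives down."""
    s = candidate.replace(" ", "").upper()
    if not IBAN_SHAPE.fullmatch(s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(ch) - 55) if ch.isalpha() else ch for ch in rearranged)
    return int(digits) % 97 == 1


def find_pii(wb: Workbook) -> List[Tuple[str, str, str]]:
    """Return (sheet, cell, kind) for every cell holding an e-mail address or a
    checksum-valid IBAN; these are the two PII kinds this example recognises."""
    hits: List[Tuple[str, str, str]] = []
    for sheet, cells in wb.items():
        for cell, value in cells.items():
            if not isinstance(value, str):
                continue
            if EMAIL_RE.search(value):
                hits.append((sheet, cell, "email"))
            elif iban_valid(value):
                hits.append((sheet, cell, "iban"))
    return hits


# Constructed sample: a small reserving model, a copy saved under another name,
# and a later edit. Values are illustrative only.
V1: Workbook = {
    "Reserves": {"A1": "Line", "B1": "IBNR", "A2": "Motor", "B2": 1250000,
                 "B3": "=SUM(B2:B2)"},
    "Contacts": {"A1": "claims@example.com", "A2": "DE89 3704 0044 0532 0130 00"},
}
V2_RENAMED_COPY: Workbook = json.loads(json.dumps(V1))   # same cells, new name/path
V3: Workbook = json.loads(json.dumps(V1))
V3["Reserves"]["B2"] = 1520000                            # transposed digits
V3["Reserves"]["B3"] = "=SUM(B2:B2)*1.1"                  # formula edited
V3["Reserves"]["C1"] = "note"                             # cosmetic, not critical

POLICY: Dict[str, Set[str]] = {"Reserves": {"B2"}}        # assumed critical cells

if __name__ == "__main__":
    print("copy still tracked:", fingerprint(V1) == fingerprint(V2_RENAMED_COPY))
    for change in critical_changes(change_log(V1, V3), POLICY):
        print("critical change:", change)
    print("PII cells:", find_pii(V3))
```

The fingerprint is taken over canonicalised content rather than file metadata, which is what lets a copy saved elsewhere under a different name still be matched to its original; the same property means a single cell edit produces a new fingerprint, which is exactly when the change log should fire. In a real deployment the workbook model would come from parsing the actual file formats, and the PII patterns would be broader than the two shown here.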