Library Update: VAIT

The Alyne library has just been updated with new content to meet the requirements published by the German Financial Regulator BaFin for governing IT in regulated insurance companies, known as VAIT.

The update has been provided, as with all previous library updates, to existing and new Alyne customers alike. The new content includes a Control Set containing 166 Control Statements and a corresponding Assessment Set. We also added some new Control Statements, specific to VAIT, to the Alyne library to appropriately cover this regulation.

VAIT (Versicherungsaufsichtliche Anforderungen an die IT) is similar to its banking counterpart, BAIT (Bankaufsichtliche Anforderungen an die IT), in that it defines specific requirements for IT departments, but in regulated insurance companies rather than banks. The majority of the VAIT text is in fact identical to BAIT. However, instead of requiring companies to comply with MaRisk (which applies to the banking industry), VAIT includes 14 extra requirements. In doing so, VAIT essentially creates a level playing field between insurance and banking regulation for IT.

Notable Requirements

The role of the Chief Information Security Officer is significantly strengthened and is now a mandatory role for regulated insurance organisations. Importantly, the CISO position is required to be held by a single person. Reporting, responsibilities and oversight of secure software development have also been defined in significant detail. Unsurprisingly, identity and access management, secure operations and outsourcing remain focus topics. Notably, VAIT requires each technical user account to be assigned to a responsible person.

More Transparent IT Governance

Insurance organisations are required to put a more transparent IT Governance Framework in place and increase controls management diligence. The IT Governance controls framework shall be linked to mature information risk management processes and information security management practices. For Alyne customers, these requirements are easily implemented. Alyne's control framework, linked to multiple standards, laws and regulations, is fully integrated into an assessment and risk management capability, exactly as intended by this new regulation.

Contact our sales team to learn how Alyne can help your VAIT initiative or learn about how you can experience Alyne’s capabilities in a Proof of Concept.

Myriam Huber
