Digital finance and IT risk

Developments 

By international standards, Norway is among the most digitalised countries in Europe and scores particularly high when it comes to the use of digital financial services. There is a high rate of innovation within financial services. Greater use of open interfaces (APIs), cloud services and artificial intelligence has paved the way for new products and business models. At the same time, new regulation has facilitated new services and increased competition.  

Finanstilsynet observes a changing threat picture. The threat from actors looking for security holes in widely used software which, if exploited, may result in information leaks and/or unauthorised changes in firms’ systems and infrastructure, appears to be increasing. These attacks often have a global reach and take place across sectors. Cybercrime motivated by financial gain is also increasing. In 2021, there were many cases of phishing/smishing, often with an element of social engineering. Various forms of ransomware attacks continued in 2021. These are attacks in which the attacker succeeds in encrypting or otherwise rendering the firm's data and systems inaccessible and demands a ransom to end the attack.  

Any attacks that affect the financial infrastructure could have serious consequences. The high degree of interconnectedness within the financial system also means that a single serious incident – in Norway or internationally – could lead to a more widespread crisis with the risk of financial instability if efforts to limit its consequences fail. Preventive measures help reduce the risk of serious incidents.

Supervision and analyses

Supervision

In 2021, Finanstilsynet carried out a number of inspections of institutions’ IT operations. At the inspections, Finanstilsynet may uncover breaches of laws and regulations as well as identify vulnerabilities that pose risks of serious incidents in the financial sector. The inspections carried out in 2021 addressed areas of importance to the management of the institutions’ IT risk, including outsourcing, emergency preparedness, IT infrastructure and security. Supervision in the IT area is often in the form of separate IT inspections. IT risk can also be part of broader inspection at an institution. The inspections carried out in 2021 are described in further detail in the reports for the various supervised sectors. 

Risk and vulnerability analysis

Finanstilsynet performs an annual risk and vulnerability analysis of the financial sector’s use of IT. The Risk and Vulnerability Analysis 2021 was published and presented at a webinar in May 2021. According to the report, Norway’s financial infrastructure is robust. Finanstilsynet believes that vulnerabilities in the institutions’ defences against cybercrime and in their IT operations are the two most important threats associated with the institutions’ use of IT, although the risk of information leaks is also a key threat.

Regulations

Digital finance

Digital finance is an important part of several regulatory processes in the EU relating to financial services. A package of proposed regulations, as part of the EU's digital finance strategy, was presented in autumn 2020 and was under political consideration in the EU in 2021. The package includes new regulations on 

• crypto assets – Markets in Crypto Assets (MiCA) 
• a pilot regime for market infrastructure based on blockchain technology   
• IT security – Digital Operational Resilience Act (DORA).  

The purpose of the measures is to strengthen Europe's competitiveness and innovation in the financial sector. Consumers will be given more choices and opportunities within financial services and payments, while ensuring consumer protection and financial stability.  

Administrative enforcement 

Incident reporting 

Financial institutions shall report serious and critical IT incidents to Finanstilsynet. Although the number of reported security incidents increased somewhat in 2020 and 2021 compared with previous years, this has thus far not led to serious incidents among institutions in the Norwegian financial sector. However, the incidents have uncovered vulnerabilities that, if successfully exploited, could have caused significant harm.  

Finanstilsynet did not observe particularly serious instances of non-conformance in the operation of the payment systems in 2021, but problems with the BankID app and code devices, following the change of operations service provider, resulted in significant instability in a number of users’ access to the BankID service towards the end of the year.  

Finanstilsynet reported six incidents to the Ministry of Finance in 2021. 

Security incidents

20 security incidents were reported by various types of financial institutions. Many of these concerned a vulnerability in a so-called logging utility (Apache Log4j) uncovered in December 2021. The vulnerability affected all sectors and was considered to be highly critical, as it enabled malware to be run on an infected server without the need for usernames and passwords. A number of attempts to exploit the vulnerability were observed, but to Finanstilsynet’s knowledge, no one has succeeded in accessing the IT systems of Norwegian financial institutions. In cooperation with their service providers, the institutions checked whether they used the vulnerable component, made the necessary updates to their IT systems and implemented measures to monitor and handle any attempts to exploit the vulnerability. 

With respect to other reported security incidents, small financial institutions were overrepresented. The reported incidents included virus attacks on email servers and malicious code infections in text editors. Only one denial-of-service attack was reported in 2021. Several banks reported particularly aggressive phishing campaigns. 

A key provider of services to the financial sector was subject to a ransomware attack in February, but this did not affect institutions in the financial sector. 

Finanstilsynet is in dialogue with Nordic Financial CERT (NFCERT) about most of the security incidents. In order to reach financial institutions that are not members of NFCERT, Finanstilsynet published information about the vulnerability of the Log4j logging utility on its website. 

Operational incidents

With the exception of an operational incident at Danske Bank on 13 October, there were no operational incidents in 2021 of particularly long duration. However, there were incidents in which several banks reported recurrent instability and periodic unavailability of payment services due to operational problems at a service provider. Finanstilsynet considers the problems with the BankID app and code devices following Vipps' shift of operations services provider to be very serious. Finanstilsynet has followed this up through frequent meetings with Vipps (BankID) and letters to the banks.  

Finanstilsynet has followed up an incident where staff at a service provider had searched for customer data in breach of the 'need to know' principle. Finanstilsynet has also followed up incidents related to delayed payment and delayed settlement in the securities area.  

Banks and payment institutions reported 14 incidents of non-conformance in the electronic AML transaction monitoring. Ten operational incidents related to problems with account servicing payment service providers' dedicated interfaces were reported for trusted third parties’ access to customers' payment accounts.  

Reporting of incidents by type of institution: 

• 16 incidents from debt collection agencies 
• 12 incidents from insurers
• 215 incidents from banks
• 7 incidents from payment institutions
• 3 incidents from finance companies 
• 39 incidents from the securities sector 

Contingency preparedness 

BFI

Finanstilsynet heads, and is the secretariat for, the Financial Infrastructure Crisis Preparedness Committee (BFI). The BFI held three meetings in 2021. A review of the current status and measures related to the Covid-19 pandemic were on the agenda at all of the meetings. One emergency preparedness exercise was conducted in the BFI in 2021 under the auspices of Eika Gruppen.  

SRM

Finanstilsynet has been designated as sectoral response body in the financial market area in accordance with the framework of the Norwegian National Security Authority (NSM) for handling IT-related security incidents. Finanstilsynet performs this role in cooperation with Nordic Financial CERT (NFCERT). As part of this effort, Finanstilsynet and NFCERT had regular meetings every four weeks throughout 2021.  

Vital societal functions

In 2021, the Ministry of Justice and Public Security commissioned the Norwegian Directorate for Civil Protection (DSB) to revise its overview of vital societal functions in the report Vital Functions in Society (2016). Along with Norges Bank, Finanstilsynet provided feedback to the revision of those parts of the framework that concerned the financial sector.

Collaboration on IT security and financial infrastructure

TIBER-NO

In autumn 2021, Norges Bank and Finanstilsynet decided to establish a framework for security testing of critical functions in the Norwegian financial sector. The cooperation is based on the European TIBER framework – Threat Intelligence-based Ethical Red-Teaming. The purpose of the framework is to promote financial stability by increasing the resilience of critical functions in the Norwegian financial sector against cyberattacks. The framework also allows testing of non-critical functions. In spring 2021, the proposed framework for TBER-NO was circulated for comment. A process is also underway to identify critical functions and the institutions responsible for such functions. Norges Bank will organise and staff a ‘TIBER Cyber Team’ (TCT-NO) to manage and operationalise TIBER-NO and have formal responsibility for managing the framework. A steering group led by Norges Bank, where Finanstilsynet is also a member, will be responsible for the overall testing.  

Interaction with the Norwegian National Security Authority

Finanstilsynet is a partner at the National Cyber Security Centre (NCSC) and participated in regular meetings at the NCSC in 2021 where status reports for the national digital threat picture were reviewed. 

Finanstilsynet participates in the National Security Authority's cooperative forum for supervisory authorities that supervise ICT security in their sector (SIG ICT). The forum was established in 2021. 

The financial infrastructure

Finanstilsynet cooperates with Norges Bank on the supervision and surveillance of the financial infrastructure in Norway, including through reports, risk assessments and joint supervision. Finanstilsynet's follow-up of the customer-oriented part of the payment system is part of Norges Bank's monitoring of the overall payment system.