Digital finance and IT risk
Published: 3 April 2023
The financial sector is characterised by rapid digitalisation, driven by new and advanced digital solutions, new regulations and new market entrants and service providers. Technological developments entail significant gains for users, financial institutions and society as a whole, but may also introduce new and changed vulnerabilities. As a consequence of the digital threat picture and the scope of cybercrime, there is increased focus on digital resilience. Finanstilsynet closely monitors developments. Through licensing requirements and supervision, Finanstilsynet oversees that the firms’ management and control of IT risk and other operational risk is satisfactory.
Developments
By international standards, Norway is among the most digitalised countries in Europe and scores particularly high when it comes to the use of digital financial services. There is a high rate of innovation within financial services. Greater use of open interfaces (APIs) and artificial intelligence has paved the way for new products and business models. At the same time, new regulation has facilitated new services and more intense competition. An increasing number of firms are using cloud services, which may contribute to streamlining, cost savings and increased security. Moving core systems to cloud-based solutions may be a comprehensive and challenging process, and the firms must base their decisions to do so on sound risk assessments.
Finanstilsynet observes that the threat picture is constantly changing, partly as a result of the war in Ukraine. The threat posed by actors looking for security holes in widely-used software appears to be increasing. Such security holes entail a risk of information leaks or unauthorised changes in firms’ or their suppliers' systems and infrastructure. Cyberattacks often hit firms globally and across sectors. Cybercrime motivated by financial gain is also on the rise.
In 2022, there were many cases of phishing/smishing, attempting to trick people into revealing payment or login information. Ransomware attacks are also a threat. Such attacks could make firms’ systems unavailable pending payment of a specified amount.
Any attacks that affect the financial infrastructure could have serious consequences. The high degree of interconnectedness within the financial system means that a single serious incident at a market participant could quickly lead to an extensive failure in critical services and thus have wide-ranging social consequences.
The work on digital resilience, emergency preparedness and disaster recovery plans is gaining in importance. Firms and authorities initiate measures to mitigate the risk of serious incidents and limit the damage if an incident occurs. In addition, they are constantly working to improve emergency preparedness and disaster recovery solutions.
Supervision and analyses
Supervision
At on-site inspections, Finanstilsynet may uncover breaches of laws and regulations and identify vulnerabilities that pose a risk of serious incidents in the financial sector. The inspections carried out in 2022 focused on areas of importance to the management of the institutions’ IT risk, including outsourcing, emergency preparedness, IT infrastructure and security. IT risk is often addressed at separate IT inspections but can also be part of a broader inspection at an institution. The inspections carried out in 2022 are described in further detail in the reports for the various supervised sectors.
Risk and vulnerability analysis
Finanstilsynet performs an annual risk and vulnerability analysis of the financial sector’s use of IT. The Risk and Vulnerability Analysis 2022 was published and presented at a webinar in May 2022. According to the report, Finanstilsynet finds Norway’s financial infrastructure to be robust. Finanstilsynet believes that vulnerabilities in the institutions’ defences against cybercrime constitute the most important threats associated with the institutions’ use of IT. Vulnerabilities in relation to IT operations, access management and information leaks are also key risks.
Regulations
Digital Operational Resilience – DORA
In November 2022, the EU adopted the Digital Operational Resilience Act (DORA) as part of a larger digital finance package under its digital finance strategy. The regulation will enter into force in the EU in January 2025 and is expected to be incorporated into the EEA Agreement.
The purpose of the regulation is to ensure digital operational resilience in the financial sector. The regulation sets uniform requirements for the security of the networks and information systems of institutions and organisations operating in the financial sector and their suppliers. In 2022, the European Supervisory Authorities (EBA, ESMA and EIOPA) started working on supplementary rules, aiming for them to be ready by the time the regulation enters into force. Finanstilsynet is involved in this process.
Markets for crypto assets – MiCA
On 30 June 2022, the European Commission and the Council reached a provisional agreement on a new EU Markets in Crypto-Assets (MiCA) regulation, which is expected to be ratified in spring 2023. The regulation introduces an obligation for a number of new providers to obtain approval from national or European supervisory authorities prior to initiating business involving various virtual assets. Such approval can only be granted once additional requirements have been met. These include requirements for professionalism, clear marketing communication, organisation, complaints handling procedures, rules relating to conflicts of interest, notification to the competent authority of changes in the provider’s management body, specific requirements for the storage and safeguarding of client funds and provisions on outsourcing. The regulation is expected to enter into force in the EU in 2025 and to be incorporated into the EEA Agreement, making it applicable in Norway as well. Both the EBA and ESMA were working to prepare for the upcoming regulations during 2022. Finanstilsynet contributed to this work.
Administrative enforcement
Serious and critical IT incidents
Institutions subject to the ICT Regulations or equivalent regulations must report serious and critical operational and security incidents to Finanstilsynet. The number of security incidents reported in 2022 was on the same level as in 2021. 284 incidents were reported in 2022, of which 19 were security incidents and 265 were operational incidents. Some of the incidents were serious for the institutions that were affected, but none of the security incidents had an impact on the financial infrastructure or had serious consequences for the large financial institutions.
Finanstilsynet reported seven serious incidents to the Ministry of Finance.
Security incidents
The 19 security incidents reported in 2022 occurred in different types of financial institutions. One institution reported that the vulnerability in the logging utility Log4j, which became known in December 2021, had been exploited to gain access to one of the institution's servers connected to the internet. The institution found no indications of unauthorised access before the server was shut down.
A distributed denial-of-service (DDoS) attack against Nordea on 1 March 2022, which prevented access to the bank's services for much of the day, was closely monitored, as were DDoS attacks against a number of Norwegian entities, including some financial institutions, in the period 29 June–5 July. The attacks had only limited consequences. It is often unclear who is behind such attacks.
In December, a data provider in Sweden was hit by a security incident that caused it to shut down its network for several days. This had consequences for at least seven Norwegian financial institutions, including banks, insurers and fund management companies. One of these found traces of the attack on its own servers. Several of the Norwegian entities were also affected when their electronic systems for screening and transaction monitoring were put out of operation as a result of the shutdown at the supplier.
Other security incidents concerned hacking of employees’ email addresses, forging of payment instructions and phishing attacks against the institution's email address.
Finanstilsynet is in dialogue with Nordic Financial CERT (NFCERT) about most of the security incidents. If security incidents occur at institutions that are not members of NFCERT, Finanstilsynet advises them to share information about the security incident with NFCERT.
Increased attention is focused on the risk of security incidents that affect several countries at the same time and may entail systemic risk for the financial sector. The European Systemic Risk Board (ESRB) has advised the European Supervisory Authorities to develop a framework for coordinated response to such cross-border security incidents. The framework will be developed as part of the implementation of DORA, and work on this was initiated in late 2022.
Operational incidents
None of the 265 reported operational incidents in 2022 were of particularly long duration, but some of them affected access to payment services concurrently in a number of banks and Vipps in periods of two to five hours.
On the morning of 16 May, there were problems with card payments in a number of shops and retail outlets. Neither BankAxept nor international cards worked. Offline backup solutions requiring a signature worked for merchants that had activated them. The incident received a lot of media attention. The cause of the incident was a network change made at Nets. Some merchants, including Vinmonopolet, had not adopted the backup solution. Moreover, there turned out to be a technical failure at one of the terminal providers, which made the consequences of the incident even more serious.
In May, there was an incident at Euronext Securities/VPS where a participant lacked sufficient liquidity to cover its obligations. An unauthorised restart resulted in calculation errors, and the wrong amount was withdrawn from a liquidity bank. The error had limited consequences but could potentially have been very serious.
A total of 12 operational incidents of non-conformance in institutions’ electronic anti-money laundering transaction monitoring were reported, in addition to four security incidents.
According to the revised Payment Services Directive (PSD2), account servicing payment service providers shall give third-party payment service providers access to the payment service user's accounts once the user has given permission. In 2022, DNB provided a weekly status report on problems with its dedicated interface for third parties' access to customers' payment accounts. Other banks report when special problems arise. In 2022, third parties also frequently reported observed downtime in the banks' interfaces for trusted third parties' access to customers' payment accounts.
Reporting of incidents by type of institution
- 9 incidents from debt collection agencies
- 11 incidents from insurers
- 206 incidents from banks
- 12 incidents from payment institutions
- 3 incidents from finance companies
- 42 incidents from the securities sector
- 1 incident from a debt information undertaking
Notification obligation in connection with outsourcing
With some exceptions, financial institutions are obliged to notify Finanstilsynet when they enter into an agreement on critical or important outsourcing of IT activities, changes to agreements or changes of service provider, etc. Finanstilsynet may impose certain conditions for the institutions' outsourcing, issue orders not to carry out the assignment or issue an order to terminate the assignment. Finanstilsynet may do this if it finds that the outsourcing cannot be deemed prudent, that it complicates supervision or that it is in breach of the regulations. In 2022, Finanstilsynet processed approximately 240 reports on outsourcing of IT deliveries, which was an increase of close to 20 per cent from the previous year. Some of the notifications came from joint service providers on behalf of participating banks.
Contingency preparedness
Financial Infrastructure Crisis Preparedness Committee (BFI)
Finanstilsynet heads, and is the secretariat for, the Financial Infrastructure Crisis Preparedness Committee (BFI). The BFI held three regular meetings in 2022 and three crisis meetings for updates on emergency preparedness and measures related to the situation in Ukraine. One emergency preparedness exercise was conducted in the BFI in 2022 under the auspices of Nordea Bank Abp’s Norwegian branch. Finanstilsynet and BFI also participated in the 2022 Cyber Exercise organised by Norges Bank.
Sector response body
Finanstilsynet has been designated as sectoral response body in the financial market area in accordance with the framework of the Norwegian National Security Authority (NSM) for handling IT-related security incidents. Finanstilsynet performs this role in cooperation with Nordic Financial CERT (NFCERT). As part of this effort, Finanstilsynet and NFCERT had monthly meetings throughout 2022. Based on experience from incidents in 2022, more detailed operational procedures for the cooperation have been drawn up in an appendix to the cooperation agreement.
Collaboration on IT security and financial infrastructure
TIBER-NO
In autumn 2021, Norges Bank and Finanstilsynet decided to establish a framework for security testing of critical functions in the Norwegian financial sector, and a TIBER-NO implementation guide was published on the websites of Norges Bank and Finanstilsynet. The Norwegian framework is based on the European Central Bank’s TIBER framework (Threat Intelligence-based Ethical Red-Teaming) and aims to promote financial stability by increasing the resilience of critical functions in the Norwegian financial sector against cyberattacks. The framework also permits testing of non-critical functions.
Norges Bank resourced a TIBER Cyber Team (TCT-NO) in 2022 that has formal responsibility for managing TIBER-NO and following up entities in connection with TIBER-NO testing.
In 2022, Norges Bank and Finanstilsynet identified critical functions and the entities responsible for such functions. In the second quarter of 2022, these entities and other entities that showed special interest in security testing were invited to participate in TIBER-NO testing and the TIBER-NO meeting forum. In the fourth quarter of 2022, the first entities started the testing process.
Norwegian National Security Authority (NSM)
Finanstilsynet is a partner at the National Cyber Security Centre (NCSC). NCSC is part of NSM. NCSC provides continuous information on the digital threat picture and recommendations related to security and other topics that may be relevant in the supervisory follow-up of financial sector entities.
Finanstilsynet participates in NSM's cooperative forum for supervisory authorities that supervise IT security in their sector. The cooperative forum is useful for exchanging information and sharing experience on IT risk and security between supervisory authorities. In 2022, Finanstilsynet presented its supervision module for continuity and continuity management.
Norges Bank
Finanstilsynet cooperates with Norges Bank on the supervision and surveillance of the financial infrastructure in Norway, including through the exchange of reports, risk assessments and joint supervision. Finanstilsynet's follow-up of the entities’ payment services is part of Norges Bank's monitoring of the overall payment system.
Fintech and regulatory sandboxes
Finanstilsynet has a regulatory sandbox for fintechs as part of a broader information and guidance initiative. Since the establishment of the regulatory sandbox in 2019, Finanstilsynet has received 19 applications for admission. Four projects have been admitted to the sandbox, three of which have been completed. Project plans and final reports are published on Finanstilsynet's website.
In 2022, the previous system whereby firms were admitted at regular intervals was replaced by a system where Finanstilsynet processes applications on an ongoing basis. There were three applications for admission to the regulatory sandbox in 2022.
One of the applicants, R8Me AS, was admitted to the regulatory sandbox on 28 February, and four workshops were held with the firm during the year. The firm plans to develop a solution for automated sustainability measurement. The solution will target small and medium-sized businesses and is based on a set of defined measurement indicators. Sustainability is measured in three dimensions: environmental footprint, social conditions and financial sustainability, and against the industry average. This method should, as far as possible, make use of available data from established systems and registers. The EU's taxonomy forms the basis for the project. The project is well underway and is scheduled for completion during the first quarter of 2023.
Finanstilsynet and the Norwegian Data Protection Authority have cooperated on sandbox projects related to anti-money laundering and counter-terrorism financing (AML/CFT). In 2022, Finanstilsynet helped clarify statutory provisions related to AML/CFT measures in a project admitted to the Data Protection Authority's sandbox.
Finanstilsynet holds quarterly coordination meetings with the regulatory sandboxes of the National Archives of Norway, the Norwegian Digitalisation Agency and the Norwegian Data Protection Authority. A joint experience seminar was held on 28 April. Participants included politicians and firms that have participated in sandboxes.
In 2022, Finanstilsynet was in contact with the Norwegian technology incubator Startuplab and participated in an event for fintechs on 11 May. At a meeting in June, four firms presented their business ideas to Finanstilsynet. Such meetings help raise Finanstilsynet's understanding of new technological solutions in the financial market.
Finanstilsynet participated in three meetings of the European Forum for Innovation Facilitators (EFIF) in 2022. EFIF is a forum established by the European Commission. The European Supervisory Authorities EBA, ESMA and EIOPA jointly organise the forum, which is attended by all national financial supervisory authorities in the EEA. One of the objectives is to exchange experiences from the work on regulatory sandboxes and so-called innovation hubs, and to reach common views on the regulatory treatment of innovative products, services and business models.
Warnings against buying or owning virtual assets
When purchasing or owning virtual currencies or financial instruments exposed to such currencies, one will not benefit from the safeguards associated with regulated financial services. In 2022, Finanstilsynet and other European financial supervisory authorities again warned consumers/investors against this risk.