Norwegian Financial Supervisory Authority reports no material ICT governance deficiencies at Fremtind Forsikring but flags gaps in third-party oversight and contingency testing

The Norwegian Financial Supervisory Authority has published an ICT inspection report on Fremtind Forsikring AS assessing the insurer’s governance and control of its ICT operations, with a focus on systems supporting core activities and ICT services delivered by external providers. The supervisor identified no material shortcomings, but issued remarks calling for clearer and more consistent risk management follow-up. Key points included unclear overarching monitoring of board-approved governance documentation, insufficient own controls or audit-style reviews of ICT services delivered by third-party providers, and a need for more robust testing of contingency and crisis arrangements, including scenarios involving outsourced services. The report also highlighted expectations around adequate resourcing and competence in the second line of defence where information security responsibilities sit in the first line, internal audit coverage of ICT risks proportionate to the firm’s size and risk profile, board-level awareness of the business impact analysis underpinning continuity planning, and stronger processes for incident follow-up, change management (including assessing impacts on contingency plans), and third-party access controls. Fremtind reported having reviewed and renegotiated critical and important ICT service agreements where needed, and is strengthening vendor follow-up routines, training, and central support. Finanstilsynet asked the company to provide a copy of the report to its external auditor.