The Financial Supervisory Authority of Norway has published an ICT supervision report on SpareBank 1 SMN, finding shortcomings in the bank’s governance and control of ICT operations. Although it noted progress since the previous ICT inspection, the authority said further improvement is needed in the bank’s business impact analysis, its implementation of the EU Digital Operational Resilience Act framework, including later level 2 measures, the independent control of ICT third-party risk, and testing of digital operational resilience. The report says the business impact analysis should be operationalised through uptime requirements that drive priorities across all lines of defence and should routinely be presented to the board. On outsourced ICT services, the authority maintained that independent control functions must have their own documented basis for assessing supplier risk, controls, performance and compliance, and may need to carry out targeted checks on providers where criticality, risk, complexity or weaknesses in the control basis warrant it. It also expects resilience and contingency testing for both internal and outsourced services to cover relevant and worst-case scenarios and full business processes so the bank can demonstrate that availability requirements are met. In its response, the bank said it had updated its routine so the board is routinely informed of the business impact analysis results and had established a 2026 information security and digital resilience plan that includes further implementation of DORA level 2 requirements. The authority asked to receive the minutes of the board meeting that considers the report and requested that the bank send a copy of the letter to its auditor.