The Financial Supervisory Authority of Norway has published an inspection report from an on-site ICT review of Skagerrak Sparebank (9–10 January 2025), concluding that the bank has deficiencies, some of them material, in its governance and control of ICT activities. The findings cover weaknesses in overall ICT risk management and internal control, supplier oversight, and compliance with requirements in the ICT Regulation (IKT-forskriften). Key issues included missing board approval of overarching ICT governance documents, insufficiently documented processes for ICT risk assessment and reporting, and shortcomings in ongoing internal control and second-line oversight. The review also found deficiencies in change management and incident handling, access management, and outsourcing governance and documentation, including follow-up of the bank’s main ICT provider, Eika Gruppen, and other vendors. On continuity and resilience, the bank had not exercised or tested its crisis solution in 2024, and its business impact analysis process and its linkage to crisis and contingency plans required further development. The bank has informed the supervisor that it has implemented or plans remedial measures across the identified areas, including updated routines and enhanced board-level reporting. Finanstilsynet requested a copy of the minutes from the board meeting where the inspection report is considered and asked the bank to send a copy of the letter to its external auditor.
Norwegian Finanstilsynet 2025-05-26
Financial Supervisory Authority of Norway finds material shortcomings in Skagerrak Sparebank’s ICT governance and controls
Norway's Financial Supervisory Authority found significant deficiencies in Skagerrak Sparebank's ICT governance, including risk management, supplier oversight, and compliance with the ICT Regulation. Issues included inadequate board approval of governance documents, insufficient risk assessment, and weaknesses in change management and incident handling. The bank has initiated remedial measures, and Finanstilsynet requested documentation from the board meeting discussing the report.