Norwegian Finanstilsynet published an ICT on-site inspection report for Askim & Spydeberg Sparebank, concluding that it found no material deficiencies in the bank’s governance and control of ICT operations. The review nevertheless identifies weaknesses in aspects of overall risk management and in specific ICT routines, including security patching, log monitoring, supplier follow-up, change management and the bank’s assessment of suppliers’ contingency testing. Key observations include insufficient follow-up of board-approved governance documents and a need to report on the operationalisation of strategic objectives, including alliance documents. The supervisor also expects ongoing identification and reporting of ICT risk against board-approved targets, and it challenged the handling of “yellow” risks in relation to the bank’s stated ICT risk tolerance. On operational controls, Finanstilsynet notes that procedures for security patching and log follow-up were not adequately established, and it expects the bank to put in place its own requirements for these areas even where activities are outsourced. The report also highlights improvement areas in change management, including clearer identification of whether changes have led to incidents, and it finds shortcomings in supplier oversight and in the assessment and documentation of suppliers’ resilience testing; the bank referenced updates made to its ICT, outsourcing and crisis management frameworks in connection with compliance with the Digital Operational Resilience Act (DORA) from 1 July 2025. Finanstilsynet asked the bank to provide the minutes from the board meeting where the inspection report is considered, and requested that a copy of the letter be sent to the bank’s auditor.
Norwegian Finanstilsynet 2025-10-16
Norwegian Finanstilsynet finds no major ICT control deficiencies at Askim & Spydeberg Sparebank but requires improvements in patching, logging and supplier oversight
Norwegian Finanstilsynet's ICT inspection of Askim & Spydeberg Sparebank found no material governance deficiencies but identified weaknesses in risk management and ICT routines, including security patching and supplier oversight. The report highlights insufficient follow-up on governance documents and expects improvements in operational controls and change management. The bank must submit board meeting minutes and share the inspection report with its auditor.