The Financial Supervisory Authority of Norway (Finanstilsynet) published an inspection report on Storebrand Livsforsikring AS following an on-site review on 25–26 November 2024 of how the firm manages, develops, operates, maintains and secures its ICT systems and services, including outsourced ICT.

The report identifies areas where the firm should make changes, notably stronger follow-up of board-approved governance documents, carrying out its own controls at relevant ICT service providers, and ensuring that contingency testing covers relevant information security scenarios, worst-case scenarios among them. It also sets the expectation that the second and third lines of defence independently monitor adherence to ICT strategies and policies and verify that these are operationalised, and that independent, risk-based checks confirm that supplier criticality assessments align with the firm's business impact analysis.

The report highlights the need for sufficient ICT resources and competence to conduct risk and compliance controls over outsourced ICT, to strengthen compliance with change-management and deviation-handling processes (including reporting on remediation actions), and to ensure that changes that may affect operations or customers, including production deployments and changes to machine-learning models, are subject to formal change control.

For ICT preparedness, it emphasises enterprise-level testing of crisis, recovery and alternative-operations plans for both internal and outsourced services, covering scenarios such as prolonged unavailability, with more active involvement of suppliers in that testing.

Finanstilsynet requested a copy of the minutes from the board meeting at which the inspection report is discussed and asked the firm to send a copy of the letter to its auditor.
Norwegian Finanstilsynet 2025-05-09
Financial Supervisory Authority of Norway flags ICT governance and contingency testing gaps at Storebrand Livsforsikring
The Financial Supervisory Authority of Norway released an inspection report on Storebrand Livsforsikring AS, highlighting the need for improved governance, independent monitoring, and risk management of ICT systems, including outsourced services. The report calls for enhanced contingency testing, formal change control processes, and sufficient ICT resources. Finanstilsynet also requested board meeting minutes discussing the report and asked the firm to share it with its auditor.