The Norwegian Financial Supervisory Authority (Finanstilsynet) published an ICT on-site inspection report for OBOS-banken AS, identifying areas where the bank should strengthen governance and controls over its ICT operations. The findings cover strategy, business impact analysis, reporting by independent control functions, operational routines and the design and execution of resilience testing. The review assessed ICT risk management, change and incident handling, data governance, ICT security, outsourcing and contingency arrangements.

Finanstilsynet highlighted that the ICT strategy should better reflect the objectives and digital priorities in the business strategy, and that the bank’s business impact analysis did not set out concrete business requirements for ICT systems, including acceptable downtime and data loss. It also pointed to gaps in second- and third-line reporting on ICT compliance and ICT risk, and raised questions about resources and competence in the control functions in light of Norway’s DORA law entering into force on 1 July 2025.

Additional observations included insufficiently specified change testing in change-management routines, missing procedures for log monitoring of access to sensitive systems and data, lack of guidelines for independent security testing, shortcomings in the outsourcing routine around supplier reporting and follow-up, and contingency testing that was not clearly anchored in the business impact analysis or in defined requirements for supplier crisis-solution testing.

OBOS-banken informed Finanstilsynet that it will revise its ICT strategy, has updated its business impact analysis, and plans to improve ICT coverage in quarterly compliance and risk reporting, expand the internal audit scope, further operationalise change-management routines in the third quarter of 2025, and align future contingency exercises more closely with critical processes and supplier involvement.
Finanstilsynet asked the bank to share the letter with its auditor and requested the minutes from the board meeting where the inspection report is addressed.
Norwegian Finanstilsynet 2025-07-01
Norwegian Financial Supervisory Authority flags weaknesses in OBOS-banken’s ICT governance, security testing and contingency arrangements
The Norwegian Financial Supervisory Authority (Finanstilsynet) released an ICT inspection report for OBOS-banken AS, highlighting deficiencies in governance and controls over ICT operations. Issues include inadequate ICT strategy alignment with business objectives, insufficient business impact analysis, and gaps in compliance reporting and change management. OBOS-banken plans to revise its ICT strategy, update its business impact analysis, and enhance compliance and risk reporting.