Norway's Financial Supervisory Authority published an ICT supervisory report on Sparebanken Vest following an inspection on 10 to 11 June 2024, identifying partly material shortcomings in the bank’s governance and control of ICT systems and services, including areas that are outsourced. The supervisor noted that the bank has implemented and plans a range of corrective measures, many scheduled for completion in the first and second quarters of 2025.
Key observations covered organisational arrangements and the independence and resourcing of control functions, including potential conflicts of interest where multiple roles are held by the same person, and questions about internal audit capacity relative to the bank’s size and ICT complexity. The report also highlighted weaknesses in the ICT risk framework and board information flows, documenting that board reporting from the third quarter of 2024 was expanded and aligned to board-approved KPIs for risk appetite and tolerance.
Operational findings included insufficiently documented internal ICT operations procedures, the need for a completed business impact analysis to underpin continuity planning, and crisis testing that had been too narrowly focused on single data-centre failover rather than broader and worst-case scenarios, including for outsourced services. Further issues related to outsourcing oversight, including incomplete consolidated inventories and assurance over suppliers’ configuration management controls, as well as the absence of a documented end-to-end change management process covering DevOps and changes to machine learning and artificial intelligence algorithms. The bank also committed to strengthening incident reporting routines and to making information security requirements contractually binding for suppliers as part of contract revisions linked to DORA.
Finanstilsynet requested that the board confirm by 31 August 2025 that all measures described in the board’s response have been implemented with the expected result. It also asked for a copy of the board minutes where the report is handled and requested that the letter be shared with the bank’s external auditor.
Norwegian Finanstilsynet 2025-02-18
Norway's Financial Supervisory Authority finds material ICT governance and control deficiencies at Sparebanken Vest and requires remediation confirmation by 31 August 2025
Norway's Financial Supervisory Authority released an ICT supervisory report on Sparebanken Vest, identifying significant shortcomings in governance and control of ICT systems, including outsourced areas. The report highlighted issues in organisational arrangements, ICT risk framework, and outsourcing oversight, with corrective measures planned for early 2025. The bank committed to enhancing incident reporting and making information security requirements contractually binding for suppliers.