The Norwegian Financial Supervisory Authority (Finanstilsynet) published an inspection report from an on-site ICT review of Haugesund Sparebank, identifying shortcomings in the bank's governance and control of its ICT operations. The main findings point to insufficient operationalisation of board-approved governance documents and a need to strengthen the requirements for, and follow-up of, reporting from ICT service providers in both the first and second lines of defence; this applies even though the bank relies heavily on supplier oversight performed through the Eika alliance. The review covered ICT risk, operations, security, use of ICT service providers and contingency arrangements, with expectations framed against the Digital Operational Resilience Act (DORA) and national requirements for independent control functions.

The report highlights the need for a concrete, time-bound plan to embed the bank's ICT risk management framework through routines, training, controls and reporting; better alignment between recurring supplier reporting and the bank's own internal policies; sufficient ICT competence and resourcing in the second line; and independent assessment of third-party service delivery against the bank's business impact analysis, including availability, recovery requirements and dependencies. It also flags gaps in change management (change classification that goes beyond emergency changes, and monitoring of pre-approved changes), in documenting how supplier and sub-supplier audit and risk reports are analysed and fed into the bank's own risk management, in controls over vendors' access to the operating environment, and in contingency testing, which should include relevant cyber scenarios such as ransomware and worst-case disruptions.

Haugesund Sparebank reported that remediation work has been initiated, including strengthening the second line, establishing a joint solution for periodic review of supplier access, and developing extended contingency testing plans with its provider.
The supervisor requested that the bank send a copy of the report letter to its auditor.
Norwegian Finanstilsynet 2026-03-12
Norwegian Financial Supervisory Authority finds DORA-related ICT governance and third-party oversight weaknesses at Haugesund Sparebank
The Norwegian Financial Supervisory Authority's inspection of Haugesund Sparebank revealed deficiencies in ICT governance and control, particularly in operationalising governance documents and managing ICT service providers. The report calls for a concrete plan to enhance ICT risk management, supplier reporting alignment, and independent assessments of third-party services. Haugesund Sparebank has started remediation efforts, including strengthening the second line and improving contingency testing.