The Financial Supervisory Authority of Norway has issued an inspection report on its ICT review of Sparebank 1 Sør-Norge ASA, finding no material deficiencies in the bank’s governance and control of ICT operations, but identifying several minor observations in its overall risk management. The inspection assessed how the bank manages, develops, operates, maintains and secures ICT systems and services, with emphasis on solutions supporting core activities and prioritised outsourced ICT systems. The report’s observations relate to follow-up of governance documents, operationalising the business impact analysis so it drives prioritisation of control activities across the lines of defence, ICT risk assessments and reporting, and ICT-related internal control. It also sets expectations: for second-line functions to perform their own controls of ICT service providers and to have sufficient ICT capacity and competence; for change management to link pre-approved changes to operational stability and to assess whether changes require updates to contingency plans; for consistent oversight of outsourced ICT arrangements; and for contingency planning and testing to include relevant information security and worst-case scenarios and documented assessments of whether supplier testing meets business impact analysis requirements. The report notes the inspection was conducted under the ICT Regulation, while the bank is required to comply with the Digital Operational Resilience Act (DORA) Regulation and related delegated Commission Regulations from 1 July 2025. Finanstilsynet requested a copy of the minutes from the board meeting where the report is discussed and asked the bank to send a copy of the letter to its external auditor.
Norwegian Finanstilsynet 2025-09-12
Financial Supervisory Authority of Norway publishes ICT inspection report on Sparebank 1 Sør-Norge with only minor risk management observations
The Financial Supervisory Authority of Norway's inspection report on Sparebank 1 Sør-Norge ASA's ICT operations found no major deficiencies but noted minor issues in risk management. Observations include the need for improved governance document follow-up, enhanced ICT risk assessments, and better oversight of outsourced ICT services. The bank must comply with the Digital Operational Resilience Act (DORA) from July 2025.