The Financial Supervisory Authority of Norway published an ICT inspection report on DNB Livsforsikring AS covering an on-site review in December 2023, identifying partly material deficiencies in the firm’s governance and control of ICT operations. The main issues related to weak reporting and follow-up of both internal and outsourced ICT, and insufficient coverage of business impact analyses and realistic exercising and testing of contingency and crisis arrangements for critical and important processes. The report highlights unclear allocation of responsibility for ICT risk between DNB Liv and the group technology unit (DNB Bank ASA Technology and Services), limited ICT competence and attention to ICT risk in the second-line risk management function, and shortcomings in management and board reporting routines. Finanstilsynet expects greater use of independent assurance over the robustness of ICT governance and requested an overview of the periodic ICT reporting established after organisational changes. DNB Liv has created a new ICT section from January 2024 led by a Chief Digital Officer, plans improved ICT reporting routines from 2025, will expand business impact analyses with a plan to complete the annual review by end-May each year, and will conduct at least one annual realistic scenario exercise involving management and relevant ICT suppliers. The report also addresses access management, security testing (including planned security and penetration testing of key systems by an external firm in the first quarter of 2025), outsourcing follow-up (including treating three shared insurance-industry services as outsourced ICT), data governance, and routines to ensure reportable incidents are notified to the supervisor. For follow-up, Finanstilsynet asked DNB Liv to send a copy of the letter to its auditor and to provide the minutes from the board meeting at which the inspection report is considered.

Original source View in tracker