Financial Supervisory Authority of Norway issues ICT inspection report finding significant governance and reporting deficiencies at Sparebanken Øst

The Financial Supervisory Authority of Norway published an ICT inspection report following an on-site review of Sparebanken Øst, concluding that the bank has partly material shortcomings in the governance and control of its ICT operations. The review covered ICT risk management, change and incident management, data governance, ICT security, outsourcing, and business continuity. Key deficiencies included inadequate management reporting on both in-house and outsourced ICT activities, elevated key-person risk in the ICT function, and insufficient incident reporting, including failures to report serious ICT incidents to the supervisor in line with the ICT regulations. The report also points to gaps in independent assurance and continuity planning, with expectations that the bank more systematically obtains independent confirmation (including through internal audit), expands and embeds business impact analysis as a documented routine, strengthens control of supplier access, and formalises documented routines for ongoing oversight and reporting from ICT service providers. Crisis preparedness training, exercises and testing were also expected to use realistic scenarios and adequately cover critical and important processes. For follow-up, the supervisor requested that the report be shared with the bank’s auditor and asked to receive the board meeting minutes in which the report is considered.