The Financial Supervisory Authority of Norway has published its report from an on-site ICT inspection of Trøgstad Sparebank, assessing how the bank governs, operates and secures ICT systems and services, with particular focus on ICT risk, change and incident management, data governance, ICT security, outsourcing and contingency arrangements. The report identifies areas where controls and board oversight should be strengthened, particularly given the bank’s heavy reliance on external ICT providers.

Key findings include that the bank did not receive the detailed follow-up reports on ICT incidents that the supervisor receives from Eika Gruppen after around 30 days, leaving the bank without full information on root causes, including whether incidents were triggered by changes. Eika is expected to adjust its routines so final incident reports are also shared with banks. Given the bank’s high supplier dependency, Finanstilsynet expects a dedicated, more detailed routine for monitoring outsourced ICT, specifying supplier reporting frequency and content and how the bank will assess the information, and it reiterates that outsourcing does not transfer responsibility.

The report also points to the need for clearer board-level reporting and documentation of the board’s assessments in meeting minutes, a broader ICT risk analysis that better addresses integrity and confidentiality risks and security incidents, and a business-led business impact analysis to underpin crisis planning, including acceptable downtime per critical system and communication of results to relevant suppliers. On contingency arrangements, the supervisor underlines that annual training, exercises and testing must be carried out at the firm level and that information security scenarios, including worst-case scenarios, must be included in testing.

Finanstilsynet notes remedial steps described by the board, including additional ICT staffing and enhancements to risk and compliance reporting, and assumes remaining routines will be established as set out in the bank’s response.