Digital finance and IT risk
Published: 31 March 2022
Last updated: 4 April 2022
An effective and robust financial infrastructure is crucial to well-functioning markets and financial stability. The financial sector is characterised by rapid digitalisation, driven by new and advanced digital solutions, new regulations and new market entrants and service providers. Technological developments entail significant gains for users, financial institutions and society as a whole but may also introduce new or changed vulnerabilities. Finanstilsynet is keeping a close watch on the digitalisation and on how digital vulnerabilities are developing in the financial market. This is taking place through regulatory development, the processing of licence applications and supervision, monitoring of ICT incidents and contingency preparedness work in cooperation with the industry and other authorities.
By international standards, Norway is among the most digitalised countries in Europe and scores particularly high when it comes to the use of digital financial services. There is a high rate of innovation within financial services. Greater use of open interfaces (APIs), cloud services and artificial intelligence has paved the way for new products and business models. At the same time, new regulation has facilitated new services and increased competition.
Finanstilsynet observes a changing threat picture. The threat from actors looking for security holes in widely used software which, if exploited, may result in information leaks and/or unauthorised changes in firms’ systems and infrastructure, appears to be increasing. These attacks often have a global reach and take place across sectors. Cybercrime motivated by financial gain is also increasing. In 2021, there were many cases of phishing/smishing, often with an element of social engineering. Various forms of ransomware attacks continued in 2021. These are attacks in which the attacker succeeds in encrypting or otherwise rendering the firm's data and systems inaccessible and demands a ransom to end the attack.
Any attacks that affect the financial infrastructure could have serious consequences. The high degree of interconnectedness within the financial system also means that a single serious incident – in Norway or internationally – could lead to a more widespread crisis with the risk of financial instability if efforts to limit its consequences fail. Preventive measures help reduce the risk of serious incidents.
Supervision and analyses
In 2021, Finanstilsynet carried out a number of inspections of institutions’ IT operations. At the inspections, Finanstilsynet may uncover breaches of laws and regulations as well as identify vulnerabilities that pose risks of serious incidents in the financial sector. The inspections carried out in 2021 addressed areas of importance to the management of the institutions’ IT risk, including outsourcing, emergency preparedness, IT infrastructure and security. Supervision in the IT area often takes the form of separate IT inspections, but IT risk can also be part of a broader inspection at an institution. The inspections carried out in 2021 are described in further detail in the reports for the various supervised sectors.
Risk and vulnerability analysis
Finanstilsynet performs an annual risk and vulnerability analysis of the financial sector’s use of IT. The Risk and Vulnerability Analysis 2021 was published and presented at a webinar in May 2021. According to the report, Norway’s financial infrastructure is robust. Finanstilsynet believes that vulnerabilities in the institutions’ defences against cybercrime and in their IT operations are the two most important threats associated with the institutions’ use of IT, although the risk of information leaks is also a key threat.
Digital finance is an important part of several regulatory processes in the EU relating to financial services. A package of proposed regulations, as part of the EU's digital finance strategy, was presented in autumn 2020 and was under political consideration in the EU in 2021. The package includes new regulations on
- crypto assets – Markets in Crypto Assets (MiCA)
- a pilot regime for market infrastructure based on blockchain technology
- IT security – Digital Operational Resilience Act (DORA).
The purpose of the measures is to strengthen Europe's competitiveness and innovation in the financial sector. Consumers will be given more choices and opportunities within financial services and payments, while ensuring consumer protection and financial stability.
Financial institutions shall report serious and critical IT incidents to Finanstilsynet. Although the number of reported security incidents increased somewhat in 2020 and 2021 compared with previous years, this has thus far not led to serious incidents among institutions in the Norwegian financial sector. However, the incidents have uncovered vulnerabilities that, if successfully exploited, could have caused significant harm.
Finanstilsynet did not observe particularly serious instances of non-conformance in the operation of the payment systems in 2021, but problems with the BankID app and code devices, following the change of operations service provider, resulted in significant instability in a number of users’ access to the BankID service towards the end of the year.
Finanstilsynet reported six incidents to the Ministry of Finance in 2021.
Twenty security incidents were reported by various types of financial institutions. Many of these concerned a vulnerability in a widely used logging utility (Apache Log4j) uncovered in December 2021. The vulnerability affected all sectors and was considered to be highly critical, as it enabled malware to be run on a vulnerable server without the need for usernames and passwords. A number of attempts to exploit the vulnerability were observed, but to Finanstilsynet’s knowledge, no one has succeeded in accessing the IT systems of Norwegian financial institutions. In cooperation with their service providers, the institutions checked whether they used the vulnerable component, made the necessary updates to their IT systems and implemented measures to monitor and handle any attempts to exploit the vulnerability.
With respect to other reported security incidents, small financial institutions were overrepresented. The reported incidents included virus attacks on email servers and malicious code infections in text editors. Only one denial-of-service attack was reported in 2021. Several banks reported particularly aggressive phishing campaigns.
A key provider of services to the financial sector was subject to a ransomware attack in February, but this did not affect institutions in the financial sector.
Finanstilsynet is in dialogue with Nordic Financial CERT (NFCERT) about most of the security incidents. In order to reach financial institutions that are not members of NFCERT, Finanstilsynet published information about the vulnerability of the Log4j logging utility on its website.
With the exception of an operational incident at Danske Bank on 13 October, there were no operational incidents in 2021 of particularly long duration. However, there were incidents in which several banks reported recurrent instability and periodic unavailability of payment services due to operational problems at a service provider. Finanstilsynet considers the problems with the BankID app and code devices following Vipps' shift of operations services provider to be very serious. Finanstilsynet has followed this up through frequent meetings with Vipps (BankID) and letters to the banks.
Finanstilsynet has followed up an incident where staff at a service provider had searched for customer data in breach of the 'need to know' principle. Finanstilsynet has also followed up incidents related to delayed payment and delayed settlement in the securities area.
Banks and payment institutions reported 14 incidents of non-conformance in the electronic AML transaction monitoring. Ten operational incidents were reported relating to problems with the dedicated interfaces that account servicing payment service providers make available for trusted third parties’ access to customers' payment accounts.
Reporting of incidents by type of institution:
- 16 incidents from debt collection agencies
- 12 incidents from insurers
- 215 incidents from banks
- 7 incidents from payment institutions
- 3 incidents from finance companies
- 39 incidents from the securities sector
Finanstilsynet heads, and is the secretariat for, the Financial Infrastructure Crisis Preparedness Committee (BFI). The BFI held three meetings in 2021. A review of the current status and of measures related to the Covid-19 pandemic was on the agenda at all of the meetings. One emergency preparedness exercise was conducted in the BFI in 2021 under the auspices of Eika Gruppen.
Finanstilsynet has been designated as sectoral response body in the financial market area in accordance with the framework of the Norwegian National Security Authority (NSM) for handling IT-related security incidents. Finanstilsynet performs this role in cooperation with Nordic Financial CERT (NFCERT). As part of this effort, Finanstilsynet and NFCERT had regular meetings every four weeks throughout 2021.
Vital societal functions
In 2021, the Ministry of Justice and Public Security commissioned the Norwegian Directorate for Civil Protection (DSB) to revise its overview of vital societal functions in the report Vital Functions in Society (2016). Along with Norges Bank, Finanstilsynet provided feedback to the revision of those parts of the framework that concerned the financial sector.
Collaboration on IT security and financial infrastructure
In autumn 2021, Norges Bank and Finanstilsynet decided to establish a framework for security testing of critical functions in the Norwegian financial sector. The cooperation is based on the European TIBER framework – Threat Intelligence-based Ethical Red-Teaming. The purpose of the framework is to promote financial stability by increasing the resilience of critical functions in the Norwegian financial sector against cyberattacks. The framework also allows testing of non-critical functions. In spring 2021, the proposed framework for TIBER-NO was circulated for comment. A process is also underway to identify critical functions and the institutions responsible for such functions. Norges Bank will organise and staff a ‘TIBER Cyber Team’ (TCT-NO) to manage and operationalise TIBER-NO and will have formal responsibility for managing the framework. A steering group led by Norges Bank, of which Finanstilsynet is also a member, will be responsible for the overall testing.
Interaction with the Norwegian National Security Authority
Finanstilsynet is a partner at the National Cyber Security Centre (NCSC) and participated in regular meetings at the NCSC in 2021 where status reports for the national digital threat picture were reviewed.
Finanstilsynet participates in the National Security Authority's cooperative forum for supervisory authorities that supervise ICT security in their sector (SIG ICT). The forum was established in 2021.
The financial infrastructure
Finanstilsynet cooperates with Norges Bank on the supervision and surveillance of the financial infrastructure in Norway, including through reports, risk assessments and joint supervision. Finanstilsynet's follow-up of the customer-oriented part of the payment system is part of Norges Bank's monitoring of the overall payment system.
Box: Finanstilsynet's regulatory sandbox for fintechs
On commission from the Ministry of Finance, Finanstilsynet operates a regulatory sandbox for fintechs as part of a broader information and guidance initiative. Final reports from the first two projects were published on Finanstilsynet’s website in January 2021.
In March 2021, a project from Abendum AS was admitted to the sandbox. Abendum is a startup company aiming to develop a solution for blockchain audit evidence. The purpose of participating in the sandbox was to assess the solution in relation to the requirements set in international auditing standards. The project was completed as planned in December 2021, and a final report summarising the project will be published on Finanstilsynet’s website in early 2022.
The purpose of the sandbox is to help innovative firms gain better knowledge of relevant regulations, increase Finanstilsynet’s understanding of new technological solutions in the financial market and increase technological innovation and the number of new market entrants. Participants in the sandbox may be existing financial institutions, new entrants who wish to offer financial services, or players outside the financial industry who offer services to supervised institutions. In order to participate in the sandbox, the service and the firm must meet certain set criteria, see table.
In 2021, Finanstilsynet continued its cooperation with the regulatory sandboxes of the Norwegian Data Protection Authority and the National Archives of Norway. In addition, Finanstilsynet was in regular contact with the regulatory sandbox in Denmark, held the opening speech at a seminar in connection with the establishment of the Spanish FSA’s regulatory sandbox and attended four meetings of the European Forum for Innovation Facilitators (EFIF).
In addition to the regulatory sandbox, Finanstilsynet has an information and guidance service targeting fintech firms. Through this initiative, Finanstilsynet responded to twelve enquiries in 2021. Finanstilsynet also responded to a large number of enquiries about cryptocurrencies.
Criteria for participation in the regulatory sandbox for fintechs
- Is the service associated with regulated financial services under Finanstilsynet's responsibility?
- Will the service be of use to consumers or the financial system as a whole?
- Is the service an example of technological innovation or something genuinely new?
- Is participation in Finanstilsynet's regulatory sandbox crucial to the realisation of the service?
- Ready for participation: are the firm and its service ready for participation in the regulatory sandbox?