Financial Crime World

Norway’s Financial Regulator Reports on 2021 Security Incidents

The Norwegian Financial Supervisory Authority (Finanstilsynet) has released its annual report on security incidents affecting Norway’s financial sector. The report highlights several significant events that took place in 2021, including the vulnerability of Log4j logging utility.

No Successful Breaches

Despite the vulnerability of Log4j, Finanstilsynet notes that no one successfully accessed the IT systems of Norwegian financial institutions using this utility.

Disproportionate Impact on Small Institutions

Small financial institutions were disproportionately affected by reported security incidents in 2021. These incidents included:

  • Virus attacks on email servers
  • Malicious code infections in text editors
  • Denial-of-service (DoS) attack
  • Aggressive phishing campaigns against several banks

Ransomware Attack

A key service provider to the financial sector suffered a ransomware attack in February, but this did not affect Norwegian financial institutions.

Operational Incidents

The report highlights several operational incidents that occurred in 2021, including:

  • Significant outage at Danske Bank
  • Recurring instability and periodic unavailability of payment services due to operational problems at a service provider
  • Delayed payments and settlements in the securities sector
  • Non-conformances with electronic anti-money laundering transaction monitoring

Finanstilsynet is investigating these issues and has met with Vipps (BankID) on several occasions.

Contingency Preparedness

Finanstilsynet participates in the Financial Infrastructure Crisis Preparedness Committee (BFI) and conducted three meetings in 2021. The authority also performed a joint exercise with Eika Gruppen under the auspices of the Norwegian National Security Authority.

Financial Infrastructure

Finanstilsynet cooperates with Norges Bank on supervising and monitoring Norway’s financial infrastructure, including:

  • Reports
  • Risk assessments
  • Joint supervision

The authority has also been working on regulatory sandbox initiatives for fintechs, including:

  • Publishing final reports from two projects in January 2021
  • Admitting a new project to the sandbox in March 2021
  • Expected publication of a final report in early 2022

Finanstilsynet continues to cooperate with other authorities, including the Norwegian Data Protection Authority and the National Archives of Norway, on regulatory sandbox initiatives.