Geopolitical situation accelerated preparation for cyber-attacks in the financial sector

Cyber-attacks are part of the tool kit of warfare. After Russia launched its invasion of Ukraine in February, the FIN-FSA reacted to the deterioration in the cybersecurity situation proactively in close cooperation with other authorities. In addition, the FIN-FSA improved its own preparedness, continued inspections and thematic reviews related to cyber-preparedness and participated in an exercise simulating a cyber-attack incident.

Cyber risk management has been one of the focus areas in the supervision of banks’ operational risks in recent years. The management of ICT and information security risks in different sectors of supervised entities had been mapped extensively in thematic reviews already before the war began.

Cooperation between authorities and the industry participants intensified the exchange of information

A task force consisting of various authorities’ cyber experts was established very soon after the war broke out. The group is led by the Ministry of Finance and also includes the National Cyber Security Centre, the National Emergency Supply Agency, the Ministry for Social Affairs and Health, the Bank of Finland, the Financial Supervisory Authority and the Financial Stability Authority. Within the task force, information has been shared on the cyber situation and cyber-attacks, and channels have been created for communication on severe threats.

The FIN-FSA also contributes to the security of supply in normal conditions within the joint financial sector pool of financial market participants and authorities and in working groups within the insurance sector pool. The assessment of cyber threats and preparation for them are an important part of this work.

Preparation for disruption events also covered own activities

The FIN-FSA’s own contingency plans were updated to reflect the escalated geopolitical situation and the increase in cyber risks. This work continues in 2023. In addition, guidelines were drafted to prepare for various incidents, such as electricity and data communication outages. The FIN-FSA’s contingency plan will be updated in 2023.

Management of ICT and information security risks by supervised entities was inspected

At the beginning of March, the FIN-FSA urged its supervised entities to ensure that their own protections and those of their outsourcing partners against various cyber threats are up to date. Supervised entities were steered to ensure the capacity to detect information security deviations fast and to react immediately to cybersecurity incidents or disruptions.

The FIN-FSA conducted inspections and thematic reviews on the management of ICT and information security risks. Two inspections launched in 2022 continued into 2023, ending in the first quarter. A thematic review of investment firms was conducted on the same topic. The inspections examine the situation of a single supervised entity at a detailed level. Meanwhile, thematic reviews explore the situation of a broader group of supervised entities, typically based on self-assessments, and they provide for other supervisory actions, including inspections, where necessary.

TIETO22 exercise tested cooperation amid a cybersecurity disruption

The FIN-FSA participated in the nationwide TIETO22 exercise, involving around 120 organisations. The exercise was centred on the cybersecurity of the financial sector: it tested and practised the smoothness of cooperation in a fictitious cyber-attack scenario targeting societal institutions on a wide scale and the banking sector in particular.

Aim is to protect financial sector functions also in cases of severe disruption

The FIN-FSA participated in the creation of the national backup account system both at the phase of drafting the legislative proposal and at the phase of establishing the actual system. The backup account system maintained by the Financial Stability Authority consists of the backup account service and the backup service for card payments. The backup arrangements for daily payments also include the interbank settlement system provided by the Bank of Finland. These systems enable the provision of basic banking services, such as cash withdrawals, card payments and credit transfers in the event of a severe disruption. The national backup account system may be activated by a Government decision in circumstances where a bank is unable to use the systems required by key payment services due to a severe disruption or emergency conditions.

As the threat of cyber-attacks increases, the EU also wants to strengthen the security of information systems in the financial sector. Political agreement on the EU Digital Operational Resilience Act was achieved in 2022, and the statute entered into force in January 2023. DORA helps ensure that financial sector functions in Europe can be maintained also in the event of severe disruption.