The financial sector must quickly become better at preventing and handling cyber threats. Customers and society at large must be able to trust that the critical services offered by financial corporations will function even during periods of uncertainty and in the presence of threats. As commissioned by the government, Finansinspektionen (FI) has therefore proposed a number of measures to increase resilience to cyber attacks in the financial sector.
The Swedish financial system has a large selection of digital services that are widely interlinked with one another. Being at the head of the digitalization curve also means that financial corporations are vulnerable to cyber threats, and a serious IT incident in a corporation can quickly spread and impact society at large. Given the current worsened security policy climate, it is also not possible to rule out state-supported cyber attacks on Swedish financial corporations and infrastructure. Therefore, the resilience of the financial sector as a whole to cyber threats must increase.
"Financial corporations bear considerable responsibility for ensuring that their IT systems are sufficiently resilient," says FI's Director General Erik Thedéen. "However, it comes down in the end to Sweden's security, and therefore the state must step in."
Financial corporations carry the main responsibility for counteracting and preventing cyber attacks, but increased collaboration between the state and the commercial sector can enhance resilience to cyber threats and attacks. It is crucial that customers' expectations are met and that cyber security is adequate.
FI therefore proposes the following:
That FI sharply increases its cyber-related supervision. This applies both to more in-depth and frequent reviews of financial corporations' cyber preparedness and to more controls of the critical parts of these corporations' IT operations that have been outsourced.
That the Swedish National Defence Radio Establishment is allowed to assist corporations with cyber protection. It is important that the high level of competence at the Swedish National Defence Radio Establishment be allowed to help raise the level of cyber security in financial corporations. This is not allowed today.
That a separate cyber security council, consisting of concerned authorities and ministries, be established within the Prime Minister's Office. It is important for the Government Offices to create a shared overview of the cyber threats to Swedish society and establish a policy framework to manage cyber security matters at concerned authorities in the area.
That the establishment of the National Cyber Security Centre be accelerated. The centre is an in-depth collaboration between the Swedish Armed Forces, the Swedish National Defence Radio Establishment, the Swedish Civil Contingencies Agency, and the Swedish Security Service. The plan is for the centre to be up and running in 2025, but this time frame should be accelerated so that the centre is established as early as next year.
That Bank ID and other private e-identifications are subject to adequate supervision or replaced with a state e-identification. Bank ID is a critical service. A cyber attack that shuts down Bank ID could have a major impact on several parts of Swedish society, not just payment services. State supervision of Bank ID and similar activities should be significantly strengthened, or these services should be replaced with a state equivalent.