Neglecting protective security measures can pose serious threats to Swedish national interests and can also result in significant financial penalties. The Swedish Financial Supervisory Authority is intensifying its oversight of how the financial sector complies with the regulations.
Halszka Onoszko, Head of Protective Security Oversight at the Swedish Financial Supervisory Authority (FI). Photo: Anna Nildén
An increasingly complex threat landscape against Sweden has brought security protection issues to the forefront in recent years, both in the private and public sectors. The risks are manifold, and several foreign entities are assessed as having malicious intentions, targeting actors in the financial market.
Complex security risks
– We know that the serious global situation increases the risk of attacks on the financial system in the form of cyberattacks, disinformation, infiltration, or sabotage. A significant disruption in the financial system could obviously threaten financial stability, which in turn could impact Sweden’s national security, says Halszka Onoszko, Head of Protective Security Oversight at the Swedish Financial Supervisory Authority (FI).
FI is one of the authorities, alongside the Armed Forces and the Swedish Security Service (Säpo), entrusted with special supervisory responsibilities regarding protective security issues. This responsibility specifically applies to companies within the financial sector, whether they are banks or other financial institutions.
So far, around ten financial companies have reported that they conduct security-sensitive operations. The exact number is classified. Ultimately, it is up to each company to conduct its own analysis to determine whether any part of its operations falls under the Protective Security Act.
– The legislation is structured so that companies themselves are primarily responsible for making these assessments, including the initial determination of whether they conduct security-sensitive activities, explains Halszka Onoszko.
First supervisory investigation
Currently, FI cannot comment on whether the number of companies conducting security-sensitive operations ought to increase further. However, in a report to the Swedish government in September 2024, FI highlighted the possibility of companies having incentives to classify themselves at a lower level, concluding, for example, that an antagonistic act against their operations would only cause "minor damage to Sweden's security." This approach allows companies to avoid certain costly measures, such as placing personnel in various security clearance categories.
This year, FI launched the first supervisory investigation into one of Sweden's major banks. It is not yet clear when the investigation will be completed, but the industry is likely to scrutinise the findings closely. The Swedish Post and Telecom Authority (PTS), another supervisory authority under the Protective Security Act, recently imposed a penalty of SEK 12.5 million on a major Swedish telecom operator for deficiencies in its security protection work – a decision upheld by the Administrative Court of Appeal in Stockholm in October this year.
– It is too early to comment on specific assessments made in our sector. However, as early as December 2023, we noted in a report that many actors need to strengthen their security protection efforts further. Unfortunately, it is too sensitive to specify what is being done well and what needs improvement, says Halszka Onoszko.
Background checks needed
The requirements for different financial companies can vary greatly. This is why the initial analysis must be taken seriously. It should include assessing the need for measures related to personnel security, information security, and physical security. Ultimately, the responsibility for the analysis rests at the CEO level. If a security-sensitive operation is identified, a security protection officer must be appointed to report directly to the CEO. Regarding personnel security specifically, roles should be classified based on their involvement in operations, and some roles may require background checks, security interviews, and in some cases, more in-depth registry checks.
– There must be an organisation in place responsible for the protective security work. Companies should allocate sufficient resources, and routines should be integrated into daily operations and risk management through governance documents, mandates, and regular reporting, says Halszka Onoszko.
FI was given this new supervisory responsibility three years ago and, during the initial period, has also devoted resources to guiding the industry on the applicable regulations.
– If an entity is under our supervision, they are more than welcome to approach us. We have a duty to provide guidance on security protection matters within our area of supervision. We have also conducted several information activities early on to support companies, for instance, on how specific information should be submitted to us, concludes Halszka Onoszko.