21Dec 2016

Swedish trading venue Nasdaq Stockholm fined for cyber security failures

Protection concept. Protect mechanism, system privacy. Vector illustration

Nasdaq Stockholm and its clearing operation have been fined by the Swedish financial services regulator over security management failures.

This is part of a crack-down by the regulator, Finansinspektionen (FI), amid increasing cyber crime. Trading venues such as Nasdaq Stockholm are vital cogs in the financial systems and economies of countries and are therefore a target of cyber attacks.

The two organisations, which outsource information security to parent company Nasdaq Inc, were fined a total of SEK 55m (£4.7m) by FI for not adequately managing information security.


“The investigation looked at how the two organisations manage cyber risk given the fact that information security is outsourced,” said a statement from FI.

“Both companies have demonstrated deficiencies of such a degree that FI has made the assessment that there are grounds on which to intervene against them.”

In particular, due to security being outsourced, the regulator looked at the companies’ independence in security management.

“FI finds that neither Nasdaq Clearing nor Nasdaq Stockholm have acquired the information required to assess the quality of the delivered services and place sufficient requirements on the service provider,” said FI.

It also found that local conditions were not taken into consideration when decisions were made.

Nasdaq Clearing and Nasdaq Stockholm were not fined as a result of a particular breach, but because they lacked oversight of the information security service from Nasdaq Inc.

Businesses that outsource security cannot outsource the risks and will be fined by regulators even when the failings are the fault of the supplier. Controls imposed on suppliers are not always the same as those imposed internally by businesses and can expose a business to cyber risk.