Increasing cyber threats to Nordic banks continues to produce industry-led initiatives that enable organisations in the financial space to better manage risk, bolster readiness and strengthen internal IT network security systems.
Finans Norge, the central organisation for banks and financial services providers in Norway, has established a dedicated Cyber Threat Support Unit (CTSU) that will collaborate with bank members to provide expert assistance and a centralised resource to share cyber risk experiences, IT network protection methods and recommend defence threat solutions.
The formation of the CTSU represents a direct response to the escalating threat of ever more aggressive cyber attacks against banks, and the emergence of new risks involving bad actors collaborating with bank employees to capture insider information and embezzle finance institution funds.
Sector-wide guidance
To support its financial services members, Finans Norge has launched the Guide to Personnel Security in The Financial Industry (GPSFI). The GPSFI is intended to serve as a roadmap to help organisations in the sector better manage “internal risk” relating to fraud, while protecting loss of assets by using advanced digital and customised artificial intelligence (AI) technologies to limit personnel authorised access to restricted areas for legitimate purposes.
Notwithstanding that Norway’s financial services industry is becoming increasingly robust in the face of digital threats, the use of “insiders” by bad actors poses a new level of security risk for banks and insurance groups, said Therese Høyer Grimstad, Norge Finans’ director of labour relations.
“The guide’s purpose is to assist companies in the financial industry to handle personnel security in such a way that their assets are sufficiently protected. The guide also informs about employees’ rights and privacy, which must be safeguarded,” Grimstad said.
The GPSFI addresses employment law and other legal issues to ensure that the network security and cyber defence measures adopted to counter internal fraud and data breaches by bad actors conform to Norway’s workplace discrimination and data protection regulations.
“By strengthening efforts covering personnel security, it enables our finance sector members to become more equipped to handle increasingly complex threat situations,” said Grimstad.
The escalating threat posed by internal fraud among Norway’s 123 commercial, digital and savings banks has become a significant challenge for Økonomisk (Økonomisk Kriminalitet og Miljøkriminalitet), the country’s national authority for the investigation and prosecution of economic crime.
Økokrim is currently running seven separate investigations involving bank employees colluding with bad actors to defraud their employers, said Pål Lønseth, the police agency’s director general.
“We are seeing a sharp rise in digital threats and bank fraud activities where certain personnel are acting in a disloyal way to their employers by collaborating with external associates. The end-goal is to embezzle monies by helping criminals gain access to bank assets,” Lønseth said.
New and serious threats
Quantum computers may offer a new form of emerging threat and challenge for IT network security in the banking sphere, given that they could eventually make current encryption methods obsolete.
Deepfake technology is also adding a layer of complexity to financial fraud, potentially enabling bad actors in the dark web impersonate bank directors by using AI manipulation tools to reproduce voices and faces.
A survey conducted by Finans Norge in 2024 found that less than 20% of bank executives viewed the evolution of quantum computers as a real future threat to their IT security defences. Around 40% of bank executives regarded malware and ransom ware as posing a higher degree of risk and threat to their operations and IT network security.
Banks in Norway are lobbying the government to introduce additional measures to help companies in the finance sector boost their cyber security capacities through the implementation of more effective legislative protections.
Specifically, banks in Norway want the government to incorporate the European Union’s Network and Information Systems 2 (NIS2) directive into Norwegian legislation at the earliest opportunity.
A member of the European Economic Area (EEA), Norway’s relationship with the EU is built on trade and supplementary economic treaties active through the EEA. Norway is part of the EU’s single market and the Schengen free-travel areas. Around 68% of the country’s exports are with EU countries.
Bank chiefs view the early implementation of the NIS2 (replacing NIS1 2016) in Norway as a fundamental legislative action by government to deliver an updated framework for cyber security to the whole of the financial services sector.
Banks in Norway believe that the NIS2 would establish a high common standard of security coupled with a unified legal framework for network and information systems advantageous to financial services organisations.
Wider cooperation
Banks in Norway are also ramping up cooperation with financial groups across the Nordic region with the aim of building information platforms to share expertise and IT network protection solutions relevant to bolstering cyber security defences.
In a Nordic context, Denmark and Sweden are regarded as being ahead of Norway in terms of work done to evaluate cyber security risks and threats attaching to AI. Denmark and Sweden are also ahead in developing defensive tools to combat the ever more sophisticated deceptive methods being used by bad actors in the dark web to penetrate bank IT network defences to illegally appropriate assets.
Finansforbundet, Denmark’s financial services union, is advising commercial bank and financial sector members to invest more heavily in AI-related risk training with the goal of reinforcing their online platforms and IT networks with a more advanced layer of security protection.
It is imperative that banks in Denmark and the Nordic region adopt effective measures to ensure control over data before introducing AI, said Dorrit Brandt, chairman of Finansforbundet.
“There are advantages and risks with AI. The ability to maintain control over data is very important. There will be efficiency gains, and in some cases the introduction of AI will translate into layoffs over the short term for finance companies,” Brandt said.
Denmark’s financial sector is in the process of introducing AI on a broader scale. An industry analysis conducted in February (2025) by Arbejderbevægelsens Erhvervsråd, the Danish labour movement’s Economic Council, calculated that 98% of all jobs in the country’s financial sector will to some degree be affected by AI while a further 9% could be automated over the next two decades.
The response by Nordic banks to the AI revolution is evident in the uptick in spending on personnel upskilling programmes that track developments in the technology and help structure training requirements.
Specialised training is being provided to employees by banks to highlight the new dimension of IT network security threat that AI poses, as well as how the technology is reshaping conventional cyber security defences long employed by banks and insurers to safeguard IT networks and financial assets.
“As a priority, there needs to be a comprehensive programme of upskilling in generative AI across the financial sector. We are confronting one of the most transformative technologies ever. The industry needs to stay alert and remain in control,” Brandt said.
