Ina statement Swedish regulatory body Finansinspektionen (FI) said that both Nasdaq Stockholm and Nasdaq Clearing demonstrated deficiencies in the management of cyber-risk of such a degree that there are grounds on which to intervene against them. Nasdaq Clearing is being issued a remark and an administrative fine of SEK 25 million and Nasdaq Stockholm a remark and administrative fine of SEK 30 million.

Finansinspektionen judged Nasdaq Clearing's breaches to be more serious because deficiencies at a central counterparty may have serious side-effects for other companies in the financial system. This is why the administrative fine for Nasdaq Clearing is higher in relation to its net sales.

The investigation focused on how the companies manage cyber risks. The function for information security at both of the companies is outsourced to the Group's parent company, Nasdaq, Inc., and the companies' independence was therefore reviewed during the investigation.

FI found that neither Nasdaq Clearing nor Nasdaq Stockholm have acquired the information required to assess the quality of the delivered services and place sufficient requirements on the service provider.

FI's investigation also shows that Nasdaq Clearing and Nasdaq Stockholm have not had a sufficient basis in their risk management to make the decisions that were made and that they have not taken local conditions into consideration. FI also identified that the companies' continuity guidelines and emergency plans were prepared without considering a scenario that manages the risk of cyber attacks.