IMF Staff Country Reports

This technical note focuses on cyber and operational resilience, supervision and oversight in Iceland. The Icelandic financial sector has not experienced seriously disruptive cyber-attacks or operational issues in recent years, but threats are growing. Iceland’s dependence on international connectivity for both debit and credit card systems introduces a significant vulnerability into the payment system. There is no dedicated cyber security strategy for the finance sector. Operational risk experts in the Central Bank of Iceland (CBI) are experienced and well regarded by financial institutions, but more resources are needed to provide adequate coverage of this increasingly important area. The supervision of financial institutions’ cybersecurity is highly dependent on self-assessments by the regulated entities themselves and independent reviews carried out by third parties. CBI should regularly revise the list of critical operations and critical service providers for internal use and for presentation to the Financial Stability Committee and Financial Stability Council. CBI is encouraged to enhance its incident dashboard by summarizing cyber incidents and examining trends.