The Swedish Financial Supervisory Authority, also known as the Finansinspektionen, imposed the fines on Nasdaq Clearing AB and Nasdaq Stockholm AB.
The regulator said in a December 13 statement that Nasdaq Clearing’s breaches were more serious, due to the “critical importance” of a central counterparty to derivatives trading.
Clearing houses are pieces of market infrastructure that sit between derivatives trades. They formed a key part of regulatory efforts in the wake of the financial crisis to make derivatives markets safer.
Finansinspektionen said that deficiencies at a clearing house may have “serious side-effects” for other companies in the financial system.
As a result, Nasdaq Clearing’s fine of Skr25 million was higher, in relation to its net sales, than the fine of Skr30 million for Nasdaq Stockholm, the regulator said.
A Nasdaq spokesman said the regulator’s conclusions “pertain strictly to governance structure: they have not expressed any concerns about our systems or platforms”.
The regulator’s investigation considered how well Nasdaq Clearing had complied with “certain fundamental requirements” placed on a central counterparty under provisions in the European Market Infrastructure Regulation, which sets out rules for over-the-counter derivatives, central counterparties and trade repositories.
Finansinspektionen said the investigation focused on how the companies manage cyber risks. Both companies outsourced the information security function to their parent company, according to the statement.
Finansinspektionen said that neither Nasdaq Clearing nor Nasdaq Stockholm “have acquired the information required to assess the quality of the delivered services and place sufficient requirements on the service provider”.
The regulator said its investigation showed that neither of the companies had “a sufficient basis in their risk management to make the decisions that were made and that they have not taken local conditions into consideration”.
The regulator added that it had “also identified that the companies’ continuity guidelines and emergency plans were prepared without considering a scenario that manages the risk of cyber attacks.”
A Nasdaq spokesman said: “Cybersecurity is — and always will be — a crucial focus for us and for the entire financial eco-system. Fair, transparent and secure markets [are] our top priority and we have the resources and the global knowledge needed to build and maintain a robust defense against cyber threats.”