|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Due to the increasing risks from cybersecurity threats, measures are continuously taken to strengthen SEK’s protection before, during and after a possible cybersecurity incident. Security monitoring of the cybersecurity threat landscape is important in order to detect and mitigate cybersecurity risks and threats and to prevent cybersecurity incidents. Analyses of the security monitoring show that SEK is continuously exposed to risks from cybersecurity threats. Attempted attacks and identified vulnerabilities are checked and continuously followed up on.
Cybersecurity risk management is integrated into SEK’s overall risk management procedures and is part of information and communication technology (ICT) and information security risk management.
SEK has a framework for risk management (the Risk Framework) to seek to ensure that SEK can continuously identify, measure, manage, report and have control over the significant risks to which SEK is or may be exposed. The Risk Framework is described in the risk policy, which is adopted each year by the Board.
SEK maintains a holistic approach to the risks that the Company is or could be exposed to and all material risks are documented in the risk taxonomy. The risk taxonomy is updated at least annually and on a continual basis as new risks are identified. Cybersecurity risk is one of the most significant operational risks in SEK’s risk taxonomy. For additional information on SEK’s approach to risk, see Note 29 to the Consolidated Financial Statements.
The Risk Framework encompasses the entire operations and is ultimately governed by SEK’s mission. The Board has the ultimate responsibility for SEK’s organization and administration of SEK’s affairs, including governing and monitoring cybersecurity risk exposure and risk management, and for ensuring satisfactory internal control. The Board determines, annually, overall risk management principles in relation to cybersecurity risks by establishing the risk strategy, the risk policy and the risk appetite. All business activities are kept within the Board’s established risk appetite and limits and are conducted in adherence with SEK’s risk strategy.
According to the Risk Framework, SEK is to promptly reduce critical and high operational risks, including cybersecurity risks, and limit operational losses resulting from potential incidents.
SEK’s risk control function monitors and follows up on risk appetite limits regularly. At least on a quarterly basis, the Board is provided with a comprehensive update of risk exposures in relation to the risk appetite.
SEK tracks certain key risk indicators that warn of increased cybersecurity risk levels. If an increased level is identified, the security specialists within SEK’s CIO department and an independent risk control function analyze the reason for the increase and follow up with the decided mitigating actions.
The Finance and Risk Committee’s responsibilities include ensuring that the Company can identify, measure, manage, report internally and control the risks to which SEK is or can be expected to be exposed. It also handles matters pertaining to general policies, strategies and risk appetite in all risk and capital-related issues. Cybersecurity risk management is included in this work.
The Audit Committee’s responsibilities include monitoring the Company’s financial reporting and submitting recommendations and proposals aimed at assuring the reliability of the Company’s reporting, monitoring the efficiency of the Company’s internal control, internal audit and risk management in terms of the financial reporting, evaluating the audit process and informing the Board of the results and, through the Chairman of the Board, informing the Company’s owner about the results of the evaluation. The Audit Committee is also responsible for the integration of cybersecurity-related topics into control monitoring procedures.
SEK’s CEO is responsible for the day-to-day management of business operations in accordance with the Board’s guidelines, established policies, and instructions. The executive management is tasked with supporting the CEO in the operational management of the Company. For example, the CIO plays a pivotal role when it comes to cybersecurity risks and is responsible for assessing and managing cybersecurity risks within SEK. The CEO is responsible for SEK’s work in relation to risks from cybersecurity threats. This includes ensuring that SEK’s policies and guidelines relating to cybersecurity are relevant and up-to-date.
Cybersecurity risk management is integrated into SEK’s overall risk management procedures. In adherence to industry standards, SEK takes a systematic approach to managing risks from cybersecurity threats. SEK’s risk management framework considers cybersecurity risks alongside other company risks. The Company’s risk management procedures encompass risk identification, risk measurement, risk management, reporting and control of those risks to which SEK is or can be exposed. They are designed to identify, assess, and mitigate potential threats, thereby providing a foundation for the protection of the organization’s information assets. However, security conditions are subject to constant change, prompting SEK to continuously evaluate and address emerging threats. Beyond new threats, increased expectations from regulatory authorities, partners, and society at large emphasize the need for a proactive and structured approach to these risks.
Changes in factors underpinning SEK’s cybersecurity risk management require regular review and adaptation of internal frameworks. Factors that can initiate such change include shifts in the external environment and corresponding alterations in the threat landscape facing SEK. Changes are continuously monitored, documented, and followed up to ensure that information protection aligns with current threats and risks.
At any given time, SEK must be aware of the risks from cybersecurity threats to which it can be exposed in order to determine the security measures needed to protect the integrity of and access to its information assets. Risk and control self-assessments are conducted in relation to identified risks. Risk analysis considers potential losses associated with a given incident and key risk indicators. The likelihood and potential impact of identified risks are measured and assessed quantitatively and qualitatively on an ongoing basis. The risk assessments inform the selection and design of security measures, controls and subsequent systematic information security work.
SEK manages cybersecurity risks by identifying and addressing them across all relevant areas, including its digital systems, physical IT infrastructure and organizational processes. The risk identification process includes, but is not limited to, analyzing external factors and security-related events, security monitoring and vulnerability scanning, performing risk workshops, including self-assessments with all business units to identify and assess risks, incident management, assessment of key risk and performance indicators and analyzing potential deficiencies. The risk identification process is structured to align with the International Organization for Standardization (ISO) 27001/27002 standards for general information technology controls. The security specialists within the CIO department at SEK support the Company in identifying and assessing cybersecurity risks. Additionally, SEK has engaged an external Security Operations Center (SOC) provider that continuously monitors and improves SEK’s cybersecurity posture.
The risk identification process is also in place to ensure that information security at SEK is developed in line with the current security landscape. The procedures enhance the Company’s understanding and awareness of the risks to which it is exposed.
In addition, SEK has rules and procedures associated with the procurement of new systems, services or third-party vendors. The procurement process covers everything from analyzing potential vendors to concluding an agreement. To ensure that risks related to third parties are identified and handled, the procurement process includes assessments and risk evaluations pertinent to cybersecurity. Furthermore, SEK continuously monitors and evaluates third-party vendors over the duration of their involvement, verifying compliance with cybersecurity controls aligned with SEK’s policies. The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), which became applicable in all member states from January 17, 2025, imposes further requirements on SEK to assess risks related to third-party providers.
Further, SEK has processes for reporting and handling operational incidents, including in the event of a cybersecurity incident. Upon discovery of a cybersecurity incident, notification is promptly relayed through agreed-upon communication channels. The security specialists within SEK’s CIO department remain on standby to address any cybersecurity incidents outside of office hours. If an incident occurs, the immediate focus is to resolve the direct event and minimize potential damage. SEK has established documented escalation procedures to notify relevant stakeholders empowered to decide on appropriate action plans. After the incident has been resolved, an analysis is performed to determine the root cause of the incident, to understand why it occurred, and to decide what remedial actions should be undertaken and followed up on to prevent recurrence. In relevant cases, a lessons-learned analysis is performed to make appropriate corrections and ensure future resilience.
SEK’s independent risk control function and compliance function control and monitor adherence to risk appetite statements and applicable limits, risk management principles and internal and external rules, based on SEK’s internal control framework, to ensure that risk exposures are kept at an acceptable level and that risk management is effective and appropriate. Those control and monitoring activities encompass risks from cybersecurity threats and potential incidents. Continuous monitoring and follow-up activities are undertaken to evaluate the progress of action plans and to ensure that the protection of information is adapted to current threats and risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risk management is integrated into SEK’s overall risk management procedures and is part of information and communication technology (ICT) and information security risk management.
SEK has a framework for risk management (the Risk Framework) to seek to ensure that SEK can continuously identify, measure, manage, report and have control over the significant risks to which SEK is or may be exposed. The Risk Framework is described in the risk policy, which is adopted each year by the Board.
SEK maintains a holistic approach to the risks that the Company is or could be exposed to and all material risks are documented in the risk taxonomy. The risk taxonomy is updated at least annually and on a continual basis as new risks are identified. Cybersecurity risk is one of the most significant operational risks in SEK’s risk taxonomy. For additional information on SEK’s approach to risk, see Note 29 to the Consolidated Financial Statements.
Cybersecurity risk management is integrated into SEK’s overall risk management procedures. In adherence to industry standards, SEK takes a systematic approach to managing risks from cybersecurity threats. SEK’s risk management framework considers cybersecurity risks alongside other company risks. The Company’s risk management procedures encompass risk identification, risk measurement, risk management, reporting and control of those risks to which SEK is or can be exposed. They are designed to identify, assess, and mitigate potential threats, thereby providing a foundation for the protection of the organization’s information assets. However, security conditions are subject to constant change, prompting SEK to continuously evaluate and address emerging threats. Beyond new threats, increased expectations from regulatory authorities, partners, and society at large emphasize the need for a proactive and structured approach to these risks.
Changes in factors underpinning SEK’s cybersecurity risk management require regular review and adaptation of internal frameworks. Factors that can initiate such change include shifts in the external environment and corresponding alterations in the threat landscape facing SEK. Changes are continuously monitored, documented, and followed up to ensure that information protection aligns with current threats and risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|SEK’s business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board has the ultimate responsibility for SEK’s organization and administration of SEK’s affairs, including governing and monitoring cybersecurity risk exposure and risk management, and for ensuring satisfactory internal control. The Board determines, annually, overall risk management principles in relation to cybersecurity risks by establishing the risk strategy, the risk policy and the risk appetite. All business activities are kept within the Board’s established risk appetite and limits and are conducted in adherence with SEK’s risk strategy.
SEK’s risk control function monitors and follows up on risk appetite limits regularly. At least on a quarterly basis, the Board is provided with a comprehensive update of risk exposures in relation to the risk appetite.
SEK’s Board, its management and other employees undergo cybersecurity training and simulations on a regular basis. In addition, SEK uses the Nano Learning cybersecurity training methodology via the platform Junglemap in conformity with the International Organization for Standardization (ISO) 27001 standard, with appropriate adjustments and adaptations made to complement SEK’s business.
SEK has organized risk management and risk control in accordance with the principle of three lines of defense, wherein there is a clear-cut separation of responsibilities between (i) the business and support operations that own and handle the cybersecurity risks, (ii) the control functions that independently monitor the cybersecurity risks and (iii) the internal audit function, which reviews the control functions.
The second line of defense consists of the independent risk control and compliance functions. Responsibilities include independent identification, quantification, monitoring and control and reporting of cybersecurity risks, ensuring that cybersecurity risks are part of the risk management framework and internal control framework and that the Company complies with such frameworks and reporting to the Board.
The third line of defense consists of the independent internal audit function (outsourced to Deloitte). Responsibilities of that function include review and evaluation of the efficiency and integrity of cybersecurity risk management. The internal audit function reports directly to the Board.
In addition, SEK’s independent internal audit function and SEK’s external auditors perform control testing throughout the year, covering both operational controls and controls over the financial reporting (i.e., Sarbanes-Oxley Act controls). Further, SEK enhances its cybersecurity measures by annually engaging external experts to perform penetration tests of SEK’s digital environment. Cybersecurity risk management is subject to internal audits on a regular basis.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Finance and Risk Committee’s responsibilities include ensuring that the Company can identify, measure, manage, report internally and control the risks to which SEK is or can be expected to be exposed. It also handles matters pertaining to general policies, strategies and risk appetite in all risk and capital-related issues. Cybersecurity risk management is included in this work.
The Audit Committee’s responsibilities include monitoring the Company’s financial reporting and submitting recommendations and proposals aimed at assuring the reliability of the Company’s reporting, monitoring the efficiency of the Company’s internal control, internal audit and risk management in terms of the financial reporting, evaluating the audit process and informing the Board of the results and, through the Chairman of the Board, informing the Company’s owner about the results of the evaluation. The Audit Committee is also responsible for the integration of cybersecurity-related topics into control monitoring procedures.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
SEK’s independent control functions provide regular reports, at least quarterly, to the Board, the Finance and Risk Committee (FRC) and the CEO regarding the development of the Company’s significant risks. The risk reports are designed to provide an accurate and comprehensive picture of SEK’s risk exposure.
Incident reports are an important component of SEK’s continuous improvement measures. Incidents are reported on an ongoing basis both to the CIO function and to the independent risk control and compliance function and affected parties, who in turn, regularly, and at least quarterly, report on material risks and incidents to the Board and the Board’s Finance and Risk Committee. Risk reporting is designed to give an accurate and comprehensive picture of SEK’s risk exposure, including risks from cybersecurity threats. In addition, the CIO reports on relevant cybersecurity risks and threats on an ongoing basis to the Board and the CEO. Material incidents would also be reported to competent authorities, such as the Swedish Financial Supervisory Authority (Sw. Finansinspektionen).
SEK’s independent risk control function and compliance function conduct regular control testing throughout the year to ensure control effectiveness with regard to design, implementation and operating effectiveness. The control testing is performed by staff who are independent from the individuals who perform the controls. The outcome of this testing and a follow-up on any action plans are reported to the Board’s Audit Committee.
|Cybersecurity Risk Role of Management [Text Block]
|
According to the Risk Framework, SEK is to promptly reduce critical and high operational risks, including cybersecurity risks, and limit operational losses resulting from potential incidents.
SEK tracks certain key risk indicators that warn of increased cybersecurity risk levels. If an increased level is identified, the security specialists within SEK’s CIO department and an independent risk control function analyze the reason for the increase and follow up with the decided mitigating actions.
SEK’s CEO is responsible for the day-to-day management of business operations in accordance with the Board’s guidelines, established policies, and instructions. The executive management is tasked with supporting the CEO in the operational management of the Company. For example, the CIO plays a pivotal role when it comes to cybersecurity risks and is responsible for assessing and managing cybersecurity risks within SEK. The CEO is responsible for SEK’s work in relation to risks from cybersecurity threats. This includes ensuring that SEK’s policies and guidelines relating to cybersecurity are relevant and up-to-date.
The CIO team collectively possesses over 40 years of combined experience gained via previous IT management and cybersecurity-related roles within banking, insurance and other industries, together with relevant education. They are supported by a dedicated IT security department composed of seven specialists across operational security domains such as information security, security architecture, operational security and physical security. The members of the IT security department hold cybersecurity certifications that are kept current by attending dedicated training and specialist conferences.
SEK has organized risk management and risk control in accordance with the principle of three lines of defense, wherein there is a clear-cut separation of responsibilities between (i) the business and support operations that own and handle the cybersecurity risks, (ii) the control functions that independently monitor the cybersecurity risks and (iii) the internal audit function, which reviews the control functions.
The first line of defense is responsible for the daily oversight of cybersecurity risks, ensuring alignment with risk appetite and strategy. This includes implementing controls and conducting regular monitoring and follow-up on these risks.
The second line of defense consists of the independent risk control and compliance functions. Responsibilities include independent identification, quantification, monitoring and control and reporting of cybersecurity risks, ensuring that cybersecurity risks are part of the risk management framework and internal control framework and that the Company complies with such frameworks and reporting to the Board.
SEK constantly monitors the development of business activities, actively utilizes risk-reduction capabilities, and controls the development of risks including cybersecurity risks, over time, to ensure that the Company operates within the boundaries of its risk appetite and other applicable limits. In addition, SEK has a process for continuity of business-critical processes and systems during crises which could be triggered by a cybersecurity incident. Crisis and/or continuity exercises and trainings are performed regularly for handling of situations that require actions to be taken in accordance with SEK’s crisis and/or continuity management.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
SEK’s risk control function monitors and follows up on risk appetite limits regularly. At least on a quarterly basis, the Board is provided with a comprehensive update of risk exposures in relation to the risk appetite.
The Finance and Risk Committee’s responsibilities include ensuring that the Company can identify, measure, manage, report internally and control the risks to which SEK is or can be expected to be exposed. It also handles matters pertaining to general policies, strategies and risk appetite in all risk and capital-related issues. Cybersecurity risk management is included in this work.
The Audit Committee’s responsibilities include monitoring the Company’s financial reporting and submitting recommendations and proposals aimed at assuring the reliability of the Company’s reporting, monitoring the efficiency of the Company’s internal control, internal audit and risk management in terms of the financial reporting, evaluating the audit process and informing the Board of the results and, through the Chairman of the Board, informing the Company’s owner about the results of the evaluation. The Audit Committee is also responsible for the integration of cybersecurity-related topics into control monitoring procedures.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
SEK’s CEO is responsible for the day-to-day management of business operations in accordance with the Board’s guidelines, established policies, and instructions. The executive management is tasked with supporting the CEO in the operational management of the Company. For example, the CIO plays a pivotal role when it comes to cybersecurity risks and is responsible for assessing and managing cybersecurity risks within SEK. The CEO is responsible for SEK’s work in relation to risks from cybersecurity threats. This includes ensuring that SEK’s policies and guidelines relating to cybersecurity are relevant and up-to-date.
The CIO team collectively possesses over 40 years of combined experience gained via previous IT management and cybersecurity-related roles within banking, insurance and other industries, together with relevant education. They are supported by a dedicated IT security department composed of seven specialists across operational security domains such as information security, security architecture, operational security and physical security. The members of the IT security department hold cybersecurity certifications that are kept current by attending dedicated training and specialist conferences.
SEK’s Board, its management and other employees undergo cybersecurity training and simulations on a regular basis. In addition, SEK uses the Nano Learning cybersecurity training methodology via the platform Junglemap in conformity with the International Organization for Standardization (ISO) 27001 standard, with appropriate adjustments and adaptations made to complement SEK’s business.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
SEK’s independent control functions provide regular reports, at least quarterly, to the Board, the Finance and Risk Committee (FRC) and the CEO regarding the development of the Company’s significant risks. The risk reports are designed to provide an accurate and comprehensive picture of SEK’s risk exposure.
Further, SEK has processes for reporting and handling operational incidents, including in the event of a cybersecurity incident. Upon discovery of a cybersecurity incident, notification is promptly relayed through agreed-upon communication channels. The security specialists within SEK’s CIO department remain on standby to address any cybersecurity incidents outside of office hours. If an incident occurs, the immediate focus is to resolve the direct event and minimize potential damage. SEK has established documented escalation procedures to notify relevant stakeholders empowered to decide on appropriate action plans. After the incident has been resolved, an analysis is performed to determine the root cause of the incident, to understand why it occurred, and to decide what remedial actions should be undertaken and followed up on to prevent recurrence. In relevant cases, a lessons-learned analysis is performed to make appropriate corrections and ensure future resilience.
Incident reports are an important component of SEK’s continuous improvement measures. Incidents are reported on an ongoing basis both to the CIO function and to the independent risk control and compliance function and affected parties, who in turn, regularly, and at least quarterly, report on material risks and incidents to the Board and the Board’s Finance and Risk Committee. Risk reporting is designed to give an accurate and comprehensive picture of SEK’s risk exposure, including risks from cybersecurity threats. In addition, the CIO reports on relevant cybersecurity risks and threats on an ongoing basis to the Board and the CEO. Material incidents would also be reported to competent authorities, such as the Swedish Financial Supervisory Authority (Sw. Finansinspektionen).
SEK’s independent risk control function and compliance function control and monitor adherence to risk appetite statements and applicable limits, risk management principles and internal and external rules, based on SEK’s internal control framework, to ensure that risk exposures are kept at an acceptable level and that risk management is effective and appropriate. Those control and monitoring activities encompass risks from cybersecurity threats and potential incidents. Continuous monitoring and follow-up activities are undertaken to evaluate the progress of action plans and to ensure that the protection of information is adapted to current threats and risks.
SEK’s independent risk control function and compliance function conduct regular control testing throughout the year to ensure control effectiveness with regard to design, implementation and operating effectiveness. The control testing is performed by staff who are independent from the individuals who perform the controls. The outcome of this testing and a follow-up on any action plans are reported to the Board’s Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true