Bank of Israel publishes draft guidelines on risk management in cloud computing

The Banking Supervision Department at the Bank of Israel (Israel’s central bank) recently published a draft directive letter to banks and credit card companies regarding the use of cloud computing services. The draft directive emphasizes that a banking corporation’s use of cloud services may expose it to “material operational risks related to information security, business continuity, command and control of IT assets, and etc.”
The draft directive letter seeks to supplement the guidelines prescribed in the Supervisor’s Directive on proper conduct of banking business, regarding information technology management (regulation 357). Among other things, the draft directive letter provides that –
  • A banking corporation’s use of cloud computing services is subject to the prior approval of the Banking Supervisor, even if the intended use of cloud services will not cover customer data;
  • Before engaging with a cloud service provider, the banking corporation must assess the associated risks, devise ways to mitigate them and establish a written policy that will address the division of authorities and responsibilities in the corporation, and the control, auditing and approval mechanisms related to all aspects of the use of cloud services. All these shall be discussed and approved by the board of directors;
  • A banking corporation is prohibited from using cloud services for its core activities and core systems;
  • Cloud services may be used only if the data is stored in Israel, or through a cloud service provider that adequately protects personal data pursuant to the EU Data Protection Directive;
  • The banking corporation is required to conduct a due diligence review of the prospective cloud service provider, prior to engaging with it, as well as from time to time throughout the term of the engagement;
  • The banking corporation must encrypt the data communicated to and from the cloud. If the data is stored on a multi-tenant system, the banking corporation must store the data in encrypted form;
  • The banking corporation is required to monitor information security incidents on the cloud infrastructure it uses, and ensure that it possesses the proper means to do so;
  • The engagement with the cloud service provider shall be in writing and ensure that the banking corporation, as well as the Banking Supervisor, can audit the cloud service provider. The agreement must permit the banking corporation to terminate the engagement and ensure that upon termination, the cloud service provider deletes the data stored on its systems and undertakes not to recover or restore the data.
The draft letter also references the Israeli legislation on protection of privacy, and the guidelines on using outsourcing services for processing personal data, published by the Israeli Law Information and Technology Authority (ILITA), the Israeli authority under which the Registrar of Databases (the Israeli privacy regulator) operates.
Source: Draft directive letter of the Supervisor of Banks regarding risk management in cloud computing environment (in Hebrew).