The Supervisor of Banks at the Bank of Israel (Israel's central bank), David Zaken, has issued a circular regarding "Cyber Defense Management" at banking corporations and credit card companies.
The circular specifies that banking corporations must place special emphasis on managing cyber-related risks, and take the necessary measures to effectively manage these risks. According to the circular, banking corporations particularly need to enhance their existing cyber defense capabilities, in order to better deal with cyber threats. One of the circular's operative sections requires that banking corporations and credit card companies appoint a cyber defense manager and define the board of directors' responsibilities in this domain.
Directive 357 addresses information security controls and technical controls for information security risk management. The newly issued cyber defense management guidelines focus on mechanisms and procedures necessary for managing cyber risks, cyber defense objectives, and enhancements necessary to better defend against cyber threats – including designated controls needed in order to achieve cyber defense objectives.
According to the circular, banking corporations need to appoint an adequately qualified and experienced senior employee to serve as cyber defense manager. The corporation must ensure that the cyber defense manager's organizational position and corporate authority each support his or her role as the officer who directs, supervises and coordinates the relevant activities and procedures – also at the strategic business level, and not just with regard to managing information technology. The cyber defense manager can also serve simultaneously as information security officer, as long as the interests of the two positions do not conflict.
Banking corporations are expected to routinely identify and evaluate cyber threats and risks, and the circular goes on to detail the requirements for an effective process for identifying and evaluating cyber risks. The circular also points out that banking corporations ought to continuously examine the effectiveness of the various cyber defense controls that they have established – using tools such as vulnerability reviews and controlled intrusion tests.
The circular enters into effect on September 1, 2015.