Israel Supervisor of Banks Issues Cyber Defense Circular

The Supervisor of Banks at the Bank of Israel (Israel's central bank), David Zaken, has issued a circular regarding "Cyber Defense Management" at banking corporations and credit card companies.

The circular specifies that banking corporations must place special emphasis on managing cyber-related risks, and take the necessary measures to effectively manage these risks. According to the circular, banking corporations particularly need to enhance their existing cyber defense capabilities, in order to better deal with cyber threats. One of the circular's operative sections requires that banking corporations and credit card companies appoint a cyber defense manager and define the board of directors' responsibilities in this domain.

The circular points out the recent increase in cyber threats to which financial institutions in Israel and around the globe are exposed. It explains that the need to issue a specific directive on cyber defense management stems from the recognition of how significant these threats are among the many threats that banking corporations face.
The circular emphasizes the Banking Supervision's approach, according to which cyber risk mitigation is a corporate-wide issue that requires the active involvement of the corporation's executives. The circular sets out how covered entities are to address the requirements that the Banking Supervision imposes on them, and describes the Banking Supervision's expectations of those entities. It specifies a structured, yet flexible, framework for cyber risk management, and leaves banking corporations free to decide how they implement the framework. To this end, the circular defines principles for cyber defense and expects banking corporations to adopt them as they establish their cyber defense program in accordance with the specific nature and scope of their activities and their risk profile. The Banking Supervision department at the Bank of Israel plans to follow up with another directive regarding information security at banking corporations.
The cyber defense circular does not replace other directives that the Banking Supervision has issued, such as Proper Conduct of Banking Business Directive number 357, on information technology management. According to the circular, the proper management of cyber risks requires a broader and more tailored approach than the existing framework of information technology risk management at banking corporations, both in the scope of threats considered and in the defense capabilities required.

Directive 357 addresses information security controls and technical controls for information security risk management. The newly issued cyber defense management guidelines focus on mechanisms and procedures necessary for managing cyber risks, cyber defense objectives, and enhancements necessary to better defend against cyber threats – including designated controls needed in order to achieve cyber defense objectives.
The circular also details the areas of responsibility of the banking corporation's board of directors and its senior management. It recognizes that their involvement is essential to the corporation's ability to manage cyber defense effectively, and expects banking corporations to establish the necessary reporting and audit mechanisms.

According to the circular, banking corporations need to appoint an adequately qualified and experienced senior employee to serve as cyber defense manager. The corporation must ensure that the cyber defense manager's organizational position and corporate authority both support his or her role as the officer who directs, supervises and coordinates the relevant activities and procedures – at the strategic business level as well, and not only with regard to managing information technology. The cyber defense manager may also serve concurrently as information security officer, as long as the interests of the two positions do not conflict.

Banking corporations are expected to routinely identify and evaluate cyber threats and risks, and the circular goes on to detail the requirements for an effective process for identifying and evaluating cyber risks. The circular also points out that banking corporations ought to continuously examine the effectiveness of the various cyber defense controls they have established, using tools such as vulnerability reviews and controlled intrusion tests.

The circular enters into effect on September 1, 2015.