Second Draft of Circular on Cyber Risk Management in Institutional Entities

The Department of Capital Market, Insurance and Savings at the Israeli Ministry of Finance recently published a second draft of its circular on cyber risk management in institutional entities, revising the first draft it published in October 2015. According to the explanatory notes issued by the ministry, the second draft emphasizes the “cyber threats concept”, in which information security and physical security sit at the core of a broader approach to technological threats in general. The current draft reflects the State's prevailing approach to dealing comprehensively with cyber threats. Beyond terminology revisions and comprehensive edits, the new draft introduces various updates, including:
  • Particularizing the duties of the institutional entity’s CEO to employ adequate executive means to ensure compliance with the circular’s guidelines.
  • Obligating the institutional entity’s cyber officer to investigate unusual cyber incidents and requiring that the entity's steering committee for cyber risk management investigate, compile actionable "lessons learned" and offer recommendations concerning every significant cyber incident. 
  • Addressing the possibility of relying on risk assessment conducted by outsourced suppliers, subject to the adequacy of the assessment.
  • Requiring that institutional entities monitor activities on systems that manage sensitive customer information and systems exposed to an elevated risk of unauthorized activities.
  • Requiring that programs for cyber incident preparedness and cyber incident management address containment (seizing control of the incident), halting (stopping further escalation), recovery (overcoming the incident with minimal damage) and restoration.
  • Instituting procedures for cyber defense requirements applicable to outsourcing risks.
  • Documenting the consent of customers to use the institutional entity’s online customer platforms.
  • Offering corporate group entities operating under one controlling shareholder an option to appoint just one steering committee for the entire group, rather than a separate committee for each of the entities. 
The Ministry of Finance has invited the public to comment on the new draft by May 12, 2016, ahead of the ministry’s discussions on the comments, which are scheduled for the end of May. The circular is expected to enter into force on January 1, 2017, but the circular’s provisions on IT monitoring and security, security of customer channels, and channels between institutional entities and pension consultants and agents will all enter into force 6 months later. The updated draft circular is available in Hebrew.