The Department of Capital Market, Insurance and Savings at the Israeli Ministry of Finance has issued the final version of its circular on Cyber Risk Management at Institutional Entities (Institutional Entities Circular 2016-9-14). Earlier drafts of the circular were published in October 2015 and April 2016 for public comments.

The circular will enter into force on April 2, 2017 (except for certain provisions that will enter into force in October 2017). The circular applies to all institutional investors in Israel. Its declared objective is to spell out “principles regarding the protection of an institutional entity's assets for the purpose of ensuring the rights of stakeholders and policyholders, by safeguarding the confidentiality, integrity and availability of information assets, information systems, business processes and the proper functioning of the entity”. According to the circular, cyber-security risk management includes actions for preventing, neutralizing, investigating and addressing cyber-security threats and incidents, in order to mitigate their effects and damage before, during and after they occur.

Among other topics, the circular addresses the following matters –

• The roles and responsibilities of the institutional entity's CEO and board of directors, which includes approving, at least once a year, a corporate policy on cyber-security risk management, as well as ensuring proper management of cyber-security risks according to the entity's objectives, policies and needs.
• Appointing a chief cyber-defense officer with experience and expertise in cyber-defense.
• Establishing a steering committee on cyber-security risk management, headed by the CEO. Other members of the committee include the chief of IT, chief risk management officer and chief cyber-defense officer.
• Establishing a corporate policy for cyber-security risk management that spells out implementable guiding principles on cyber-defense. The principles should address objectives, organizational framework (areas of responsibility, reporting channels, control and oversight), implementation of cyber-defense in the context of cloud computing and human resources (integrity and trustworthiness of employees, training and supervision), and implementation of logical and physical cyber-defense measures across the entity's procedures, systems and infrastructure.
• Establishing protocols that specify the entity's cyber-defense procedures.
• Preparing a cyber risk management program that addresses cyber risks to the entity's procedures and IT systems. Among the topics to be developed within this program are assessment of the entity's cyber-security risks (an updated overview of the overall cyber-security risks that the entity faces), and procedures for reporting and monitoring risks and implementing controls.
• Conducting an annual assessment of the adaptability of defensive measures to the entity's overall cyber-security risks. The assessment should take into account developments in the threat map, the nature of existing threats and the technology available to deal with those threats.

The circular will repeal the 2009 Institutional Entities Circular on “Instructions for Information Security Risk Management at Institutional Entities”.

A copy of the circular (in Hebrew), is available here.