The Israeli Securities Authority (ISA) has issued an opinion stating its intention to clarify existing disclosure requirements concerning cyber-related risks. The new requirements aim to increase publicly traded companies' awareness of such risks and of their reporting obligations in cases of cyber incidents.
The opinion focuses on disclosure requirements in companies’ Prospectus or Periodic Report, and immediate disclosures during cyber-attacks.
ISA provides that if the company has a significant cyber risk, which is relevant to its activity, it must include a disclosure regarding that risk in its Prospectus and Periodic Reports. Disclosure must also be made if a material incident occurs during the reporting period.
According to ISA, a company is required to examine the nature of cyber attacks and decide whether to disclose them to the public in an immediate report. For this purpose, the company must evaluate the overall effect and potential damage caused by an attack, either directly or indirectly.
Immediate disclosure of a cyber attack may be appropriate, inter alia, in the following cases:
- The business activity of the company has been suspended for a period of time;
- The company’s databases have been breached and that breach affects the company's operations. Disclosure where the databases are also regulated by privacy protection laws must be dealt with separately;
- The company's computer system is materially damaged, affecting the company’s activity;
- Following a cyber incident, the company is required to pay ransom in a substantial amount;
- Private business information has been stolen, the exposure of which could cause material damage to the company; and
- When a security breach is discovered in the products or systems produced by the company, for which the company is significantly exposed (as a supplier, producer, etc.).