2021-01-01

Circular No. 55: IT and Information Security Operational Incidents

The Palestine Monetary Authority issued Circular No. 55/2022 mandating all payment service companies operating in Palestine to establish internal information security teams and submit gap reports with remediation plans by June 30, 2022. The directive requires immediate notification of any cyber incidents, fraud, system failures, unauthorized access, or data breaches affecting company or third-party systems, followed by detailed written reports within two days. Companies must also implement interim mitigation measures, conduct root cause analyses, and outline long-term corrective actions to ensure operational continuity and regulatory compliance.


PALESTINE MONETARY AUTHORITY

Circular No. (55 / 2022)

To all payment service companies operating in Palestine

Date: Monday, 07 March, 2022

Subject: IT/Information Security Operational Incidents

In order to mitigate cyber risks that payment service companies may face, to prevent negative impacts on their operational integrity and continuity amid rising cyber attacks, and to reduce anticipated risks, and based on best standards, practices, and our related directives, all payment service companies are required to comply with the following:

  1. Establish an internal company team responsible for reviewing and presenting the information security framework and its capacity to face risks, aiming to ensure business continuity during critical periods, identifying additional steps required to address elevated threat levels, identifying current gaps and remediation plans, and monitoring necessary budgets for implementation as soon as possible.

  2. Provide the Palestine Monetary Authority with a gap report and remediation plan no later than 30/6/2022.

  3. Notify the Palestine Monetary Authority immediately and without delay of any cyber incidents or attacks that the company or any contracted third party has been or may be subjected to, which affect or are likely to affect the company's systems and services, regardless of the duration of service disruption or irregularity, including:

    a. Cyber attacks and any information security breach, whether successful or failed attempts.
    b. Fraud incidents.
    c. System failures/system disruptions.
    d. Unauthorized access.
    e. Data breaches.

  4. Reporting shall be conducted via the email below or phone/mobile, followed by a detailed written report within a maximum of two days from the incident date, according to the attached annex.

    (CC: bshubairi@pma.ps) (To: ITSGD@pma.ps)

Supervision Group
Palestine Monetary Authority
www.pma.ps

Ramallah & Al-Bireh Governorate - Palestine P.O. Box 452
info@pma.ps | Fax: +970 2 2415310 | Tel: +970 2 2415251

Gaza - Palestine P.O. Box 4026
Fax: +970 8 2844487 | Tel: +970 8 2825713
Incidents Form

Basic Information

1. Particulars of Reporting:

  • Name of the Company
  • Date and Time of Reporting to PMA
  • Name of Person Reporting
  • Designation/Department
  • Contact details (e.g. official email-id, telephone no, mobile no)
    • IT Manager.
    • Information Security Officer

2. Details of Incident:

  • Date and time of incident detection
  • Type of incidents and systems affected:
    • i. Outage of Critical IT system(s)
    • ii. Cyber Security Incident (e.g. DDoS, ransomware/cryptoware, data breach, data destruction, web defacement, etc.)?
    • iii. Theft or Loss of Information (e.g. sensitive customer or business information stolen, missing, destroyed or corrupted)?
    • iv. Outage of Infrastructure (e.g. which premises: DC, branch, etc.; power/utilities supply; telecommunications supply)?
    • v. Financial (e.g. liquidity)?
  • What actions or responses have been taken by the Company?

3. Impact Assessment (examples are given but not exhaustive):

  • Business impact, including availability of services
  • Impact on stakeholders: affected retail/corporate customers, affected participants including operator(s), settlement institution(s), business partners, service providers, etc.
  • Financial and market impact: trading activities, transaction volumes and values, monetary losses, liquidity impact, company run, etc.
  • Regulatory and Legal impact

4. Chronological order of events:

  • Date of incident, start time and duration
  • Escalations done, including approvals sought on interim measures to mitigate the event, and reasons for taking such measures
  • Channels of communication used (e.g. email, internet, SMS, press release, website notice, etc.)
  • Rationale for the decision/activation of BCP and/or DR.

5. Root Cause Analysis (RCA):

  • Factors that caused the problem / reasons for occurrence; cause and effects of the incident
  • Interim measures to mitigate/resolve the issue, and reasons for taking such measures.
  • Steps identified or to be taken to address the problem in the longer term. List the remedial measures/corrective actions effected (one-time measures) and/or corrective actions taken to prevent future occurrences of similar types of incident.

6. Date/target date of resolution (DD/MM/YYYY).

Note: All fields are REQUIRED to be filled unless otherwise stated.