Regulatory Alerts2022-01-01
Circular No. 55/2022 - IT and Information Security Operational Incidents
The Palestine Monetary Authority issued Circular No. 55/2022 mandating all payment service companies operating in Palestine to establish an internal information security team and submit a gap analysis and remediation plan by June 30, 2022. The directive requires immediate notification of any cyber incidents, fraud, system failures, unauthorized access, or data breaches affecting company systems or third-party contractors, regardless of service disruption duration. Companies must report these incidents via designated email or phone, followed by a detailed written submission within two days using the provided incident form.
Palestine Monetary Authority PALESTINE MONETARY AUTHORITY
Circular No. (55/2022) To all payment service companies operating in Palestine Date: Monday, March 07, 2022
Subject: IT/Information Security Operational Incidents
To mitigate cyber risks that payment service companies may face, to prevent negative impacts on their operational integrity and continuity amid rising cyber attacks, and to reduce anticipated risks, and based on best standards, practices, and related directives, all payment service companies are required to comply with the following:
- Establish an internal team responsible for reviewing and evaluating the information security system and its capacity to face risks, aiming to ensure business continuity during critical times, identifying additional steps required to address elevated threat levels, determining the current gap and remediation plan, and monitoring necessary budgets for implementation as soon as possible.
- Provide the Palestine Monetary Authority with the gap report and remediation plan no later than June 30, 2022.
- Notify the Palestine Monetary Authority immediately and without delay of any cyber incidents or attacks the company or any contracted third party has faced or may face that affect or are likely to affect the company's systems and services, regardless of the duration of service interruption or irregularity, including: a. Cyber attacks and any information security breach, whether successful or failed attempts. b. Fraud incidents. c. System failures/system disruptions. d. Unauthorized access. e. Data breaches.
- Reporting shall be conducted via the email below or phone/mobile, and must be reinforced in writing with detailed information within a maximum of two days from the date of the incident, according to the attached appendix. (To: ITSVD@pma.ps) (CC: bshubairi@pma.ps)
Supervision Group Palestine Monetary Authority
Ramallah & Al-Bireh Governorate - Palestine P.O. Box 452 Tel: +970 2 2415251 | Fax: +970 2 2415310 | Email: info@pma.ps Gaza - Palestine P.O. Box 4026 Tel: +970 8 2825713 | Fax: +970 8 2844487
INTERNAL PALESTINE MONETARY AUTHORITY
Incidents Form
Basic Information
| 1. Particulars of Reporting: | |
|---|---|
| • Name of the Company | |
| • Date and Time of Reporting to PMA | |
| • Name of Person Reporting | |
| • Designation/Department | |
| • Contact details (e.g. official email-id, telephone no, mobile no) <br> - IT Manager. <br> - Information Security Officer | |
| 2. Details of Incident: | |
| • Date and time of incident detection |
INTERNAL PALESTINE MONETARY AUTHORITY
Incidents Form
| • Type of incidents and systems affected | |
|---|---|
| i. Outage of Critical IT system(s) | |
| ii. Cyber Security Incident (e.g. DDOS, Ransom ware/crypto ware, data breach, data destruction, web defacement, etc.)? | |
| iii. Theft or Loss of Information (e.g. sensitive customer or business information stolen or missing or destroyed or corrupted)? | |
| iv. Outage of Infrastructure (e.g. which premises-DC, branch, etc., power/utilities supply, telecommunications supply,)? | |
| v. Financial (e.g. liquidity)? |
INTERNAL PALESTINE MONETARY AUTHORITY
Incidents Form
| • What actions or responses have been taken by the Company? | | | 3. Impact Assessment(examples are given but not exhaustive): | | | • Business impact including availability of services | | | • Impact on stakeholders- affected retail/corporate customers, affected participants including operator(s), settlement institution(s), business partners, and service providers, etc. | | | • Financial and market impact - Trading activities, transaction volumes and values, monetary losses, liquidity impact, company run, etc. | | | • Regulatory and Legal impact | | | 4. Chronological order of events: | | | • Date of incident, start time and duration | |
INTERNAL PALESTINE MONETARY AUTHORITY
Incidents Form
| • Escalations done including approvals sought on interim measures to mitigate the event, and reasons for taking such measures | | | • Channels of communications used (e.g. email, internet, SMS, press release, website notice, etc.) | | | • Rationale on the decision/activation of BCP and/or DR. | | | 5. Root Cause Analysis(RCA): | | | • Factors that caused the problem/ Reasons for occurrence, Cause and effects of incident | |
INTERNAL PALESTINE MONETARY AUTHORITY
Incidents Form
| • Interim measures to mitigate/resolve the issue, and reasons for taking such measures. | | | • Steps identified or to be taken to address the problem in the longer term. List the remedial measures/corrections affected (one time measure) and/or corrective actions taken to prevent future occurrences of similar types of incident | | | 6. Date/target date of resolution (DD/MM/YYYY). | __________________________ |
Note: All fields are REQUIRED to be filled unless otherwise stated.