Regulatory Alerts2022-01-01
Circular No. 55: Operational Incidents Related to Information Technology and Information Security
The Palestine Monetary Authority issued Circular No. 55/2022 mandating all payment service companies operating in Palestine to establish an internal team to assess information security gaps and submit a remediation plan by June 30, 2022. The directive requires immediate notification of any cyber incidents, fraud, system failures, unauthorized access, or data breaches affecting company systems or third-party contractors, followed by a detailed written report within two days. Companies must also allocate necessary budgets for implementation and adhere to best practices to mitigate cyber risks and ensure operational continuity.
Palestine Monetary Authority PALESTINE MONETARY AUTHORITY
Circular No. (55/2022) To all payment service companies operating in Palestine Date: Monday, March 07, 2022
Subject: Operational Incidents Related to Information Technology / Information Security
In order to mitigate the cyber risks that payment service companies may face, to prevent negative impacts on the integrity and continuity of their operations amid the rising volume of cyber attacks, and to minimize anticipated risks, and based on best standards and practices and our relevant directives, all payment service companies are required to comply with the following:
- Establish an internal team responsible for reviewing and assessing the information security system and its capacity to confront risks, in order to ensure business continuity during critical periods, identify additional steps required to address elevated threat levels, determine current gaps and a remediation plan, and allocate necessary budgets for implementation as soon as possible.
- Submit the gap report and remediation plan to the Palestine Monetary Authority no later than June 30, 2022.
- Notify the Palestine Monetary Authority immediately, without delay, of any cyber incidents or attacks that the company or any contracted third party has experienced or may experience, which affect or are likely to affect the company's systems and services, regardless of the duration of service disruption or irregularity, including: a. Cyber attacks and any information security breaches, whether successful or failed attempts. b. Fraud incidents. c. System failures / system operational interference. d. Unauthorized access. e. Data breaches.
- Reporting shall be conducted via the email below or phone/mobile, and must be reinforced in writing with detailed information within a maximum of two days from the date of the incident, according to the attached appendix. (To: ITSVD@pma.ps) (CC: bshubairi@pma.ps)
Supervision Group Palestine Monetary Authority
Ramallah & Al-Bireh Governorate - Palestine P.O. Box 452 Tel: +970 2 2415251 | Fax: +970 2 2415310 | Email: info@pma.ps Gaza - Palestine P.O. Box 4026 Tel: +970 8 2825713 | Fax: +970 8 2844487
INTERNAL Palestine Monetary Authority PALESTINE MONETARY AUTHORITY
Incidents Form
Basic Information
| 1. Particulars of Reporting: | |
|---|---|
| • Name of the Company | |
| • Date and Time of Reporting to PMA | |
| • Name of Person Reporting | |
| • Designation/Department | |
| • Contact details (e.g. official email-id, telephone no, mobile no) <br> - IT Manager. <br> - Information Security Officer | |
| 2. Details of Incident: | |
| • Date and time of incident detection |
INTERNAL Palestine Monetary Authority PALESTINE MONETARY AUTHORITY
Incidents Form
| • Type of incidents and systems affected | |
|---|---|
| i. Outage of Critical IT system(s) | |
| ii. Cyber Security Incident (e.g. DDOS, Ransom ware/crypto ware, data breach, data destruction, web defacement, etc.)? | |
| iii. Theft or Loss of Information (e.g. sensitive customer or business information stolen or missing or destroyed or corrupted)? | |
| iv. Outage of Infrastructure (e.g. which premises-DC, branch, etc., power/utilities supply, telecommunications supply,)? | |
| v. Financial (e.g. liquidity)? |
INTERNAL Palestine Monetary Authority PALESTINE MONETARY AUTHORITY
Incidents Form
| • What actions or responses have been taken by the Company? | |
|---|---|
| 3. Impact Assessment(examples are given but not exhaustive): | |
| • Business impact including availability of services | |
| • Impact on stakeholders- affected retail/corporate customers, affected participants including operator(s), settlement institution(s), business partners, and service providers, etc. | |
| • Financial and market impact - Trading activities, transaction volumes and values, monetary losses, liquidity impact, company run, etc. | |
| • Regulatory and Legal impact | |
| 4. Chronological order of events: | |
| • Date of incident, start time and duration |
INTERNAL Palestine Monetary Authority PALESTINE MONETARY AUTHORITY
Incidents Form
| • Escalations done including approvals sought on interim measures to mitigate the event, and reasons for taking such measures | |
|---|---|
| • Channels of communications used (e.g. email, internet, SMS, press release, website notice, etc.) | |
| • Rationale on the decision/activation of BCP and/or DR. | |
| 5. Root Cause Analysis(RCA): | |
| • Factors that caused the problem/ Reasons for occurrence, Cause and effects of incident |
INTERNAL Palestine Monetary Authority PALESTINE MONETARY AUTHORITY
Incidents Form
| • Interim measures to mitigate/resolve the issue, and reasons for taking such measures. | |
|---|---|
| • Steps identified or to be taken to address the problem in the longer term. List the remedial measures/corrections affected (one time measure) and/or corrective actions taken to prevent future occurrences of similar types of incident | |
| 6. Date/target date of resolution (DD/MM/YYYY). | __________________________ |
Note: All fields are REQUIRED to be filled unless otherwise stated.