Reporting of Technological Failures and Cyber Incidents

Supervisor of Banks Proper Conduct of Banking Business [4] (01/23) Reporting of Technological Failures and Cyber Incidents 366-1 Reporting of Technological Failures and Cyber Incidents Introduction and goals

1. The banking corporations are an important layer in the everyday operations of the financial sector in Israel. Since the banking corporations’ information technology systems constitute a critical infrastructure for their business activity, the banking corporations need to identify and deal with technological failures and cyber incidents as quickly and efficiently as possible, while at the same time continuing to operate and provide essential services. Accordingly, the banking corporation’s policy and its procedures for handling incidents of this type must relate to, among other things, the process for reporting to the Banking Supervision Department.
2. There are a number of goals for the reporting of technological failures and cyber incidents to the Banking Supervision Department: 2.1 To ensure that the banking corporation in which the incident has occurred is managing the incident in an optimal manner and to assist in the handling of the incident if necessary. 2.2 To enhance the ability to provide an up-to-date assessment of the situation in order to facilitate an informed decision as to whether the Banking Supervision Department should take any action, and if so, which action. 2.3 To identify the potential for a systemic incident and to limit the effect of the incident on other banking corporations to whatever extent possible. 2.4 To identify the areas in which the banking corporation or the banking system as a whole needs to adopt measures in order to prevent the reoccurrence of events of this type or measures that will improve the resilience of the banks to events of this type in the future. 2.5 To enable the Banking Supervision Department to prepare for similar scenarios in the future based on appropriate assessment of risk to the banking system. 2.6 To ensure that the incident is investigated and lessons learned. Applicability
3. (a) This directive will apply to the following banking corporations as defined in the Banking (Licensing) Law, 5741 – 1981 (herein: a “banking corporation”): (1) A banking corporation; (2) A corporation as defined in Sections 11(a)(3a) and (3b); (3) A corporation as defined in Section 11(b); (4) A merchant acquirer as defined in Section 36i; (b) Cancelled.
4. The reporting requirement shall apply to each banking corporation separately, even if the incident occurs simultaneously in a number of banking corporations that belong to a single banking group.

Supervisor of Banks Proper Conduct of Banking Business [4] (01/23) Reporting of Technological Failures and Cyber Incidents 366-2 Definitions 5. In this directive, the following terms will have the following definitions: Technological failure incident An event, incident or result that is not expected or planned as part of the banking corporation’s ongoing activity and which has a disruptive effect on the ongoing activity of the banking corporation’s information technology system or on the services provided by it. Significant technological failure incident A technological failure that causes a disruption of business activity, of a process or of a function that has a severe and broad effect on the banking corporation’s activity, on the services it provides to its customers or on the banking system as a whole. Cyber incident According to its definition in Proper Conduct of Banking Business Directive no. 361 on “Cyber Defense Management”. Damage According to its definition in Proper Conduct of Banking Business Directive no. 361 on “Cyber Defense Management”. Incident status A description of the current stage of the reported incident: Identification – identification of the incident. Analysis – identification of the incident’s source and its scope. Halt of intensification / containment – Halt of incident intensification. Treatment / eradication – implementation of measures to repair / neutralize the attack components found within the banking corporation. Rectification / restoration – Return to fully normal activity. Accepted working hours The accepted working hours for the purposes of this directive only: Sunday to Thursday that are business days in the banking system, from 8:00 to 18:00. Types of incidents that require reporting 6. Following are the types of incidents that require reporting to the Banking Supervision Department: 6.1 A significant technological failure incident. 6.2 A suspected cyber incident that is dealt with at the level of the banking corporation’s Chief Cyber Defense Officer and the handling of which was not completed within four hours from the time of its initial identification or within

Supervisor of Banks Proper Conduct of Banking Business [4] (01/23) Reporting of Technological Failures and Cyber Incidents 366-3 two hours from the point at which there was knowledge of damage that it had caused. 6.3 A cyber incident that affects a large number of customers and/or has new offensive characteristics. 6.4 Any significant data leak incident that is not specified in Subsections 6.1 to 6.3. 6.5 An incident as specified in Sections 6.1–6.4 above, that occurs at a corporation controlled by a banking corporation, while it itself is not a banking corporation, and has a significant impact, among other things, from the technological, reputation, and financial perspectives, on the banking group or on the banking system. 6.6 A severe security incident as understood in Section 31 of the Financial Information Service Law, 5782-2021, that occurs along with the banking corporation’s activity as an information source or as a financial information service provider, in accordance with this law. Responsibility for reporting 7. A banking corporation will decide on a member of the Executive whose responsibility it will be to fulfill the conditions of this directive. 8. Reporting Officer: 8.1 A banking corporation will appoint a Reporting Officer for Technological Failure and a Reporting Officer for Cyber Incidents. 8.2 Every technological failure and/or cyber incident as mentioned in Section 6 above will be reported to the Banking Supervision Department by the Reporting Officer appointed by the banking corporation. 8.3 The two functions mentioned in Subsection 8.1 above can be carried out by one officer, according to the decision of the banking corporation. 8.4 A permanent acting reporting officer can be appointed for each of the reporting functions. 9. A banking corporation will submit the details of the officer according to Sections 7 and 8 above to the Technology and Innovation Division of the Banking Supervision Department and will provide an update of any change in those appointments, including changes in their details. Manner of reporting 10. Initial reporting of the incident – 10.1 A banking corporation shall submit a report by telephone within two hours of identifying the incident as one that requires reporting according to Section 6 above and subsequently will supplement that with a written initial report within 8 hours from the time of the telephone report. The Banking Supervision Department can extend or shorten the aforementioned time limits for a written report if the circumstances justify that decision. 10.2 The telephone report will be made at any time of day, regardless of the accepted working hours.

Supervisor of Banks Proper Conduct of Banking Business [4] (01/23) Reporting of Technological Failures and Cyber Incidents 366-4 10.3 The telephone report will be conveyed, according to the circumstances, to the Head of the Information Technology Regulation and Examination Unit and/or the Head of the Supervisory Cyber Unit in the Technology and Innovation Division of the Banking Supervision Department. 10.4 If the time to make the initial written report is outside the accepted working hours, then it will be submitted at the start of accepted working hours on the following day. 11. A significant technological failure incident will be reported as an event in which there is a suspicion that a cyber incident has occurred (in the appropriate field on the reporting form) as long as it has not been proven that there is no such suspicion. 12. Additional reports during the incident – 12.1 A banking corporation shall be required to submit up-to-date information on the incident in writing, on the last reporting form submitted as mentioned above, at least once daily or at any time that there are significant changes in the characteristics of the incident and/or its consequences, included the criteria for reporting as described in Section 6. The Banking Supervision Department can approve a request from a banking corporation to lessen the frequency of the reporting for a specific event, if the circumstances justify that decision. The aforementioned approval will be valid as long as there has been no significant change in the characteristics of the event or its consequences. 12.2 Without detracting from what is stated in Subsection 12.1 above, it should be clear that an incident that was reported on the basis of one of the criteria listed in Section 6 and for which it later becomes clear that additional criteria are fulfilled does not require an additional new report, but rather an update will be made regarding the additional criterion in subsequent reports. 12.3 In the case that there is a significant development in an incident for which there is already a reporting process going on, at a time outside regular working hours, then an update will be provided by telephone to the responsible official in the Technology and Innovation Division within the Banking Supervision Department (as mentioned in Section 10.3 above) and subsequently a written report will be submitted, as required. 13. Reporting the completion of an incident – 13.1 A banking corporation is required to report the completion of an incident. 13.2 The banking corporation will verify that the form is complete and contains the most up-to-date information as of the time that the report on the completion of the incident is submitted. Investigation of the incident 14. A banking corporation shall establish an incident investigation procedure, which will specify among other things the method of investigation and the functions that will carry it out. The procedure shall refer as well to a case in which the incident

Supervisor of Banks Proper Conduct of Banking Business [4] (01/23) Reporting of Technological Failures and Cyber Incidents 366-5 occurred at a corporation controlled by a banking corporation while it itself is not a banking corporation. 15. A banking corporation shall implement an investigation on the completion of the incident according to the procedure it has established. The investigation will include at least the following items: 15.1 Final and up-to-date details of the incident and the circumstances of its occurrence (while relating to all of the details that were reported to the Banking Supervision Department). 15.2 A final lessons-learned report, including recommendations, the installation of internal controls, a schedule for implementation, a list of the officials involved in the investigation and the official approving the investigation. 16. The investigation will be approved by the member of the Executive responsible for fulfilling this directive, as mentioned in Section 7 above, and it will be submitted to the Banking Supervision Department within 45 days from the completion of the incident or within 60 days from the date on which the incident was identified as an event that requires reporting according to Section 6 above, according to the earlier of the two. Updates Circular 06 no. Version Details Date 2643 1 Original circular December 29, 2020 2669 2 Update September 30, 2021 2680 3 Update November 24, 2021 2736 4 Update January 22, 2013