2018-11-13

Bank of Israel Circular C-06-2579: Amendments to Cloud Computing Directive

The Bank of Israel amended Proper Conduct of Banking Business Directive no. 362 to exempt banking corporations from the requirement to obtain prior regulatory permits for using cloud computing technology. The updated framework shifts the focus to risk management, requiring boards to approve material cloud computing implementations and mandating annual reporting of current and planned usage to the Banking Supervision Department. Additionally, the amendments introduce stricter contractual obligations for providers of material cloud services, including provisions for provider examinations and regulatory access.


Bank of Israel
Banking Supervision Department
Policy and Regulation Division

November 13, 2018
Circular Number C-06-2579

To: The banking corporations and credit card companies

Issue: Cloud Computing (Proper Conduct of Banking Business Directives no. 357 and 362)

Introduction

  1. Proper Conduct of Banking Business Directive no. 362 on Cloud Computing (hereinafter, the Directive or the Cloud Computing Directive) requires banking corporations, in certain cases, to apply to the Banking Supervision Department for a permit before using cloud computing technology. In the year since the Cloud Computing Directive was published, the Banking Supervision Department examined several alternatives to this requirement and concluded that banking corporations can be granted leniencies in this area and exempted from the need for a permit, among other things for the following reasons:
     1.1. The improvement and maturity of cyber defense and information security tools, together with the experience banking corporations have accumulated in this area, allow responsibility for risk management to be transferred to the banking corporations.
     1.2. Reducing regulatory barriers is in line with the supervisory objective of adopting innovative technology in order to improve competition and the customer services of banking corporations, and to make those services more efficient.
     1.3. The use of cloud computing technology, alongside other advanced technologies, can help banking corporations promote innovation and improve their services to customers.
     1.4. Supervisory authorities of financial institutions worldwide do not require a permit in advance but base their regulation on risk management.
  2. Nevertheless, the Banking Supervision Department did not remove the prohibition on using cloud computing for core activities and/or core systems.
  3. The amendment of the Directive includes additional guidelines and refers to “material cloud computing” (see Section 9.1).
  4. Since cloud computing is a specific case of outsourcing, and since the need to apply in advance for a permit to implement cloud computing technologies has been cancelled, the requirement to obtain the Supervisor's consent for storing any type of information about the banking corporation's customers on systems that are not under its control was cancelled as well; accordingly, Section 17b(2) of Directive 357 was cancelled.

The amendments to the directive

  5. Section 3 of the previous version of the Directive is cancelled.
  6. Banking corporations are also required to comply with the Proper Conduct of Banking Business Directives added and published in the past year: 363 (Supply Chain Cyber Risk Management) and 359A (Outsourcing) (Section 7 of the Directive).
  7. The banking corporation is to examine the need for assistance from external expert consultants, as it sees fit, in order to reduce the inherent risks of cloud technology (Section 9 of the Directive; the phrase "will examine the assistance" is replaced by "the need for assistance").

Chapter C: Corporate Governance (Sections 10–13(b) of the Directive)

The guidelines regarding the board of directors and senior management were separated into guidelines for the board (Sections 10–13 of the Directive) and guidelines for senior management (Sections 13(a)–13(b) of the Directive).

Board of Directors

  8. The banking corporation's board of directors is required to direct management to formulate and approve a policy document on the use of cloud computing technology (Section 10(b) of the Directive; the phrase "as relevant" was removed).
  9. The amendment adds two new guidelines for the banking corporation's board:
     9.1. To approve every implementation of material cloud computing (Section 12 of the Directive). Examples of material cloud computing are given in Appendix A of the Directive.
     9.2. To verify that the use of cloud computing technology is based on the policy established by the banking corporation's management (Section 13 of the Directive).

Senior Management

  10. The amendment adds content to the policy on the use of cloud computing technology that the banking corporation's management is to formulate, including the types of implementations that require the board's approval ("material cloud computing") and the types of implementations that require only management's approval (Section 13(a) of the Directive).
  11. Section 13(a) of the Directive replaces Section 11 of the previous version of the Directive.

Chapter D: Cloud Computing Applications that require a permit (Sections 14–17 of the previous version of the Directive) was cancelled.

Chapter E: Risk Management (Sections 17(a)–22 of the Directive)

  12. The guidelines within the risk management and risk assessment process refer to "material cloud computing" (Sections 18–21 of the Directive).

Chapter F: Cloud Services Provider Contractual Agreement (Sections 23–24 of the Directive)

  13. For material cloud computing, the contractual agreement with the provider must comply with Proper Conduct of Banking Business Directive no. 363 in addition to Proper Conduct of Banking Business Directive no. 357 (Section 23 of the Directive).
  14. The amendment adds two further provider obligations that, among other things, are to be included in the contractual agreement with the banking corporation:
      14.1. Allowing the banking corporation to carry out an examination of the cloud computing provider, based on its risk assessment (Section 23c of the Directive).
      14.2. Allowing the Banking Supervision Department to carry out examinations at the cloud computing provider where material cloud computing is implemented (Section 23d of the Directive).

Chapter G: The Permit Letter (Sections 25–26 of the previous version of the Directive) was cancelled.

Chapter H: Reporting to the Banking Supervision Department (Sections 27a and 27b of the Directive)

  15. The amendment requires banking corporations to submit to the Banking Supervision Department, in writing, once a year (at the end of the calendar year), two types of report:
      15.1. An updated list of the cloud computing implementations that the banking corporation has applied since the date of the last report, including the date of each implementation and the name of the cloud services provider. For "material cloud computing", the list is also to include the geographical location of the cloud servers (Section 27a of the Directive).
      15.2. A report on the future cloud computing implementations that the banking corporation plans to apply; the report is to include all planned implementations. The Banking Supervision Department will consider, as needed, examining details in the report, such as the provider's name and the servers' location, in order to assess the potential systemic risk arising from the concentration of banking sector implementations with the same provider at the same site (Section 27b of the Directive).

Appendices

  16. A new appendix was added to the Directive: Appendix A of the previous version became Appendix B, and a new Appendix A was added to the current version.
  17. The new Appendix A gives examples of "material cloud computing". The examples cover use cases that, in the past, obliged banking corporations to apply to the Banking Supervision Department for a permit.
  18. Relevant aspects were added to Appendix B, which gives detailed examples of cloud computing characteristics to be taken into consideration when performing risk assessments.

Effective date

These updates go into effect with the publication of this circular.

Update of file

Update pages for the Proper Conduct of Banking Business Directive file are attached. Following are the provisions of the update:

Remove page              Insert page
(7/16) [7] 357-1-14      (11/18) [8] 357-1-15
(7/17) [1] 362-1-9       (11/18) [2] 362-1-9

Sincerely,
Dr. Hedva Ber
Supervisor of Banks