2021-11-24

Reporting of Technological Failures and Cyber Incidents

The Bank of Israel has amended Proper Conduct of Banking Business Directive no. 366 to mandate that banking corporations and merchant acquirers report technological failures and cyber incidents occurring in controlled non-banking entities. The update requires immediate notification to the Banking Supervision Department whenever such incidents in subsidiaries materially impact the controlling bank, its group, or the broader Israeli banking system from technological, financial, or reputational perspectives. Additionally, the directive now requires that internal investigation procedures encompass these subsidiary incidents, with the amendments taking effect one month after publication.

Israel

Bank of Israel

Bank of Israel
Banking Supervision Department
Technology and Innovation Division
Banking Technology Unit

November 24, 2021
Circular no. C-06-2680

To: The banking corporations and merchant acquirers

Re: Reporting of Technological Failures and Cyber Incidents (Proper Conduct of Banking Business Directive no. 366)

Introduction

1. Effective management and handling of technological failure incidents and cyber incidents is critical and is a fundamental part of the banking corporation's continued functioning and provision of services during an incident of this type. The Banking Supervision Department views reporting to it on such incidents as one of the central principles on which the proper management of information technology risks rests, including the management and handling of information security risks and cyber risks. The many goals of reporting on such incidents are detailed in Section 1 of Banking Supervision Department Circular no. 06-2643 on the issue of “Reporting of Technological Failures and Cyber Incidents”, dated December 29, 2020. One theme connecting these goals is the need to reduce the systemic impact of the incident, at the level of the banking corporation as well as the banking group to which it belongs, and on the rest of the banking system in Israel. Accordingly, Section 4 of the Directive establishes that “the reporting requirement shall apply to each banking corporation separately, even if the incident occurs simultaneously in a number of banking corporations that belong to a single banking group”.

However, some banking corporations control corporations that do not fall under the application of the Directive in accordance with Section 3a of the Directive (hereinafter, “corporation”), such as: a corporation controlled by a “merchant acquirer” as defined in Section 36i of the Banking (Licensing) Law, 5741-1981, or a corporation as noted in Section 11(a)(2) of the Banking (Licensing) Law—a foreign corporation that, if it were to conduct business in Israel, would be required to receive a license under that law—that is controlled by the banking corporation. It may therefore be that events occurring in such a corporation will not be reported to the Banking Supervision Department in accordance with the guidelines of the Directive and its related reporting instructions. Accordingly, the update determines that technological failure incidents and cyber incidents that occurred in a corporation controlled by a banking corporation, and that have a material impact on the banking corporation, on the overall banking group, or on the overall banking system, among other things from the aspects of technology, reputation, or finance, must be reported to the Banking Supervision Department at the Bank of Israel via the banking corporation controlling that corporation.

2. After consultation with the Advisory Committee on Banking Business Affairs and with the approval of the Governor, I have revised Proper Conduct of Banking Business Directive no. 366 on “Reporting of Technological Failures and Cyber Incidents”.

Amendments to the Directive

Section 6 of the Directive—types of incidents requiring a report

3. The words “of the banking corporation” were added in Section 6.2.

4. Section 6.5 was added, according to which an event noted in Sections 6.1–6.4 of the Directive that occurs at a corporation controlled by a banking corporation, while that corporation is itself not a banking corporation, and that has a significant impact, among other things from the technological, reputational, or financial perspectives, on the banking corporation that controls it, on the banking group, or on the banking system, also requires a report to the Banking Supervision Department. The reporting of the incident, its investigation, and the approval of the investigation shall be in accordance with the guidelines of the Directive and shall be the responsibility of the banking corporation.

Section 14 of the Directive

5. In accordance with the update, the procedure for investigation of incidents existing at the banking corporation shall also refer to a case in which the incident occurred at a corporation that requires reporting to the Banking Supervision Department, to the extent that there is a corporation controlled by the banking corporation.

Applicability and transition directives

6. The updates to this Directive shall go into effect one month from their publication.

Updating of the file

7. Attached are the updates to the Proper Conduct of Banking Business file; the updates are as follows:

Remove page: (09/21) [2] 366-1-4
Insert page: (11/21) [3] 366-1-4

Sincerely,
Yair Avidan
Supervisor of Banks