Instructions No. (11) of 2022 Regarding the Cybersecurity Regulatory Framework

---

[Logo of the Palestine Monetary Authority]

Palestine Monetary Authority

Instructions No. (11) of 2022 Regarding the Cybersecurity Regulatory Framework

Based on the provisions of Law-Decree No. (9) of 2010 regarding Banks, particularly Articles (43) and (72) thereof, In accordance with the powers delegated to us, And in pursuit of the public interest, We have issued the following Instructions:

Article (1) Objective and Scope of Application

1. The provisions of these Instructions aim to establish a general framework for managing cybersecurity risks in accordance with best practices and prevailing standards, and to mitigate their impact on information and technical assets.
2. The provisions of these Instructions apply to all banks licensed by the Palestine Monetary Authority to conduct banking business in Palestine.

Article (2) Cybersecurity Function

The Bank must comply with the following:

1. Establish a function for managing cybersecurity risks within the Risk Department.
2. Appoint a staff cadre possessing scientific and practical expertise and specialized professional certifications to manage cybersecurity risks and enroll them in continuous training courses and workshops to perform the following tasks: a. Prepare a specific policy for the Bank and action plans for managing cybersecurity risks in accordance with the provisions of these Instructions, and update them annually or upon making any fundamental changes to systems. b. Conduct periodic assessments of the adequacy and efficiency of the cybersecurity policy, and conduct regular reviews of applied security and technical controls and the development of cybersecurity infrastructure. c. Identify potential cybersecurity vulnerabilities and risks and gaps requiring follow-up and correction, and provide appropriate solutions and controls to mitigate and limit their impact.

---

1

[Palestine Monetary Authority Contact Information]

---

d. Supervise and support system officials regarding the development, procurement, and application of system updates in accordance with the Bank's cybersecurity policy and controls. e. Coordinate with officials responsible for managing devices and infrastructure systems in the Information Technology Department to effectively apply cybersecurity controls. f. Prepare awareness programs for Bank employees regarding cybersecurity concepts and requirements in accordance with the Bank's policy. g. Prepare reports on cybersecurity within risk management reports.

Article (3) Information Security Operations Center (SOC)

The Bank must form a specialized team or contract with a third party in accordance with the prevailing Outsourcing Instructions to manage the Information Security Operations Center, and provide necessary systems and programs such as Security Information and Event Management (SIEM) to perform their assigned tasks, including:

1. Detecting security threats through continuous monitoring (24/7).
2. Monitoring and detecting changes made to systems and files to ensure their integrity.
3. Monitoring systems for any external or internal attacks or intrusions.
4. Monitoring and analyzing security logs and events.
5. Activating the incident response plan within approved procedures.
6. Proactively assessing vulnerabilities and threats to limit their impact.
7. Adequately documenting events and threats and preserving evidence, and submitting periodic supervisory reports as deemed appropriate by the Palestine Monetary Authority.

Article (4) Incident Reporting and Information Sharing

In the event that the Bank experiences any cyber event affecting the continuity of service provision, customer data, or systems and networks, the Bank must immediately notify the Palestine Monetary Authority, provided that the notification is reinforced with a detailed written report on the consequences, response measures, and preventive measures taken.

---

2

[Palestine Monetary Authority Contact Information]

---

Article (5) Data and Privacy Protection

Subject to what is stated in the prevailing Instructions regarding data confidentiality, the Bank must include in its data and privacy protection policy appropriate controls and procedures to maintain confidentiality, integrity, and availability, and to protect personal data, access rights, usage, storage, retention, and during linking, integration, and interoperability processes using various technical means such as APIs between different systems.

Article (6) General Provisions

1. The Cybersecurity Regulatory Framework attached is considered Annex No. (1) and is an integral part of these Instructions.
2. Annex No. (1) is not a substitute for the Bank developing internal charters that define its mechanisms and procedures for complying with the framework's requirements or any additional standards the Bank deems important to implement, provided they do not conflict with prevailing legislation.
3. The Bank may contract with another party in accordance with the prevailing Outsourcing Instructions for the purpose of assessing its cybersecurity risks.

Article (7) Penalties

Anyone who violates the provisions of these Instructions shall be punished in accordance with the provisions of Law-Decree No. (9) of 2010 regarding Banks.

Article (8) Implementation and Enforcement

All competent authorities must implement the provisions of these Instructions, each within their respective purview, and they shall apply from the date of their issuance. Issued in Ramallah on 22/11/2022.

Dr. Firas Malham Governor

---

3

[Palestine Monetary Authority Contact Information]

---

Annex No. (1) Cybersecurity Regulatory Framework Cyber Security Framework

Introduction The Palestine Monetary Authority constantly seeks, within its strategy, to take necessary measures to ensure its capability and readiness, and that of the banks under its supervision, to provide services continuously under all circumstances. Given the increasing use of technology and its role in improving the effectiveness and efficiency of business and services provided, there are risks and weaknesses, as well as the impact of cyber incidents/attacks on business quality, which confirms the necessity of continuous preparedness for cybersecurity risks in banks and financial institutions.

After reviewing and benefiting from best practices and experiences in the field of cybersecurity, it was necessary to establish controls and requirements to secure the cyberspace in banks, protect information and technical assets, and focus on the basic objectives of protecting data and information and maintaining service resilience and continuity, which are:

1. Confidentiality: Ensuring that access to sensitive information and systems is not available to unauthorized individuals, entities, or processes.
2. Integrity: Ensuring that sensitive data and information are not modified or deleted in an unauthorized manner that cannot be detected.
3. Availability: Ensuring authorized access to information in a timely manner and its use.

---

1

---

Index

1.	Cybersecurity Governance
1.1	Cybersecurity Strategy
1.2	Cybersecurity Management
1.3	Cybersecurity Policies and Procedures
1.4	Cybersecurity Roles and Responsibilities
1.5	Cybersecurity Risk Management
1.6	Cybersecurity in Projects Management
1.7	Cybersecurity Regulatory Compliance
1.8	Cybersecurity Periodical Assessment and Audit
1.9	Cybersecurity in Human Resources
1.10	Cybersecurity Awareness and Training
2.	Cybersecurity Defense Controls
2.1	Asset Management
2.2	Identity and Access Management
2.3	Information Systems and Processing Facilities Protection
2.4	Software Development and Acquisition
2.5	E-mail Protection
2.6	Infrastructure and Networks Security Management
2.7	Remote Connection Controls
2.8	Portable Devices Security
2.9	Data and Information Protection
2.10	Cryptography
2.11	Backup and Recovery Management
2.12	Vulnerabilities Management

---

2

---

| 2.13 | Cybersecurity Event Logs and Monitoring Management | | | 2.14 | Cybersecurity Incident and Threat Management | | | 2.15 | Physical Security | | | 2.16 | Internal and Web Applications Security | | | 3. | Cybersecurity Resilience and Business Continuity Management (BCM) | | | 4. | Third-Party and Cloud Computing Cybersecurity | | | 4.1 | Third-Party Cybersecurity | | | 4.2 | Cloud Computing Cybersecurity | |

---

3

---

Cybersecurity Controls

1. Cybersecurity Governance Effective cybersecurity governance requires preparing a clear and comprehensive framework for cyber resilience (as guiding directives) within the Bank's operating environment, which includes policies, procedures, and controls to be adopted to ensure control over expected cyber threats and risks, and to maintain a resilient environment that ensures the safe and effective continuity of systems and operations. The Bank must commit to applying controls, instructions, and standards related to governance requirements and reviewing them periodically through a steering committee, and providing a strategy and framework for cybersecurity.

Cybersecurity Governance Requirements:

1. The Board of Directors and Senior Management, or those delegated by them, must include individuals possessing the necessary knowledge and skills to understand and manage cybersecurity risks.
2. Provide proactive measures to manage current, emerging, and unexpected cyber threats and risks that the Bank may face.
3. Provide support for cybersecurity risk management at all levels within the work environment.
4. Allocate sufficient resources and expertise to manage cybersecurity risks and threats.

1.1. Cybersecurity Strategy Objective: To ensure that the Bank's action plans, objectives, and projects related to cybersecurity contribute to meeting the requirements of the Palestine Monetary Authority. Controls: The Bank must commit to the following: 1.1.1. Prepare and adopt the Bank's cybersecurity strategy by the Board of Directors. 1.1.2. The Bank's cybersecurity strategy must prioritize the protection of the Bank's assets and systems. 1.1.3. The Bank's strategy must include policies, procedures, human resources, in addition to information technology assets and cybersecurity risk management. 1.1.4. The cybersecurity strategy must include the following: a. The Bank's strategic objectives related to cybersecurity. b. The main parties and entities responsible for implementing the strategy. c. Internal and external resources to implement directives and operations and their workflow properly. d. The people, processes, and technological resources necessary to manage cybersecurity risks. e. Communication and collaboration mechanisms with stakeholders and decision-makers to respond quickly and effectively to recover from cyber attacks. f. Adopting a plan to implement the Bank's cybersecurity strategy. 1.1.5. Review the cybersecurity strategy at least once a year or when changes require it.

1.2. Cybersecurity Management Objective: To ensure the commitment and support of the Bank's Board of Directors and Senior Management regarding the management and application of cybersecurity policies and procedures in the Bank in accordance with the requirements of the Palestine Monetary Authority.

---

4

---

Controls: The Bank must commit to the following: 1.2.1. Conduct periodic awareness and assessment of the level of awareness of Board of Directors and Senior Management members regarding their roles and responsibilities in managing cybersecurity, including their knowledge of cybersecurity risks and threats. 1.2.2. The Cybersecurity Officer/Manager must be administratively independent from the Bank's Information Technology Department and possess high scientific and practical expertise. 1.2.3. The entity responsible for cybersecurity must submit periodic reports, or whenever necessary, to Senior Management and the Board of Directors regarding cybersecurity in the Bank. The report must include the following: a. The most important challenges, obstacles, and gap analysis related to the implementation of the cybersecurity policy. b. Results of cybersecurity risk assessments. c. Results of assessing the adequacy and efficiency of cybersecurity policies, procedures, and controls. d. Recommendations and actions to be implemented. e. A summary reviewing the most important cybersecurity events and threats the Bank has experienced during the reporting period. 1.2.4. Establish a steering committee composed of members from Senior Management from various departments such as Finance, Risk, Operations, Information Security/Cybersecurity, Information Technology, Legal, and Human Resources. External parties may be consulted if necessary. The committee aims to develop and implement the cybersecurity strategy and supervise its application. It must report directly to the Board of Directors or Senior Management, keeping the Board informed of fundamental matters. Its most prominent tasks are: a. Identifying and evaluating the priorities and needs of internal and external stakeholders in the Bank. b. Providing guidance to Senior Management on what the cybersecurity strategy should achieve. c. Making decisions related to cybersecurity and the mechanism by which these decisions should be made. d. The nature of the Bank's risks and its risk appetite must be taken into consideration when determining how to address cybersecurity risks. e. Evaluating the mechanism by which different departments within the Bank may be affected, and how to handle and coordinate with each other to achieve the desired results from the cybersecurity strategy at the Bank level. f. Evaluating the mechanism for monitoring the performance and results of cyber resilience, and intervening when necessary to ensure the proper application of the cybersecurity framework. g. Ensuring coordination and information exchange regarding cybersecurity between the Bank and relevant external parties, and participation in workshops, seminars, and conferences related to cybersecurity. h. Determining the necessary procedures to design, implement, update, and monitor cyber resilience. i. Determining the mechanism used in managing projects in cyber resilience, including determining procedures and estimated budgets. 1.2.5. Responsibilities of the Board of Directors or those delegated by them: a. Adopt the cybersecurity strategy, and ensure it is reviewed and updated regularly at least once a year, in accordance with changes, accompanying threats, and cybersecurity risks. b. Continuously monitor reports on all cybersecurity risks and threats, and ensure they align with the Bank's risk tolerance and appetite, so that they can achieve the Bank's objectives and strategy. c. Promote and emphasize the importance of employees' role in taking responsibility to ensure "cyber resilience" and the Bank's ability to deal with cybersecurity threats and risks. d. Prepare and adopt an effective system for managing the risks of banking systems and operations and ensure its update, including accountability procedures and controls to be applied to limit the effects of these risks. Accordingly, the Board of Directors or those delegated must commit to the following: a. Having one or more members on the Board or delegated, who possess the necessary knowledge, expertise, and skills to understand and evaluate cybersecurity risks and threats that may affect the Bank, and the ability to understand and evaluate Senior Management's recommendations regarding cybersecurity, or hiring employees outside the Board members or an independent external party to provide advice and necessary support to report their cybersecurity reports to the Board. b. Ensuring that cybersecurity risks and the implementation of the cyber resilience framework are regularly included on the Board meeting agenda. c. Working to enhance, spread, and develop awareness of the necessity of complying with the Bank's cybersecurity policy. d. Supervising Senior Management's implementation of necessary awareness campaigns for employees regarding risks and threats related to cybersecurity. e. Ensuring that Senior Management regularly conducts self-assessment tests for cyber resilience, reviews the self-assessment, and makes appropriate decisions to increase the effectiveness of cybersecurity controls and ensure their integration with the Bank's strategy. f. Reviewing and adopting Senior Management's priorities and executive plans and allocating necessary resources for cybersecurity, based on Key Performance Indicators (KPIs) and self-assessment results.

1.2.6. Senior Management must commit to the following: a. Submit a regular report to the Board of Directors on the general state of the cyber resilience program, including the most important risks and key issues such as the estimated budget and current and future resource needs, to ensure the achievement of cyber resilience objectives in coordination with the Information Technology and Information Security/Cybersecurity Risk Management departments. b. Prepare a special training and skills development program regarding cybersecurity and cyber resilience concepts and risks. Training must include Board of Directors and Senior Management members and all Bank employees, at least once a year. Programs must include topics such as (incident response, current cyber threats, vulnerabilities, etc.), and attacks and techniques used in threats. c. Provide specialized cybersecurity training for employees who have broad access rights to information and sensitive assets. d. Adopt an authority matrix and separate tasks among employees in high-risk positions and activate job rotation to avoid concentration risks. e. Periodically review skills, competencies, and training requirements to ensure alignment with the development of technologies and cybersecurity risks. f. Provide an employee incentive program to enhance belonging and ensure full compliance with controls and instructions related to cybersecurity risks. g. Measure the effectiveness of cyber resilience activities and their consistency with business activities in the Bank, and report to the Board of Directors regarding the same. h. Ensure employee compliance with the Bank's adopted cyber resilience and cybersecurity policies and standards, and hold employees accountable for non-compliance.

---

5

---

1.3. Cybersecurity Policies and Procedures Objective: To ensure the documentation of cybersecurity requirements and the Bank's commitment to them, in accordance with business needs, organizational risks, and the requirements of the Palestine Monetary Authority. Controls: The Bank must commit to the following: 1.3.1. Identify cybersecurity policies and procedures and ensure they are compatible with the Bank's needs and surrounding risks and comply with the requirements of the Palestine Monetary Authority. Document and adopt them by the Board of Directors or those delegated by them, and disseminate them to relevant parties, especially employees. 1.3.2. The policy must include the introduction, objective, scope, tasks and responsibilities, policy requirements, review, update, and approval. 1.3.3. Distribute cybersecurity policies and procedures among tasks and responsibilities for employees according to their duties. 1.3.4. Ensure the application of cybersecurity policies and procedures. 1.3.5. Cybersecurity policies must be based on technical standards. 1.3.6. Review cybersecurity policies and procedures based on a risk-based approach and update them at least once a year or in the event of changes in the requirements of the Palestine Monetary Authority and related standards. Document these changes and updates, including a list of reviewers and their approval according to due process.

1.4. Cybersecurity Roles and Responsibilities Objective: To ensure the identification of clear roles and responsibilities for all relevant parties in applying cybersecurity controls in the Bank. Controls: The Bank must commit to the following: 1.4.1. Identify and adopt the organizational structure for cybersecurity governance, clarify roles and responsibilities related to cybersecurity, assign relevant persons, and provide necessary support to enforce this, taking into account the non-conflict of interests and the principle of separation of authorities. 1.4.2. Review and update cybersecurity roles and responsibilities in the Bank once a year (or in the event of changes in the requirements of the Palestine Monetary Authority). 1.4.3. Ensure the clarity of tasks and the separation between the tasks of the information security officer in the Information Technology Risk Department and the Bank, including supervisory reporting.

1.5. Cybersecurity Risk Management Objective: To ensure the management of cybersecurity risks according to a methodology aimed at protecting the Bank's information and technical assets, in accordance with the Bank's organizational policies and procedures and the requirements of the Palestine Monetary Authority. Controls: The Bank must commit to the following: 1.5.1. Identify, document, and adopt a methodology and procedures for managing cybersecurity risks according to considerations of confidentiality, availability, and integrity of information and technical assets. 1.5.2. Implement cybersecurity risk assessment procedures at the earliest in the following cases: a. In the early stages of technical projects. b. Before making fundamental changes to the technical infrastructure. c. When planning to obtain outsourcing services. d. When planning and before launching new technical products and services. 1.5.3. Ensure that the Bank's cybersecurity risk assessment program includes at a minimum: a. Identifying and documenting vulnerabilities in the technological environment's assets. b. Identifying and documenting internal and external threats resulting from identified vulnerabilities. c. Identifying and documenting potential impacts on operations and services in the Bank. d. Identifying risks based on identified vulnerabilities and threats, probabilities, and impacts. e. Identifying and documenting risk response methods and prioritizing them. 1.5.4. Risk assessment procedures and mechanism: The Bank must commit to the following: a. Assess cybersecurity risks by identifying the Bank's information and system assets, and identifying critical operations, functions, and information systems that may affect these assets and access methods, including internal and external systems, periodically or upon making any fundamental changes. b. Prepare and apply administrative controls to assess the risk of each Bank asset, to identify vulnerabilities that can be exploited in potential threats that may affect the confidentiality, integrity, or availability of this asset. c. Conduct cybersecurity risk gap analysis and risk assessments annually or upon making any fundamental changes, to determine the adequacy of applied controls and the effectiveness of response and recovery plans. In addition, the Bank must develop a plan to address any discovered vulnerabilities immediately. d. Senior Management must determine the responsibility for managing cybersecurity risks (team, committee, etc.) in the Bank. Accordingly, the entity responsible for managing cybersecurity risks in the Risk Department must identify information technology risks and risk acceptance processes, and review and evaluate incidents related to non-compliance with information technology environment management policies. The process must include at a minimum: 1. Risk assessment, description, and approval by the Risk Owner and Senior Management. 2. Identification of mitigating controls. 3. Preparation of a remedial plan to reduce the impact of those risks. e. Identify risks through a (risk matrix) and determine the impact (financial/operational) on Bank assets resulting from each threat, and then conduct qualitative and quantitative impact analysis. The extent of risk impact depends on the likelihood of the correlation between threats and vulnerabilities capable of causing harm to Bank assets upon the occurrence of the event. f. Develop a Threat and Vulnerability Matrix to evaluate the impact of threats on the information technology environment and prioritize response and handling. g. The cybersecurity risk assessment process must include identifying events and activities that can disrupt critical operations in the Bank, or pose risks related to reputation or profits, and assess compliance with regulatory requirements for risk assessment. h. Conduct Threat Assessments that may arise from inside or outside the Bank, covering potential threats such as: Nature, Wars, Accidents, Threats, and Malware. i. Conduct Vulnerability Assessments to identify each vulnerability and the likelihood of its exploitation, in addition to evaluating policies, procedures, standards, and physical and technical controls, etc. 1.5.5. Review and update the cybersecurity risk management methodology and procedures at least once a year (or in the event of changes in the requirements of the Palestine Monetary Authority and related standards). Changes must be documented and approved. 1.5.6. Establish a cybersecurity risk register for critical systems and monitor it periodically.

1.6. Cybersecurity in Projects Management Objective: To ensure the application of cybersecurity requirements within the Bank's project management policy and procedures to protect the Bank's assets, ensuring the confidentiality, integrity, accuracy, and availability of information and technical assets, in accordance with the Bank's organizational policies and procedures and the requirements of the Palestine Monetary Authority. Controls: The Bank must commit to the following: 1.6.1. Include cybersecurity requirements in the methodology and procedures for project management and change management of information and technical assets in the Bank to ensure the identification and treatment of cybersecurity risks as part of the project lifecycle. 1.6.2. Cybersecurity requirements for project management and changes to information and technical assets must cover at a minimum the following: a. Vulnerability assessment and treatment. b. Conduct penetration testing and security assessment (Penetration Testing and Security Assessment) for infrastructure, web applications, APIs, and mobile applications. c. Conduct configuration and hardening reviews and update patches before launching projects and changes. d. Conduct stress testing to ensure the capacity and adequacy of different technological environment components. e. Ensure the application of business continuity requirements. 1.6.3. Cybersecurity requirements for the Bank's application and software development projects must cover at a minimum the following: a. Use secure coding standards, including securing access, storage, and documentation of software code and versions, and conducting security source code review before launching software and systems. b. Use licensed and reliable sources for application development libraries. c. Conduct testing to verify that applications meet the Bank's cybersecurity requirements. d. Ensure integration between applications. e. Apply necessary security controls to secure the API (Authenticated API). f. Apply controls that ensure the secure and reliable transfer of applications from testing environments to production environments, deleting any data, identities, or passwords related to testing environments before transfer. 1.6.4. Review cybersecurity requirements in project management in the Bank by an independent internal or external specialized entity before launching the project in the live environment.

1.7. Cybersecurity Periodical Assessment and Audit Objective: To ensure that the Bank's cybersecurity controls are applied in accordance with policies and procedures