2022-01-01

Circular No. 55/2022: Regarding Operational Events Related to Information Technology - Information Security

The Palestine Monetary Authority issued Circular No. 55/2022 requiring all payment service companies operating in Palestine to establish internal teams for information security risk assessment and submit gap analysis reports by June 30, 2022. The regulation mandates immediate notification of any cyberattacks, fraud, system failures, unauthorized access, or data breaches that impact company systems or services. Companies must follow specific reporting protocols via email or phone followed by detailed written submission within two days, utilizing the provided incident form for comprehensive documentation.

PALESTINE MONETARY AUTHORITY

Circular No. (55/2022)

To all payment service companies operating in Palestine

Date: Monday, 07 March, 2022

Subject: Operational Events Related to Information Technology / Information Security

In order to mitigate cyber risks that payment service companies may face, and to prevent negative impacts on the integrity and continuity of their operations amidst the rising volume of cyberattacks, and to reduce expected risks, and based on best standards and practices and our relevant instructions, all payment service companies are required to comply with the following:

  1. Establish an internal team within the company responsible for reviewing and evaluating the information security system and its ability to face risks, with the aim of ensuring business continuity during critical times. This team must identify additional steps required to address the increased threat level, determine the current gap and deficiency, and monitor the necessary budgets for implementation as soon as possible.

  2. Provide the Palestine Monetary Authority with a gap and deficiency report no later than 30 June 2022.

  3. Notify the Palestine Monetary Authority immediately and without delay of any cyber events or attacks that the company or any third-party contractor has been exposed to or may be exposed to, which affect or are likely to affect the company's systems and services, regardless of the duration of service interruption or irregularity. This includes:
     a. Cyberattacks and any information security breaches, whether successful or failed attempts.
     b. Fraud events.
     c. System failures / system operational disruption.
     d. Unauthorized access.
     e. Data breaches.

  4. Reporting shall be conducted via email/phone/mobile, followed by a detailed written report within a maximum of two days from the date of the event, according to the attached annex. (CC: bshubairi@pma.ps) (To: ITSV D@pma.ps)

Supervision Group
Palestine Monetary Authority


www.pma.ps

Ramallah and Al-Bireh Governorate - Palestine | P.O. Box 452 | info@pma.ps | Tel: +970 2 2415251 | Fax: +970 2 2415310
Gaza - Palestine | P.O. Box 4026 | Tel: +970 8 2825713 | Fax: +970 8 2844487


Incidents Form

Basic Information

1. Particulars of Reporting:

  • Name of the Company
  • Date and Time of Reporting to PMA
  • Name of Person Reporting
  • Designation/Department
  • Contact details (e.g. official email-id, telephone no, mobile no)
    • IT Manager.
    • Information Security Officer

2. Details of Incident:

  • Date and time of incident detection
  • Type of incidents and systems affected:
    • i. Outage of Critical IT system(s)
    • ii. Cyber Security Incident (e.g. DDoS, ransomware/cryptoware, data breach, data destruction, web defacement, etc.)?
    • iii. Theft or Loss of Information (e.g. sensitive customer or business information stolen, missing, destroyed or corrupted)?
    • iv. Outage of Infrastructure (e.g. which premises: DC, branch, etc.; power/utilities supply; telecommunications supply)?
    • v. Financial (e.g. liquidity)?
  • What actions or responses have been taken by the Company?

3. Impact Assessment (examples are given but not exhaustive):

  • Business impact including availability of services
  • Impact on stakeholders – affected retail/corporate customers, affected participants including operator(s), settlement institution(s), business partners, service providers, etc.
  • Financial and market impact – trading activities, transaction volumes and values, monetary losses, liquidity impact, company run, etc.
  • Regulatory and Legal impact

4. Chronological order of events:

  • Date of incident, start time and duration
  • Escalations done, including approvals sought on interim measures to mitigate the event, and reasons for taking such measures
  • Channels of communication used (e.g. email, internet, SMS, press release, website notice, etc.)
  • Rationale for the decision/activation of BCP and/or DR

5. Root Cause Analysis (RCA):

  • Factors that caused the problem / reasons for occurrence; cause and effects of the incident
  • Interim measures to mitigate/resolve the issue, and reasons for taking such measures
  • Steps identified or to be taken to address the problem in the longer term: list the remedial measures/corrective actions taken (one-time measures) and/or corrective actions taken to prevent future occurrences of similar types of incident

6. Date/target date of resolution (DD/MM/YYYY).

Note: All fields are REQUIRED to be filled unless otherwise stated.