The Banking Supervision Department conducted a cyber exercise for the entire banking system, as part of the process of strengthening risk management and preparedness for incidents that may take place in the system. The background for the Department’s activity is the increasing cyber risk in general, and large cyber incidents that are taking place in financial organizations around the world that may also take place at Israeli banking corporations.
With the objective of strengthening the preparedness of the banks and credit card companies for dealing with a cyber incident, the Banking Supervision Department is using a number of regulatory tools. The main tools are the issuing of regulatory directives to the banking system, chiefly a Cyber Defense Management directive and a directive on Supply Chain Cyber Risk Management; processes for the enforcement of the directives’ implementation in the field; strengthening the interface between the banks and Banking Supervision Department and the National Cyber Directorate as an additional line of defense; and conducting a sector-wide cyber exercise, at least once a year, for the entire banking system.
On Thursday, January 24, 2019, the Banking Supervision Department’s Cyber Defense Unit conducted a “round table” exercise for all banking corporations regarding a material business process.
Supervisor of Banks Dr. Hedva Ber opened the exercise and emphasized that, “It is very important for the banking corporations to hold cyber exercises, including exercises that involve senior management echelons, as part of their preparedness for managing a large incident that may take place in the economy in general, and in the banking system in particular. Awareness and cyber risk management are not just the responsibility of the banks’ cyber and technology units, but also of the banks’ business units, since an incident may begin through a business anomaly. Information sharing in the area of cyber risk management between the banking corporations, the Banking Supervision Department and the National Cyber Directorate is critical, since such sharing can increase and strengthen the layers of defense against attackers, thereby reducing the scope of an incident and the damage that it may cause should an incident take place.”
The exercise included many representatives from among the banking corporations, including Chief Cyber Defense Officers at all the banks and credit card companies, operational risk and cyber risk managers, and representatives of the relevant business units, as well as a representative of the National Cyber Directorate.
The exercise was intended to practice business and technological decision-making processes during a significant and developing cyber incident, strengthening internal and external work interfaces during a cyber incident, and dealing with a cyber incident vis-à-vis the banking corporation’s customers, among other things. The exercise related to various components of the banks’ business operations and the changing technological environment, including work with outside suppliers in some of the bank’s material business systems that may expose the banking corporation to third party or supply chain risks; working digitally with customers; phishing incidents regarding information from customers, and more.
The banks and credit card companies are required to summarize their insights from the exercise, integrate them in the organization through various means including independent exercises within the bank, and transfer their findings to the Banking Supervision Department.