In recent years, the number of cyber incidents at financial institutions in Israel and abroad has increased. These incidents generally cause tremendous damage and involve sophisticated and innovative attack methods, and they sometimes come from external sources that provide various services to the banking corporations and are part of the banking corporations’ supply chain. Therefore, the banking corporation is required to determine what actions are necessary to make sure that its material external service providers take the required actions to reduce the banking corporation’s exposure to cyber risks.


The Banking Supervision Department today published a proper conduct of banking business directive on cyber risk management in the supply chain, with the aim of clarifying the banking corporation’s responsibility concerning the existence of a secure working format with external suppliers, as well as its obligations to properly manage cyber risks in the activities of those suppliers and in their interfaces with the corporation.


According to the directive, the banking corporation is required to set out principles for the obligations of material external suppliers regarding cyber risk management, and to make sure that those principles are adhered to. In addition, the directive provides a detailed list of accepted protections that the banking corporation must consider integrating into contracts with external suppliers (for instance, determining how the banking corporation’s data stored by the supplier is to be deleted after the contractual association between them ends).


The directive defines the obligations of the relevant parties in the banking corporation to report to management when there is a concern that a supplier is exposing the corporation to significant cyber risks. Based on this report and the risk assessment, management must consider and decide how to continue the association with the external supplier (such as reducing activity, implementing compensatory controls in the banking corporation, halting the association, and so forth).


Supervisor of Banks Dr. Hedva Ber said, “Banks are operating more and more through service providers and various external entities, such as suppliers that provide capital market trading services or technology services to the bank, which constitute part of the bank’s supply chain. We are setting out our supervisory expectations to the banks’ management in terms of the standards that must be demanded from the entities with which the banks have contractual associations in order to receive various services, so that the ‘weak link’ in the supply chain will not expose them to cyber risks and the leakage of information.”