Israel’s Capital Market, Insurance and Savings Authority (CMISA) recently published two new risk management circulars for financial service providers. The first circular pertains to risk management in its broadest sense, while the second circular specifically addresses cyber risk management.
Both circulars apply to a long list of financial service licensees, including small entities:
1. Licensees for the provision of deposit and credit services.
2. Licensees for the operation of a peer-to-peer credit system.
3. Licensees for the provision of financial asset services, under which financial assets are retained and managed in a designated account that the service provider manages for a particular customer, and which allow a financial asset to be transferred to another account (for example, digital wallets and payment services).
4. Any entity seeking to operate as a financial information service provider within the framework of the designated arrangements prescribed in this regard.
5. Any licensee for the provision of financial services that retains online both information about its customers and the financial assets of its customers, or any entity that serves as a source of information or that uses credit data, as this term is defined in the Credit Data Law. Under this alternative, the circulars also apply to credit providers.
Circular on Risk Management for Regulated Financial Service Providers
In the risk management circular, CMISA is seeking to create a risk management framework for financial service providers. It does so by examining both the responsibility imposed on the regulated entity and the domino effect a risk management failure could trigger in one of the related entities, due to the relations and interconnectivity between these entities.
This circular aims to serve as a framework circular supplementing individual circulars, such as the circular on money laundering risks and the circular on cyber risks.
This circular adopts the international practices for performing structured risk identification and assessment operations and for taking risk management measures according to the characteristics, nature, volume, and complexity of the risks, and according to the financial service provider’s business objectives.
This circular gives financial service providers a time frame of 18 months to complete the necessary preparations, apart from any entity seeking to provide a financial information service, to which the circular applies immediately.
During this time frame, service providers will need to analyze the applicability of the circular to their operations. They will need to appoint a risk manager with the authority to work independently, and to formulate a risk management plan and obtain the board of directors’ approval for it.
In addition to the general risk management circular, CMISA also published a circular focusing on cyber risks.
Circular on Cyber Risk Management for Financial Service Providers
The purpose of this circular is to define cyber defense principles for financial service providers. According to this circular, cyber risks are particularly high in this sector, because it requires online operations and involves extensive interconnectivity between service providers and other entities in the Israeli and international financial systems. Therefore, CMISA is obligating companies operating in this sector to maintain particularly stringent cybersecurity standards.
The principles defined in the circular are intended to ensure the proper conduct of business activities and to maintain the confidentiality, integrity, and availability of both service providers’ and customers’ information and information systems. Service providers are to implement a series of cybersecurity measures. These measures include preventing hacking and information leaks, neutralizing cyber incidents, investigating cyberattacks after they have been contained, and contending with cyber threats in the future.
This circular also mandates performing cyber risk management on an ongoing basis, updating it regularly, and basing it on principles of good corporate governance.
Actions Required by the Circular:
– Formulating a cyber risk management policy.
– Formulating a board of directors’ policy within this context.
– Appointing a cyber defense officer and defining the officer’s roles.
– Formulating a work plan.
– Monitoring readiness for cyber incidents.
– Implementing cyber defense mechanisms in information systems.
CMISA is giving entities subject to this circular one year to complete the necessary preparations, apart from financial information service providers, to which the circular applies immediately.
We recommend all licensees ascertain the applicability of these circulars’ directives to their operations. If they must comply with these circulars, they should begin taking the necessary actions now. These circulars set high standards of corporate governance and impose responsibility on financial service providers’ boards of directors and CEOs.