Bank of Israel Issues Proper Conduct of Banking Business Directive on Cybersecurity

Israel’s Supervisor of Banks has released a new directive – Proper Conduct of Banking Business Directive No. 364 – which consolidates and replaces three previous directives on information technology management, cybersecurity, and data protection (Directives 357, 361, and 363). This comprehensive update reflects the banking sector’s need to deal with the growing sophistication of cyber threats and the evolving privacy landscape in recent years.

The directive introduces a unified framework for managing cybersecurity and data protection risks through technology-neutral guidance adaptable to the various information systems banks may choose. Thus, the directive gives banks greater flexibility to implement tailored risk management solutions while maintaining robust oversight.

The directive consists of several sections covering topics that include governance responsibilities allocated to corporate organs and focal points, risk management methodologies, and breach incident procedures. It also requires banks to address the human factor as a facilitator of breaches through periodic organization-wide training on cyber threats and relevant technologies.

The directive also mandates continuous monitoring of the bank's information systems, proactive threat assessments, and robust incident response protocols, including structured reporting and regular drills. It emphasizes accountability in third-party relationships, particularly where external vendors manage critical assets.