New Standards in Cyber Protection for Companies in the Government, Infrastructure, and Finance Sectors

The Governmental Cyber Security Unit has published a new directive according to which material service providers to government, infrastructure, and finance bodies will be required to adopt a common and unified standard for cyber protection, with the goal of improving the security of the State’s essential IT and infrastructure systems. This directive expands the existing instructions of various regulators, such as the Supervisor of Bank and the Supervisor of Capital Market, Insurance and Savings, regarding the cyber security requirements for the supervised entities’ entry into contractual agreements with third party service providers.

The directive focuses on service providers who provide governmental entities information systems maintenance and support, external storage of sensitive data, and technological outsourcing services. A data breach event in any of these services providers could cause significant harm to the governmental entity. In light of the nature of the services provided, such service providers have become highly attractive targets for hackers. According to the Israeli Cyber Security Authority estimation, thousands of businesses in Israel meet this definition. Examples for such services providers include printing houses who print checks for banks, companies offering email dissemination services, app and website developers, data storage services, and more.

In order to create a unified standard for performing due diligence of a supplier for cyber protection purposes, the Cyber Unit has stipulated the following instructions:

1. Providers must be mapped out using a meticulous methodology of questionnaires, which include about 90 controls in four areas: remote access, breadth requirements, cloud storage, and secure software development.
2. The due diligence must be performed by examiners who successfully completed specialized training and through a test evaluating the service provider and its authorization by the designated entity.
3. A cyber risk management and information security system was designed to support government entities in performing the review, in order to assist ministries in properly contracting with significant providers and others.

The standard’s implementation will progress gradually. In the first stage, services providers to critical entities will be mandated to meet it, for instance hospitals whose operation is essential to ensuring continuity of service to citizens as well as government entities. Later the standard’s implementation will be expanded to service providers of financial entities, transportation entities, and more. In the last stage, a cyber calculator will be launched, enabling interested providers to perform voluntary checks of their cyber security in accordance with the standard and to receive confirmation from the Cyber Unit that they are compliant.

Under the new directive, after December 31, 2020, no contract will be permitted between a government entity and a material provider who fails to meet the standard. Such requirements are generally rolled out gradually onto secondary providers, who will in turn be obligated to meet the requirements.

The directive’s implementation is expected to impact not only entities included in the inner circle of entities directly contracting with government entities, but also entities in the second and perhaps third circles, hence its importance. The questionnaire attached to the directive allows different businesses to examine themselves and their level of preparedness in issues of cyber security. When cyber events are not a matter of “if” but “when,” these tools can help a business protect itself.