A position paper of the Israel Securities Authority (ISA) states that a review of developments over the last few years showed that cyber threats have become a significant and increased risk for companies listed on the Tel Aviv Stock Exchange.
The number of corporations that have experienced one or more cyber attacks is increasing.
ISA requires in-depth disclosure of cyber incidents
The ISA requires a more in-depth risk assessment and disclosure process for the cyber incidents that corporations experience. Also, corporate boards must discuss the audit findings on cyber incidents, reassess the risks and continuously discuss the possibility of cyber attacks.
Companies are required to add a disclosure chapter on cyber risk management policy in their quarterly reports and when publishing a prospectus. The disclosure should include details of their risk management strategy, procedures, work processes, operations and controls.
Also, companies will be required to state which resources are being allocated to cyber risk management and who's in charge of implementing risk policies. In the reports, a disclosure chapter will be added on the expertise of officers and board members in the supervision and management of cyber risks.
Shlomi Bani, a partner at the Shiff Hazenfratz RSM office, which provides internal audits and cyber risk services, said, "The ISA's position is that each corporation's board of directors has a vital role when it comes to supervising and implementing the design and operation of a cyber risk management system."
Bani added that, specifically, it is the management of corporations on the stock exchange that should actually manage and implement the risk management policy. It's important for there to be communication, coordination and close cooperation between boards and senior management regarding risk identification and assessment, risk management and ongoing controls.