Publications | Shira Plotnik
The Israel Anti-Trust Authority has issued a draft opinion on information sharing for cybersecurity. Partners Timor Belan and Avner Finkelshtein and associates Assaf Harel and Shira Plotnik review the key attributes of the draft.
Israeli Anti-Trust Authority Issues New Draft Opinion on Information Sharing for Cybersecurity Purposes*
Growing cybersecurity threats require businesses to take various measures to protect their systems, including by sharing information with other businesses - even competitors - to facilitate better evaluation of existing threats and to promote the protection of computer-based systems. However, the sharing of information among competitors may also be considered prohibited under anti-trust laws. In this context, and given the value of information sharing as a measure for promoting cyber-security, Israel’s Anti-Trust Authority (the “IAA”) has recently published a draft opinion (the “Draft Opinion”) that is meant to clarify the boundaries for the sharing of cyber-related information among competitors.
According to the Draft Opinion, sharing of information that is not related to business activities, but solely to cyber-security threats (for example, information on system vulnerabilities, or indications of possible cyber events), is not likely to limit competition, and may even promote it, by assisting all competitors to overcome cyber-attacks and to maintain functioning and protected systems. Accordingly, the Draft Opinion states that the IAA would not view such information sharing as a measure that restricts or reduces competition.
The Draft Opinion further states that due to the contribution that access to security-related data could provide to a company’s ability to address cyber-security threats, the prevention of access to cyber-security data sharing systems, without reasonable justification, may negatively affect competition.
The Draft Opinion is open for public comments until April 5, 2017.
For further information please contact:
Timor Belan (partner), Avner Finkelshtein (partner), Assaf Harel or Shira Plotnik
*This client update is designed to provide general information only, is not a full or complete analysis of the matters presented, and may not be relied upon as legal advice.
Regulators are imposing new cybersecurity requirements on financial institutions. Partner Timor Belan together with associates Assaf Harel and Shira Plotnik explain how this may affect the financial sector.
In response to the increasing cybersecurity threats to the financial sector and considering the grave risks associated with such threats, regulators have introduced new cybersecurity requirements aimed at improving the protection of companies in the financial sector from such risks. This Client Update discusses two recent cybersecurity regulations that will affect financial institutions operating in the State of New York or in Israel – the proposed New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies (the “Proposed Regulation”) and the Directive on the Management of Cyber Risks, published by the Israeli Ministry of Finance (the “Israeli Directive”). This Client Update also addresses guidelines recently issued by the Group of Seven Industrial Powers (“G-7”).
On September 13, 2016, the NYDFS published the Proposed Regulation, which requires financial institutions regulated by the NYDFS (such as banks and insurance companies) to implement a number of measures to protect their systems from misuse, disruption and unauthorized access. Such measures include, inter alia, establishing and maintaining a cybersecurity program; adopting a cybersecurity policy which is to be reviewed on an annual basis by the board of directors and approved by a senior officer of such financial institution; appointing a chief information security officer who will be responsible for implementing and enforcing the cybersecurity program; adopting and implementing policies for interactions with third parties (including the requirement of certain cyber-related representations and warranties from such third parties); and preparing a response and recovery plan for cybersecurity events.
Furthermore, the Proposed Regulation requires financial institutions to notify the superintendent of the NYDFS of cybersecurity events no later than 72 hours after becoming aware of the event, and to submit to the superintendent, on an annual basis, a certificate confirming compliance with the requirements under the Proposed Regulation.
Israel’s financial regulators have also taken important steps to promote cyber readiness and resilience among companies operating in the Israeli financial sector. On August 31, 2016, following the March 2015 publication of the Bank of Israel’s cybersecurity requirements applicable to banks and credit card companies, the Director of the Capital Market, Insurance and Savings Department in the Ministry of Finance of Israel issued the Israeli Directive, which applies to other financial institutions (such as insurance companies and companies managing provident funds and pension funds). The Israeli Directive imposes new requirements which are intended to promote the confidentiality, integrity and availability of sensitive information stored by such financial institutions, and to protect the proper function of their computer systems.
The Israeli Directive requires financial institutions to adopt a cybersecurity program and a policy which is to be approved by the board of directors on an annual basis; to appoint a cybersecurity officer, who will oversee the cybersecurity program, implement a cybersecurity policy and guide the institution on cybersecurity in general; and to provide cybersecurity training to employees. Although the Israeli Directive requires financial institutions to notify the Ministry of Finance of cybersecurity events, in contrast to the NYDFS Proposed Regulation, it does not define a clear time frame for such notifications, but only states that such notifications shall be given “as soon as possible”. The Israeli Directive also stipulates that the CEO of the financial institution shall be responsible for the management of the institution’s cybersecurity risks and for allocating the proper resources in this regard.
Efforts to promote cybersecurity in the financial sector have also been made on an international level. On October 11, 2016, the G-7 issued a set of nonbinding cybersecurity guidelines to promote cybersecurity best practices in the financial sector (titled G-7 Fundamental Elements of Cybersecurity for the Financial Sector). Such guidelines are intended to assist private and public entities in the financial sector in developing and shaping their cybersecurity strategy, in order to address the growing number of cyber threats. The G-7 guidelines consist of eight elements: establishing a cybersecurity strategy and framework; governance setting; conducting risk and control assessment; establishing monitoring processes; implementing response policies; establishing recovery plans; information sharing with internal and external stakeholders; and continuous learning.
The NYDFS Proposed Regulation is open for public comments until November 12, 2016. If adopted in its current proposed form, it would become effective on January 1, 2017. The Israeli Directive will become effective in Israel on April 2, 2017.
Gornitzky’s Cyber-Security, Privacy and Data Protection team offers clients a well-rounded multidisciplinary approach to navigating the emerging regulatory and legal frameworks in the field of cyber security, privacy and data protection.
A proposed amendment to the Israeli Copyright Act intends to combat online copyright infringement by focusing on "intermediaries". Our team surveys the key aspects of the proposed amendment.
An amendment to the Israeli Copyright Law, recently proposed by the Ministry of Justice, offers new measures against online copyright infringement. The proposed measures are not directly aimed at the publisher of the infringing material, but at intermediaries, such as internet service providers and other individuals or entities that either host the infringing material or could identify the publisher of such material.
An interesting aspect of the proposed law is that it seeks to provide courts with the authority to issue, at the request of the copyright or moral right owner, an order for revealing identifying details (such as the IP address) of a person who anonymously published copyright-infringing material online. Such orders, which according to the proposal would be issued to individuals or entities that are believed to hold information on the publisher of the infringing material, are meant to facilitate the filing of lawsuits against publishers of infringing material and, as a result, to deter potential infringers. Prior to providing identifying details to the owner of the infringed rights, the court would be required to allow the publisher of the infringing information (in case the court is able to identify such a person) to object to revealing his/her details.
In addition, the proposed law would allow courts to issue injunction orders requiring internet service providers and providers of storage services to fully or partially restrict access to a website that contains copyright-infringing material, provided that such infringing material constitutes the main content of such website. Although even under existing law courts can issue injunction orders to prevent copyright infringement, the proposed amendment is meant to better clarify towards whom such orders would be aimed and what the court should consider when deciding on requests to issue such injunction orders. Among other things, prior to issuing such an injunction order, the court would need to consider the severity of the claimed infringement, possible alternatives to restricting access to the site and the effects such restriction of access would have on the public. This proposal aims to provide an effective and immediate course of action for ceasing online infringements.
In addition to the abovementioned measures, the proposed amendment suggests broadening the current definition of “Indirect Infringement” so that such definition would include making works available to the public, even without creating an infringing copy. Such Indirect Infringement would include, for example, unauthorized streaming of copyright-protected films or television shows. In order to deter such forms of online infringement, which appear to be fairly popular nowadays, the proposed amendment also suggests penalizing the making of works available to the public and the broadcasting of a work, provided that such infringements were done for the purpose of making a profit.