National Insurance has not updated cyber security policies in a decade, State Comptroller says

The National Insurance Institute gets tens of thousands of alerts of cyber attacks a day that must be examined by a lone analyst manning the cyber control center.

 National Insurance (photo credit: NATI SHOHAT/FLASH90)

The National Insurance Institute had not updated its cyber security and information security policies for around a decade, despite the fact that threats in these fields have developed and that NII policy states that these must be reviewed and updated yearly, according to a comptroller report released Tuesday.

The NII's cyber steering committee also failed to meet between 2022 and January of 2024, the report added. 

“Especially in wartime, cyber weaknesses are a failure,” said State Comptroller Matanyahu Englman. “We cannot wait for our enemies to lay their hands on NII databases; we must fix the weaknesses long before.”

The NII receives tens of thousands of alerts of cyber attacks a day that must be examined by a lone analyst manning the NII’s cyber control center, the report said, adding that the NII is lacking the proper teams to respond to the threats and alerts it faces.

State Comptroller Matanyahu Englman at the license distribution ceremony of the Council of Accountants, July 2, 2024  (credit: Via Maariv)

According to the report, 87% of NII cyber security policies are only partially upheld, and there is no periodic tracking of this. The systems the NII uses to transfer information to outside organizations also have cyber security issues, the report added.

The comptroller called on the NII to work to address the cyber security risks the organization faces and to create a plan to map out cyber security risks.

He also addressed information security issues faced by Israeli weapons manufacturer Rafael Advanced Defense Systems.

The management of Rafael has not approved the government’s risk management strategy, and as of June 2023, the company’s risk management does not include mechanisms to report risks to outside bodies, the comptroller said, adding that Rafael has not reported to government offices as required.

Rafael’s management also failed to report and examine cyber incidents properly, and does not have the necessary insurance policies for cyber incidents, he added.

National Insurance Institute, Rafael respond to report 

The NII responded to the report, saying that the report came out as the institute is in the midst of work to improve on the issues mentioned and that a new deputy CEO for computing was brought in.


“Although the changes were underway and this was communicated to the comptroller along with the work plan, the audit still took place. This is why the report does not address cyber incidents or data leaks due to negligence; instead, the main focus of the audit is solely on administrative aspects, which we also prioritize,” the NII said.

“Everything mentioned in the report is already part of our work plans, some of which have already been completed and upgraded,” it concluded.

Rafael also responded that the company “invests a great deal in information security and is a leading body nationally in the field of cyber defense, among others.”

“All issues raised in the report were addressed as necessary.”