National Insurance has not updated cyber security policies in a decade, State Comptroller says

The National Insurance Institute gets tens of thousands of alerts of cyber attacks a day that must be examined by a lone analyst manning the cyber control center.

By EVE YOUNG NOVEMBER 12, 2024 16:37

National Insurance (photo credit: NATI SHOHAT/FLASH90)

The National Insurance Institute (NII) has not updated its cyber security and information security policies for around ten years, in spite of the fact that the threats in these fields have developed and NII policy states that these must be reviewed and updated yearly, according to a comptroller report released Tuesday.

It has also been over two years since the NII's cyber steering committee has met, the report added.

"Especially in wartime, cyber weaknesses are a failure," said State Comptroller Matanyahu Englman

"We cannot wait for our enemies to lay their hands on NII databases - we must fix the weaknesses long before."

The NII gets tens of thousands of alerts of cyber attacks a day that must be examined by a lone analyst manning the NII's cyber control center, the report said, adding that the NII is lacking the proper teams to respond to the threats and alerts it faces.

State Comptroller Matanyahu Englman at the license distribution ceremony of the Council of Accountants, July 2, 2024 (credit: Via Maariv)

Some 87% of NII cyber security policies are only upheld partially, and there is no periodic tracking of this, said the report.

The systems the NII uses to transfer information to outside organizations also have cyber security issues, the report added.

The comptroller called on the NII to work to address the cyber security risks the organization faces and to create a plan to map out cyber security risks.

The comptroller also addressed information security issues faced by Israeli weapons manufacturer Rafael Advanced Defense Systems.

The management of Rafael has not approved the government's risk management strategy, and as of June 2023, the company's risk management does not include mechanisms to report risks to outside bodies, said the comptroller, adding that Rafael has not reported to government offices as required.

---

---

Rafael's management also failed to report and examine cyber incidents properly and does not have the necessary insurance policies for cyber incidents, the comptroller added.

National Insurance Institute responds to report 

The NII responded to the report, saying that the report came out as the institute is in the midst of work to improve on the issues mentioned, and a new deputy CEO for computing was brought in.

"Although the changes were underway and this was communicated to the comptroller along with the work plan, the audit still took place. This is why the report does not address cyber incidents or data leaks due to negligence; instead, the main focus of the audit is solely on administrative aspects, which we also prioritize. Everything mentioned in the report is already part of our work plans, some of which have already been completed and upgraded," the NII said. 

Rafael has not yet responded to a request for comment.