FinTech Companies need to watch out for the new regulations from SSWG

Since June 2016, there has been a flurry of activity in the RBI regarding the formation of security guidelines that apply to the Financial Services Industry in general in India and to Banking in particular.

First, there was the circular regarding the “Cyber Security Framework”, which required Banks to set up a “Security Operations Center” (SOC) and to monitor even “Zero Day Vulnerabilities”. Though the earlier information security guidelines of April 2011, following the GGWG (G Gopalakrishna Working Group) recommendations, did press for many information security initiatives that the Banks should have taken, and which could be interpreted to include what is now being stated, none of the Banks had taken the GGWG guidelines seriously.

Now RBI has taken a decisive step to alert the Board Members in Banks, and more particularly the Independent Directors, to not only take stock of the implementation status but also confirm to RBI that they have indeed done so. Additionally, Banks have been specifically directed to place the RBI circular and a Gap Analysis before the Bank’s board and send a report to DBOD before July 31, 2016. They have also been given the deadline of September 30, 2016 for implementation of the Cyber Security Framework and confirmation to RBI.

Setting up an SOC, and more particularly watching out for “Zero Day Vulnerabilities”, calls for a high level of expertise, technical enablement and investment by Banks. Except for the top few Banks, others may have neither the expertise nor the technical know-how to maintain the SOC as required. There are also many smaller Banks which may not have the necessary resources to buy the technological services required for the purpose. This has already sent most CISOs in Banks into a huddle and caused feverish activity amongst those Banks which have the capability to understand the implications. Many others are likely to continue in their mode of “All is Well” and “Ignorance is Bliss” until they are jolted again by another follow-up initiative of RBI, if there is one.

Following this circular, RBI also released a “Vision Document” for the “Payment and Settlements Systems Industry” with a focus on “Prevention of Frauds” in the payments eco-system, which includes many private sector players who today act as business associates of Banks. It suggested that a responsive regulatory framework be developed, including new policies for the sector.

These measures clearly indicated that Banks would significantly increase their oversight of private sector FinTech companies who were hitherto working in the background, while fraud risk exposure, at least in perception terms, was absorbed by the front-end Banks. Though legally, under ITA 2008, the back-end service providers were exposed to the risks of frauds, due to the general ignorance of customers and Banks they were not called upon to bear the risk of fraud losses.

This situation will now be changed. RBI has identified measures to increase the accountability of the back end service providers and even indicated that RBI may directly retain the power of regulating the back end service providers such as Payment Gateways, Authentication Providers, Customer Aggregators etc. While RBI may wait until it takes a direct plunge into regulating the intermediaries who work between the Banks and the End users of different services, it will definitely bring sufficient pressure on the Banks themselves to increase their supervision of the back-end service providers.

As a result, the back-end service providers which include many Start Ups in the FinTech industry will start feeling the heat of regulatory oversight soon. Since most regulations translate into a Techno Legal Compliance exercise at the service provider’s level, it will require additional investments which might not have been budgeted earlier. The VCs who have funded these companies will also have to take note of the new regulations and ensure that their funds are protected. In case these Tech Companies continue to ignore the compliance requirements in their operations, they are likely to face unpleasant surprises soon.

In a bid to develop policies that may be required for such regulation, RBI has recently set up a working group under the Chairmanship of Mr Sudarshan Sen, Executive Director. (We shall call this the SSWG).

It is time that the FinTech industry takes note of this development and tries to understand the implications of the setting up of the SSWG and its likely recommendations that may follow. The working group has been asked to submit its report in the next 6 months. Since this will be one of the first Working Groups that will define the role of FinTech companies in India, it will be a trend setter. But if the trend is set in a direction that the FinTech companies consider as incorrect, then their business will be adversely affected.

We may take note that in the recent past the Taxi Aggregators and the E-Commerce Companies were at the wrong end of new regulations from politicians who did not understand the business. Since these companies also did not understand the mindset of the regulators, they failed to defend their interests and allowed regulations that are dysfunctional. As a result, a “Taxi Service Aggregator” today is considered a “Taxi Operator” and an E-Commerce “Market Place” is considered a “Wholesaler”.

The next axe will fall on the Health Information App companies and the FinTech Companies. If they do not wake up and take measures to protect their interests, they will regret it.

I am not suggesting here that the FinTech companies should manipulate the regulatory framework contemplated by RBI. But I am surprised that FinTech companies do not find representation in the SSWG though the decisions taken there could affect them. There is a need for the FinTech Companies to ensure that their voices are heard in regulatory circles.

While organizations such as CII or FICCI ensure that policies are not generally detrimental to the industries they represent, FinTech Companies do not have a proper industry body to represent them. NASSCOM is also not represented in the SSWG, and even if it were, it is not a reliable representative of the FinTech companies, which are mostly small and micro enterprises.

There is therefore an immediate necessity for these entities to come together and form a body of “FinTech entities” that understands the needs of this industry segment and represents it to the right authorities.

Since the SSWG has already been formed and in the next one month will start collecting data about the industry, it is high time for the FinTech entities to formulate their strategy of presenting a collective industry face to the SSWG and ensure that they are heard fairly.

I urge industry players to take the initiative and form a “Society of FinTech Entities”, enrol members, and develop an industry representation that can be presented to the SSWG. The society can propose certain “Self Regulation” that would pre-empt any unreasonable regulations which may otherwise be imposed on them.

Since Bangalore is a hub of Start Ups and there are many FinTech companies working here, it is a good place to start with. If the industry players are interested in coming together to form such a “Society of FinTech Entities” and need any assistance, Naavi would be happy to assist them.

Naavi


RBI’s FinTech Working Group needs to secure Consumer interests also

It is good to see that RBI at last appears to be walking its talk on hardening the security in Banks. After the last circular on the “Cyber Security Framework” (June 2, 2016), which reiterated the earlier circulars issued after the G. Gopalakrishna Working Group (GGWG) report that was largely ignored in implementation, the July 31 deadline for Gap Analysis and the September 30 deadline for putting a new policy in place must be haunting the Bankers. Those in the Banking system who have understood the import of the circular and want to be compliant must be spending sleepless nights.

In the meantime, it is reported that Deputy Governor R Gandhi, participating in an IDRBT event in Hyderabad on July 19, confirmed that RBI has constituted a working group on financial technology, “to fully understand the new paradigm of Fintech and to chart out the best way of using it”. (A copy of the speech is available here)

It was also noticeable that, for the first time, RBI has drawn the attention of the Government to the fraud risks associated with the Jan Dhan Yojana scheme, which has been highlighted in these columns on various occasions. (Refer article in IE)

It would however have been better if RBI had also endorsed our suggestions regarding provision of Cyber Crime Insurance to the Jan Dhan users along with proper education and technical help for security.

Hopefully once the risk is flagged, some measures would follow. Probably the working group on FinTech will address these issues in their deliberations.

The constitution of the Working Group is indicated in this notification.

The Working Group will consist of 13 members including the Chairman, Shri Sudarshan Sen, Executive Director. The members are shown below.

(i) Shri Sudarshan Sen, Executive Director, RBI - Chairman
(ii) Dr. Sarat Kumar Malik, CGM, SEBI - Member
(iii) Shri R.K. Sharma, Joint Director, IRDAI - Member
(iv) Shri Rakesh Sharma, GM, PFRDA - Member
(v) Shri A. P. Hota, MD & CEO, NPCI - Member
(vi) Dr. A. S. Ramasastri, Director, IDRBT - Member
(vii) Shri R Ravikumar, CGM, DBS, RBI - Member
(viii) Smt. Nanda S. Dave, CGM, DPSS, RBI - Member
(ix) Shri Mrutyunjay Mahapatra, DMD & CIO, SBI - Member
(x) Shri Nitin Chugh, Head, Dig. Bkg., HDFC Bank - Member
(xi) Shri Amish Mehta, CFO, CRISIL - Member
(xii) Shri A. Joseph, JLA, LD, RBI - Member
(xiii) Shri Prasant K. Seth, GM, DBR, RBI - Member-Secretary

Notably, there is no representation of ICICI Bank, a regular participant in all RBI working groups on Banking matters, but HDFC Bank and SBI represent the Banking industry. Surprisingly, there is no representation from the FinTech industry and, as usual, none from the Consumer side.

In the past, RBI working groups have been dominated by some industry players who have successfully tried to manipulate RBI policies through such working groups. During the time of the GGWG, Naavi fought a tough battle to ensure that some motivated changes which were not legally sound did not become part of the recommendations.

The RBI Circular however states that the Working Group may invite views from representatives of any area relevant to its terms of reference and may also, at its discretion, co-opt entities in the payment, telecom, software and start-up ecosystem. One hopes this will be implemented in practice and not remain on paper only.

The terms of reference of the Working Group are:

  1. To undertake a scoping exercise to gain a general understanding of the major Fin Tech innovations / developments, counterparties / entities, technology platforms involved and how markets, and the financial sector in particular, are adopting new delivery channels, products and technologies.
  2. To assess opportunities and risks arising for the financial system from digitisation and use of financial technology, and how these can be utilised for optimising financial product innovation and delivery to the benefit of users / customers and other stakeholders.
  3. To assess the implications and challenges for the various financial sector functions such as intermediation, clearing, payments being taken up by non-financial entities.
  4. To examine cross country practices in the matter, to study models of successful regulatory responses to disruption across the globe.
  5. To chalk out appropriate regulatory response with a view to re-aligning / re-orienting regulatory guidelines and statutory provisions for enhancing Fin Tech / digital banking associated opportunities while simultaneously managing the evolving challenges and risk dimensions.
  6. Any other matter relevant to the above issues.

Perhaps we need to watch how the recommendations of the FinTech Working Group develop and whether they will properly represent the views of the FinTech industry and the interests of the public who are consumers of the services rendered by these companies as well as by Banks.

Naavi


“There will be no prosperity without Law and Order..” Donald Trump.. A message also for Digital India

Donald Trump, the Republican nominee for US president this year, says “There will be no prosperity without Law and Order”. This was said in the context of the American physical space, where Crime and Terrorism have created a situation in which protection of US citizens has become the prime election plank for the US presidency. But what he said in the context of the US physical space is also a timely reminder for Cyber Space watchers in India, or more so for the Cyber Space regulators of India.

Time and again we have highlighted the need to ensure “Security” before we take a technology leap particularly when the users are uneducated and un-initiated to a security culture. However, the Ministry of IT has not moved fast enough and decisively enough to take such steps as are necessary to mitigate the Cyber Crime risks in the country.

It is possible that the Government may not accept this criticism and say that they are taking many steps in the background to which the public is not privy. I hope it is true and that the security issue is being addressed in all our Digital India projects, including the FinTech revolution in the financial sector, Tele Medicine projects, E Governance projects, Smart City projects, Smart Grid projects, Big Data projects etc.

But if we look at some of the publicly visible aspects such as E Banking Security, Lack of Government interest in Cyber Insurance, Continued apathy to re-activation of the Cyber Appellate Tribunal, Non Correction of the flawed Adjudication System of Cyber Justice, Scrapping of Section 66A which remains unchallenged, it appears that the list of what needs to be done urgently seems to be growing.

Not all of this can be blamed on the Modi Government since, at least on the Cyber Appellate issue and Section 66A, the role of the Supreme Court is evident. But the Government has not decisively taken steps to fight it out with the Supreme Court to make the necessary corrections.

As regards the financial sector, very recently RBI has taken some bold new initiatives and demanded action from Banks on the security front with deadlines. A Cyber Security Framework has been suggested and the Banks’ acknowledgement of its implementation has been asked for before July 31st. If this is pursued, there should be improvement in E-Banking security. But whether the new Governor will take steps to push the Banks beyond the issue of circulars remains to be seen.

The FinTech Companies are changing the financial landscape in the country and are also eroding the role of the regulated Banks in shaping the future of e-finance industry. These being private sector companies, their profit motive is at a level higher than the commercial Banks and the possibility of a trade off between security and profits is high. There is therefore a need to keep a strict watch on the activities of FinTech Companies and ensure that the regulation works.

If however, the Government is committed to “Free Enterprise” and “Placing Faith in Private Sector” and liberalize the financial sector, then there is a need for the Government to simultaneously take steps to protect the Citizens from the vagaries of Cyber Crimes. Citizens cannot be left to fend for themselves and used as sacrificial lambs to promote Digital India.

I therefore advocate the following immediate steps for the Government of India to take:

  1. Call a meeting with the CJI and finalize the appointment of the Chair person of Cyber Appellate Tribunal immediately without the larger issues such as NJAC becoming a stumbling block.
  2. Improve the system of “Adjudication” under Section 46 of ITA 2000/8, by setting up a separate “Adjudication Bench” in each State and Union Territory which should consist of one member of the Judiciary trained in Cyber Crimes to be the Adjudicator, supported by a technically qualified Co-Adjudicator who could be a Government official like the IT Secretary or even a Non Governmental person.
  3. Both the Adjudication system and Cyber Appellate Tribunal should be mobile and sit in any location outside their head quarters as often as required and also use video conferences to reduce the cost of the process and make it more user friendly.
  4. Introduce a strict policy in Banks that they should not pursue a policy of litigation against Customers for Cyber Crime related issues unless there is evidence that the customer is involved in the fraud, and ensure that the NPA recognition norms are suitably altered so that Banks do not hide cyber crime frauds under “Pending litigation”.
  5. Introduce a “Limited Liability” policy in terms of cyber crimes related to ATM cards, Credit Cards, Phishing, Mobile Wallets etc where the customer’s loss should be limited to not more than 10% of the amount lost so that where he opts for immediate settlement, the complaint may be closed at this 10% cap without any litigation with the customer while the Bank may continue its efforts to recover the full money lost against the alleged fraudster.
  6. Introduce mandatory Cyber Insurance for Mobile Wallet users across the country up to a nominal amount of Rs 5000/- per month and subject to an annual limit of Rs 10000/- (the limits are suggestive), with strict penalization for fraudulent claims through the re-invigorated Adjudication system.
  7. Section 66A of ITA 2008, which provided security not only against Cyber Stalking and Cyber Bullying but also against Spamming and Phishing, should be re-introduced immediately, if possible with a simple review of the earlier decision by a larger Supreme Court bench introducing whatever clarifications the Supreme Court wants on Free Speech.

I request Mr Ravishankar Prasad, the honourable Minister of Law and IT, to immediately take steps to initiate these suggestions and, where there are financial implications such as Cyber Insurance and Banking liability, I request Mr Arun Jaitley, the honourable Finance Minister, to step in with his support.

If such measures are not taken at the earliest, I foresee that political opponents of Mr Modi will hire hackers to hack into Cyber Assets of the country, inflict loss on the public and hold Mr Modi responsible in the same way some allegedly thought of hiring Ishrat Jehan and Taliban forces to assassinate him.

This is a prophecy which I do not want to come true, but I urge the Government not to neglect it.

Mr Donald Trump has rightly identified that unless terrorism is eliminated by a policy which is different from the current “Politically Correct” approach, there will be no prosperity for the community. Similarly, in Digital India, prosperity will not be possible if the Government does not take corrective steps and slips into complacency that Technology is fascinating and nothing will go wrong.

Naavi


Why Finger Print is not a “Signature” in electronic form?

India gave legal recognition to electronic documents as equivalent to paper on 17th October 2000, by notifying the Information Technology Act 2000 (ITA 2000). At the same time, a system of “Signing” an electronic document was also given recognition in the form of “Digital Signatures” as defined in the Act itself. Authentication of an electronic document with a digital signature was given the same legal recognition as a “Signature” on a paper document. The system that the Act defined as the accepted form of authentication of an electronic document was one in which a hash of the electronic document to be signed is encrypted with the private key of an asymmetric crypto system. The legal recognition was conditional on the requirement that only the standard algorithms for hashing and asymmetric encryption notified by the Controller of Certifying Authorities (CCA) be used and that the digital certificate be issued by a licensed Certifying Authority. The e-Sign system notified last year is itself a form of digital signature, differing only in that it is a “Single use system”.

Over the last 16 years, though digital signatures have come to be used mainly by Companies for filing annual returns with the Ministry of Corporate Affairs and for filing Income Tax, their use for other commercial transactions has been minimal.

What is also observed is that the Banking industry has been conspiring against the system of digital signatures as a means of authentication of Cheques and Banking instructions and trying to project “Passwords” and “Two Factor Authentication” as a substitute for digital signature.

Recently, Indus Ind Bank has gone on a publicity blitz to promote “My Finger Print is My Password” and suggests its use through mobile phones to access Bank accounts. The ad campaign can be considered as attractive enough for many customers of Indus Ind Bank to start using the finger print enabled mobile phones to access the account with only the finger print.

In India, finger prints on paper documents have been in use since time immemorial, partly because a thumb impression was considered the “Signature” of an illiterate person and more reliable for property transactions. Many semi-literate persons find it difficult to develop a unique written signature and maintain consistency, and in such cases a thumb impression is easier to use, though verification of a finger print may require some extra effort on the part of the person who wants to rely on it. In the case of Banks where a specimen thumb print is already registered, verification was possible, but for others a written signature is more user friendly.

In recent days, after the Government took efforts to promote Aadhaar, there is a renewed interest in the use of the “Finger Print” as a universal mechanism to authenticate a user of an electronic document. It will not be surprising if finger prints soon become an acceptable form of authentication for other Banks as well as Government agencies, to the extent that the public may perceive it as a continuation of the paper-based system of affixing a thumb impression and adopt it readily.

It is here that there is a need to understand both the technical and legal risks associated with the use of thumb impressions (or the finger print of any of the 10 fingers, as is often used in mobiles), by the public as well as organizations and of course the Government, before too much hype is created around the “Finger Print as Password” concept.

It must be considered as an eye opener that already a major fraud has been identified in Madhya Pradesh where a scam involving fake finger prints by proxy candidates in Police entrance examinations has been unearthed.

As per the details of the scam reported here in TOI, thumb impressions were captured on films and converted into finger caps of “Synthetic bandages” which were then worn by the fraudsters and used on the finger print scanners. This is a low-tech and low-cost fraud that can be committed everywhere the finger print is used to identify a person, and it should expose the myth that finger prints are a secure form of authentication.

When a person voluntarily wants somebody else to use his identity (as in the MP scam), he can share his password or provide a copy of his finger print to create a synthetic replica. If the person relying on the authentication is negligent enough not to recognize a different face or observe the cap on the finger, then he too is in complicity with the fraudster, and all of them together are trying to cheat the system. No security can fight this collusion of three human beings. This risk is more a human risk than a techno-legal risk and should be handled as such.

On the other hand, a frequent question we receive is why ITA 2000 did not recognize a “Thumb Print Scan” as a form of “signature” though thumb impressions have long been used as a substitute for signature in the physical world. It must be remembered that a thumb impression only identifies a person, but a digital signature identifies both the person and the document that he is authenticating. A thumb print (or a finger print) can be used in conjunction with the private key pair and hashing to replace the “password to invoke the private key”, but not to replace the private key altogether. Hence, the system of Indus Ind Bank does not qualify as an ITA 2000 compliant system and does not meet the RBI guidelines under the Internet Banking guideline of June 2001 or the E Banking security guidelines of April 2011.

If, however, finger prints need to be used as a replacement for passwords in, say, ATM machines, it is necessary that the system of identifying a finger print be improved with a determination of whether the finger print is “Live or Not”. One of the technologies recommended for this purpose is “Poroscopy”, where the sweat pores present between the ridges are also used for identification.

Some finger print scanners use updated technology whereby a “Liveness Score” is computed to check whether the finger print is of a living person or not. The latex prints will obviously fail this test.

Despite these innovations, any form of identity verification in the electronic domain involves capture and transmission of electronic data at the point of use and its verification against a pre-registered version. If therefore the back-end system can be manipulated by suitable malware, it is not difficult for the server to be cheated into believing that “What it sees is what it is expecting”.

Hence it is unsafe to use any form of finger print scanning as a substitute for a “Signature” in Banking transactions. If a man-in-the-middle attack can capture the finger print in an earlier transaction, whether banking or otherwise, it is possible for the fraudster to use the same electronic file to spoof a “live finger print” in a subsequent attack on other transactions, including banking transactions.

A man-in-the-middle attack which steals the digital signature of one transaction, however, cannot reuse it in another transaction, and to this extent the digital signature still has an edge. A digital signature may fail only if the digital certificate can be spoofed, which may happen when the real-time validation system is not used.
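The contrast drawn in the last three paragraphs, between a captured finger print template that authenticates whatever transaction it is replayed against and a captured digital signature that is bound to the hash of one specific document, is shown below as an added example. This is not code from the original article or from any bank's system: the "template" is a constructed byte string compared by simple equality (a deliberately simplified model of template matching), Ed25519 and SHA-256 stand in for whichever hash and asymmetric algorithms the CCA actually notifies, and the transaction fields and payee names are invented.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed stand-in for a banking instruction.
type Transaction struct {
	Payee  string
	Amount int
}

// Bytes gives a canonical encoding of the instruction so that the same
// transaction always hashes to the same value.
func (t Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("payee=%s;amount=%d", t.Payee, t.Amount))
}

// Digest is the hash the digital signature binds to (SHA-256 assumed here;
// the Act leaves the exact algorithm to the CCA notification).
func Digest(t Transaction) []byte {
	h := sha256.Sum256(t.Bytes())
	return h[:]
}

// BiometricServer holds the enrolled finger print template (constructed bytes).
type BiometricServer struct{ template []byte }

// VerifyFingerprint models "finger print as password": the server only checks
// that the presented template matches the enrolled one. The transaction is
// ignored because nothing in the template refers to it.
func (s BiometricServer) VerifyFingerprint(presented []byte, _ Transaction) bool {
	return bytes.Equal(s.template, presented)
}

// SignTransaction hashes the document and signs the hash with the private key
// (Ed25519 used as the asymmetric scheme for brevity).
func SignTransaction(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, Digest(t))
}

// VerifyTransaction recomputes the hash of the presented document and checks
// the signature against it, so a signature only verifies for that document.
func VerifyTransaction(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, Digest(t), sig)
}

// ReplayDemo plays out the man-in-the-middle scenario from the article:
// the attacker records what crossed the wire for one genuine transaction and
// later presents it for a different one. It returns whether each mechanism
// accepted the replay.
func ReplayDemo() (fingerprintReplayAccepted, signatureReplayAccepted bool) {
	template := []byte("constructed-minutiae-template-0001") // constructed enrolment
	srv := BiometricServer{template: template}

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	original := Transaction{Payee: "grocer", Amount: 500}

	// What an eavesdropper captured during the genuine transaction.
	capturedTemplate := append([]byte(nil), template...)
	capturedSig := SignTransaction(priv, original)

	// A later, different instruction that the attacker wants accepted.
	fraud := Transaction{Payee: "mule-account", Amount: 50000}

	fingerprintReplayAccepted = srv.VerifyFingerprint(capturedTemplate, fraud) // true
	signatureReplayAccepted = VerifyTransaction(pub, fraud, capturedSig)        // false
	return
}

func main() {
	fp, sig := ReplayDemo()
	fmt.Printf("replayed finger print accepted for new transaction: %v\n", fp)
	fmt.Printf("replayed digital signature accepted for new transaction: %v\n", sig)
}
```

The finger print check passes for the fraudulent instruction because the server compares only the template, whereas the replayed signature fails because the verifier recomputes the hash of the new instruction and the old signature does not match it. Liveness scoring, mentioned above, does not change this: it hardens the sensor, not the bytes that travel from sensor to server.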

The increased publicity from Indus Ind Bank can provide a false sense of security to users of the finger print as a means of authentication to critical resources through the insecure mobile network. In view of this and the MP scam, the CCA (Controller of Certifying Authorities) needs to release an advisory to alert the public that they should not perceive “Finger Print Banking” as being “As safe as Digital Signature Banking”.

Judicial authorities should also take note that the use of finger prints for authentication does not indicate compliance with RBI guidelines by the Banks, and hence should continue to be treated as “Lack of Due Diligence” under Section 85 or Section 79 of ITA 2000/8; the liability for fraudulent transactions where a digital signature has not been used will still lie with the Bank and not with the customer.

Naavi


Cyber Abuse is not Free Speech and Virtual Reality is not Reality

(This article was first published on bfirst.in)

The tragic suicide of a girl in Salem, who could not tolerate the threats to her dignity in the world of Facebook and decided to end her life, is an indication that the Internet, coupled with the omnipresent mobile, has thrown a serious challenge to society. The challenge is to find the means to prevent the adverse impact of virtual life on the real life of impressionable minds.

This is not the first time that a young life has been lost because of what happened on Facebook or Twitter, nor will it be the last. A couple of years back, an IIM Bangalore student ended her life because one of her boyfriends decided to “Un-Friend” her on Facebook, indicating that even well informed and tech-savvy persons who are successful in other aspects of their life can also be victims of this tendency of “Over reaction to Virtual Reality”, which we shall call the “VROR syndrome”.

This menace needs the attention of the society in general and psycho analysts in particular.

In the Salem suicide case, the suicide note indicated that the girl decided to end her life for multiple reasons which we need to analyze.

The principal reason, which was apparent, was that a morphed picture showing her scantily clad was posted on Facebook by a boy who threatened to post more such pictures. She felt humiliated by the socially unacceptable image of herself painted by the publication of the pictures. The boy was arrested two days after the suicide and has been charged with “Abetment to Suicide”. There were also two other contributory reasons which Cyber Sociologists should not ignore.

The first was that a complaint made to the Police remained unattended for more than 15 days. The Police did not act until the second threat of further pictures being posted reached the girl, prompting her to take the next step.

The other, slightly obscure but equally important, contributory factor was mentioned in the suicide note of the girl, which stated that she did not receive whole-hearted support from her own parents in the matter; they might have distrusted her statement that the photos were fake. The fact that the perpetrator sent a direct WhatsApp message to the parents and threatened to do the same again would have made them heap abuse on their daughter without understanding her own stress.

If we need to prevent recurrence of such events in the future, we need to address all three causes that led to the suicide. While the law will take its course regarding punishing the boy for multiple offences such as “creating false electronic documents”, “Causing defamation”, “Threatening”, “Outraging the modesty of women” and “Publication of obscene electronic content”, which have the potential to cumulatively put him behind bars for a long period of time, society needs to take its own steps so that such incidents do not recur.

In this direction, there needs to be action on the following three fronts.

  1. Fighting the VROR Syndrome

Firstly, we need to ensure that Social media users do not over react to events on cyber space to the extent of considering suicide as a means to escape the adverse turns in their Cyber life.

Psychologists and Cyber Sociologists should recognize this VROR syndrome as a psychological disorder induced by an addiction to cyber living and the belief that “Virtual Reality” is “Reality itself”. They need to develop appropriate measures to mitigate the risks associated with VROR syndrome in their interaction with the vulnerable sections of society.

VROR syndrome should be recognized as a field of study by the community and measures to counter its adverse impact on society should be identified.

Wide awareness of the adverse effects of VROR syndrome should be created through immediate programs conducted in Schools and Colleges, for which the Principals of educational institutions should take the necessary action. Such programs should encourage victims to fight cases of harassment or trolling rather than succumbing to the pressures.

  2. Informing the Uninformed

Additionally, there is also a need to simultaneously address the older generation in society who create pressures on the victims of social media abuse because of their own ignorance. The parents of the Salem girl who committed suicide were perhaps not aware of what “Morphing” is and how frequently it is used by deranged criminals to harass girls, whether for “Stalking”, “striking vengeance for rejection” or “blackmailing”. If they had been aware of such happenings, they would have sympathized with their daughter as a “Victim” and come to her moral support to fight the injustice meted out to her both by the erring boy and by the delayed delivery of justice by the Police.

The “Social Media” related awareness programs should therefore be also directed towards those who are today non-users of the social media. This “Social Media Awareness Program for Non Social Media users” is therefore also an important strategy in prevention of incidents of VROR.

  3. Strengthening the Law

Our discussion will be incomplete if we do not point out that there was a “Section 66A” in the Information Technology Act 2000/8 which addressed the issue of harassment through messages on mobile or the Internet and acted as a deterrent to the offences of abuse and harassment through messages.

Unfortunately, Supreme Court scrapped it in March 2015, under the false pretext of “Upholding the Right to Freedom of speech” and a wrong message was sent to all abusers that “Abusing a person on Facebook or Twitter is Free Speech guaranteed by our Constitution and protected by Courts”.

This has created confusion amongst the Police on how to address internet related harassment complaints, and a fear that they will be criticized by the Courts as well as the media if they invoke harsh measures. This could well be a contributory reason why the Police failed to act in the first 15 days, though they were able to crack the case in the next two days once the seriousness of the complaint was realized after the suicide.

It is now time to correct the perception that “Cyber Abuse is Free Speech”, which can be done only by reinstating Section 66A of the Information Technology Act 2000/8 through the Supreme Court taking up a suo motu review of the Shreya Singhal judgement and reversing the decision.


Naavi


Cyber Insurance-4: The enigma called Cyber Insurance Premium

[This is a continuation of our discussions on Cyber Insurance Survey-2015 ending with our previous article : …Who Should Get Insurance Cover?]

Last Friday (15th July), TATA AIG conducted a conference in Bangalore, attended mainly by CFOs of different industries in Bangalore, to promote their “Cyber Insurance” product. Cyber Insurance in India has been talked about for more than 5 years, but companies have been hesitant to push the product aggressively for fear that Cyber Risks may be too hot to insure. Most of the time the Insurance companies have been tentative in their approach and reluctant to discuss their policy offers in detail and in the open. In this background, it can be appreciated that Tata AIG at least considered spending some marketing rupees on promoting their product, though they hedged the marketing cost with their more popular D&O policy (Directors and Officers Liability Insurance) covering Directors’ liabilities for negligence and omissions under the new Companies Act.

The interaction followed the familiar logic that “Cyber Risks are growing and Companies may be facing huge liabilities and existential risks like what Sony or Ashley Madison faced recently, or some of the ransomware threats faced by Indian companies, and therefore they need to go for Cyber Insurance”.

However, the meeting failed to address the most important aspect, the “Cost of Insurance”, and how it can be brought down. Obviously, as the Risk grows, companies would be willing to consider Cyber Risk insurance, but unless the policy is reasonably priced it is difficult to expect Companies to really cover their risks.

According to a recent press release from TATA AIG itself, the policy premia for a Rs 5 Crore limit range from Rs 5 to 10 lakhs for the manufacturing industry, the education sector, and consulting, accountancy and similar professional services. This may go up to Rs 25 lakhs for the financial services, health care and telecom industries. This indicates that in the industry segments where there is a need for insurance cover and also some acceptability of the cost, the premia could be Rs 25 lakhs for a cover of Rs 500 lakhs, or nearly 5%. Whether a Flipkart or Ola or even a Bank would consider 5% an acceptable cost of insurance is doubtful.

Secondly, incidents like Sony and Ashley Madison make good discussion points for creating the threat perception, but it is difficult to believe that a Cyber Insurance policy would cover what was perhaps a Cyber War attack in the case of Sony or the patently illegal business of Ashley Madison. Such companies may take the insurance only for the sake of projecting their commitment to cover the risks, but their claims are unlikely to be accepted when the D-day arrives.

When we conducted the Cyber Insurance Survey 2015, therefore, we tried to get the perception about how the premia in a Cyber Insurance policy are determined.

A Cyber Insurance policy being a hybrid policy, with cover for both “First Party Loss” and “Third Party Liability”, the premia could be “Asset Value Based” for the First Party loss and “Discretionary Based” for the Third Party liability. However, the Insurance companies are not transparent about their premium policy, and hence the insured are not sure where they stand on the cost of insurance as well as on the success of their claims if required.

During our survey, 82% of the respondents felt that the premium should be fixed on the basis of the assets covered, and equally 86% felt that it should be based on the liability basis. The respondents of the survey might not have been clear about whether the “Value of Assets” meant the total assets of a particular type being covered or the value chosen by the insurer, and whether there is any agreement on how to value the “Data Asset” as distinct from the value of hardware and software. Whether data should be valued at “Potential Liability in case of a breach” or at “Cost of Acquisition” is not an easy question to answer, and there is no confirmation whether either the Insurers or the Insured have a clear understanding of this aspect.

The corporate respondents felt that discounts on premia should be based on the security posture of an organization, such as “Having been subjected to Compliance audits” and the “Robustness of the Information Security Policy” followed by the company. On the other hand, it is unclear to what extent “Past Incidents”, some of which might not have resulted in any liability, should influence the premium fixation. More than 82% of the respondents of the survey had expressed the view that discounts should be provided for different IS audits, to distinguish between two companies with similar risk profiles but different risk mitigation efforts.

TATA AIG only indicated that each proposal will be vetted by a team from KPMG, which may make an assessment of the risk before the premium is quoted. Greater transparency on such matters is needed before potential customers can give it serious thought. Similarly, there was a need for TATA AIG to explain whether they had faced any claim situation in India and, if so, of what type and how it was responded to. Without such information being shared in generic terms, it is difficult for companies to take a view on the feasibility of Cyber Insurance.

I hope TATA AIG would, in their future interaction with the industry, try to be a little more transparent and let companies develop some trust in the feasibility of Cyber Insurance. And of course, a 5% premium is considered usurious, and it will be difficult for any company to set aside such a huge percentage of its resources for a potential liability cover.

Surely, the dilemma of the Insurance Companies about the enormity of the risks is understandable, but they need a better understanding of the Cyber threats, of Vulnerability management and of the real rupee risks in India before trying to quote impractical premiums.

Hopefully the Insurance companies will realize that there is a huge market potential for Cyber Insurance in India, and if they can quickly improve their risk assessment and risk pricing skills there is good business to harness. The other insurers such as ICICI Lombard and HDFC Ergo, who also have Cyber Insurance policies, need to take lessons from TATA AIG, which claims to be the market leader at this point of time, and structure their own offerings attractively.

Naavi
