
Naavi.org

Building a Responsible Cyber Society…Since 1998

Cyber Dispute Resolution over an ADR Process

Posted by Vijayashankar Na on April 6, 2017
Posted in arbitration, ITA 2008

India gave legal recognition to electronic documents with the passage of the Information Technology Act 2000 (ITA 2000) on 17th October 2000. The Act recognized contraventions of different kinds and prescribed civil penalties in some cases and criminal penalties in others. It also laid down a detailed grievance redressal procedure for claiming damages, through an institution called “Adjudication”, with an appeal to the Cyber Appellate Tribunal (CyAT, which has since been renamed the Appellate Tribunal or AT and merged with TDSAT).

Over the past 14 years (Adjudicators were first appointed in 2003) we have seen how these Adjudicating offices have functioned. Most Adjudicating Officers are not interested in shouldering this responsibility, and the few who were doing a good job have been transferred out for various reasons. There are also a few whose decisions have done them no credit. At the end of it, we can say that the system of Adjudication has not been the success it was meant to be.

The CyAT also functioned for nearly two decades without a single valid judgement coming out of it. This itself was the justification for merging CyAT into TDSAT.

In view of the non-functioning of the Adjudicators and the CyAT, many disputes landed up in the courts, burdening a system already reeling under a huge mountain of pending cases.

The criminal cases have landed up with the Police, and most of them are pending investigation since the Police do not have the time, or the necessary expertise at every Police Station, to handle complex Cyber Crime cases.

In this context there is a need for the community and the Government to consider adopting the “Alternative Dispute Resolution” (ADR) process for Cyber Disputes in a big way.

We can note that ADR is already being used in some domains of Cyber Disputes. For example, most E-Commerce companies have been using Mediation and Arbitration to resolve disputes with their customers, treating them as “Consumer Protection” issues.

But a more formal system of ADR needs to be established to deal with all Cyber Disputes, so that the burden on legacy systems such as Adjudication and the Police is reduced without adversely affecting the law of the land applicable in such cases.

Cyber Disputes Mediation and Arbitration Center (CDMAC) is in the process of developing this ADR for Cyber Disputes within the provisions of ITA 2000/8.

What is being proposed is the invocation of an ADR process as a support to the Adjudication system and to the Criminal justice system, within the boundaries of established law under Section 63 and Section 77A of ITA 2000/8.

Section 63 of ITA 2000/8, states as under:

Sec 63: Compounding of Contravention

(1) Any contravention under this Act may, either before or after the institution of adjudication proceedings, be compounded by the Controller or such other officer as may be specially authorized by him in this behalf or by the adjudicating officer, as the case may be, subject to such conditions as the Controller or such other officer or the adjudicating officer may specify:

Provided that such sum shall not, in any case, exceed the maximum amount of the penalty which may be imposed under this Act for the contravention so compounded.

(2) Nothing in sub-section (1) shall apply to a person who commits the same or similar contravention within a period of three years from the date on which the first contravention, committed by him, was compounded.

Explanation – For the purposes of this sub-section, any second or subsequent contravention committed after the expiry of a period of three years from the date on which the contravention was previously compounded shall be deemed to be a first contravention.

(3) Where any contravention has been compounded under sub-section (1), no proceeding or further proceeding, as the case may be, shall be taken against the person guilty of such contravention in respect of the contravention so compounded.

Under this section, the Adjudicator is empowered to permit compounding of the issue before him where he would otherwise be likely to pass an order for payment of compensation under Section 46 of the Act.

What is proposed now is for the Cyber Disputes Mediation and Arbitration Center (CDMAC), if approached by the parties to the dispute, to take up Mediation or a Non-Binding Arbitration, the outcome of which is then submitted by the parties jointly to the Adjudicating Officer for ratification if required. If the parties come to an amicable settlement, the process can be closed at the CDMAC level itself. If, however, one of the parties has refused the terms of Mediation, or there is a “Non-Binding Arbitration Award” by which one party refuses to abide, the matter has to be taken up by either party before the Adjudicator.

It would be open to the Adjudicator to ignore the prior proceedings at CDMAC completely, hear the issue afresh and take a decision. Where CDMAC has undertaken a mediation effort that has failed, the confidentiality clause means the CDMAC proceedings will not be placed before the Adjudicator. If, however, the CDMAC process was a “Non-Binding Arbitration” rather than Mediation, the Arbitration Agreement may provide that the evidence presented in the Arbitration before CDMAC, and its non-binding conclusion, can be placed before the Adjudicator for him to use in whatever manner he sees fit.

If this process is used, many disputes may be settled at the mediation level itself and in other cases, the Adjudication process can be speeded up.

Similarly when it comes to criminal issues, section 77A states as follows:

Section 77A: Compounding of Offences

(1) A Court of competent jurisdiction may compound offences other than offences for which the punishment for life or imprisonment for a term exceeding three years has been provided under this Act.

Provided that the Court shall not compound such offence where the accused is by reason of his previous conviction, liable to either enhanced punishment or to a punishment of a different kind.

Provided further that the Court shall not compound any offence where such offence affects the socio-economic conditions of the country or has been committed against a child below the age of 18 years or a woman.

(2) The person accused of an offence under this Act may file an application for compounding in the court in which the offence is pending for trial and the provisions of sections 265B and 265C of the Code of Criminal Procedure, 1973 shall apply.

Here again the power to compound lies with the Court, and any Mediation proceedings prior to this will only assist the Court in receiving a settlement agreement and quickly disposing of the matter. Again, if there is no agreement under the banner of CDMAC, the Court will proceed to do what it would otherwise do.

Hence what is being proposed is a private sector initiative to reduce the burden on the Adjudicating Officers and the Criminal Courts; the system in no way curtails the existing judicial protection available to the parties.

Since the use of CDMAC services is purely voluntary, there is no reason not to give this system a fair trial; in due course it may develop into an effective ADR mechanism for Cyber Disputes.

CDMAC proposes to use Online Dispute Resolution (ODR) facilities, which would be a great advantage to the disputing parties in reaching a settlement without the hassle of personal hearings in physical meetings. CDMAC also proposes to use the services of techno-legal experts who can interpret forensic findings and Cyber Laws in a manner the parties may find more satisfying than the legacy systems.

CDMAC proposes to use the following types of ADR:

a) Assisted Negotiation

b) Mediation

c) Conciliation

d) Non Binding Arbitration

e) Binding Arbitration

The disputing parties may choose what suits them best and sign a “Consent” contract indicating their acceptance of the ADR method to be used.

If CDMAC handles disputes professionally, parties should be happy to treat their dispute as resolved without further action, and the cost of CDMAC, which may well be lower, would then substitute for the cost they would otherwise have incurred. If, however, CDMAC’s intervention is not fruitful, the cost incurred at CDMAC would be an additional expense.

CDMAC is developing proper rules of the kind normally adopted by arbitration institutions under the Arbitration and Conciliation Act, 1996 (as amended in 2015) and will try to conduct its operations within the parameters of this Act. It will try to set up an organizational structure that ensures that appropriate members are available for Mediation and/or Arbitration, that the rules of conduct are fair and that costs are reasonable.

At this point in time, views from experts in the field are being sought as to how this system can be structured to be of use to society; the project is considered to be under incubation. Any suggestions and comments in this regard can be sent to Naavi.

Naavi


The Cyber Security Framework (CSF-2016) proposed by RBI for implementation by Banks has posed a stiff challenge to the community of Bank Directors. After the lukewarm response from Banks to its previous guidelines, including the E-Banking Security Guidelines (GGWG Recommendations) of 2011, RBI has now tried to tighten the screws on Bank boards and has therefore repeatedly placed direct responsibility on the Board of Directors of Banks for ensuring implementation of the recommendations under CSF-2016.

The countdown has already started. By September 30, 2016, RBI wants several aspects of its recommendations to be in place; that is hardly 51 days away, with probably not more than two board meetings left to review the implementation. The challenge is stiff, but we need to make a start and start running. The spirit is to make an honest attempt. After all, we are in the season of the Olympics and participation is the key: making an honest attempt to win is necessary, but actually winning is incidental.

Let us briefly review the challenge that our Bank Directors now have on their hands. Directors in Banks, and more particularly the “Independent Directors”, need to take note of the following in their own interest.

The first deadline given by RBI was July 31, 2016, by which the Board should have approved a “Gap Analysis” and signed off on a report sent to the DBOD. Most Banks should probably have completed the formality by now. Those who have shot off the report may now review whether it was complete, and those who have not need to review how quickly they can recover the lost ground.

Banks already have some infrastructure to handle Information Security, and there will be a sub-committee of senior executives already assigned to the task of managing Information Security in the Bank as per the GGWG guidelines. There is also a CISO in most Banks. The CISO should therefore present (or should already have presented) to the Board his assessment of the gap and a recommended action plan.

If not, summon another Board meeting immediately and ask the CISO to make a presentation. Even if a note has already been presented, it is recommended that the CISO be asked to present his views on the Gap Report already sent to RBI and any modifications that may be required.

The “Gap Report” is to document the current status of implementation of the “Cyber Security Program” vis-a-vis the recommendations contained in the Cyber Security Framework-2016 elucidated in the RBI circular of June 2, 2016.

Obviously, in order to prepare this Gap Report, or approve it as a member of the Board of Directors, there is a need to understand the CSF-2016 document and absorb its implications. This itself requires a deep understanding of the nuances of Cyber Risk Management, without which the Directors can easily be misled that “All is Well” and ignore the urgent action to be undertaken.

The first questions to be raised are:

  • It is a requirement of CSF-2016 that the Board of Directors be adequately trained on Cyber Security issues. Has the CISO organized such an awareness program for the Directors? If not, when is it scheduled?
  • In order not to waste further time, the agenda for the next Board meeting should include a presentation by the CISO not only of the action plan under CSF-2016 but also a general briefing on the implications of CSF-2016.
  • Since the CISO is the implementing party, it is better if such a training program is organized by an external consultant who understands the issues in managing Information Security in the Banking environment, and it should precede the CISO’s presentation so that the right questions can be put to the CISO.
  • Since it is embarrassing for the Board to call for a training for itself, it is better to call it an “Interaction with an expert” or a “Round Table” in which the implications of CSF-2016 can be discussed by the members of the Board along with the CISO and his team.

Some of the challenges that the Directors need to meet during this initial interaction are:

a) The Gap Report should have identified the Cyber Threats that confront the Banking environment, considering the business and product profile of the Bank. The CISO should have developed a “Threat Register” to identify and list the threats.

b) The Gap Report should have identified the Cyber Vulnerabilities of the system, including the technical, regulatory and manpower-related deficiencies in the system.

c) Based on the threats and vulnerabilities, the CISO should have developed a “Risk Register” listing the individual Cyber Risks that confront the Bank.

d) The “Risk Identification” should not be restricted to technical matters only; it should also address legal issues such as compliance with the Information Technology Act 2000 as amended in 2008 and later (ITA 2000/8), and take into account the human factors that can result in exploitation, at both the employee level and the customer level.

e) The Risk Identification also has to assign a measure of risk criticality, which can be either a subjective evaluation of “Low Risk”, “Medium Risk”, “High Risk” etc., or a value assigned in an objective manner where possible.

f) The CISO should also indicate and recommend a “Risk Management Policy” stating how much of the risk can be avoided, how much can be transferred through insurance, how much can be mitigated by various measures and how much has to be absorbed by the organisation.

g) The CISO should also present a brief overview of a “Risk Mitigation Plan” and suggest what the “Risk Appetite” of the organization should be. It is, however, the Board’s decision to determine the “Risk Appetite” of the organization, which reflects the extent of risk it is willing to absorb in the interest of business, since ultimately commercial activity is always a risk-return trade-off.

h) The CISO may also be asked to present his specific recommendations on the status of implementation of the 24 baseline controls indicated in Annexure 1 of CSF-2016, as well as on how to approach the SOC set-up indicated in Annexure 2 and the incident reporting structure indicated in Annexure 3 of CSF-2016.

The “Gap Report” is only a starting point and may be imperfect. But what is required is to set in motion a corrective plan so that by September 30, 2016, when a comprehensive “Cyber Security Policy” along with an operating “Security Operations Center” and a “Cyber Crisis Management Plan” is to be presented to RBI with the recommendations of the Board, the Directors are fully aware of the responsibilities they undertake in submitting the plan.

This is also the time for the Board to review whether its current information security management infrastructure is adequate or needs to be augmented. Finding the right people in the domain is not easy, and even if a decision is taken today, it is impossible to get quality people in place before the September 30 deadline. Hence the first set of actions has to be initiated by the existing team, summoning whatever assistance it can gather from within and from available external consultancy resources.

There is no doubt that your CISO will say that setting up an SOC is a long-term project and that even a proper risk assessment will take time. But RBI has taken this into account and advised that Banks cooperate amongst themselves through the CISO forum coordinated by IDRBT to share knowledge and achieve the goals faster than they otherwise would.

This, however, requires the shedding of individual egos of Banks and their CISOs, and working in a spirit of cooperation for the benefit of the Banking community as a whole.

The Board has a responsibility to support its CISO in exploring such cooperation in a spirit of give and take, so that professional CISOs are not constrained by fears of breaking the norms of secrecy that often shroud the operations of information security departments.

With these introductory words, I urge the Directors of Banks to accept the challenge placed before them by RBI and strive towards achieving the Cyber Security goal, however difficult it appears to be.

Naavi

 


The security world is warning Indian Android mobile users that the malware HummingBad, which has been spreading fast across the globe, poses a threat to Indian mobile users as well.

The malware, which is reported to have infected around 10 million Android devices worldwide, generates ad revenue of over $300,000 a month for its Chinese owner “Yingmob”, a Chinese mobile ad server company which had already been linked to the development of malware targeting Apple iOS devices.

Once on a device, HummingBad can exploit a full range of paid services, including displaying mobile ads, creating fraudulent clicks from users’ devices and installing additional fraudulent apps. According to Check Point, the apps display more than 20 million advertisements per day, and Yingmob achieves over 2.5 million ad clicks per day, which translates into significant revenue. Yingmob’s average revenue per click (RPC) is $0.00125, so accumulated daily revenue from clicks is over $3,000. Added to revenue from fraudulent app downloads, which exceeds $7,500 daily, Yingmob makes over $10,000 per day, or more than $300,000 a month.

Under Indian law, such unauthorized introduction of code is treated as a “computer contaminant” and is an offence under Section 66 of ITA 2000/8. In case any of the infected mobiles is the property of the Government of India, the intrusion can be considered an offence under Section 66F, which is treated as “Cyber Terrorism” and for which “Life Imprisonment” is possible. Also, in view of Section 75 of ITA 2000/8, Indian Courts have jurisdiction to try this offence and pronounce a verdict.

In order to discourage legitimate commercial companies from taking up cyber crime as a business, it is necessary that such activities are nipped in the bud. I therefore urge the Indian Government to lodge a formal complaint with evidence obtained from Check Point, prosecute Yingmob for the Section 66F offence in India, and then take up the issue at the international level.

This trend of mobile malware that tries to root the system may also be commercially beneficial to mobile companies, since users tend to get fed up with the slowing down of their devices and often decide to buy a new mobile rather than put up with persistent malware-induced performance attrition. Probably the Chinese mobile industry is therefore not so unhappy that there are companies like Yingmob in its midst.

Besides, the growth of mobile ransomware poses an unimaginable threat to India’s Digital India program. If proper defensive action is not taken to prevent Yingmob-type companies from using their resources to commit international crimes, the Indian economy is in danger of being swamped by a Cyber war attack launched through the same mobiles through which HummingBad may be operating today as a relatively less harmful, performance-reducing malware. Left unchecked, it can become a monster in the days to come.

It is time India takes a lead in checking such malpractice and show to the world that such deceit does not pay.

Naavi


The Case of stolen NSE Live Data

Posted by Vijayashankar Na on July 6, 2016
Posted in cricket, ITA 2008

(P.S: The discussion that is contained herein is for educational purpose and in exercise of free speech rights in public interest of journalism)

The Incident as Reported

An interesting case has been reported from Mumbai, where the Mumbai Cyber Cell has arrested a person from Durgapur for illegally selling a “Live NSE Feed”. The accused, one Mr Rajendra Kumar Chell, has been booked under Section 420 (Cheating) of the IPC besides Sections 66 and 66B of ITA 2000/8.

The complaint was filed by a manager of NSE working in an NSE group company, DotEx International Ltd (a 100% subsidiary of NSE), which has purchased exclusive rights to sell live capital market data. DotEx was providing this service to 33 other companies.

Around October 2015, DotEx noticed that two websites, neither of them its customers, appeared to be selling NSE live data and, when approached, offered the service for a fee. On payment, the complainant was provided with a TeamViewer ID and password through which access was given to live data. By logging in through TeamViewer, the user could view the “NSE Now Terminal System” and the live market data. The complainant alleged that the two website owners had stolen NSE’s live data and were selling it illegally.

On receiving the complaint on January 19, 2016, the police traced the accused through the bank account to which the subscription amount (Rs 2550, presumably per month) was credited, and the arrest was made on 2nd July 2016.

(Details of the case as reported in dnaindia.com)

Presumption

It is not clear how the accused first acquired the data. It is possible that he was one of the legal subscribers to the DotEx service and shared it with others like a “Sub Broker”.

“The NSE’s real time data is provided in three levels (level 1, level 2, level 3 and tick by tick). Level 2 provides market depth data upto 5 best bid and ask prices and Level 3 provides market depth data upto 20 best bid and ask prices. The real time data feed is provided in TCP-IP format. It is provided on-line through a dedicated 2-10 mbps channelized E1 private leased line circuits. This line shall be owned by the customer and the line should be from National Stock Exchange, Mumbai to the premises of the customer. Alternatively, the customer can take the data from one of our authorised data vendors.” (Source: DotEx website)

This is raw data which users need to process through appropriate systems and software. According to the NSE tariff table, the level 3 service on a tick-by-tick basis offered on a “Terminal Basis” may cost as much as Rs 99 lakhs for both the capital market and the Futures segment. It can be used “free” by 300 users, with an additional Rs 1140 per month per user thereafter.

It is presumed that one such user has re-sold the service. It is also possible that the accused subscribed to the service legally with one of the brokers who is authorized to sell the data and tried to re-sell the same data to his own customers.

Alternate Legal Interpretations

The case represents certain important legal interpretations and opens up some old discussions on the principles involved in Copyright law.

Presently the case has been booked under Section 420 of the IPC and Sections 66 and 66B of ITA 2000/8.

Section 420 of the IPC is a broad section and states as under:

420. Cheating and dishonestly inducing delivery of property.—Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.

In the instant case, the “Property” is the “Live NSE Data”. Assuming that the property belonged to DotEx as exclusive licensee, the allegation is that it was dishonestly sold to others by the accused. Whether this qualifies as “Property” under the IPC is a matter to be discussed if IPC sections are to be applied to the case.

On the other hand, Section 66 of ITA 2000 is a reflection of Section 43 and covers “Unauthorized Access” to a computer system, including data. Section 66B applies to the “usage of a stolen computer resource”, which includes data. Hence the applicability of ITA 2000/8 is undisputed, though the cause of action under Sections 66 and 66B needs to be established. This revolves around whether the sharing of the data was authorized or not.

The angle of License Rights

The interesting aspect of the case is what rights the accused had with regard to the data and whether he wrongfully exceeded those rights.

More than the concept of “Data Theft”, this offence appears to fall in the domain of transgression of a “License to use”. If the accused was an authorized user in the first place and re-sold the data to others, it may not qualify as “Data Theft” or “Unauthorized Access”, but may have to be debated under the “Terms of usage of the license”.

The scheme as reflected in the NSE tariff card envisages that an authorized user can in any case share the data with 300 free users, and with more on payment of an additional fee. It is possible that the accused was one such licensed user of another licensee.

In the instant case, the accused further used TeamViewer to create a “closed system of sub-users” who were authorized to share the feed, which was available to him probably as a legal right. If, therefore, the first right was legal, the sale thereof would be legal or otherwise depending on the contract under which the first right was obtained.

SEBI regulates the scheme of “Sub Brokers” and “Investment Advisors” as regards providing “Investment Advice”, from the point of view of investor protection. But SEBI regulation may not prohibit distribution of raw data on which investors may take their own decisions. Hence in the instant case there may not be any violation of SEBI regulations. Moreover, if the concept of “Sub Brokers” and “Investment Advisors” as regulated by SEBI permits providing investment advice as well as data sharing services through the broker’s own shared “Trading software”, there is an implied permission for brokers to share NSE live data with their customers.

The key point that determines this case is therefore how the accused first came to possess the right to the data and on what terms. If the terms under which the accused acquired the data did not specifically prohibit sharing it with others, whether for consideration or otherwise, it may be difficult to make the charges stick.

In this connection, I am reminded of an old debate on copyright in which it was discussed whether a “License to a Music CD” obtained by a person entitles him to play the music aloud in such a manner that it can be heard by other non-licensees in the vicinity, some of whom may be members of the licensee’s family and some not. (P.S: Reference may be found in the archives of naavi.org)

We can also debate whether such “Licence Rights” extend to playing the music on loudspeakers at a function for a fee.

We have similar debates where TV broadcasters and cable operators object to the playing of TV in a public place such as a restaurant, arguing that the licence given is for use by a “Single Person”. Even BCCI and ICC have used such rights to restrict the provision of live feeds of cricket match scores, the taking of pictures of live sports action, etc.

It appears that in the instant case also a debate will ensue on whether the data feed displayed on a screen should be viewable only by the licensee and nobody else.

The trend in the copyright arena is to narrow down licenses to such an extent that every use of the licensed material, whether personal, educational or genuinely commercial, falls under a different form of licensing, so that the user can be bled to the last drop of his blood.

It must also be remembered that the data in this particular instance is a record of the activities of investors as captured by the system. NSE is only an aggregator of the actions of investors who bid, buy or sell. The live data feed is therefore not an originally created “Intellectual Property” of NSE. Hence NSE’s right over the live data feed is not “Absolute”.

A comparable example is a sports event, where the sportsmen create the spectacle but the “Organizer” claims the right to the viewing of the “Spectacle”. However, in a cricket match organized by BCCI, BCCI pays the players, and so can claim the right to the view of their performance. In the case of NSE, the investors pay money to NSE in different forms, and hence NSE cannot automatically claim the right to display the actions of the investor.

Hence there are several larger and complicated issues involved in determining whether the charge in this instance can be upheld.

If the present charge is upheld, there could be a fallout affecting several other contexts of data usage beyond the stock markets.

In particular, in the stock market domain, it would affect every licensed live data feed owner, such as a broker. If the concept of “Live data feed is only for the licensee” is upheld, every employee of the broker who works in the trading hall and may view the live data feed on the traders’ screens would have to be treated as a “Licensed user”.

Similarly, if a customer of a broker is using the broker’s feed on his personal computer and his friend or colleague is shoulder surfing to find out how a share is moving, it could be construed as an offence of data theft.

From the preliminary information available, it is unlikely that either DotEx or any of its 33 licensed data users and the scores of licensed brokers have robust usage contracts that prohibit the viewing of trading screens on a user’s computer by friends and family members of the licensed users. They may, however, now make retrospective changes to their contracts to manipulate the terms of usage of their live data feed to protect their interests, unmindful of the possibility that such unilateral changes to contractual terms may amount to offences under Section 65 or 66 of ITA 2000/8 as well as offences under the IPC for manipulation of evidence.

I wish that the Court which goes into the case understands the possibility of an undesirable consequence of its decision if it upholds the charge and rules that a licensed user cannot share the trading screen with another, which would require every computer user to ensure that his computer screen is not visible to anyone but himself while a trading screen is running, and takes a consumer-centric view of the incident.

(The above discussion is for academic purpose and in exercise of the journalistic freedom of speech and is based on the information available at this point of time. I reserve the right to change my views if additional information becomes available)

Naavi

Related Articles:

When you buy music, will you be buying trouble?

Copyright Act amendments in India.. Watch Out for surprises

Print Friendly

The mystery land of Cyber Insurance-2: What is Cyber Insurance?

Posted by Vijayashankar Na on June 10, 2016
Posted in Cyber Crime, ITA 2008

Naavi, along with some of his friends, embarked upon a study of the status of Cyber Insurance in India titled "India Cyber Insurance Survey 2015". Some aspects of this survey have been briefly referred to on this site earlier. Now, based on the results of the survey, more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community….Naavi

When the exploration of the Cyber Insurance land was contemplated, it was known that awareness of the concept of Cyber Insurance was low in the market. Hence the expectations of the study were set low, and it was no surprise to find that the penetration of Cyber Insurance in India was low. Some of the reasons for this status, despite the growing Cyber Crime threats, are analysed here.

Penetration Levels:

Let us analyze one set of the responses which indicated as under:

92% of the respondents, who represented different IT user entities, had no experience of taking Cyber Insurance.

54% of the respondents stated that they are unlikely to consider in the near future.

90% said that they will consider only if they suffer any loss in a cyber attack.

74% said that they will consider only if they suffer an attack on themselves.

72% said that they may consider it if a suitable product at the right price is available, and 80% said that they will consider it if there is a mandate.

The respondents were all senior professionals from the IT sector and included CEOs. For 54% of them to say they are unlikely to consider Cyber Insurance in the near future was very disappointing.

The fact that 90% said that they will consider it only if they suffer a loss indicates the dreaded syndrome of "closing the stable door after the horse has bolted".

I can categorically state that many organizations may either not survive their first attack or may get so badly battered that survival after the attack becomes an unending struggle. None of us knows what destiny holds for us. But to take Cyber Risks so lightly is nothing short of recklessness and a readiness to commit harakiri.

I therefore strongly urge entrepreneurs of all kinds to shed their complacency and take a look at the need for Cyber Insurance.

I also want to highlight here that the need for Cyber Insurance is greater for entrepreneurs than for Cyber Security professionals, since the business risk lies mostly with the entrepreneurs and their investors. If a company suffers a fatal attack, the Cyber Security professionals can easily walk out and settle in another company, enriched by the experience. Their loss is for a limited time and can be overcome. But for the entrepreneur, the loss of his dream project may be the end of the world.

Hence it is the company promoters, directors, investors and business managers who need to watch out for what I am about to say on Cyber Insurance in these columns.

Cyber Insurance is part of Cyber Security Management

Cyber Security professionals who understand that Cyber Security management consists of the four strategies of "Risk Mitigation, Risk Transfer, Risk Avoidance and Risk Absorption" (the last also called risk acceptance), and that "Risk Transfer" is achieved through Cyber Insurance, should also take note. After all, they are senior professionals today and many of them will be owners of businesses in the Start Up revolution that is sweeping our country.

The first reason why a responsible professional is not keen on Cyber Insurance is that there is less understanding than needed of what "Cyber Insurance" is. Let us therefore try to address this issue first.

Two Components of Cyber Insurance

Cyber Insurance has two major components. The first insures self damage: losses suffered by the insured are covered by the insurer. The second covers the liability the insured may incur, when a Cyber incident occurs, to pay damages to an outsider. Cyber insurance covers this as "Liability insurance".

It is easy to understand this concept by comparing it with Motor Insurance. In motor insurance, if an accident happens, the owner of the vehicle is compensated for the repair of the vehicle. At the same time, if under the Motor Vehicles Act he is liable to pay damages to third parties, that too is covered.

Cyber Insurance is like Motor Insurance in that it has the two components of "Own Damage" and "Third Party Liability".

A "Cyber Incident" may happen for many reasons. It can happen due to internal technical issues, including physical ones such as an electrical outage, flood or fire. It can happen due to a fault in hardware or software. It can happen due to human failure, such as negligence of employees. It can also happen due to the malicious intent of humans, including insiders and unknown attackers from the wild. Among such attacks are those categorized as "Zero Day Attacks", which exploit a vulnerability that even the manufacturer of the software/hardware was unaware of (and so has not patched) at the time the product was sold in good faith to the IT user who now faces a liability situation.

Asset Valuation Issues

A glance at the various causes of loss that may come under the umbrella of Cyber Insurance shows why Cyber Insurance is complicated and poses a challenge not only to the insured but also to the insurance industry itself in structuring a suitable policy.

For example, to insure "Own Damage" one needs to value the Cyber Assets. While it is easy to value hardware and purchased software, for which there is a cost and a depreciation, the value of internally developed software has to be arrived at by assessment. A large part of the cyber assets is also in the form of "Data", which is acquired at a cost. The resident data should therefore be valued too.

Now check with your CFO whether a proper valuation of the cyber assets is reflected in the balance sheet, and whether your current asset valuation policy, designed for the P&L, is well suited for claiming insurance.

Most companies write off all software purchases as "Expenses" even though their beneficial use is spread over several years. Hence many soft assets continue to be used long after they find no mention in the balance sheet. For hardware, the practice is often to retain a nominal value of Rs 1 in the balance sheet even after the value is fully depreciated, for a conservative reflection of the P&L. A similar approach is required for any software acquired at a cost, so that no asset remains off the radar. When a cyber event occurs and the company has to regroup, what is relevant is the "Replacement Cost" of the asset, not the depreciated value shown in the balance sheet.

It would of course be convenient for the insurance company if the insured states that what he has lost is of "Zero Value" on the books while it costs a fortune to replace. The insurance company may simply value the assets at book value and deny any compensation.

There is therefore a first hurdle of "Asset identification and Valuation" for the purpose of "Cyber Insurance", on which the industry has to reach a convergence. Perhaps the Chartered Accountants and the Institute of Chartered Accountants need to consider whether their asset valuation system needs to be reconsidered.

I would urge the Institute to consider valuation of IT assets on “Replacement Cost”.  Depreciation may be considered as first tier, second tier and third tier. The first tier depreciation would be the writing off of the cost over the estimated useful period of the asset. The second tier depreciation could be the conservative approach where assets are depreciated faster than their useful life as a conservative practice. The third tier depreciation would be the equalization amount which arises due to the revaluation of the asset at replacement cost.

If accountants follow this system of representing asset value, then analysts can pick either the replacement value or the book value as they please. Insurance companies may use the replacement cost for evaluating compensation, while shareholders and SEBI may look at the lower asset value as a conservative estimation of profits.

Where software assets are developed within the company, a valuation process is needed which is today mostly absent. Only service companies that bill their services to clients have a good system of evaluating their operational costs. Others ignore the internal development cost, which gets debited to the P&L as an expense. There is a need to maintain employee work records and assign them to the valuation of Work in Progress and later to the completed asset. If this can be done, there would be greater efficiency in the operation of many IT companies. This is of course the work of a Cost Accountant, who can develop a system of valuing the service component that can be rightly priced for business purposes while at the same time providing the asset value for insurance purposes.

The last category of asset is "Data". While the company can value "Data" on the basis of its acquisition cost, during a cyber incident leading to a liability and an insurance claim, what is relevant is not the acquisition cost of the asset but the loss which the victim has suffered and has claimed from the company under the rights given to him by law.

Dependency on Compliance

This "Liability" estimation depends on the "Legal Compliance" status of the company, such as "Reasonable Security Practice" and "Due Diligence" under ITA 2008, and also on the Privacy Rights granted under the Constitution or other laws. Additionally, the efficiency of our legal system, and whether victims are aware of their rights and make adequate claims, will also influence the losses which the company suffers and expects to be covered by the insurance policy.

Just as Liability insurance depends on the ITA 2008 compliance of the insured, the estimation of the replacement value of soft assets depends on the Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) status of the company. If a company has excellent DR and lost assets can be recovered in full without much cost, the replacement cost, and with it the insurer's liability, will be reduced.

It is for this reason that the survey went into the Compliance status in greater detail; the responses will be discussed in subsequent articles.

Declared Value of Assets

Practically, when an Insurance contract is written, the insured and the insurer have to agree on the value of the assets, since it determines not only the liability but also the premium. The general practice is for the proposer to seek insurance based on the details furnished in the proposal form, which include the value of the assets to be insured. The insurer looks at the value and determines the premium.

If the insured and the insurer are not on the same level of understanding, the contract may be vitiated by the declarations made by the proposer, which always works to the advantage of the insurer.

The insurance contract is considered a contract "uberrimae fidei", or a "contract of utmost good faith", and in such a contract the entire responsibility to make truthful declarations lies on the proposer. The insurance company can accept the declarations in good faith and later rescind the contract when a claim is made, on the grounds that the proposer was aware of some adverse aspect which he did not declare at the time of the proposal.

The easily understood example is health insurance where one fails to disclose pre-existing diseases. The insurer may accept the proposal and charge a premium based on the declaration, but if a claim arises, the insurance company goes into investigation mode and finds that there was a pre-existing condition which would have altered the premium and the risk; since it was not disclosed, the entire contract is declared invalid and the claim denied.

A similar situation may arise in Cyber Insurance if the insured fails to declare earlier security incidents, weaknesses in its DR/BCP or other information security issues. "Hiding the truth" is therefore not a good strategy at the time of insurance, and this is a challenge for professionals, since they might have hidden the truth even from their own management in the past. Hence a strong "Security Incident Management" policy, properly implemented, is essential for writing a robust insurance contract.

Another factor which the insured should remember is that if the valuation of assets at the time of insurance is lower than at the time of the claim (when a re-assessment is made, as is the general practice), it may be treated as "Under insurance", and the insurance company may decline to pay the full loss, treating the shortfall as "Self Insurance".

Hence it is important for the insured and the insurer to agree upon a proper valuation system so that there is no dispute over "Under Insurance" or even "Over valuation", even though the value may naturally appreciate or depreciate for various reasons.

Need for Well Structured Policies

These complications are perhaps one of the reasons why 72% of the respondents to our study felt that they may consider Cyber Insurance if a suitable product at a suitable price is available.

This also indicates what an insurance company needs to do, now that it knows that the 92% of respondents who have never taken Cyber Insurance are potential customers who may consider such products.

If the complications of asset valuation and the like cannot be sorted out to mutual satisfaction, insurance companies will offer coverage with sub-limits for different types of loss. Though this may not be a perfect solution for the insured, it represents a way forward for further refinement of the product.

(…Discussion to continue)

Naavi

Earlier Article in the series:

The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”


Has RBI Permitted Social Media Banking?.. What about audit of Mobile Apps?

Posted by Vijayashankar Na on April 25, 2016
Posted in ITA 2008

We have been following the discussions on how the Unified Payment Interface (UPI), introduced by NPCI with RBI's approval, has created one big security risk: the telecom links have been given direct access to the banking transaction servers through the execution of USSD codes.

Though the authorities claim to have adequate security, customers are yet to be convinced that RBI and the Banks are telling the truth.

Does it mean that Banks and RBI can lie?

I would like consumers to draw their own conclusions from the following RTI exchange between one Mr Sisirkumar and RBI.

(P.S.: Though this RTI pertains to ICICI Bank, the issues are expected to apply to other Banks also.)

Mr Sisirkumar of Vijayawada made a simple RTI query to RBI raising the following questions:

  1. Details of the decision taken by RBI to let Banks use social media and mobile applications, and how RBI arrived at the decision that this does not violate the privacy of customers or their data.
  2. Details of the specific documents relating to the approval given by RBI to ICICI Bank Limited for the creation of the following accounts:
    1. https://twitter.com/icicibank
    2. https://twitter.com/icicibank_care
    3. https://facebook.com/icicibank/
    4. https://youtube.com/user/icicibank
  3. Details of the decision taken to permit ICICI Bank to do social media banking.
  4. A copy of the RBI guidelines on how online presence can be conveyed to customers.
  5. A copy of the results of the security and privacy audits conducted by RBI.
  6. Details of the official RBI accounts on social media, the relevant Act under which they have been created, and their purpose.

RBI has replied to the above RTI as follows:

Reply for query 1:

"Department of Payment and Settlement Systems, Reserve Bank of India (DPSS, RBI) has not issued specific instructions to Banks on the areas raised in the query. However, Banks have been advised vide our circular on mobile banking, which is available on the website of RBI at the link:

https://rbidocs.rbi.org.in/rdocs/notification/PDFs/65MNF052B434ED3C4CE391590891B8F3BE66.PDF

Para 2(ii) of Annexure I advises that social media can also be used by the Banks to build awareness and encourage customers to register for mobile banking, as one of the measures of customer awareness programs."

Reply for query 2:

“DPSS, RBI has not issued any such approvals to ICICI Bank Ltd”

Reply for query 3:

“No Specific instruction has been issued to ICICI Bank”

Reply to query 4:

“DPSS has not issued any instructions in this matter”

Reply to query 5:

“DPSS has no information in this matter…. Your query has been forwarded to CPIO..to provide information if available..”

Reply to query 6:

“DPSS, RBI has no information in this matter….Your query has been forwarded to CPIO…”

Subsequently, regarding query 6, M. Nandakumar, CPIO, replied on January 12, 2016, stating:

“We have no information”

Another reply dated January 11, 2016, signed by Ms Alpana Killawala, CPIO, stated for the same query:

"From April 13, 2015, the Reserve Bank of India has a presence on two social media sites, namely YouTube and Twitter. It is an initiative taken by the Reserve Bank for enhanced outreach and real-time engagement with the public, in addition to engaging with them through traditional media.

Purpose: For wider dissemination of information about RBI policies, rules and regulations”.

On query 5, in a reply dated January 15, 2016, Subhash Chandra Mishra, another CPIO, replied:

"No security or privacy audits of mobile applications of banks are done by us. However, the level of adherence to extant guidelines issued by RBI is examined during the course of the annual inspection of banks."

From the above it is clear that the DPSS, which issues guidelines on the use of technology, is not even aware of the need for security and privacy audits, and that the CPIOs are completely confused about the state of affairs.

The replies confirm that RBI has not even considered security and privacy audits of mobile apps and has not recognized the security risks of using Twitter and Facebook for conducting banking transactions such as balance enquiry and transfer of funds. Perhaps they are not even aware that some banks are using Twitter handles to interact with the banking servers and execute fund transfer requests.

As an ex-banker with a lot of respect for RBI (by tradition), it is a big surprise for me to note the level of incompetence at the RBI.

This in fact corroborates some of the concerns I expressed earlier about the use of USSD codes for banking transactions by NPCI.

I await the reaction of banking security experts to what we have indicated here, particularly to the fact that the mobile apps have not been audited by RBI.

Under the earlier guidelines, IDRBT was supposed to clear any banking-related applications. Obviously, this guideline is being flouted by Banks and RBI has not taken any corrective action.

Naavi
