RBI has opened the doors for Cyber Insurance for E Banking Frauds

If the recent circular of RBI on limited liability for Customers in E Banking frauds becomes a reality, it would simultaneously open the doors for the Cyber Insurance Industry to offer products for Cyber Insurance to individual Bank customers.

The reason why Insurance Companies were reluctant to insure E Banking frauds on behalf of individuals was their fear of unknown risks and possibility of a sudden huge loss arising out of Phishing at individual customer’s level or at a system level in Banks or their critical service providers.

While Insurers manage their risks by having a limited liability clause in their policies with sub-limits for various causes, the RBI guidelines would now bring down the overall liability of the customer itself significantly.

When a loss occurs on account of an E Banking Fraud, the fraud would be classified as

A: Zero Liability Incident

B: Limited Liability Incident

The “Zero Liability Incident” is one in which the Customer shall not be liable and the Banks should reverse the amount lost within 10 days.

This is applicable when the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in case of

a) Fraud or Negligence on the part of the Bank

-irrespective of whether the loss was reported by the customer or not

b) Third party breach

-where the fault lies neither with the Bank nor with the customer and

-the customer notifies the Bank within three working days of receiving communication from the bank regarding the unauthorized transaction

c) Involving Negligence of the customer

-such as sharing of payment credentials

-after the customer reports the unauthorized transaction to the Bank

The “Limited Liability Incident” is one where the customer has to bear the loss to a limited extent and would cover the following cases.

a) In cases where the responsibility for the unauthorized electronic banking transaction lies neither with the Bank nor the Customer and

-the customer notifies the Bank of the unauthorized nature of the transaction between 4 to 7 days

-the liability of the customer is limited to the transaction value or Rs 5000/- whichever is lower

-Where the customer notifies the Bank after 7 days, the liability will be determined as per the Bank’s approved policy.

It is reasonable to expect that the liability will be still limited and cannot be 100% of the transaction value

In the residual category, where the fraud involves negligence of the customer (such as sharing of payment credentials) and the loss occurs before the customer reports the unauthorized transaction to the Bank, the loss may have to be borne by the customer.

From the perspective of an Insurer, therefore, it is critical that the customer notifies the Bank that a transaction reported to him through the Bank’s SMS or E-Mail alert is “Unauthorized”, and that this is done within 3 days.

Then the Bank will check if the unauthorized transaction is due to the “Negligence” of the Customer which will be a matter of dispute to be resolved in the next 90 days.

The Customer will not have any liability unless the Bank is able to provide evidence that the negligence of the customer was the cause of the loss, or that the customer himself committed the fraud, with an accomplice or otherwise.

In the meantime Bank will have to provide a shadow credit within 10 days which should also provide for compensation of any interest loss that may be involved especially in the credit card transactions.

Since the customer is not suffering any loss in these transactions, the Insurer need not take any liability on the individual’s cyber insurance policy.

Even in other cases, the liabilities will be limited to Rs 5000/- except where the “Negligence” is proved. What constitutes negligence in these cases is a matter that will be debated and the Insurance industry will be required to put its weight behind the customer in ensuring that excessive responsibility is not expected of the Customer in identifying a fraud such as “Phishing” or “Vishing” particularly when malware is used to extract the credentials of the customer without his knowledge.

Insurers will also be required to recognize the concept of “Proximate Cause” for loss, where the Bank had an opportunity to prevent the loss even after the negligent act of the customer but failed to do so because of its own inadequacies; in such a case the loss is due to the failure of the Bank and not of the customer.

Though some of these intricate points will be disputed and resolved over a period of time, it is clear that the Cyber Crime Insurance risk of insurers for E Banking frauds, in policies issued or to be issued to individuals, has come down from the clouds to the ground level.

There is therefore no excuse, after this circular, for the Insurance companies not to issue such policies for individuals.

I hope Tata AIG, HDFC Ergo, ICICI Lombard, Bajaj Allianz etc. will now start structuring their individual Cyber liability policies.

We look forward to developments in this regard in the next few months and request IRDA to also suggest all its members through a circular to construct such policies.

In particular, I request attention of Mr Rajesh Aggarwal the dynamic ex-Adjudicator of Maharashtra who is now heading a public sector Insurance Company and urge him to make the first move. Let one of our public sector Insurance companies be the first to introduce a Cyber Insurance Policy for Individuals as a part of the 70th Independence day celebrations.

Naavi


What is Negligence of the Customer under RBI’s circular on Limited Customer Liability?

At the cost of repetition, we must congratulate RBI on its recent circular of August 11, on Customer Service in which they have proposed that customer’s liability on cyber frauds should be limited.

Presently, a draft circular has been issued and RBI is awaiting public comments before confirming the circular. I urge all visitors to peruse the circular and provide a strong positive feedback to RBI. (Refer this earlier article for details).

The reason why I advocate strong positive support for this move of RBI from all consumers and consumer organizations (rather than remaining silent supporters) is that there is every possibility that vested interests in Banks would try their best to scuttle this move of RBI and let the circular remain in draft form and not see the light of day. The Indian Banks Association, which is an industry body, is often swayed by the leading Banks such as SBI and ICICI Bank to adopt practices which are not always protective of consumer interests. We therefore need a balancing pressure on RBI to maintain its poise and let the circular become a reality.

I recall that way back in 2002, in a circular dated April 8, 2002, RBI had stated

“…we continue to receive complaints of fraudulent encashment by unscrupulous persons opening deposit accounts in the name/s similar to already established concern/s resulting in erroneous and unwanted debit of drawers’ accounts…..Besides, in cases of the above kind, the banks have also not restored funds promptly to customers even in bona-fide cases but deferred action till completion of either departmental action or police interrogation…..

With a view to redressing the grievances of the customers in this regard, we have reviewed the position and advise that (i) in cases where banks are at fault, the banks should compensate customers without demur, and (ii) in cases where neither the bank is at fault nor the customer at fault but the fault lies elsewhere in the system, then also the banks should compensate the customers ( upto a limit) as part of a Board approved customer relations policy.”

However, we have not seen Banks following these instructions from RBI. I can personally vouch for the same, having represented many Cyber Crime victims against Banks such as ICICI Bank, PNB and Union Bank of India. Other Banks will not be better since the big brother SBI is leading this anti-customer attitude and making RBI look like a paper tiger good only for issuing circulars which can be safely ignored.

In August 2011, the D.Damodaran Committee on Customer Service in Banks had made some far reaching customer friendly recommendations. But the influential Banks forced RBI to forget the report and not issue any operative circular as a follow up.

It is in this context that we the consumers need to stand up and support RBI in its latest efforts and not let our vigil drop.

Now it appears that RBI has once again issued a circular which will have far reaching protective influence on Bank customers. It puts a cap on the liability that a Bank customer may suffer on account of a Cyber fraud which may happen with a Phishing Attack or a Credit Card Cloning or an ATM hack, or hacking of the Bank systems. In most of these cases, involvement of Bank staff may be implied though not proved. But in almost all cases, negligence of the Bank can be identified as the “Proximate Cause” of the loss that a customer suffers.

The recent circular has classified the losses into the following categories:

  1. When a customer brings to the notice of the Bank the fraudulent transaction within 3 working days of him coming to know, there would be “Zero Liability” for the customer
  2. Where the report is delayed and made within 4-7 days the customer’s loss will be limited to Rs 5000/-
  3. Where the delay is more, the Bank’s Board shall have a policy on how to deal with the customer’s liability.

Once notified, the bank shall credit the amount from their suspense debit within 10 working days.

There is however a possibility that Banks may try to find a loophole in the RBI guideline and try to avoid the liability on themselves.

I have even seen one argument from a Bank that they cannot pay back the fraudulent money because it is “Public Money” as if the customer’s own money does not belong to that category. We have also seen Banks trying to hide behind “Privacy” and refusing to reveal information of fraudster’s accounts through which an honest customer’s money has been withdrawn forgetting that opening such accounts with defective KYC was part of the offence under AML.

Such unscrupulous Banks can go to any extent to refuse relief to Cyber Crime victims under one pretext or the other unless strong penalties are imposed for non-compliance with RBI’s orders.

In the circular, the frauds have been categorized into three categories as follows.

  1. Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)
  2. cases involving negligence by a customer, such as where he has shared the payment credentials,
  3. Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.

In the first type involving fraud or negligence on the part of the Bank (including where staff of the Bank may be involved), there would obviously be no liability for the Customer.

At the same time legal proceedings can be initiated on the Bank and its executives including the Chairperson and Directors for civil and criminal action under ITA 2000/8.

I wish RBI also imposes “Sanctions” on such a Bank and its key executives without waiting for the law to grind to a conclusion.

The third type is self explanatory once we understand the implications of the second type “cases involving negligence of the customer”.

What is Negligence of a Customer

Banks have been struggling for generations to decipher the meaning of “Negligence” under Section 131 or Section 10 of Negotiable Instruments Act. We often leave it to be judged by the circumstances of the case to define “negligence” as “What a Prudent man under similar circumstances would have done” or “What a prudent man under similar circumstances would not have done” without being clear about who is that “Prudent Man”.

It is the Courts who have in different occasions defined what is negligence. In the E-Banking environment we need to accept that the Judiciary has not matured enough to provide a good guidance of what is “Negligence” on the part of a Customer.

Looking back on some of the instances we can identify the following types of behaviour which could come for discussion as “Negligence”.

  1. Keeping the ATM card along with its PIN written down in one place.
  2. Acting on a Phishing E-Mail and logging into a “Pseudo Bank Site” failing to recognize impersonation in the e-mail and the website, thereby providing the credentials on the pseudo bank site.
  3. Allowing Trojans and viruses to attack their access devices such as a computer or mobile which could be a Key logger virus or a Man in the browser virus, Coat tailing virus etc
  4. Answering a Vishing Call and providing credentials like the OTP
  5. Using very weak passwords such as “1234” etc.
  6. Downloading malicious apps on the mobile or on the computer
  7. Not updating or installing an effective malware protection software
  8. Sharing their cards and passwords with family members or others whom they otherwise think are trustworthy
  9. Not using secure mode of accessing Bank accounts with the use of Digital Signatures or the Secure Browsing Mode provided by their anti virus software.

At the same time, we need to recognize that some of the above acts of potential negligence could be prevented if Bankers are “Not Negligent” or are “Security Conscious”.

For example,

  1. Banks can introduce a mandatory face recognition system for all ATMs so that there is also a record of who visited the ATM
  2. Defined weak passwords can be deactivated (most banks do it at present)
  3. Phishing sites need to be brought down at the earliest. How early depends on what Banks spend on such security. But customers using a web protection feature in their anti virus software or a Netcraft anti-phishing extension for their browsers may be able to identify phishing reasonably quickly. But whether “Non Installation of Netcraft extension” can be considered “Negligence” depends on an evaluation of the minimum level of awareness in the Bank customers. This also depends on what “Awareness Building” efforts have been taken by the Bank (and documented).
  4. Using of Passwords and OTP instead of ITA 2008 approved digital signatures/eSign for the purpose of authentication and not even providing an option for interested customers.
  5. Ignoring the June 2001 Internet Banking Guidelines of RBI  and absorbing the legal risk for not using digital signatures.
  6. Ignoring the judicial award of the Adjudicator of Tamil Nadu in the S Umashankar Vs ICICI Bank case advising use of digital signatures for bank statements distributed to customers.

In the case of sophisticated spear phishing attacks, many of the technology aware as well as security aware users have fallen prey in the past.

Hence the level of expertise required to identify and eliminate phishing attacks should not be considered as a base line skill level that can be expected of an ordinary Bank customer. When Trojans and Viruses are installed while visiting otherwise respected websites or downloading apps and software programs, and the available malware protection has also failed, it is too much to expect every Bank Customer to have the necessary expertise to identify the signature of a malware and take steps to prevent its malicious action.

Hence the burden of “Negligence” should not be thrust on the customer in the case of phishing and installation of malware where the customer himself is a “Victim” of an identity theft crime. Making an identity theft victim liable because he allowed himself to be a victim is like telling a pickpocket victim: why did you keep your money in the pocket and not in the locked briefcase or underwear pocket?

Bankers will however advance an argument that if, in the case of “Phishing”, the customer is not made to bear the burden, customers will collude and commit frauds on the Bank. I therefore suggest that in cases of “Phishing” (and Vishing) where the customer has in fact parted with his credentials, if the “Customer” and the “Beneficiary” do not have any nexus (such as one being a family member or a friend), his contention that he was cheated should be given credence and the fraud should be considered as arising not due to the negligence of the customer. Even then, I suggest that the customer could be penalized up to 10% of the total loss. This can be part of the mediation between the customer and the bank where the mediator adjudicates if the customer was indeed negligent or not.

Presently RBI has a scheme of Ombudsman to resolve disputes arising out of “Non Adherence to RBI regulations”. However Ombudsman often refuse to take responsibility to mediate and function more like “Adjudicators” and often have a soft corner with the Banks. Customers have often been at the wrong end of the decisions of Ombudsman and hence this system requires a serious rethinking. One suggestion is to make the Ombudsman adopt a mediation strategy and include a member of public who has knowledge of Cyber Fraud issues in the mediation team.

In all cases of “Alleged Negligence” by the customer where the Bank wants to refuse payment under the proposed scheme, the Ombudsman may step in to resolve the dispute.

We need to continue our discussions and debate this issue of “What Constitutes Negligence” of the Customer in cases of E Banking frauds before making the customer pay for the technological advances of the financial market. I invite comments and suggestions in this regard.

Naavi


Limited Customer Liability on Bank Frauds.. Your Comments solicited by RBI

In a long awaited but highly welcome move, RBI has released a “Draft Circular” for public comments on “Limited Liability” for customers in case of frauds in Internet Banking and Card transactions.

Suggestions/comments, if any, on the Draft Circular may be sent by post to the Chief General Manager, Department of Banking Regulation, Reserve Bank of India, Central Office, 12th Floor, Shahid Bhagat Singh Marg, Mumbai-400 001, or by E-Mail to liabilityebt@rbi.org.in, on or before August 31, 2016.

I urge all visitors to go through the circular and provide their feedback to RBI taking into account the following points.

  1. The recommendations in the Circular are welcome in the context of increased use of electronic mode of payments by Banks as a part of its effort to improve efficiency and reduce costs and the growing cyber threats from organised cyber criminals.
  2. The frauds are being facilitated by use of “Password” for most of the authentication requirements though use of passwords is legally not recognized as “Signature” for banking transactions.
  3. The marginal improvements in security sought with the 2 Factor authentication is considered inadequate to protect the consumers against the current set of frauds.
  4. The increased use of cloned cards for Credit/Debit Card and ATM cards through card merchant side compromises has placed the customers in a defenseless position against frauds.
  5. The system of limited liability to customers has already been in vogue in USA and other countries and was also recommended by the Damodaran Committee on Customer Service which gave its report way back in 2011 and was sidelined due to opposition from influential Banks.

The suggested recommendation from RBI is therefore welcome and needs to be notified at the earliest.

As regards some of the conditions that have been indicated in the circular, the following may be noted.

Recommendation: Banks must ask their customers to mandatorily register for alerts for electronic banking transactions. The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks.

Comment: Where the customer is able to provide both SMS and E-Mail addresses, the alert should be sent through both channels. Hence the circular may be modified to read as (email and/or SMS) instead of (email or SMS).

Recommendation: The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction.

Comment: Banks must provide for response by “Reply” to the SMS and E-Mail; the customer should not be required to search for a web page or an e-mail address to notify the objection, if any. Necessary change may be made to the circular in this regard.

Recommendation: A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases: (a) In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.

Comment: When the credentials of the customer are stolen by a fraudster by the use of “malware”, it should not be construed as “sharing” of the credentials, inasmuch as the customer is a victim of the systemic problem. Such instances may be classified as “Arising due to neither the negligence of the bank nor the customer”.

In order to ensure that malware in the browser software does not result in a fraud, Bankers should provide a “Secure Browsing Environment” for all Banking transactions through an appropriate security software. Presently, most anti virus software such as Kaspersky provides such “Safe Browsing” for Banking transactions, but such session requests are sometimes rejected by the Banking systems due to improper configuration. Not enabling such a “Safe Browsing” environment should be considered as “Negligence” by the Bank.

Under Indian law (ITA 2000), the only legally recognized form of authentication which also applies to Banking transactions is in the form of Digital Signatures (or eSign). Banks should mandatorily enable their systems for the use of Digital Signatures and eSign so that customers who intend to use digital signature based log-in may be able to use them. Not providing such options should be considered as “Negligence” by the Banks. (P.S: This was stated in the Internet Banking Guidelines of June 2001 where the Banks were expected to assume the legal risk in such cases.)

Recommendation: In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or ₹ 5000/-.

Comment: In the case of mobile transactions through apps where there is a monthly transaction limit of Rs 10000/- and no KYC obligation, the liability limit may be reduced to Rs 2000/-.

Recommendation: The policy must be transparent, non-discriminatory.

Comment: In the past Banks have easily refunded fraud losses to some celebrities and even the police personnel but have taken the genuine normal customers to Court through a process of lengthy litigation which the customers are unable to sustain. Examples of cases pending in Cyber Appellate Tribunal involving ICICI Bank, SBI, PNB and Axis Bank are available for this. All these cases involved serious KYC lapses on the part of Banks but are going through needless litigation because Banks can throw money at lawyers for dragging the cases on for years. RBI should therefore review all the pending cases and open a window for mediating compromise solutions based on the new policy.

Recommendation: The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank. The bank’s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer.

Comment: Welcome move, since all the evidence is with the Bankers within their system and is capable of being manipulated. Bankers should be advised to archive fraud related log data as “Evidence” and make it available to the law enforcement authorities even when the dispute with the customer is settled through this suggested mechanism or otherwise.

Recommendation: The banks shall put in place a suitable mechanism and structure for reporting of the customer liability cases to the Board or its Committee. The reporting shall, inter-alia, include volume/number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall review, on a monthly basis, the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereupon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures.

Comment: A summary of incidents settled under this mechanism should be made available on the website of the Bank.

I request visitors to send their comments to RBI without fail both appreciating their efforts towards Consumer protection as well as making suggestions if any.

Once this system comes into practice, I suppose Cyber Insurance Providers will feel bold enough to provide Cyber Fraud insurance cover to Bank customers to cover the balance risk that is left uncovered by this system (Rs 5000/- )

Naavi


Cyber Security Framework and Directors of Banks- An Action Plan..for Now..

The Cyber Security Framework (CSF-2016) proposed by RBI to be implemented by Banks has posed a stiff challenge to the community of Bank Directors. After the lukewarm response to its previous guidelines including the E Banking Security Guidelines (GGWG Recommendations) of 2011 from Banks, RBI has now tried to tighten its screws on the Bank boards and therefore repeatedly sought the direct responsibility of the Board of Directors in Banks for ensuring implementation of the recommendations under CSF-2016.

The countdown has already started. By September 30, 2016, RBI wants several aspects of its recommendation to be in place; it is hardly 51 days to this deadline and probably not more than two board meetings are left to review the implementation. The challenge is stiff, but we need to make a start and start running. The spirit is to make an honest attempt. After all, we are in the season of the Olympics and participation is the key; making an honest attempt to win is necessary, but actually winning is incidental.

Let’s briefly review the challenge that our Bank Directors have on their hands now. Directors in banks, and more appropriately the “Independent Directors”, need to take note of the following in their own interest.

The first deadline given by RBI was July 31, 2016 by which the Board should have approved a “Gap Analysis” and signed on a report sent to the DBOD. Probably most Banks should have completed the formality. Those who have shot off the report may now review if the report was complete and those who have not need to review how quickly they can recover the lost ground.

Banks already have some infrastructure to handle Information Security and there will be a sub committee of senior executives already assigned to the task of managing the Information Security in the Bank as per the GGWG guidelines. There is also a CISO in most Banks. The CISO should therefore present (should have already presented) to the Board his assessment of the Gap and recommended action plan.

If not, summon another Board meeting immediately and ask the CISO to make a presentation. Even if a note has been already presented, it is recommended that the CISO is asked to present his views on the Gap report already sent to RBI and modifications that may be required.

The “Gap Report” is to document the current status of the implementation of the “Cyber Security Program” vis a vis the recommendations contained in the Cyber Security Framework-2016 elucidated in the RBI circular of June 2, 2016.

Obviously, in order to prepare this Gap Report or approve it as a member of the Board of Directors, there is a need to understand the CSF-2016 document and absorb its implications. This itself requires a deep understanding of the nuances of Cyber Risk Management, without which the Directors can easily be misled that “All is Well” and ignore the urgent action to be undertaken.

The first questions to be raised are:

  • It is a requirement of the CSF-2016 that the Board of Directors should be adequately trained on Cyber Security issues. Has the CISO organized such an awareness program for the Directors? If not, when is it scheduled?
  • In order not to waste further time, the agenda for the next Board meeting should include a presentation by the CISO of not only the action plan under CSF-2016 but also a general training on the implications of CSF-2016 .
  • Since CISO is the implementing party, it is better if such a training program is organized by an external consultant who understands the issues in managing Information Security in the Banking environment and should precede the presentation of the CISO so that right questions can be raised to the CISO.
  • Since it is embarrassing for the Board to call for a training for itself, it is better to call this an “Interaction with an expert” or a “Round Table” in which the implications of CSF-2016 can be discussed by the members of the Board along with the CISO and his team.

Some of the challenges that the Directors need to meet during this initial interaction are:

a) The Gap report should have identified the Cyber Threats that confront the Banking environment considering the business and product profile of the Bank. The CISO should have developed a “Threat Register” to identify and list the threats.

b) The Gap report should have identified the Cyber Vulnerabilities of the system including the technical, regulatory, and manpower related deficiencies in the system.

c) Based on the threats and vulnerabilities, the CISO should have developed a “Risk Register” listing out the individual Cyber Risks that confront the Bank.

d) The “Risk Identification” should not be restricted to technical matters only and should also address the legal issues such as compliance with the Information Technology Act 2000 as amended in 2008 and later (ITA 2000/8), and also take into account the human factors that can result in exploitation both at the employee level and the customer level.

c) The Risk Identification has to also assign a measure of the risk criticality  which can be either a subjective evaluation of “Low Risk”, “Medium Risk”, “High Risk” etc or assign a value in an objective manner if possible.

d) The CISO should also indicate and recommend the “Risk Management Policy” consisting of how much of the risk can be avoided, how much of the risk can be transferred by insurance, how much of the risk can be mitigated by various measures and how much of the risk has to be absorbed by the organisation.

e) The CISO should also indicate and recommend a brief overview of a  “Risk Mitigation Plan” and suggest what should be the “Risk Appetite” of the organization. It would however be the decision of the Board to determine the “Risk Appetite” of the organization which reflects the extent of risk that it can absorb in the interest of business since ultimately commercial activity is always a risk-return trade off.

f) The CISO may also be asked to present his specific recommendations on the status of implementation on the 24 Baseline controls that have been indicated in Annexure 1 of the CSF-2016 as well as how to approach the SOC set up indicated in Annexure 2 and the Incident Reporting structure indicated in Annexure 3 of the CSF-2016
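To make the chain from Threat Register to Risk Register to Risk Management Policy concrete, here is a small worked illustration. It is an added example and not part of the post or of CSF-2016: the 1 to 5 likelihood and impact scale, the criticality thresholds, the treatment rules, the Board's numeric “appetite” and the five sample risks are all assumptions constructed for the illustration, not a prescribed method.

```python
"""Illustrative Threat Register -> Risk Register -> treatment plan.

Added example. The scoring scale, criticality thresholds, treatment rules and
sample entries below are assumed for illustration; they are not taken from
CSF-2016 or from the post.
"""
from dataclasses import dataclass
from enum import Enum


class Criticality(Enum):
    LOW = "Low Risk"
    MEDIUM = "Medium Risk"
    HIGH = "High Risk"


class Treatment(Enum):
    ABSORB = "absorb"      # within the Board's risk appetite
    MITIGATE = "mitigate"  # reduce with controls
    TRANSFER = "transfer"  # insure
    AVOID = "avoid"        # stop the activity that creates the risk


@dataclass
class Threat:
    ident: str
    description: str


@dataclass
class Vulnerability:
    ident: str
    description: str
    category: str  # "technical", "regulatory" or "manpower", as the post lists


@dataclass
class Risk:
    ident: str
    threat: Threat
    vulnerability: Vulnerability
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int       # 1 (negligible) .. 5 (severe); assumed scale
    mitigable: bool   # a control the Bank can deploy exists
    insurable: bool   # a cyber insurance product covers this loss

    @property
    def score(self) -> int:
        # Objective measure: product of likelihood and impact (1..25).
        return self.likelihood * self.impact

    @property
    def criticality(self) -> Criticality:
        # Assumed thresholds on the 1..25 scale.
        if self.score <= 6:
            return Criticality.LOW
        if self.score <= 12:
            return Criticality.MEDIUM
        return Criticality.HIGH


def recommend_treatment(risk: Risk, appetite: int) -> Treatment:
    """Map a risk to one of the four options the post lists, given the
    Board's appetite (the highest score it is willing to absorb)."""
    if risk.score <= appetite:
        return Treatment.ABSORB
    if risk.mitigable:
        return Treatment.MITIGATE
    if risk.insurable:
        return Treatment.TRANSFER
    return Treatment.AVOID


def build_sample_register() -> list[Risk]:
    """Constructed sample register: each risk pairs a threat with a vulnerability."""
    t_phish = Threat("T1", "phishing of customer payment credentials")
    t_intr = Threat("T2", "targeted intrusion into payment messaging systems")
    t_reg = Threat("T3", "regulatory action for non-compliance")
    t_vendor = Threat("T4", "failure of a critical service provider")
    t_legacy = Threat("T5", "exploitation of an unpatched legacy product")
    v_aware = Vulnerability("V1", "no customer awareness programme", "manpower")
    v_seg = Vulnerability("V2", "flat network, no segmentation", "technical")
    v_doc = Vulnerability("V3", "security practices not documented", "regulatory")
    v_single = Vulnerability("V4", "single provider, no exit plan", "technical")
    v_eol = Vulnerability("V5", "vendor no longer issues patches", "technical")
    return [
        Risk("R1", t_phish, v_aware, 5, 3, mitigable=True, insurable=True),
        Risk("R2", t_intr, v_seg, 2, 5, mitigable=True, insurable=True),
        Risk("R3", t_reg, v_doc, 3, 2, mitigable=True, insurable=False),
        Risk("R4", t_vendor, v_single, 2, 5, mitigable=False, insurable=True),
        Risk("R5", t_legacy, v_eol, 4, 4, mitigable=False, insurable=False),
    ]


def treatment_plan(register: list[Risk], appetite: int) -> dict[str, tuple[str, str]]:
    """Return {risk id: (criticality label, treatment)} for the Board's review."""
    return {r.ident: (r.criticality.value, recommend_treatment(r, appetite).value)
            for r in register}


def summarise(register: list[Risk], appetite: int) -> dict[str, int]:
    """Count risks per treatment: a one-line view of the Risk Management Policy."""
    counts = {t.value: 0 for t in Treatment}
    for r in register:
        counts[recommend_treatment(r, appetite).value] += 1
    return counts


if __name__ == "__main__":
    register = build_sample_register()
    for appetite in (8, 10):
        print(f"appetite={appetite}:", treatment_plan(register, appetite))
        print("  summary:", summarise(register, appetite))
```

Running it with two different appetite values shows the point of item g): the same register yields a different plan when the Board raises the score it is willing to absorb, so the appetite is a Board decision, not a CISO calculation.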

The “Gap Report” is only a starting point and may be imperfect. What is required is to set in motion a corrective plan so that by September 30, 2016, when a comprehensive “Cyber Security Policy” along with an operating “Security Operations Center” and a “Cyber Crisis Management Plan” is to be presented to the RBI with the recommendations of the Board, the Directors are fully aware of the responsibilities they are undertaking in submitting the plan.

This is also the time for the Board to review whether its current information security management infrastructure is adequate or needs to be augmented. Finding the right people in the domain is not easy, and even if a decision is taken today, quality people cannot be brought in before the September 30 deadline, which will have elapsed by a mile. Hence the first set of actions has to be initiated by the existing team, summoning whatever assistance it can gather from within and from available external consultancy resources.

There is no doubt that your CISO will say that setting up an SOC is a long term project and that even a proper risk assessment will take time. But RBI has taken this into account and advised that Banks cooperate amongst themselves through the CISO forum coordinated by IDRBT to share knowledge and achieve the goals faster than they otherwise would.

This however requires shedding of individual egos of Banks and their CISOs and working in a spirit of cooperation and benefit to the Banking community on the whole.

The Board has a responsibility to provide support to their CISOs to explore such cooperation in a spirit of give and take so that professional CISOs are not constrained by the fears of breaking the norms of secrecy that often shrouds the operation of the information security departments.

… With these introductory words, I urge the Directors of the Banks to accept the challenge placed before them by RBI to strive towards achieving the Cyber Security Goal however difficult it appears to be.

Naavi


Posted in Bank, ITA 2008, RBI

At Last, the Finance Ministry seems to have recognized Cyber Threats in Banks

It has been pointed out ad nauseam on this forum that Cyber threats in Banks are looming large enough to be considered a “National Security Issue”. However, commercial considerations in Banks have pushed technology solutions ahead of security considerations in most Banks, and new services dependent on insecure technology have been embraced with enthusiasm by the system. Customers are being lured by the fancy of “Convenience” to adopt technologies that they do not understand, and open themselves to threats of Cyber Crimes.

While our repeated cries in the name of Customer Fraud Protection through Cyber Insurance have still not caught the attention of the Government, what seems to have moved them now is the direct attacks on the Banks, such as what Union Bank faced in the SWIFT system. It appears that the “Intelligence Officials” have nudged the ministry to initiate the latest set of measures.

Recognizing the risks in the compromise of the Banking system, the Finance Ministry has sent out a warning to state owned Banks to strengthen the Banks’ Information Technology Systems. Coming close on the heels of the RBI’s notification of the Cyber Security Framework-2016, there appears to be some positive action from the regulatory system to harden security in e-Banking.

In the past there have been such short bursts of enthusiasm which have later fizzled out due to commercial considerations.

Last Saturday, the undersigned addressed a group of Bankers in Chennai and spoke on “Role of Banks in Cyber Security”. During the interaction the immediate measures that the Bankers need to initiate to meet the September 30 deadline for implementing the Cyber Security Framework were briefly discussed.

In the latest monetary policy speech, the Governor of RBI has hinted at some more immediate regulatory notes on the FinTech industry. In particular, there could be some measures to regulate P2P lending and aggregation services in Financial Services.

However these new regulations are likely to be more on regulating the business of these FinTech companies rather than addressing the information security issues arising out of these services.

We need to wait and watch the shape of these new regulations before passing any specific comment on them. But our earlier warning to FinTech companies remains intact.

Following the deliberations in the workshop, Naavi is intending to launch a “CSF-2016 Compliance initiative” directed to create better awareness with the Bankers on the implications of the new RBI guidelines. Watch out for more information on the developments in the coming days.

Naavi

Posted in Cyber Law

Privacy Rights..Let’s preserve for the next generation.

“Privacy” is a concept most dear to human rights activists and is considered an important pillar of democracy. Constitutions of all democratic countries swear by Privacy Rights for their citizens. However, it is well known that no Government in the World is really intending to provide “Privacy Rights” that infringe on the Security of the State, and hence all Privacy legislations provide for “Reasonable Exceptions”.

If there is a direct conflict between providing “Privacy” for Citizens and “National Security”, there is no option but to choose National Security.

The problem however is that while “Surrender of Privacy Rights” in the name of National Security is normally accepted by all right thinking Citizens, there is a fear that the information so surrendered may not be used by the State for the purpose for which it is collected. The misuse may be for political reasons or for the self interest of officials who are provided with powers to deal with the information in the interest of national security.

Similarly, when commercial organizations seek information in violation of the general privacy norms for the purpose of providing some services in return, most Citizens are able to forego their rights if they see value in return. Hence if Google maps provides directions for driving, we obviously do not mind sharing our locations. We also may not mind Google maps suggesting, through some advertisements, services such as hotels on the highway as part of its service, since it could be of some use.

Again the problem arises when the commercial entities do not provide adequate value in return for the private information exchanged by the individual, or use it in contexts different from the purpose for which it was shared, or simply are not transparent about their intentions.

With the new developments such as Smart Cities, Smart Grid, IOT, Big Data etc., the concept of mining data from multiple sources has become an acceptable practice. E-Governance in India has placed a large quantity of both Personal and Sensitive Personal Data in narrow funnels such as the Aadhaar system, the Digi Locker System, the UPI or the upcoming GST. Citizens do not have the confidence that these agencies will be able to protect the integrity of the system, and sooner or later (if not already) the data shared by millions of Indians with these authorities in good faith and in confidence will be available in the public domain.

Hence the fight for “Privacy” may already be a lost cause at least for the current generation. We therefore need to learn to live without privacy.

However, the next generation, which has not already shared its personal information with Aadhaar and other agencies, may still have an opportunity to keep its future activities away from the risk of privacy breach if we can develop a suitable system which provides a middle of the road solution between Privacy and National Security.

The solution for “Privacy in harmony with National Interest” is therefore to find a method by which an individual can interact with the world without disclosing his identity, to the extent that disclosure is necessary neither in the interest of the transaction nor in the national interest.

The quest for such a solution is the challenge to all of us who need to leave a legacy of “Privacy Protection” to our posterity though we ourselves may not consider it feasible at this point of time.

“Anonymization” of transactions could be a solution, but it needs to be protected in the interest of “Security”. Hence the solution lies in building a “Regulated Anonymity System”, which is also a “Filtered Identity Management” system.

The time for such a solution seems to have arrived now, with the Aadhaar, Digi Locker and UPI systems becoming a part of every individual’s life in India. All of these depend on the Mobile identity of an individual, which has therefore become a universal ID for all of us. Unfortunately, the KYC system under which the mobile ID is issued, as well as the security risks in its compromise, place all our other IDs in danger of being subsumed by the insecurity associated with the Mobile ID.

I hope technologists will start working towards finding a solution to this problem.

Naavi

Posted in Cyber Law