Managing the Brexit Virus will be the next challenge: Lessons from IS practice

The BrExit referendum has exposed the complacency of international financial managers, including those in India, where we never had any serious discussion in the run-up to the BrExit poll on how it could affect the Indian corporate sector. Some of the business channels like CNBC TV discussed the likely impact of BrExit in the same tone as the Federal Rate hikes or RBI policy meetings and did not foresee the possibility of the poll going in favour of the Exit and the serious consequences that could follow.

Even yesterday the channels were taking a position that the result will be in favour of “Remain” and they were easily misled by the opinion polls and betting odds. What we saw today was therefore a disaster which was on the horizon but we could not foresee.

Most of the mutual funds that hold the money of the public must have absorbed the loss arising out of the 1000 point drop in the Sensex today in the early morning bloodbath. This could have a huge adverse impact on ordinary investors who trusted the expertise of the fund managers. It would be interesting if somebody researches the impact of BrExit on the mutual funds and how different fund managers managed the crisis.

In the later part of the day, markets recovered slightly but there is no guarantee that on Monday the recovery will continue or we will see another drop.

One of the developments that may create a further drop on Monday could be the effect of the BrExit virus spreading to other countries in the EU, with Germany, France, Austria, Denmark and other members calling for their own referendum to quit the EU. Additionally, the possibility of Scotland trying to go out of Britain is another development that could cause more concern.

From the look of it, the 4% difference in voting in favour of “leave” when 30% of voters did not vote, can cause a USSR kind of break up of the EU and cause multiple fissures of the Union in the next couple of years.

While we may not like such a fissure that appears illogical from the perspective of “Strength in Unity”, the possibility appears very high.

Just as we failed to analyze the probability of “Leave” voting in BrExit, we cannot afford to overlook the probability of EU breaking up into its several erstwhile independent countries. This is a “Risk” that needs to be identified, analyzed and mitigated.

Just as in Information Security management, where we often fail to identify “Risks”, and fall prey to a “Known Risk”, there is a possibility that we may underestimate or ignore the risk of EU break up and this could create another crisis on another day.

The BrExit was like a “Zero Day” risk which we failed to recognize but we cannot afford to do the same next time when Denmark or another country goes on a referendum.

I therefore urge RBI and SEBI to start planning for “EU Break up” and develop strategies to contain the risks.

Before the BrExit, I would have liked an “Advisory” from RBI that in the event of a BrExit “leave” vote, the British Pound would drop 8-10%, and any open position should be avoided. Similarly, if SEBI could have announced closure of the stock exchange today, probably the risk could have been contained.

However, neither RBI nor SEBI anticipated the possibility and hence did not take any corrective action. Next time when such events occur, RBI and SEBI should be more pro-active and, just as the meteorology department broadcasts advisories for fishermen in times of expected weather disturbances, they should provide advisories on known events that could cause extreme volatility of the markets.

I must however appreciate some individual investment advisors who kept reminding that “There is No Trade on such uncertainties” though it might not have been taken note of by many.

Now we are at the fag end of June. The listed companies will be coming up with their quarterly results in the next fortnight and if any company has taken a hit on the foreign exchange front because of an uncovered open exchange position today, their quarterly results will be adversely affected.

Before this comes up as a surprise one by one next month, SEBI should make an assessment of the impact of uncovered Foreign Exchange exposure of all companies (mostly the IT companies with high exposure to the EU currencies) by calling for a report from all the listed companies. This is a strategy like the “Incident Report” that a CERT-In would ask after a zero day malware is detected.

Once any risk is detected, SEBI can ensure that the losses, if any, are allowed as an extraordinary loss which can be written off over the next three or four quarters instead of the first quarter itself. This will be like the relief that was given to Banks in the NPA write off and would provide relief to the IT sector in particular.

At the same time, just as anti-virus companies come up with special virus removal tools, RBI should come up with some special measures to even out the foreign exchange impact of the BrExit in the current quarter balance sheets of listed companies by providing hedging options in the form of specially structured “exchange cover instruments” to spread out the impact.

Hope RBI and SEBI will take the necessary action as otherwise we must be prepared for another round of down trend in the market from the current levels not only through the next week, which happens to be the expiry week, but also the first fortnight of July.

I presume that these are some lessons from the Information Security practice that Financial regulators can benefit from.

Naavi

Posted in Cyber Law | Leave a comment

InMobi fined Rs 6.39 crores for non-compliance with Privacy Regulations

In what should be an eye opener for the new generation tech companies, who are unmindful of legal compliance, InMobi, the mobile advertising company, has been fined US $ 950,000 (approx Rs 6.39 crores) for collecting information about children without their consent and violating the provisions of COPPA (Children’s Online Privacy Protection Act).

FTC (Federal Trade Commission) initially fined US$ 4 million and later reduced it to $950,000. InMobi claimed that a technical error led to the process not being correctly implemented. As a result, information was collected even when the privacy settings of the consumers were configured otherwise.

Naavi has many times warned the Start Ups to undertake an “ITA 2008 compliance” as part of the “Techno Legal Feasibility” before scaling up their activities. Unfortunately these companies have other priorities for their scarce resources in the initial days and later become too engrossed in business development to take care of legal compliance. Such ignorance and negligence is what results in liabilities such as these. It is possible that the company would not have covered themselves with appropriate insurance also and hence has to absorb the loss from their revenue itself.

Hope the company is able to absorb the loss and proceed.

Naavi

Brexit impact on India will be positive

It appears at this point of time that BrExit is really happening. As the effects of the unexpected result unwind, the debate now is what will be the effect of the BrExit on India in general and Indian stock markets and Indian Economy in particular.

Before we start discussing the impact, we need to first congratulate the British public for perhaps what can be their first “Independence Day Feeling”. We in India and even US have an experience of an “Independence” but Britain perhaps did not have one and this occasion has given them a new experience. Let them enjoy.

As regards the impact of the result, there is a reasonable expectation that there will be a new election in England and a new Government as well. There will be a lot of changes happening in England and the rest of EU. The exchange rates will readjust with US $ becoming stronger as well as Japanese yen. The EU currencies and the British Pound may become weaker. Those companies who have a trade surplus in EU area and have not hedged their exchange risks will be adversely affected. The IT Companies of India which have a huge exposure to the EU market need to check if they have been holding any open positions and reassess the impact.

The next quarter announcements of financial performance of these companies will indicate that they may have to revise their guidance mostly downwards.

The stock markets in the next one month will be down by at least 5% from current levels.

However, in the long run, the business in EU will remain whether the contracts are decided by a new leader or by the old leader. Hence the overall business opportunities will remain. Probably the IT companies will gain new business since what they did so far for EU will have to be re-done with EU-UK and UK as two different entities. It will be like the Y2K moment where any change will lead to re-work of software and additional business for IT service providers.

It is now open to the Indian IT companies to quickly make a Business impact analysis and put together a response team that can immediately suggest revised versions for all they did in the last few years as software solution to Banks and other financial institutions as well as Government institutions and review what needs to be done now.

Then BrExit may actually benefit India.

I think that the days are interesting and innovators will make a kill. I am sure India has many of these innovators and we can look for an overall benefit to India being carved out. This will of course be a challenge to the Government also and it has to come up with its own strategies to take advantage of the situation and act with a nimble foot.

Let’s watch and enjoy..

Naavi

P.S: If EU economy weakens by breaking into parts, the benefit will be for US and probably for economies emerging into the top of the heap and that includes India.


US Bank Offers Cyber Insurance for Wire Transfer transactions

Naavi has been repeatedly emphasizing the need for banks to provide mandatory Cyber Insurance for the benefit of the customers as a support to the technology related innovations which have changed the threat landscape in the Banking industry.

While new technologies have reduced the costs and improved the profits of Banks, the customers are left to handle the increasing risks in exchange for the “Convenience” which is part of the new life style to which we are getting accustomed.

The possibility of a major Cyber Heist wiping out the bank accounts of a large number of Bank customers and eventually the Bank itself is looming large on the Indian scene and I repeat that Mr Modi and Arun Jaitley will be considered unimaginative if they do not see the risk and take steps to mitigate the risk.

In this context, it was refreshing to hear that a Los Angeles bank, namely Grand Point Bank, introduced cyber insurance policies for its customers for covering against wire-transfer fraud schemes.

According to the report, “the coverage includes losses from wire-transfer scams including business email compromise. In business email compromise schemes, fraudsters pose as executives or vendors from a business, sending requests for money transfers to accounts controlled by criminals.”

FBI data shows that criminals have sought to use such “Business Email Compromise scams” to steal more than $3 billion since June 2013.

The policy, which is underwritten by Hiscox Inc, a unit of Hiscox Ltd, costs $30 to $70 per month for up to $1 million in coverage.

India has also seen many such incidents and instead of exposing the business to such risks, companies would be happy to spend some money and cover the risks.

We look forward to Insurance companies in India pushing such policies and Banks adopting them.

However, unless the Government or the new RBI Governor who may take over RBI Governance in the next couple of months takes this up as a part of its initiative to secure E-Banking in India, it is unlikely to be a reality.

The regulators should however ensure that the cost of such insurance should be shared between the Bank and the Customer with a weightage of at least 70% for the bank and 30% for the Corporate customer. The risk sharing may be higher for the Banks at 90%:10% for the retail customers.

Naavi

Related Article:

Tata Asset Management CEO’s E mail hacked


Beware of the Bank Merger related fraud

Currently, the Government has announced a merger of SBI with some of the associate Banks including SBM.

It is reported that a new fraud has surfaced in which fraudsters are calling associate bank customers and informing them that due to the merger, they need to change their ATM card and collecting the card details to fraudulently withdraw the money.

All Customers are warned not to fall for such fraud attempts.

I also urge Banks and Police to immediately take steps to ensure that the fraudsters do not continue with the fraud.

Naavi


Is your Right to Justice being trampled by Bureaucracy in Karnataka?

The hallmark of Democracy is that every Citizen has a right to be entitled to Quick and Fair Justice. But when the system fails to provide this fundamental right of a citizen, the society faces the danger of the rise of extra-constitutional forces. Such failures encourage the growth of “Naxalism” which soon escalates to anti-national activities and terrorism.

It is therefore essential for the “System”, which consists of the Government, the Judiciary and the Administrators to do their very best at all times to ensure that the “Rule of Law” prevails in the country.

The Government is responsible for framing proper laws, the Judiciary is responsible for delivering justice and the Administrators, which include the law enforcement machinery, are responsible for providing the support required by the Judiciary.

Karnataka has been often hailed as a technology savvy state and Bengaluru is recognized as the “Silicon Capital” of India in view of the presence of a large number of IT industries. It is also of late trying to be the “Start Up Capital”. The perception therefore is that Bengaluru in particular is endowed with rich IT talent and sets an example to the rest of the country in all matters related to IT.

However, despite specific efforts, Bengaluru has failed to make progress when it comes to delivery of Justice to Cyber Crime victims and I would like to highlight one of the major shortcomings in the administration of Cyber Justice in Karnataka and the specific role of the IT Secretary of the State in this regard.

The law relevant to delivery of Cyber Justice in India is the “Information Technology Act 2000 amended in 2008” (ITA 2000/8).

Under this law, any person who has suffered a financial loss of an amount up to Rs 5 crores, arising out of any contravention of ITA 2000/8, should approach the IT Secretary of the State for seeking damages. The IT Secretary is called the “Adjudicator” who has been bestowed the powers of a Civil Court without the burden of the archaic procedures of the Civil Procedure Code to conduct an enquiry and render his award within 4 months. The Adjudicator has the sole jurisdiction in this regard and no other Court can hear a matter that comes under his jurisdiction.

The net effect of this legislation is that a Cyber Crime victim who has suffered a financial loss can be provided quick justice through an “Enquiry Process” by the Adjudicator. The process of filing a complaint is simple and the cost is less than going to a Civil Court (which option is anyway not available for claims up to Rs 5 crores).

Though the law makers who wrote ITA 2000/8 provided for this special judicial process called the “Adjudication”, the IT Secretaries of Karnataka have not been keen to accept this responsibility and do everything in their powers to discourage the public from approaching them with a complaint under Section 46 of ITA 2000/8.

Chennai was the first City from which an IT secretary started his adjudication activities, way back in 2008. Subsequently, an IT Secretary from Mumbai continued the tradition and now the Chhattisgarh IT Secretary seems to be active.

The techno savvy IT Secretaries in Karnataka do not seem to be interested in pursuing their statutory responsibilities as “Adjudicators” and have found a clever way of keeping the applicants off. The Government and the High Court of Karnataka are not concerned with the plight of Cyber Crime victims in Karnataka and have allowed the lawlessness in Cyber space to thrive in Karnataka.

Whenever we speak of Cyber Crimes, we immediately turn our attention to the Cyber Crime police station which is doing an excellent job of investigation. But the role of Police ends with investigation and their success in prosecution depends on the Criminal Justice system which is in the hands of the Courts and administrators.

ITA 2000/8 envisaged that while the Police may pursue prosecution of a Cyber Crime perpetrator, the system of Adjudication may be used in parallel by a Cyber Crime victim to claim financial damages not only from the ultimate perpetrator of a cyber crime but also from others who aided and abetted in the crime.

In most of the financial cyber crimes such as Bank frauds or Credit card frauds, the perpetrator may be hard to find but the intermediaries who aided and abetted the crime such as the Banks who opened the accounts for the fraudster and helped him launder the fraud proceeds or the Mobile Service providers who issued duplicate SIM card without verification or a merchant establishment whose employee stole the credit card data can be identified and held liable under ITA 2000/8. If therefore the Adjudicators are interested in dispensing justice to Cyber Crime victims and do their duty cast under law, many Cyber Crime victims can find relief much before the Police are able to find the Cyber Crime perpetrator who may sit in Nigeria or a far corner of India and prosecute him.

In one of the cases which was brought before a Karnataka Adjudicator, the cyber crime victim had lost money due to the negligence of Axis Bank and hence claimed the money from Axis Bank which was vicariously liable under ITA 2000/8. Unfortunately, Axis Bank also happens to be the Bank which does e-Governance work for Karnataka Government and there was a conflict of interest for the IT Secretary to take up the complaint against Axis Bank.

However, the IT Secretary not only went ahead with the proceedings without recusing himself but also passed an award which was bad in law and prevented any further complaints being filed on any Banks under Section 46 of ITA 2000/8. Though the Karnataka Human Rights Commission intervened and the Law department of the State also gave its opinion that the award was legally incorrect, due to the failure of the Karnataka High Court to review the decision and the non-functioning of the appellate authority in Delhi, the flawed award remains a law in Karnataka since 2011.

The responsibility for correcting the situation lies primarily with the current IT Secretary of the State. But the silence of the IT Minister, the Chief Minister as well as the Chief Justice of Karnataka, who has the ultimate responsibility for maintaining the judicial system in Karnataka, is also unpardonable.

Are all of them ignorant? Are all of them unconcerned?

History will judge how the cyber judicial system was trampled upon by the system in Karnataka and the failure of the political leaders as well as the Judiciary in Karnataka.

Naavi
