Naavi.org

The recent developments in RBI with the issue of “Cyber Security Guidelines” on June 2, 2016 and formation of an IT Subsidiary which apart from overseeing the internal IT operations will guide the regulated Banks also has created a renewed thrust on Information Security across the Banking organizations in India.

When we discuss such issues, we often focus on the top Public Sector and Private Sector Banks and forget that Indian Banking system has hundreds of Cooperative Banks of various categories licensed to accept deposits from public and are important for the financial welfare of the citizens. Some of these Cooperative Banks are big enough to be considered as significant players particularly in a restricted area of operation.  Some of them have adopted technologies of Internet Banking, ATMs and credit cards. They need to adopt security practices that are on par with the larger Banks since the risks they face are similar. However, these Banks have lesser access to required skilled manpower to advise them on Information Security and also lesser resources to deploy for security beyond the investments already committed to IT infrastructure and operational training.

As a long term observer of the Banking industry, I can foresee this sector becoming a “Security Hole” in the Indian Banking industry unless the managements wake up and initiate quick action to set things right. RBI and State regulators also need to initiate action that is required to ensure that these Banks have the necessary information security implementation that is recommended vide various RBI circulars.

As of a recent date, 172 Banks in India operate NEFT and this list includes many cooperative Banks and Grameena Banks. 154 Banks have been permitted Mobile Banking which again includes man Banks outside the well known public sector and private sector Banks. 44 Banks are permitted to issue Prepaid Cards. Soon many of them will also issue credit cards either co-branded or otherwise. In addition, RBI licenses payment Banks and wants to issue Banking licenses on tap.

All these liberalized approach to Banking regulation and adoption of new technology has diluted the security of Banking from the customer’s perspective.

While RBI has refused to force Cyber Insurance responsibility on Banks, it has from time to time issued guidelines and notifications that mandate information security practices in these Banks. It is a moot point however whether these small and micro banks have the capability to implement the guidelines and whether RBI is monitoring the implementation.

In this context we can view the impact of the circular of November 2, 2015, in which All licensed StCBs, DCCBs and UCBs which have implemented CBS and migrated to IPv6 and complying with the regulations mentioned in the circular may offer Internet Banking (View only) facility to their customers without prior approval of RBI.

Further, those who satisfy other criteria listed in the circular  on Networth, NPA etc will be permitted transactional facility “With Prior Approval” of RBI.

Some of the key criteria included in the annexure to these circulars are interesting to note and are summarised here. (Detailed circular is available here)

1. Bank should formulate and Internet Banking and Information Security policy and obtain approval of the Board and such policy should ensure confidentiality and security addressing legal, regulatory and supervisory issues mentioned in the circular.
2. Banks should put in sound internal controls and provide adequate disclosure on risk, responsibilities and liabilities to the customers before offering the facility.
3. There should be clear segregation of duties between IT and IS divisions and there should be a separate designated IS officer and IS auditor as well as a Network and Database administrator.
4. Banks should ensure that there should be no direct connection between the Internet and the Bank’s system.
5. All computer access including messages should be logged.
6. Suspected security violations should be recorded and follow up action taken.
7. Periodic penetration tests should be conducted.
8. Should have proper back up and business continuity plan.
9. Should follow the guidelines provided in the April 29, 2011 circular on Internet Banking (GGWG Guidelines)

The Circular has also highlighted the following legal issues:

1. Banks may provide Internet Banking facility to a customer only at his/her option based on specific written or authenticated electronic requisition along with a positive acknowledgement.
2. Considering the prevailing legal position, there is an obligation on the part of banks not only to establish the identity but also to make enquiries about the integrity and reputation of the customer opting for internet banking. Therefore, even though request for opening an account may be accepted over Internet, accounts should be opened only after verification of the identity of the customer and adherence to KYC guidelines.
3. From a legal perspective, security procedure adopted by banks for authenticating a user needs to be recognized by law as a substitute for signature. The provisions of the Information Technology Act, 2000, and other legal requirements need to be scrupulously adhered to while offering internet banking.
4. Under the present regime, there is an obligation on banks to maintain secrecy and confidentiality of customers’ accounts/information. In the Internet banking scenario, the risk of banks not meeting the above obligation is high on account of several factors. Despite all reasonable precautions, banks may be exposed to enhanced risk of liability to customers on account of breach of secrecy, denial of service etc., because of hacking / technological failures. The banks should, therefore, have in place adequate risk control measures to manage such risks.

The guidelines also highlight the security features to be adopted. In particular, speaking on the authentication, the circular says

“There is a legal risk in not using the asymmetric cryptosystem and hash function for authenticating electronic transactions.

For carrying out critical transactions like fund transfers, the banks, at the least,

need to implement robust and dynamic two-factor authentication through user id/password combination and second factor like

(a) a digital signature (through a token containing digital certificate and associated private key, preferably for corporate customers) or

(b) One Time Password (OTP) / dynamic access code through various modes (like SMS over mobile phones or hardware token).”

Though the OTP is provided as an alternative, it is important for Banks to remember the “Legal Risk” that RBI has warned the Banks of. In the GGWG circular, special mention had been made on the S.Umashankar Vs ICICI Bank case and hence Banks should be wary of introducing any systems which is not ITA 2008 compliant.

All said and done, one cannot deny that RBI is providing information security guidelines from time to time and the ball is transferred to the Court of the Banks to implement them or face the “Legal Risk”.

While larger Banks have the access to necessary expertise in the form of well qualified and informed CISOs, the smaller Banks will not find it easy to access either professionals or technology for managing their information security at affordable costs.

However, since these Banks cannot ignore security, they need to find a solution to this challenge of  “Information security at affordable cost” and if they ignore this responsibility, they will be facing undue business risks that may pose a grave survival risk. Many times genuine business problems leading to financial failure in these institutions will be unfairly interpreted as a “Fraud” and “Scam” and adversely publicized by the news hungry media leading to arrest and humiliation of the Directors even when they are honest.

I therefore request all the Directors of small Banks including Co Operative Banks to immediately bestow their attention on reviewing their “Compliance Status” and build a “Compliance Shield” to protect them from adverse developments.

Naavi is trying to work out a suitable strategic solution to such small Banks to harden their security posture at a reasonable cost.

Naavi

Naavi  has been an advocate of Cyber Insurance for a long long time. However, the market seems to be dragging its feet either because the insurance companies are too scared to touch the unknown risks involved or the insurance seekers are not pushing them for the service. To understand the status of the Cyber Insurance industry in India, a Cyber Insurance Status study  titled “India Cyber Insurance Survey 2015” was undertaken. Some aspects of this survey has been briefly referred to on this site earlier. Now based on the results of the survey, a more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community….Naavi

When the study was being planned, one of the discussions was whether we should call it a “Cyber Insurance” or “Cyber Crime Insurance”. Though ultimately it was decided that the nomenclature would not make any difference, the discussion highlighted the dilemma on what should be the driving force for a “Cyber Insurance Policy” and who should be the beneficiaries of such an insurance.

The survey obtained different responses on this aspect through multiple questions. However one of the direct questions asked was who should be covered in the Cyber Insurance policy.

The response was

–100% agree that corporates are to be covered

–Only 58% consider individuals are to be covered

–74% want Non Commercial organizations also to get cover

Most of the respondents were professionals working in organizations and hence it was natural that 100% of them wanted the insurance to cover the corporates.

However, it was significant to note that only 58% thought that Cyber Insurance should cover Individuals and 74% said that it should cover other organizations such as NGOs.

It was intriguing that 42% of the respondents who are also individuals in their own right and are exposed to personal cyber crime related risks did not consider that they needed insurance protection.

One of the reasons why such a self defeating opinion was expressed was that perhaps many did not believe that there could be a Cyber Insurance policy that can cover individuals.

A minority of them might have felt that if corporates are covered, individuals also may be indirectly protected.

There is no doubt that Cyber Risks affect both individuals and corporates and most of the times, individuals are affected through breaches at the corporate level.

However in the current status of digitization of Commerce and Governance in India, it is important to realize that individuals are getting exposed directly to Cyber Crime related risks and Organizations are using loopholes in law and their bullying strength to escape liabilities when the ultimate loss can be shifted to the individuals.

Naavi has been in the forefront of the fight for Netizen’s protection particularly in cases involving Bank frauds where the “Intermediary Responsibilities” under ITA 2008 have been invoked to argue that Banks and other intermediaries should pick up the liabilities arising out of cyber crimes such as Phishing.

The Government of India under the Digital India program has placed increased reliance on Aadhaar and JanDhan yojana which are exposed to high risk of mass security compromise. I have brought it to the attention of the Government including the PMO that in the coming days, the JanDhan Yojana could be the target of cyber attack since it not only can help the attackers to siphon off money, but also discredit Mr Modi before the next elections.

The risk is so daisy that political parties in India which have no qualms of supporting Pakistani terror groups even by falsifying records and blaming patriotic soldiers of the country as the kingpins of terror, may themselves attack the e-Governance systems and cause havoc. If this risk materializes, then the burden of such attack will be on the individual members of the public. Political parties may use mass attacks on e-Governance projects as a tool for their political gains unmindful of the damage that it may cause on the citizens like you and me.

It is for this reason that Naavi has strongly felt that Cyber Insurance should be a mandatory protection that Government should organize for users of JanDhan Yojana as well as the Mobile and Internet Banking customers.

When RBI wanted to consider new Banking licenses, even the RBI Governor was sounded out with a request that new licensees need to be mandatorily required to provide Cyber Insurance cover for their customers. Unfortunately, the sights of the RBI Governor Mr Raghuram Rajan was so far removed from safe E-Banking that there was no attempt to impose such responsibilities on the new banking licensees.

We can therefore say that both the Government as well as the RBI have for now rejected the need for individuals to be protected by Cyber Insurance and our respondents seemed to reflect the same attitude.

When it comes to coverage of risks in the corporate environment, while the “Own Damage” coverage refers to the loss suffered directly by an insured company, the “Liability loss ” depends on the loss suffered by the customers of the company. If these customers are directly covered by the insurance, then the liability of the company in which the breach occurred would automatically get reduced.

For example, if there is a group insurance scheme under which all the customers of a mobile banking application are insured to the extent of say Rs 5000/-, then when a breach occurs at the application owner (say a Bank) and individuals suffer a loss, the liability that the Bank needs to cover gets reduced to the extent the individuals are already covered.

Hence, if individuals are provided Cyber Crime insurance cover, it only acts as a sub limit in the coverage of the organization in which the breach occurred.

 The reason why Insurance coverage to individuals are preferred is that such a cover will provide an opportunity to harden the security at the individual level since individuals will now see a direct benefit in following security practices mandated by an insurance company before the claims could be settled.  After all, the insurance companies will have plenty of excuses to deny the claim if the individual has compromised on an of the security principles.

I therefore still advocate that Cyber Insurance should be extended to individuals to enable them take direct insurance at a low cost and also as a “Group” associated with any organization.

If any Insurance Company is innovative, they can encourage many self help groups to collectively insure themselves against defined Cyber Crime risks even outside the ambit of the Banks.

For example, as an administrator of a WhatsApp group on Information Security, I may seek cyber insurance for all my members using say mobile apps such as Paytm, Ola Money, iMobile etc. subject to a maximum of say Rs 5000/- per member per incident. I will simultaneously build awareness of the security requirements with all the members so that majority of them will follow the security practices.

I suppose this would be a manageable risk for the insurance company and can be priced with a nominal premium. In the process, it would also encourage all the members of the group to follow a certain discipline.

I am aware that individuals would like to be covered for much more than Rs 5000/- but this could be a good beginning to cover mobile related risks. At the same time, higher coverage can be provided outside the group insurance scheme.

Similarly, companies and educational institutions may encourage all their employees or students to obtain a group Cyber Insurance to protect themselves from losses arising out of Cyber Crimes outside the company’s own activities, undertaking to build awareness of security amongst its employees. Slowly the aggregation of such groups will provide a large base of insured Netizens and not only generate enough revenue to the Insurance company but also make the society more secure.

This is an illustration and many other strategies can be developed by self help groups and Banks to improve the security culture in the society using the insurability as an incentive. This will be beneficial both to the society and to the insurance company itself.

At the same time, I consider that it is the duty of the Government and RBI to mandate Cyber Insurance at the Bank level so that the risk of loss is reduced at the gross level. The Government has already instituted many insurance proposals for farmers and rural folk and RBI has reiterated the need for Cyber Insurance in its policy guidelines. What is now required for them to do is just take steps to implement Cyber Insurance also in such a manner that users of Digital India services will be protected from financial losses.

Hope the PMO is listening…..

Naavi

An Advisory has been issued by deity on ITA 2008 compliance requirements by matrimonial websites.

It is well known that matrimonial websites are “Intermediaries” under ITA 2008 and the guidelines already issued under Section 79A for “Due Diligence”are applicable. Such rules are applicable not only for matrimonial sites but also for many other types of websites including Job portals and corporate websites. It is therefore surprising that this advisory has been issued now as if there was no such requirement so far. This advisory is therefore considered redundant though one can say that perhaps it can be treated as a reminder for the websites which never considered ITA 2008 compliance as their duty.

In fact the right thing to do was for CERT-IN to issue notices to some of these websites and imposing some fines for not following the Sec 79 rules. This would have a more salutary effect on them.

By issuing the advisory only for matrimonial websites and not for other websites it appears as if this is not required for others. The advisory should have clarified this matter.

We would like to keep every other website that collects personal information of the public with or without displaying them on the website is also liable for maintaining the records as indicated in the advisory failing which they will be liable for any offence committed with the use of such information.

Naavi

Over the years, RBI has grown in multiple directions and the management of its responsibilities is getting increasingly complicated. The media is obsessed with the monetary policy related functioning of the RBI such as the management of interest rates and liquidity ratios. The discussions on Raghuraman Rajan’s continuation and its impact on the stock markets is an indication of this obsession.

However, one of the areas which the public are interested and what we normally focus through these columns is how RBI manages the security of Banking operations in the technology era. This covers the work of DBOD and the Department of Payment and Settlements.

The perception is that DBOD focussses more on Loans and frauds related to loans where as all  the new generation issues such as cards and mobile wallets are directed by the Department of Payments and Settlements. However when we discuss “Frauds”, RBI normally talks of NPAs and Loan related issues as “Frauds” and the Cyber Crime related frauds which we try to focus is normally relegated to the background. This is the reason why RBI does not have a proper statistics of credit card and Phishing related frauds as revealed in many RTI applications.

It appears that the Department of Payment and Settlement  focusses on introduction of technology and leaves it to the DBOD to deal with the fraud related issues. The converging point for both is the issue of “Information Security”.

In June 2001, RBI first came up with the Internet Banking Guidelines based on the passage of ITA 2000. Then in April 29, 2011, RBI came up with the GGWG based guidelines on E Banking security which took into account the amendments to ITA 2000 made in 2009 (ITAA 2008) and some data protection elements implemented in 2011.

In the last month or so, there have been some serious activity on Information Security in RBI. First an IT Subsidiary was formed in RBI to take care of Information Security requirements of RBI itself. Probably, this would automatically absorb the activities of the Information Technology Cell of RBI.

Additionally, it has been informed that this subsidiary will also advise the regulated Banks on Information Security requirements.

On June 2, Department of Banking Supervision came up with a comprehensive guideline that revised the June 29, 2011 circular on E Banking Security. This circular did not mention the IT Subsidiary but recognizes existence of a “Cyber Security and Information Technology Examination (CSITE) cell of the Department of Banking Supervision. It is not clear if this is the same as the IT cell which was in existence earlier or is a different monitoring and audit  section.

All along, there was one subsidiary institution called IDRBT which was assisting RBI in technology related issues.

Thus we now have an IT Subsidiary, IDRBT and the CSITE Cell as the trinity of  institutions being involved in guiding and advising Banks on Information Security.

IDRBT has already issued an Information Security framework, GGWG had issued its own framework and now the Cyber Security framework is the third framework that has been provided by RBI to guide the Banks in information security issues. While the earlier frameworks were more technical in nature, the recent Cyber Security Framework is more in the “Techno Legal Nature” as we normally recognize.

Banks therefore need to negotiate through multiple RBI arms and their guidelines to work on Compliance. This would be a challenge which the CISO s of Banks need to negotiate. Let us not forget that there is also the CERT-IN and several Government agencies which have been empowered under ITA 2000/8 to monitor the activities of the Banks and CISOs need to worry about satisfying the compliance requirements of these entities also.

The Bank CISOs would find it better if there is clarity on what is expected of them and if there is a good coordination between these three institutions.

In fact one wonders if there was really a need for the creation of multiple institutions instead of entrusting IDRBT with the responsibilities that the new IT Subsidiary is expected to discharge but this discussion may be redundant at this point and the two subsidiaries need to work together along with the departments supervising their activities.

I suppose the relative responsibilities of the three institutions would crystalize over time and all the three will find some justification to exist irrespective of the efficiency considerations.

In terms of “Compliance” however, there would be possibilities of some confusion when different guidelines come up from different organizations overlapping in terms of operational issues.

The CISO’s of Banks should through their CISO Forum ensure that there is clarity on the functioning of these three organizations and coordination of their activities so that the Banks are not left not left to handle inter departmental non coordination issues.

 I also envisage that soon the Compliance issues will grow beyond the capabilities of the CISOs and every Bank will have to create designated Compliance Officials and the Chief Compliance Officers need to form their own Forum and address some of the issues raised in the recent Cyber Security Framework.

As regards the trinity of Cyber Security institutions that have now come to exist, it would be necessary for them to form a coordination committee amongst themselves so that any instruction/guidance going out from any of them to the Banks carry the approval of all of them.

This “Cyber Security Regulation Coordination Committee for Banking in India” could be the apex body which will be a single point policy formulation entity that could absorb all the problems arising out of the existence of multiple organizations with overlapping functions.

I suggest any of these three entities may take steps to formalize the formation of this committee.

Naavi

One of the customers of SBI has reported a faulty behaviour of the NEFT system in SBI which needs to be explored both by SBI and the RBI. It could be considered as causing a “Legal Risk” both to the Bank itself as well as the customers.

The customer has sent video evidence of the incident which is with me and I am not immediately posting it in public domain since it contains information that is confidential. It can however be shared with SBI or RBI if it is requested.

The observation reported is this:

As we all know, when a customer logs into the account, he can view the previous transactions. In the incident referred to, the customer observed that there was an NEFT receipt from one Mr X. But when the customer refreshes the transactions, each time he sees different names as the remitter of the NEFT credit. One time it says money received from X or and another time Y or Z and so on. The amount and the transaction number  remains the same but only the name changes.

The customer has not so far lost any money due this peculiar behaviour which appears to be a bug in the software and it is said that the changing of the names of the remitter stops after lapse of a period which could be after the transaction moves to a different status in the server.

However, my objection is this:

If I capture the screen record at one point of time, it will show all the details of the customer and an evidence  that a remittance with a certain transaction ID has been received from Mr X. At another time, the same transaction is shown as money received from Y and yet another time it is shown as Z and so on.

This means that the evidence presented by the server is unreliable and any other information from a similar source presented as evidence either under Section 65B or under Banker’s Book of Evidence Act will be unacceptable in a Court of Law.

We can interpret this issue in two ways:

1. We can demand that no Court should henceforth accept any evidence presented from SBI server showing a remittance since it is unrelaible and could be a result of a faulty software. or
2. We can say that SBI has manipulated the evidence to show a person who has not sent the money as the remitter.

-This is “Tampering” with the electronic file and an offence under Section 65, 66 and other sections of ITA 2000/8.

-These are cognizable offences under which the SBI officer responsible for the business and the CEO and Directors may face prosecution.

I request SBI and RBI to undertake an investigation of this incident and whether this is a one off occurrence with the particular customer or it occurs with others.

This report appearing in a public website is to be treated as an “Incident” coming to the knowledge of SBI and RBI and should be documented in the books of SBI.  Also, according to the recent “Cyber Security Framework” released by RBI  it should be reported to the RBI in the periodical report along with its resolution.

(P.S: If after a time, an RTI with RBI does not show the report of this incident, then it would confirm that there was non compliance of the RBI guideline.)

I look forward to appropriate action from SBI and RBI, though I would not be least surprised if both of them simply ignore this public notice and carry on with the “All is Well Syndrome”.#

#”All is Well Syndrome” is a behavioural trait often expressed by Information Security professionals,  businessmen, regulators and software professionals that nothing will go wrong and has gone wrong in their systems and occasional reports of bugs are better ignored… a trait which is the bane of all compliance managers.

Naavi