New Cyber Security Framework for Banks will shakeup CISOs in Banks.

RBI has been from time to time providing guidelines to Banks for managing the Information Security aspects. Recently, RBI also has created an Information Security Subsidiary which apart from looking after the Information Security in RBI will also provide policy guidelines to the Banking industry as a whole.

While the IT subsidiary is kicking off its activities with the appointment of a CEO (Mr Nandkumar Saravade), RBI has come up with a notification on a “Cyber Security Framework for Banks” (vide its circular dated June 2, 2016, RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16) as an extension of the circular of April 29, 2011, which followed the well known GGWG report on which extensive comments were made in 2011.

In particular, the new circular of June 2, 2016, recognizes the growing sophistication of attacks in the Banking sector and highlights the need to put in place an “adaptive Incident Response, Management and Recovery framework” to deal with adverse incidents/disruptions, if and when they occur.

Some of the key aspects of the circular are reproduced here. (Detailed Circular is available here)

  1. Banks need to communicate to the Cyber Security and Information Technology Examination (CSITE) cell of the DBOD that they have in place a “Cyber Security Policy” elucidating the strategy containing an appropriate approach to combat Cyber threats.
  2. The Cyber Security policy is to be distinct from the broader IT Policy/IS Security policy of a Bank and highlight the risks from cyber threats and measures to address/mitigate these risks.
  3. While identifying the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats.
  4. It is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not yet been done. It is essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.
  5. Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.
  6. A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. Cyber-risk is different from many other risks and hence the traditional BCP/DR arrangements may not be adequate. 
  7. Banks need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
  8. The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness.
  9. It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Banks are required to report promptly the incidents, in the format given. 
  10. The format indicates that the report on “Cyber Incidents” is to be submitted within two to six hours, and that it includes an “Impact Assessment” including the “Legal Impact”. (Looks too good to be true!)
  11. The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the Chief Information Security Officer.
  12. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized.
  13. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing.
  14. It is well recognised that stakeholders’ (including customers, employees, partners and vendors) awareness about the potential impact of cyber-attacks helps in cyber-security preparedness of banks. Banks are required to take suitable steps in building this awareness.
  15. Concurrently, there is an urgent need to bring the Board of Directors and Top Management in banks up to speed on cyber-security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction.
  16. A Copy of this circular may be placed before the Directors in the ensuing meeting.

A close observation of the guidelines indicates that these are significantly different from, and more aggressive than, the earlier guidelines and come close to what Naavi has been suggesting as “Techno Legal Information Security”. RBI must be congratulated for coming up with these guidelines.

The responsibility of the Directors is being emphasized by the insistence of placing the circular in the next meeting. The circular also recognized that the data is processed by the Bank as an “Owner” and not as an “Intermediary” which was often a point of difference in my discussions with the Bankers. Another notable feature is that by including the “Zero day” attacks in the list of threats, the expectation on the security measures required has been significantly enhanced.

The CISOs will no longer be feeling comfortable with this circular, which will actually force Banks to create a separate “Cyber Security Policy” over and above the “Information Security Policy”. This may also require a segregation of duties by designating a separate “Cyber Security Compliance Officer” in addition to and above the CISO.

The policy also highlights the need for Banks to consider “Data with outsource vendors” as “Data owned by the Bank” and ensure its security. This will require a significant additional oversight on the vendors.

New measurement criteria are to be developed by the Banks to assess their preparedness, and this calls for some effort from the Banks.

Obviously the “Gap Assessment” will be one of the requirements that banks have to undertake immediately, and this will shape the further road map for the Bank. Since a “Gap Assessment” is an assessment of the current status, it can be and should be ordered immediately. Hence, the Board of Directors, after taking note of this circular, should immediately order a Gap Assessment and expect the results to be available by the next board meeting. Otherwise they need to record a delay in compliance at that meeting, failing which their oversight will itself show a shortfall.

Independent directors should take special note of this requirement and should not allow this circular to be brushed under the carpet. (They can expect numerous RTI applications from industry watchdogs, which should keep them on their toes.)

Overall, the circular has brought a “Quantum Jump” in the Reasonable Security Practice criteria of ITA 2008, which should shake up the industry.

We may add however that in the past RBI has been good in providing advisories to the Banks but has not cared to follow up. Major Banks have used their clout in IBA to delay or defer good practices that RBI has tried to initiate. This circular should not be allowed to be treated in a similar manner.

Now that RBI has also set up an IT Subsidiary in addition to the Cyber Security and Information Technology Examination (CSITE) Cell referred to above, it would be interesting to observe the role segregation between the IT subsidiary and CSITE. Perhaps CSITE should continue to monitor the member Banks while the subsidiary will get busy with the Information Security within the RBI.

Also, the role of IDRBT, which was hitherto taking care of advising Banks on security matters including providing security clearances on applications (which might have been ignored in recent years), may get revised since the CSITE and the IT subsidiary will already be addressing similar concerns.

It would be interesting to watch how the CISOs of Banks start reacting to this circular. I am sure that once the implications of the circular sink in, they will not be able to sleep properly, at least for some time now.

Naavi has been critical of RBI management in recent days basically because of its inability to push e-banking security. This circular will address most of these concerns. I only hope that the guidelines will not simply remain on paper and RBI will develop its own plan of action to monitor the implementation over the next few quarters.

Pushing Banks for compliance should not be forced on Netizen activists through RTI applications and should be part of the responsibility of a person in RBI who should be designated as a “Compliance Monitoring Official”.

Hopefully, Mr R.Ravikumar, the CGM who has issued this circular should consider himself the “Chief Cyber Security Compliance Monitoring Officer” and develop a road map/check list for himself to follow up.

I would have appreciated that the circular had also mandated submission of a monthly compliance report signed by the Chairperson and Managing Director to RBI before 5th of every month and to be placed before the Board in subsequent meetings for their post-facto information and approval.

Perhaps this can still be done and I suggest RBI to add this guidance.

To summarize, great news for Customers of E Banking… difficult time for CISOs and Independent Directors in Banks.

Naavi


Posted in Cyber Law | 1 Comment

FDA CFR Part 11 regulations and Indian Companies

It appears that, of late, the US FDA has been tightening the implementation of CFR part 11 regulations regarding maintenance of records in electronic form.

The tremors are being felt now in India since these regulations also affect Indian pharma companies whose drugs are in the US market. Non compliance may lead to FDA warning notices to the Pharma companies.

These regulations not only affect the Pharma companies, seeking FDA clearances for their drugs or equipments, but also the IT companies who provide services to such companies.

Hence “CFR Part 11 compliance” has now become a point of focus even for the Indian IT industry, which develops software and provides other cloud based services to the FDA-regulated entities in the USA.

It appears that there has been significant resistance from the US Pharma industry to the regulations, to the extent that the regulator himself is apologetic about implementing the regulations in a “narrow” manner, very much unlike the aggressive stance taken by HIPAA regulators.

One of the objections is of course because the industry thinks that compliance will cost a bomb. However, this is only a bogey raised by the industry to escape the regulation.

I wish the Indian stakeholders do not get perturbed by the US tirade that this compliance is expensive and therefore prefer to defer it. I have been working on HIPAA regulatory compliance for Indian Business Associates for more than a decade and can assure that this CFR Part 11 compliance is neither expensive nor technically problematic.

With my earlier experience on HIPAA compliance and ITA 2008 compliance, I am already in the process of setting up a suitable framework for both Indian Pharma industries and Indian software industries which should make the implementation uncomplicated.

In my considered opinion, if a company implements a good ITA 2008 compliance program, it is not difficult to also be in compliance with CFR Part 11.

However, most companies at present are not compliant with ITA 2008, and some have only a compliance in name. Since the Indian regulatory authorities are not strong on implementation, companies are able to declare themselves to be ITA 2008 compliant though they are really far from being compliant.

Hence even those companies who declare themselves to be ITA 2008 compliant or ISO 27001 compliant or PCI DSS compliant may not pass muster for CFR Part 11 compliance.

Directors of such companies therefore need to personally look into the requirements of CFR part 11 compliance without going by the assertion of their subordinates that they are compliant either to ITA 2008 or CFR part 11.

If therefore there is any organization in India which is exposed to CFR Part 11 regulations such as

  1. The Pharma Companies
  2. Software development company with a product offer to the Pharma companies
  3. Mobile App development company with a product offer to the Pharma companies
  4. Cloud service operators who provide hosting and data management services to pharma companies, etc.,

I suggest that they immediately review their compliance program and take steps for compliance as may be required.

I would be happy to provide any further clarification to any company which wants further information on this new domain of compliance.

Naavi

Posted in Cyber Law | 2 Comments

Dr Swamy bowls a googly at Raghuram Rajan… Is media carrying a biased campaign?

For the last few weeks, intense debate has ensued on whether the RBI Governor, Mr Raghuram Rajan should get a second term or not.

The media has been batting for an extension of Mr Rajan’s tenure as if he is a Messiah for the Indian future and without him the economy is doomed. They however seem to be reacting more to the fact that Dr Subramanian Swamy has been in the camp that holds the opinion that Mr Rajan need not get an extended term.

Dr Swamy has his reasons both economic and others. The way the media anchors of all major English channels are reacting, it is clear that they are trying to build the case for extension as if it is a PR campaign.

Fortunately, Mr Jaitley, Mr Modi and Mr Amit Shah have not given enough ammunition for the media anchors to make it a BJP vs Rajan issue, and it remains a Swamy vs Rajan issue.

Naavi.org has also been commenting on the role of the Governor of RBI, not from the point of view of his contribution to controlling inflation but his failure to address the issue of “Security for Depositors” arising out of insecure banking practices, information security oriented risks and Cyber Frauds. The media has not, however, made any comment on the failures of RBI on this Cyber Fraud prevention front.

Naavi.org did point out on occasions that Mr Rajan has been obsessed with his role as an “Economist” and has not fulfilled his role as “A Regulator of the Indian Banking System”. It was as if he was suffering from a “Role Set” and could not see beyond the interest rate regime, the CRR/SLR regime and lately the NPA regime. All these are fine. But they cannot be the only objectives of the institution of RBI.

Let’s now look at some of the areas on which the media should research and provide us information:

During the last few years there has been serious issues of farmer’s debt leading to many suicides and also creating a political backlash on the Modi Government.

Did Rajan undertake any steps to improve rural debt system to ease the difficulties of the farmers? ..No.

Has Mr Rajan ever commented on the rising retail prices due to hoarding of essential commodities by select wholesalers and how RBI could help in controlling the same? ..No

Has Mr Rajan ever espoused the cause of Small and Medium industries who are unable to meet the growing import competition from China?

Has he ever made any policy tinkering to support the “Make in India” campaign which the Government wants to push hard? …No

As regards Cyber Frauds,

Has Mr Rajan ever even recognized the growing problems which small banking customers are facing because of Mobile and Internet Frauds?

Has he ever commented on how Banks have been unfairly treating the fraud victims dragging them to Courts and enjoying the fruits of the Bank’s negligence?

Has he responded to the repeated requests from the undersigned that “Cyber Insurance” should be made mandatory for Banks at least as a part of the new Bank licensing process?

Has Mr Rajan taken action against Banks for their failure to follow KYC, causing frauds of various types including cloning of Cards, cloning of Cheques, Phishing etc.?

Answers to all these are No, No and No.

Mr Raghuram Rajan has thrust Core Banking on all Urban Cooperative Banks and allowed Social Media Banking in a few Banks without appreciating that these Banks are unprepared for the leap in technology.

All these failures have resulted in the Risk of technology Banking being unfairly hoisted on poor customers of Banks. It was only during the last one month that a “Cyber Security Subsidiary” has been spoken of. We are yet to see how this project takes off during the term of the next Governor, whoever he is.

I therefore demand the Media anchors including the anchors of CNN IBN, NDTV, India Today, Times Now etc try to evaluate the performance of Mr Rajan more comprehensively than what they are doing now.

Dr Swamy has not only pointed out the failure of Mr Rajan in bringing down interest rates which Dr Swamy feels could have stimulated the economy and helped in achieving a higher growth, but also indicated that Mr Rajan tried to help Mr Karti Chidambaram by leaking some information from ED.

If Dr Swamy makes such an allegation, it cannot be brushed aside since Dr Swamy is not a Kejriwal. Dr Swamy is methodical and when he makes an allegation, he knows that he needs to back it up with prima facie evidence and, most of the time, single-handedly takes it to its logical conclusion in Courts. So, I would not make the mistake of ignoring his accusations.

During many occasions in the past, Mr Rajan has given an impression that he is against the policies of the current Government. Though we can accept part of it as a positive aspect of the Governor being independent, the possibility of him trying to discredit the current Government as Dr Swamy suspects, cannot be ruled out.

Under the circumstances, extending his term by another three years could be considered as a “Risk” by the current Government.

While the media may continue to debate and try to create a favourable opinion to get him an extension, and Mr Rajan may also try to make a last minute effort to drop the interest by 0.5 % in the next policy due in a couple of days, Modi Government should find out a good substitute and give a happy farewell to Mr Rajan.

This would be good for both the Government and Mr Rajan himself, since any further disclosures from Dr Swamy may embarrass everybody. I am sure that Dr Swamy would not escalate the issue if the Government decides to replace Mr Rajan at the end of his term instead of taking any action now.

Naavi

Related Articles:

Has RBI really woken up from its slumber?

What does the new RBI Governor have to say for this?


Posted in Cyber Law

The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”

At naavi.org, we have been discussing the issues of Cyber Crimes and Cyber Law since 1998. After initial years of focus on Cyber Laws, we moved to discussing the proactive defense in the form of Techno Legal Information Security and Cyber Law Compliance.

Recently, we have moved into discussion on  “Cyber Dispute Resolution” in the form of ADR/ODR.

Along with this we need to also devote some attention on “Cyber Insurance” since it engulfs all other aspects of Cyber Security which we have discussed so far in the different niche areas.

A few months back, Naavi, along with a few other like minded persons, initiated an all India survey on Cyber Insurance to document the current status of the Cyber Insurance industry in India. Some aspects of this survey have been shared in some of the earlier articles.

Naavi has been a strong advocate for developing the Cyber Insurance industry in India for at least a decade, but the response of the industry has been lukewarm. It is only in the last three years that some Insurance companies have been seriously talking of Cyber Insurance. However, the user industry is still not keen on adoption since there is a mismatch between the expectations of the Insurers and the user industries regarding the coverage and cost.

It was one of the objectives of the survey that we bring a focus on the industry so that both the service offeror and the potential customer of the insurance products understand what is on the table.

It was known that the current knowledge of the product in the user industry would be low and hence the response to the survey also would be low. At the same time, it was also known that the insurers were few and would not like to share their views in a survey. Despite this known handicap we went about the survey trying to contact over 1000 information security professionals to elicit responses through e-mail. Finally, we had a small sample of 50 who gave the complete response and had to settle for closing the survey, though the initial target aimed at was at least 100.

During the time of the survey and before, I have also personally tried to draw the attention of the decision makers, up to Prime Minister Mr Modi as well as Mr Raghuram Rajan, the Governor of RBI, through all known means to make the Cyber Insurance concept a part of their policy initiatives.

However, it was regrettable to note that neither the visionary Mr Modi nor the much acclaimed economist Governor Rajan seemed to appreciate the importance of even initiating a preliminary discussion on Cyber Insurance.

Mr Modi introduced and pushed some insurance products for farmers and rural folk in the form of Crop insurance and low cost life insurance. However, he failed to respond to the need of Cyber Insurance though his other programs on “Digital India” are increasing the Cyber Risk even for the rural folk at an alarming rate.

Similarly, Mr Raghuram Rajan is increasingly driving RBI policies on technology to the use of high risk Mobile and Social Media platforms without a corresponding protection either in the form of increased information security initiatives or Cyber Insurance. Naavi urged RBI to make Cyber Insurance mandatory for new Banks being licensed, but RBI would take no such initiative.

We also have to take on record that the Union Ministry of IT under Mr Ravishankar Prasad and the CERT-IN have also been completely oblivious to the increasing Cyber Risks and the need for Cyber Insurance.

It was also observed that the insurance regulator and the top insurance industry players also did not respond to many of the approaches made by the undersigned either to start discussing the subject in their forum or to actively participate in the survey. In fact I was surprised that the Insurance industry leaders were still grappling with the problem of using IT in Insurance industry rather than providing insurance cover against Cyber Crimes. The industry leaders are at least 10 to 15 years behind the current market developments and are not expected to be able to understand the requirements of the Cyber Insurance industry for long time to come. The few companies who have started offering Cyber Insurance policies are only reproducing the policies of their international partners. This represents a very depressing state of affairs in the Insurance industry for whom Cyber Insurance could be a huge opportunity.

(P.S: I would be glad to be challenged on these comments and welcome industry players to raise their objection if any)

In the light of this all round apathy on protecting the interests of Netizens who are every day bombarded with news of Cyber Crimes and losses in E-Banking and M-Banking, it is left to a few individuals such as the undersigned to continue their mission on educating the market on the need for Cyber Insurance with the hope that some day others will wake up from their slumber.

In this endeavour, I would like to share the detailed findings through a series of forthcoming articles so that more people would be interested in the subject.

The objective of unraveling this series of articles is to enhance the understanding of the subject of Cyber Insurance amongst Netizens so that sooner or later they start pressurizing the institutions to introduce cyber insurance as a standard warranty to their products.

We hope that Mr Modi’s team will wake up from their “All is Well Syndrome” and start working on Cyber Insurance along with the Digital India and Smart City programs.

……..This is Naavi’s proposition to BJP/NDA on the eve of their review of “Two years in Governance”

…..Watch out for more in the coming articles….

Naavi

Posted in Cyber Law | 1 Comment

Chhattisgarh Adjudicator passes compensation order for Rs 22 lakhs

When on July 16, 2013, naavi.org pointed out in its article “Loans Through SMS?” that something fishy was going on under the website http://www.cgtmse-govt.in, it was the first time anyone had done so. It was pointed out that the website could be a fraudulent site trying to lure innocent loan seekers and that it impersonated a Government website.

Subsequently, one of the readers (Mr Vinod) made some personal investigation and confirmed that the physical addresses given on the site were non-existent. At that time the main focus was that there was impersonation of a website, cgtmse-govt.in. It was repeatedly pointed out that the Government should take action in bringing down this phishing site.

However, Government did not do anything and the fraudulent website continued even after the Government changed in the Center from UPA to NDA. The site content promptly changed to suit the change in the Government.

Much later, with some of the efforts of people in Nagpur including Mr Mahendra Limaye, the site was closed.

In the meantime many people had lost money responding to the offer from the website. One such entity was Tushar Kant Mohanty of Raipur, who had lost Rs 22.36 lakhs. The amount was transferred from the victim’s account to the accounts of the fraudsters in Axis Bank and Punjab National Bank, two Banks frequently used by fraudsters due to prevailing loose KYC practices.

Fortunately, the victim has now been able to recover his amount from the balance that was available at PNB through an order from the Chhattisgarh Adjudicator.

Mr Mahendra Limaye must be congratulated on the successful conclusion of his client’s case and obtaining him the relief.

However, it is observed that the adjudicator has not found fault with CGTMSE, which was grossly negligent in facilitating the fraud, particularly after it was informed way back in June 2013 that a fraud was being committed in its name. The Mohanty fraud occurred in April 2014, nearly a year after the fraud was brought to light, and all those who contributed to the fraud through negligence and inaction should have been made to pay a price for it.

Similarly, the Adjudicator has only ordered recovery of the credit balance that was available in the PNB’s account and has not penalized PNB and Axis Bank for being “Fraudster’s Bankers”.

Axis Bank has also not been made the respondent and hence escaped liability.

The Adjudicator should realize that Mohanty’s case is representative of the many other frauds that these fraudsters have committed, and it is the duty of the Adjudicator to protect the interest of all these victims, some of whom might not be in Chhattisgarh or Maharashtra and were not the complainants in this particular complaint.

However, the Adjudicator had the power to take suo motu cognizance of all such frauds and hold PNB, Axis Bank and CGTMSE liable for facilitating the fraud through their negligence and lack of due diligence under Section 79 and Section 85 of ITA 2000/8.

He could have also provided further damages to Mohanty to cover his expenses.

While we appreciate the Adjudicator for the order at a time when there are no other Adjudicators in the Country taking up such complaints, we would have been happier if the order had simultaneously held that the Banks and CGTMSE were liable to all others who had been defrauded by these fraudsters. He could have collected a fraud recovery amount of around 100 lakhs from CGTMSE, PNB and Axis Bank, acted as a receiver, collected applications from other victims and settled their claims. This would have set a precedent that would have helped in driving a sense of responsibility into these Banks and other agencies like CGTMSE.

Probably, Mahendra Limaye should file an additional petition on behalf of “Unknown Victims” and get a compensation awarded collectively like a “Class Action”. I suppose ITA 2000/8 has necessary powers.

I hope PNB or the fraudster does not challenge the order, so that the victim can at least be happy that his actual loss has been recovered. Since the Cyber Appellate Tribunal is not operating, an appeal, if any, may arise only in the Chhattisgarh High Court. I urge that the High Court should not intervene to grant any stay on this order if an appeal is made to it.

Naavi

Reference: Copy of the order


Posted in Cyber Law

Cyber threat Scenario-HPE Security Research Report 2016

Hewlett Packard Enterprise has released its latest report (HPE Cyber Risk Report 2016) providing an interesting perspective on the threat landscape prevailing in 2015. The report is compiled by the research team from an analysis of data collected from open source intelligence.

The research highlights the following key themes.

  1. Collateral damage
  2. Overreaching regulations
  3. Need for Broad impact solutions
  4. Decoupling Privacy and Security efforts
  5. Persistence of earlier threats
  6. Attacks on Applications
  7. Monetization of Malware

The detailed report is available here.

The report highlighted that in several instances, attacks touched people who never dreamed they might be involved in a security breach, causing collateral damage. Two cases cited as examples of such collateral damage were the cases involving the United States Office of Personnel Management and Ashley Madison.

The report also highlighted that the reaction of the regulators to the attacks was often damaging and counterproductive. It was observed that overreaching regulations pushed legitimate security research underground.

The report indicated that the fixes to vulnerabilities should move from releasing patches for individual vulnerabilities to building sustainable defences to prevent attacks. It urges Adobe and Microsoft in particular to invest in broad asymmetric fixes that knock out many vulnerabilities at once.

An interesting observation held out in the report is that the revelations by Edward Snowden and other whistleblowers have led to moves to erode “Privacy” rights in preference to “Security” needs.

It was also observed that many of the incidents arose from bugs already known to the market indicating that there was negligence in implementing security patches of the earlier years.

The report indicates that attackers have shifted efforts to attacking applications directly rather than attacking the perimeter network. It observes that with the increasing use of Mobiles, the perimeter of a network is in the user’s pocket, and the security practitioner needs to recognize this.

The report also highlights the growing malware market which has strengthened the attack industry and increased its disruptive capabilities.

Security professionals need to study the report in detail and factor the observations while building the security in their respective environments.

Naavi

Posted in Cyber Law