Naavi.org

One of the customers of SBI has reported a faulty behaviour of the NEFT system in SBI which needs to be explored both by SBI and the RBI. It could be considered as causing a “Legal Risk” both to the Bank itself as well as the customers.

The customer has sent video evidence of the incident which is with me and I am not immediately posting it in public domain since it contains information that is confidential. It can however be shared with SBI or RBI if it is requested.

The observation reported is this:

As we all know, when a customer logs into the account, he can view the previous transactions. In the incident referred to, the customer observed that there was an NEFT receipt from one Mr X. But when the customer refreshes the transactions, each time he sees different names as the remitter of the NEFT credit. One time it says money received from X or and another time Y or Z and so on. The amount and the transaction number  remains the same but only the name changes.

The customer has not so far lost any money due this peculiar behaviour which appears to be a bug in the software and it is said that the changing of the names of the remitter stops after lapse of a period which could be after the transaction moves to a different status in the server.

However, my objection is this:

If I capture the screen record at one point of time, it will show all the details of the customer and an evidence  that a remittance with a certain transaction ID has been received from Mr X. At another time, the same transaction is shown as money received from Y and yet another time it is shown as Z and so on.

This means that the evidence presented by the server is unreliable and any other information from a similar source presented as evidence either under Section 65B or under Banker’s Book of Evidence Act will be unacceptable in a Court of Law.

We can interpret this issue in two ways:

1. We can demand that no Court should henceforth accept any evidence presented from SBI server showing a remittance since it is unrelaible and could be a result of a faulty software. or
2. We can say that SBI has manipulated the evidence to show a person who has not sent the money as the remitter.

-This is “Tampering” with the electronic file and an offence under Section 65, 66 and other sections of ITA 2000/8.

-These are cognizable offences under which the SBI officer responsible for the business and the CEO and Directors may face prosecution.

I request SBI and RBI to undertake an investigation of this incident and whether this is a one off occurrence with the particular customer or it occurs with others.

This report appearing in a public website is to be treated as an “Incident” coming to the knowledge of SBI and RBI and should be documented in the books of SBI.  Also, according to the recent “Cyber Security Framework” released by RBI  it should be reported to the RBI in the periodical report along with its resolution.

(P.S: If after a time, an RTI with RBI does not show the report of this incident, then it would confirm that there was non compliance of the RBI guideline.)

I look forward to appropriate action from SBI and RBI, though I would not be least surprised if both of them simply ignore this public notice and carry on with the “All is Well Syndrome”.#

#”All is Well Syndrome” is a behavioural trait often expressed by Information Security professionals,  businessmen, regulators and software professionals that nothing will go wrong and has gone wrong in their systems and occasional reports of bugs are better ignored… a trait which is the bane of all compliance managers.

Naavi

Recently, NASSCOM (through DSCI) conducted product promotion seminars for FIDO alliance at Mumbai and Bangalore, introducing some online authentication solutions along with some partners of FIDO alliance in India like Persistent Systems.

According to the website of FIDO alliance, FIDO stands for Fast IDentity Online and FIDO alliance is a US based non profit organization [Section 501(c)(6) organization] nominally formed in July 2012 and has certain solutions which are aimed at helping the users who need strong authentication in the form of strong passwords but find it difficult to remember multiple passwords across different service providers. FIDO claims that they are creating a new open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. The objective is said to be to remove the world’s dependency on passwords.

FIDO claims membership of several organizations including Microsoft, Google, Paypal, Qualcomm, Bank of America etc who represent online service providers who need their customers to use passwords and two factor authentication for using their services.

Membership to the FIDO alliance is open to different organizations with the following fee structure.

a) Board Member : US $ 50,000

b)Sponsor : US $25,000

c) Government: US$ 15,000

d) Associate: US$ 2,500 to 15,000

Members may also pay fees for testing and certification after they implement the “Online authentication standard”. Basically, the members will be entitled to different commercial benefits such as use of FIDO alliance trademark, etc.

Each of the members may implement the common standards which are tested and certified to enable interoperability of what is called the “Standards” so that they may use the process as part of their authentication mechanism.

To be brief, what these standards imply are that there will be two kinds of solutions.

a) One is a solution that substitutes the OTP over mobile process as second factor authentication. (U2F)

b) Second is a solution where the biometrics of the user is used as a password to trigger a digital signature authentication. (UAF)

From the presentations made during the event in Bangalore, the following information emerged.

1. Both UAF and U2F use an USB token
2. In the UAF protocol, an user registers himself at a website (eg at Paypal) providing his biometric along with other profile details such as his name, address etc. This generates an RSA key pair in the token and the public key is sent to the web server where it is stored along with the profile details.
   1. When next time an authentication is required to be used, the user provides his biometric to the token which creates an authentication request encrypted with the private key developed during the registration process and sends it to the web service provider. It is decrypted with the public key already available and authentication is accepted as per the registered records.
   2. The system is said to be able to also capture additional parameters such as facial recognition and key stroke pattern as additional parameters of authentication.
3. In the U2F protocol, the token will have a button which when pressed sends the private key encrypted message to the authentication server. Biometric is not used. This substitutes the current OTP mechanism where the user has to wait for a pin to be received either on his mobile or e-mail and submit it back for authentication.

It is clear that FIDO alliance is a sort of marketing alliance where all have agreed to use a common methodology and implement the “Standard” at their individual costs and benefit by the collective marketing. A 501 (c)(6) entity is called a “Non Profit” organization but is allowed to “perform activities dedicated to improving the conditions of their industry, including lobbying and promotion”. If lobbying is the organization’s primary purpose, it must notify its members of the percentage of dues being allocated to lobbying expenses.

As far as FIDO alliance is concerned, it is fine for the alliance to lobby and enroll members in India. However, NASSCOM joining in the promotion of the FIDO alliance raises certain questions which need to be answered by NASSCOM board and I look forward to their response.

Primarily,the so called “Standard” uses no “KYC” and the person declares himself as who ever he is. Even when a biometric is provided, it is not authenticated. On the other hand, in India we have the e-signature method where a biometric is authenticated with reference to the Aadhar data base which forms a KYC process. Similarly, even the simple OTP process through mobile has the backing of a KYC conducted by the  mobile operator. (We can ignore the problems arising out of inefficient KYC conducted by a Mobile service provider or Aadhaar enumerator at this point of time).

FIDO process is therefore not in conformity with the KYC process which is mandatory in India for Banking transactions above a certain limit.

Secondly, the public-private key pair used in FIDO alliance standard is not the system certified by a licensed certifying authority in India  who is responsible for KYC. (Again we can ignore the inefficiencies in this process).

The FIDO process therefore fails to comply with the RBI requirement of KYC and ITA 2000/8 requirement of a digital signature/electronic signature.

During the interaction, I was informed by one of the implementers namely Persistent Systems (a public limited company based in Pune) that at least two Banks in Mumbai have already signed up for the alliance and it would be necessary to know which are the Banks which have agreed to use this system and whether they have taken any special permission from RBI in this regard. (I look forward to more information in this regard).

Under these doubts it is surprising that NASSCOM is endorsing this event and misleading the industry.

Through these columns

I am requesting NASSCOM and DSCI  to inform me

-How it is endorsing this disguised marketing activity of a non Cyber Law Compliant process of digital authentication.

I am also requesting RBI to get information and reveal

-which are the two Banks which have signed up with Persistent Systems Pune for FIDO alliance system to be used for their authentication purpose and

-whether any assessment has been made on the compliance or otherwise of KYC and ITA 2008 compliance and approval given.

This information can be sought under RTI but I suppose it would not be required.

The objective of this article is to bring to the notice of NASSCOM and RBI that some commercial activities may be unwittingly promoted by Government agencies against the law of the land and if so they need to be identified and corrected.

At this point of time, I am not accusing FIDO alliance of trying to by-pass the Indian law since I presume that they are not aware of the existence of the legal provisions in ITA 2000/8 as well as the KYC procedures mentioned above. I also consider that Persistent Systems may not be aware of these provisions and hence there is no allegation on any of these parties that they have deliberately tried to flout the rules.

However, it is definitely necessary to bring these objections to the notice of the industry so that no entrepreneur including the start ups in Bangalore who are into many digital activities involving online authentication starts using this service in substitution of the mobile based OTP or e-sign or the traditional digital signature as a means of digital authentication like the two unnamed banks in Mumbai.

If NASSCOM and DSCI agree with my point of view, I expect them to respond and also send out circulars to all the participants of the two seminars in Mumbai and Bangalore disclaiming their responsibility on the legal validity of the said FIDO standard and giving reasons thereof.

I request readers to send this information to the relevant NASSCOM and DSCI members if they have their contacts. In case whatever mentioned above is not correct, I am willing to publish a suitable rejoinder as may be required. Those of the readers who are technically proficient may study the standard specifications available on the website and check if they provide any more information either in support of or in opposition to the views expressed here.

Naavi

RBI has been from time to time providing guidelines to Banks for managing the Information Security aspects. Recently, RBI also has created an Information Security Subsidiary which apart from looking after the Information Security in RBI will also provide policy guidelines to the Banking industry as a whole.

While the IT subsidiary is kicking off its activities with the appointment of a CEO (Mr Nandakumar Sarvade), RBI has come up with a notification on a “Cyber Security Framework for Banks”, vide its circular dated June 2, 2016, RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16) as an extension of the circular of April 29, 2011, after the well known GGWG report on which extensive comments were made in 2011.

In particular the new circular of June 2, 2016, recognizes the growing sophistication of attacks in the Banking sector and highlights the need to putting in place an “adaptice Incident Response”, Management and Recovery framework to deal with adverse incidents/disruptions, if and when they occur.

Some of the key aspects of the circular are reproduced here. (Detailed Circular is available here)

1. Banks need to communicate to the Cyber Security and Information Technology Examination (CSITE) cell of the DBOD that they have in place a “Cyber Security Policy” elucidating the strategy containing an appropriate approach to combat Cyber threats.
2. The Cyber Security policy is to be distinct from the broader IT Policy/IS Security policy of a Bank and highlight the risks from cyber threats and measures to address/mitigate these risks.
3. While identifying the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats.
4. It is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not yet been done. It is  essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.
5. Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.
6. A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. Cyber-risk is different from many other risks and hence the traditional BCP/DR arrangements may not be adequate. 
7. Banks need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
8. The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness.
9. It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Banks are required to report promptly the incidents, in the format given. 
10. The format indicates that the report on  “Cyber Incidents” submitted within two to six hours, which includes an “Impact Assessment” including the “Legal Impact”. (Looks too good to be true!)
11. The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the Chief Information Security Officer.
12. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized.
13. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing.
14. It is well recognised that stakeholders’ (including customers, employees, partners and vendors) awareness about the potential impact of cyber-attacks helps in cyber-security preparedness of banks. Banks are required to take suitable steps in building this awareness.
15. Concurrently, there is an urgent need to bring the Board of Directors and Top Management in banks up to speed on cyber-security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction.
16. A Copy of this circular may be placed before the Directors in the ensuing meeting

A close observation of the guidelines indicate that this is significantly different and aggressive than the earlier guidelines and comes close to what Naavi has been suggesting as “Techno Legal Information Security”. RBI must be congratulated for coming up with these guidelines.

The responsibility of the Directors is being emphasized by the insistence of placing the circular in the next meeting. The circular also recognized that the data is processed by the Bank as an “Owner” and not as an “Intermediary” which was often a point of difference in my discussions with the Bankers. Another notable feature is that by including the “Zero day” attacks in the list of threats, the expectation on the security measures required has been significantly enhanced.

The CISOs will no longer be feeling comfortable with this circular which actually will force Banks to create a separate “Cyber Security Policy” over and above the “Information Security Policy”. This may also require a seggregation of duties by designating a separate “Cyber Security Compliance Officer” in addition and above the CISO.

The policy also highlights the need for Banks to consider “Data with outsource vendors” as “Data owned by the Bank” and ensure its security. This will require a significant additional oversight on the vendors.

A new measurement criteria has been suggested to be developed by the Banks to assess their preparedness and this calls for some effort from the Banks.

Obviously the “Gap Assessment” will be one of the requirements that banks have to immediately undertake and this will develop the further road map for the Bank. Since “Gap Assessment” is an assessment of the current status, it can be and should be ordered immediately. Hence, the Board of Directors after taking note of this circular should immediately order a Gap assessment and expect the results to be available by the  next board meeting. Otherwise they need to record a delay in compliance at that meeting, failing which, their oversight will itself show a shortfall.

Independent directors should take special note of this requirement and should not allow this circular to be brushed under the carpet.  (They can expect numerous RTI applications from industry watch dogs which should keep them on their toes).

Overall, the circular has brought a “Quantum Jump” in the  Reasonable Security Practice criteria of ITA 2008 which should shake up the industry.

We may add however that in the past RBI has been good in providing advisories to the Banks but has not cared to follow up. Major Banks have used their clout in IBA to delay or defer good practices that RBI has tried to initiate. This circular should not be allowed to be treated in a similar manner.

Now that RBI has also set up an IT Subsidiary in addition to the Cyber Security and Information Technology Examination (CSITE) Cell referred to above, it would be interesting to observe the role segregation between the IT subsidiary and CSITE. Perhaps CSITE should continue to monitor the member Banks while the subsidiary will get busy with the Information Security within the RBI.

Also the role of IDRBT which was hither to taking care of advising Banks on security matters including providing security clearances on applications (which might have been ignored in recent years) may get revised since the CSITE and the IT subsidiary already will be addressing similar concerns.

It would be interesting to watch how the CISOs of Banks start reacting to this circular. I am sure that if the implications of the circular sync in, they will not be able to sleep properly at least for some time now.

Naavi has been critical of RBI management in recent days basically because of its inability to push e-banking security. This circular will address most of these concerns. I only hope that the guidelines will not simply remain on paper and RBI will develop its own plan of action to monitor the implementation over the next few quarters.

Pushing Banks for compliance should not be forced on Netizen activists through RTI applications and should be part of the responsibility of a person in RBI who should be designated as a “Compliance Monitoring Official”.

Hopefully, Mr R.Ravikumar, the CGM who has issued this circular should consider himself the “Chief Cyber Security Compliance Monitoring Officer” and develop a road map/check list for himself to follow up.

I would have appreciated that the circular had also mandated submission of a monthly compliance report signed by the Chairperson and Managing Director to RBI before 5th of every month and to be placed before the Board in subsequent meetings for their post-facto information and approval.

Perhaps this can still be done and I suggest RBI to add this guidance.

To summarize, great news for Customers of E Banking… difficult time for CISOs and Independent Directors in Banks.

Naavi

It appears that, of late, the US FDA has been tightening the implementation of CFR part 11 regulations regarding maintenance of records in electronic form.

The tremors are being felt now in India since these regulations also affect Indian pharma companies whose drugs are in the US market. Non compliance may lead to FDA warning notices to the Pharma companies.

These regulations not only affect the Pharma companies, seeking FDA clearances for their drugs or equipments, but also the IT companies who provide services to such companies.

Hence  “CFR Part 11 compliance” has now become a point of focus even for the Indian IT industry who manufacture software and provide other cloud based services to the FDA regulations exposed entities in USA.

It appears that  there has been significant resistance from the US Pharma industry to the regulations to the extent that the regulator himself is apologetic about implementing the regulations in a “narrow” manner, very much unlike the aggressive stance taken by HIPAA regulators.

One of the objections is of course because the industry thinks that compliance will cost a bomb. However, this is only a bogey raised by the industry to escape the regulation.

I wish the Indian stakeholders donot get perturbed by the US tirade that this compliance is expensive and therefore prefer to defer it. I have  been working on HIPAA regulatory compliance for Indian Business Associates since more than a decade and assure that  this CFR part 11 compliance is neither expensive nor technically problematic.

With my earlier experience on HIPAA compliance and ITA 2008 compliance, I am already in the process of setting up a suitable framework for both Indian Pharma industries and  Indian software industries which should make the implementation uncomplicated.

In my considered opinion,  if a company implements a good ITA 2008 compliance program, it is not difficult to also be in compliance of CFR part 11.

However most companies at present are not compliant with ITA 2008 and some have only a name sake compliance of ITA 2008. Since the Indian regulatory authorities are not strong on implementation, companies are able to declare themselves to be ITA 2008 compliant though they are really far from being compliant.

Hence even those companies who declare themselves to be ITA 2008 compliant or ISO 27001 compliant or PCI DSS compliant may not pass the muster for CFR Part 11 compliance.

Directors of such companies therefore need to personally look into the requirements of CFR part 11 compliance without going by the assertion of their subordinates that they are compliant either to ITA 2008 or CFR part 11.

If therefore there is any organization in India which is exposed to CFR Part 11 regulations such as

1. The Pharma Companies
2. Software development company with a product offer to the Pharma companies
3. Mobile App development company with a product offer to the Pharma companies
4. Cloud service operators who provide hosting and data management services to pharma companies, etc.,

I suggest that they  immediately review their compliance program and take steps for compliance as may be required.

I would be happy to provide any further clarification to any company which wants further information on this new domain of compliance.

Naavi

For the last few weeks, intense debate has ensued on whether the RBI Governor, Mr Raghuram Rajan should get a second term or not.

The media has been batting for an extension of Mr Rajan’s tenure as if he is a Messiah for the Indian future and without him the economy is doomed. They however seem to be reacting more to the fact that Dr Subramanya Swamy has been in the camp that has an opinion that Mr Rajan need not get an extended term.

Dr Swamy has his reasons both economic and others. The way the media anchors of all major English channels are reacting, it is clear that they are trying to build the case for extension as if it is a PR campaign.

Fortunately, Mr Jaitely, Mr Modi or Mr Amit Shah have not given enough ammunition for the media anchors to make it a BJP vs Rajan issue and it remains a  Swamy Vs Rajan issue.

Naavi.org has also been commenting on the role of the Governor of RBI not from the point of view of his contribution to control inflation but his failure not to address the issue of “Security for Depositors”, arising out of insecure banking practices, information security oriented risks and Cyber Frauds. The media has not however made any comment on the failures of RBI on this Cyber Fraud prevention front.

Naavi.org did point out on occasions that Mr Rajan has been obsessed with his role as an “Economist” and has not fulfilled his role as “A Regulator of the Indian Banking System”. It was as if he was suffering from a “Role Set” and could not see beyond the interest rate regime, the CRR/SLR regime and lately the NPA regime. All these are fine. But they cannot be the only objectives of the institution of RBI.

Let’s now see some of the areas on which media should research and provide us information on the following:

During the last few years there has been serious issues of farmer’s debt leading to many suicides and also creating a political backlash on the Modi Government.

Did Rajan undertake any steps to improve rural debt system to ease the difficulties of the farmers? ..No.

Has Mr Rajan ever commented on the raising retail prices due to hoarding of essential commodities by select wholesalers and how RBI could help in controlling the same? ..No

Has Mr Rajan ever espoused the cause of Small and Medium industries who are unable to meet the growing import competition from China?

Has he ever made any policy tinkering to support the “Make in India” campaign which the Government wants to push hard? …No

As regards Cyber Frauds,

Has Mr Rajan ever even recognized the growing problems which small banking customers are facing because of Mobile and Internet Frauds?

Has he ever commented on how Banks have been unfairly treating the fraud victims dragging them to Courts and enjoying the fruits of the Bank’s negligence?

Has he responded to the repeated requests from the undersigned that “Cyber Insurance” should be made mandatory for Banks at least as a part of the new Bank licensing process?

Has Mr Rajan taken action against Banks for their failure to follow KYC causing frauds of various types including cloning f Cards, Cloning of Cheques, Phishing etc…..

Answers to all these are No, No and No.

Mr Raghuram Rajan has thrust Core Banking on all Urban Cooperative Banks and allowed Social Media Banking in a few Banks without appreciating that these Banks are unprepared for the leap in technology.

All these failures have resulted in the Risk of technology Banking being unfairly hoisted on poor customers of Banks. It was only during the last one month that a “Cyber Security Subsidiary” has been spoken of. We are yet to see how this project takes off during the next term of the next Governor, who ever he is.

I therefore demand the Media anchors including the anchors of CNN IBN, NDTV, India Today, Times Now etc try to evaluate the performance of Mr Rajan more comprehensively than what they are doing now.

Dr Swamy has not only pointed out the failure of Mr Rajan in bringing down interest rates which Dr Swamy feels could have stimulated the economy and helped in achieving a higher growth, but also indicated that Mr Rajan tried to help Mr Karti Chidambaram by leaking some information from ED.

If Dr Swamy makes such an allegation, it cannot be brushed aside since Dr Swamy is not a  Kejriwal. Dr Swamy is methodical and when he makes an allegation, he knows that he needs to back up with prima facie evidence and most of the times, single handedly takes it to its logical conclusion in Courts. So, I would not make the mistake of ignoring his accusations.

During many occasions in the past, Mr Rajan has given an impression that he is against the policies of the current Government. Though we can accept part of it as a positive aspect of the Governor being independent, the possibility of him trying to discredit the current Government as Dr Swamy suspects, cannot be ruled out.

Under the circumstances, extending his term by another three years could be considered as a “Risk” by the current Government.

While the media may continue to debate and try to create a favourable opinion to get him an extension, and Mr Rajan may also try to make a last minute effort to drop the interest by 0.5 % in the next policy due in a couple of days, Modi Government should find out a good substitute and give a happy farewell to Mr Rajan.

This would be good for both the Government and Mr Rajan himself since any further disclosures from Dr Swamy may embarass everybody. I am sure that Dr Swamy would not escalate the issue if Government decides to replace Mr Rajan at the end of his term instead of taking any action now.

Naavi

Related Articles:

Has RBI really woken up from its slumber?

What does the new RBI Governor has to say for this?

At naavi.org, we have been discussing the issues of Cyber Crimes and Cyber Law since 1998. After initial years of focus on Cyber  Laws, we moved to discussing the proactive defense in the form of Techno Legal Information Security and Cyber Law Compliance.

Recently, we have moved into discussion on  “Cyber Dispute Resolution” in the form of ADR/ODR.

Along with this we need to also devote some attention on “Cyber Insurance” since it engulfs all other aspects of Cyber Security which we have discussed so far in the different niche areas.

A few months back, Naavi initiated an all India survey on Cyber Insurance to document the current status of the Cyber Insurance industry in India, along with a few other like minded persons. Some aspects of this survey has been shared in some of the earlier articles.

Naavi has been a strong advocate for developing Cyber Insurance industry in India since atleast a decade but the response of the industry has been luke warm. It is only in the last three years that some Insurance companies have been seriously talking of Cyber Insurance. However the user industry is still not keen on adoption since there is a mismatch between the expectations of the Insurers and the user  industries regarding the coverage and cost.

It was one of the objectives of the survey that we bring a focus on the industry so that both the service offeror and the potential customer of the insurance products understand what is on the table.

It was known that the current knowledge of the product in the user industry would be low and hence the response on the survey also would be low. At the same time, it was also known that the insurers were few and would not like to share their views in a survey. Despite this known handicap we went about the survey trying to contact over 1000 information security professionals to elicit responses through e-mail. Finally, we had a small sample of 50 who gave the complete response and had to settle for closing the survey though the initial target aimed was at least 100..

During the time of the survey and before, I have also personally tried to draw the attention of the decision makers upto Prime Minister Mr Modi as well as Mr Raghuram Rajan the Governor of RBI through all known means to make Cyber Insurance concept a part of their policy initiatives.

However, it was regrettable to note that neither the visionary Mr Modi nor the much acclaimed economist Governor Rajan seemed to appreciate the importance of even initiating a preliminary discussion on Cyber Insurance.

Mr Modi introduced and pushed some insurance products for farmers and rural folk in the form of Crop insurance and low cost life insurance. However, he failed to respond to the need of Cyber Insurance though his other programs on “Digital India” are increasing the Cyber Risk even for the rural folk at an alarming rate.

Similarly, Mr Raghuram Rajan is increasingly driving RBI policies on technology to the use of high risk Mobile and Social Media platforms without a corresponding protection either in the form of increased information security initiatives or Cyber Insurance. Naavi urged RBI to make Cyber Insurance mandatory for new Banks being licensed, but RBI would take no such initiative.

We also have to take on record that the Union Ministry of IT under Mr Ravishankar Prasad and the CERT-IN have also been completely oblivious to the increasing Cyber Risks and the need for Cyber Insurance.

It was also observed that the insurance regulator and the top insurance industry players also did not respond to many of the approaches made by the undersigned either to start discussing the subject in their forum or to actively participate in the survey. In fact I was surprised that the Insurance industry leaders were still grappling with the problem of using IT in Insurance industry rather than providing insurance cover against Cyber Crimes. The industry leaders are at least 10 to 15 years behind the current market developments and are not expected to be able to understand the requirements of the Cyber Insurance industry for long time to come. The few companies who have started offering Cyber Insurance policies are only reproducing the policies of their international partners. This represents a very depressing state of affairs in the Insurance industry for whom Cyber Insurance could be a huge opportunity.

(P.S: I would be glad to be challenged on these comments and welcome industry players to raise their objection if any)

In the light of this all round apathy on protecting the interests of Netizens who are every day bombarded with news of Cyber Crimes and losses in E-Banking and M-Banking, it is left to a few individuals such as the undersigned to continue their mission on educating the market on the need for Cyber Insurance with the hope that some day others will wake up from their slumber.

In this endeavour, I would like to share the detailed findings through a series of forthcoming articles so that more people would be interested in the subject.

The objective of unraveling this series of articles is to enhance the understanding of the subject of Cyber Insurance amongst Netizens so that sooner or later they start pressurizing the institutions to introduce cyber insurance as a standard warranty to their products.

We hope that Mr Modi’s team will wake up from their “All is Well Syndrome” and start working on Cyber Insurance along with the Digital India and Smart City programs.

……..This is Naavi’s proposition to BJP/NDA in the eve of their review of  “Two years in Governance”

…..Watch out for more in the coming articles….

Naavi