An Open Letter to Sri Modi on Cyber Insurance

18th September 2015

To

Sri Narendra Modi, Honourable Prime Minister, Government of India

Sub: “Cyber Insurance For All Netizens of India”

 Dear Sir,

One of the distinguishing features of the Governance model adopted by your Government is its reliance on technology. “Smart Governance through E-Governance” is the recognizable face of this Government.

In pursuance of this policy, you have adopted “Aadhar” as the core citizen identity and are linking every welfare program of the Government to this e-identity of the Citizens. In a way you are converting every Citizen to a Netizen. With ambitious projects such as “Smart Cities” and “Digital India” on the anvil, the dependence of the society on technology is only going to increase.

I am fully in support of this push for the use of technology for development and have been advocating such a policy for a long time, as documented at www.naavi.org. I had also advocated a “Charter of Demand for Netizens” which included several initiatives including “Digital ID for all Citizens of India” and “E Consumer Protection”. I request you to kindly take some time to look into these suggestions.

I firmly believe that success or failure of your Government will be hugely influenced by the success or failure of the E-Governance model which you are adopting and hence no stone should be left unturned to make it a success.

However, I always keep recalling how Mr Chandrababu Naidu lost an election despite his many good E-Governance measures in Andhra Pradesh and this should be remembered as a lesson for people like you who want to do good things but the society may not be fully ready for absorbing the long term thoughts.

 Cyber space has its fair share of risks and any society dependent on Cyber technology is open to the adverse effects of cyber attacks from cyber criminals, cyber terrorists and Cyber war capable nations.

It is therefore a certainty that such cyber attacks will have to be faced by the society from time to time. Measures to prevent an adverse fallout therefore should be considered as inevitable.

We know that Cyber risks are an essential evil that has to be endured, but politicians in the opposition will easily portray any adverse attack as a consequence of “Anti People Policies” of the Government.

For example, in case there is a Cyber attack on the Indian Banking system and 10000 customers lose their money in their JanDhan accounts, opposition will say that it is a scam and all the money has been misused by BJP politicians. In a charged atmosphere that may follow, the perception battle is more likely to be won by the opposition than the Government.

If therefore your Government needs to insulate itself from the risks of being blamed for Cyber risks, you need to go an extra mile to ensure that citizens don’t lose out because of cyber attacks.

In this context, I suggest that there is a need for a policy of “Cyber Insurance for All” as a means of protecting the Netizens from the vagaries of Cyber risks.

“Cyber Insurance” is a protection against financial losses arising out of cyber crimes such as “Phishing”, “Identity Theft”, “Denial of Services”, “Hacking” etc. It includes frauds involving cloning of credit cards, debit cards, ATM cards, Aadhar data, etc. It includes mobile related frauds, which will be one of the biggest threats of the future, where a large number of victims will each lose a small amount, making it impossible for them to invoke any traditional legal remedy such as approaching the Courts.

Just as “Drip Irrigation” is essential to fight the vagaries of failure of rains in the agricultural sector, “Cyber Insurance” is essential to fight the risks of cyber attacks in the Digital environment.

In the Motor Insurance area there is already a concept of Mandatory Third Party insurance. A similar policy is required in the E Commerce and E Banking area.

Of late, RBI has issued many licenses for Payment Banks and Small Banks as well as new generation Banks. These will all be heavily technology dependent and the customers will hold all the risks. Hence RBI should be persuaded to mandate that all new Banking licensees introduce mandatory Cyber Insurance for their customers.

Kindly don’t be swayed by any argument that Cyber risks are not “insurable” since it is too huge a risk to be covered or that no insurance company may be interested etc. Presently, insurance companies are doing a profitable cyber insurance business but are restricting it to companies and not extending it to individuals. They are milking the higher end of the market and are avoiding the lower end because they feel it is expensive to manage. They need to be persuaded and incentivized to provide the retail cyber insurance policies.

If the Rs 12 per year accident insurance policy for a cover of Rs 2 lakhs against accidents is commercially feasible, the individual cyber crime insurance policy that protects the individuals against any loss to the extent of say Rs 10000/- to Rs 25000/- per incident must also be feasible.

I therefore suggest and also urge you to adopt the “Cyber Insurance for ALL” as a new policy of the Government to support its Digital India initiative.

Regards

Yours faithfully

 Na.Vijayashankar (Naavi)

Founder: www.naavi.org


Cyber Insurance Website launched

In pursuance of Naavi’s efforts to promote the concept of Cyber Insurance in India, Naavi has launched a dedicated website, cyberinsurance.org.in, to discuss all issues of Cyber Insurance in India.

Naavi considers Cyber Insurance an important developing field because in the era of increasing Cyber threats accompanied by an increasing usage of Internet in a Digital India, the Netizen community needs to be protected against the risks.

Naavi also considers that Cyber Insurance is an extension of the Techno Legal Information Security activities since “Risk Transfer” is one of the four ways Risks can be managed in business, the others being Risk avoidance, Risk absorption and Risk Mitigation.

For the last several years, Naavi has been discussing the issue of Cyber Insurance with several industry players but found very little interest in the subject in the market place.

The reasons are many. Some may consider that like many of Naavi’s obsessions, this is ahead of its time and the business is yet to mature. Some may have no confidence that this is a viable business. Some may think it is somebody else’s responsibility.

The recent India Cyber Insurance Survey 2015 and the interactions Naavi has had with professionals in the Insurance industry do suggest that there is still a lot of ground to be covered in this field by both the Insurance industry as well as the Information Security industry.

But Naavi considers that this ground has to be covered if our dream of Digital India is not to end up as a disaster.

Naavi has urged PM Mr Narendra Modi that just as he launched the life and accident insurance schemes for the masses as a part of his national agenda, he needs to push Cyber Insurance as part of Digital India agenda.

We hope that in due course this would be accepted as a policy in the Government.

In the meantime, we shall continue our efforts to popularize the concept of Cyber Insurance and also provide whatever assistance is required by the industry to enhance the use of Cyber Insurance.

For some time there may be dual posting of articles between naavi.org and cyberinsurance.org.in.

However, I expect that Cyberinsurance.org.in should attract contributions from other professionals and develop into a community website.

I welcome contributions.

Naavi


Techno Legal Business brings a turf war in Cyber Forensics area.. Where are IS professionals?

Technology has disrupted many traditional business practices. For example, Banking before and after technology has never been the same. In the same way, ever since Cyber Laws became a prominent practice area, lawyers have found that their traditional practice domain has been disrupted.

Today, it is almost impossible to run an efficient litigation without using Cyber evidence and Cyber law. If any firm is unable to make proper use of evidence, most of which is in electronic form, and is also unable to run a good cross examination of witnesses trying to prove or disprove the electronic evidence presented, it would find it difficult to be effective in litigation. Hence good legal firms have found it necessary to use the services of experts where required and also develop in house expertise in Cyber Forensics.

When it comes to using the services of high end experts, the firms have a difficulty in forging a long term association because those professionals may not be qualified advocates and hence cannot be partners in business.

At the same time, the Chartered Accountants who are already in the domain of whatever is called “Auditing” have also been fighting to get into the space of “Forensics” since their internal audit work in any Corporate environment lands them in fraud investigation in electronic environment and associated Cyber Forensics.

They also have difficulty in forging long term association with Techno Legal experts who can assist them in the auditing work when it comes to “Compliance Audit” or “Fraud Audit”.

Actually, “Cyber Forensics” is an area which is highly technical and should have been a natural domain of a software or hardware specialist. Professionals in this tech field should normally be found in organizations such as Computer Society of India but they seem to be absent in the race for business in Cyber Forensics. There is also a professional group belonging to the “Information Security Domain” which includes those who are certified with diplomas such as “Certified Ethical Hacker”, “CISSP”, “Network Forensics” etc. who also claim to be experts in Cyber Forensics and have a say in this domain. But this set of professionals do not have a strong organization and hence most of the Information Security audit work is done by Chartered Accountants with CISA qualification rather than core information security expertise.

This Economic Times Report highlights the emerging Turf war between law firms and the Big Four accounting firms. It is stated that law firms are poaching forensic experts from Big Four firms and even launching legal action charging the Big Four firms with running unauthorized legal practice. (See this report)

Essentially, Law Firms are trying to take protection from the “Advocates Act” which tries to reserve legal practice to registered members of the Bar Council. This tendency for “Reservation” is also present in the Chartered Accountants who also prevent non-CAs from joining firms run by CAs in providing corporate advice. The Company Secretaries and Computer Society professionals are not so well organized to fight for their own turf in the corporate scenario.

Now that the Delhi Bar Council has taken the issue to the Court, there is going to be a big fight for “Reservation” of business between the Advocates and Chartered Accountants.

Given that the Judicial Community has emerged only from the advocate community, the judicial fight may be skewed towards the advocate community and there is a huge conflict of interest between the Judiciary and this dispute.

The undersigned has always opposed every kind of reservation in life and is not comfortable with the professional agencies using their clout to reserve parts of the business to themselves. (Naavi himself has faced issues in forging partnership with law firms and CA firms though both use his services for improving the quality of their services.)

However, the Cyber Forensic business is a new business area which involves Technology, Law and Auditing expertise. We can even say that Forensics involves analysis of the “Behaviour” of the technology user, which is a “Behavioural Science” skill. Naavi has been a pioneer in projecting Information Security as a three dimensional expertise of Technology, Law and Behavioural Science. However, these domains of expertise developed in recent years and there were no formal degrees and diplomas in these fields until recently. As a result, the law graduates who claim their right to litigate Cyber Crime cases have no relevant qualification in Cyber Laws, nor are the Chartered Accountants who qualified in the past and claim their right to auditing today exposed to technology issues as they should be. Hence the claims of reservation of business based on qualifications appear to be unreasonable.

It appears that a day has come where the “Disruptive” aspect of technology has come into the area of “Reserved Professional Practice” and it is time that the restrictions placed on legal firms partnering non legal practitioners as well as Chartered Accountant firms partnering non-CAs should be summarily removed. We must recognize that the technology areas require collaboration of people with different skills and, in the interest of clients who require efficient services, a legal firm needs technology, accounting and behavioural science experts in its fold and the Big Four or other CA firms also need Cyber Law experts and Experts in international law, taxation law etc. in their fold.

Instead of the top legal firms fighting with top accounting firms in Courts, they need to forge an alliance and ensure that the mutual exclusions which they have used in the past, which I call “Reservation Mentality”, are dropped and “Merit” prevails in the profession.

We however would advise that both the legal firms and Big Four should not compromise to keep the Information Security professionals outside the area of Information Security Audit and Forensics. In fact these professions should study the case which Delhi Bar Council has brought and implead themselves to put up their arguments if required so that they are not pushed out by the law firms and Big Four from the field of Cyber Forensics.

Probably the case brought up by the Delhi Bar Council has more to do with corporate advisory services in the area of Mergers and Acquisitions and less with Cyber Forensics. However, the principle of “Exclusivity in Professional Practice” is a potential “Frankenstein” and should be curbed before it gains any judicial validity through this case. If IS professionals are negligent, then lawyers and chartered accountants may declare that Cyber forensics is their exclusive business domain and make IS professionals subordinate to either of the professions!

Naavi


Data Theft by a Senior Bank Employee in Mumbai… Is it vendetta?

It is reported that Mumbai police are pursuing a data theft complaint against a senior Bank employee in Mumbai. According to this TOI report, the senior employee (a lady), with 20 years of working in the Bank in the past, resigned and is due to join another Bank.

The allegation is that some time after resignation, she has taken away some confidential information belonging to the Bank on her pen drive. The complaint has been made by the Bank manager.

The report

There are many inconsistencies in the report and there is every indication that it could be a motivated report. More clarification is required before it is given credence.

According to the Bank manager, “She got access, after quitting the job, on the pretext of taking down data stored in her computer system in her office”. Bank officials complained that she took the data without the knowledge of anyone present on the premises.

The complaint was lodged on September 9, 2015, whereas the person left the Bank on April 21. It is not clear when she got the access and how the manager came to know the “pretext” when nobody was present in the premises.

According to the TOI report, a spokesperson of the Bank is supposed to have stated “The data was related to Reserve Bank of India rules and banking policies, which the suspect can misuse”.

If the data related to RBI guidelines, it is not clear what is the confidentiality involved.

If the Bank is concerned, it could as well be a case of some information which the Bank is afraid would harm its reputation. If it was simply rules and policies, there is no reason for the Bank to file a complaint except as a vendetta against a parting executive.

It would be interesting to observe how the case develops.

If the Police conduct a proper investigation, there is every possibility that the complainant himself may turn out to have indulged in some offence.

There is however a need for the defense to handle this technical case with some intelligence as otherwise the weight of the complainant’s organization may have a bearing on the way the case proceeds from now on.

Naavi

Maharashtra Government finds a unique PPP model!

During our childhood, we have heard of stories of a Fox and Bear who agree for collaborative cultivation. For the first crop they agree that whatever grows above the soil belongs to Fox and whatever grows underneath the soil belongs to the Bear. Fox suggests that they grow tomatoes. Bear works hard and when the cultivation is ready, Fox walks off with all tomatoes and the Bear is unhappy. Fox convinces the bear for the next crop and agrees that what grows above the soil will now belong to the Bear and what grows underneath the soil belongs to the Fox. Bear agrees. Fox suggests that they grow ..potatoes…. so the story goes…

It appears that Maharashtra Government has now implemented a PPP model of a similar nature where the Government and Mumbai Police in particular will promote a PPP project in which all the revenue goes to a private party while the Government and the Police are only used to promote the project for the benefit of the private partner.

I refer to a project called coin.org.in which is projected as a platform for global law enforcement people with information, training and support for investigation of cyber crimes. However it also invites the public to become members of the project at a membership cost up to Rs 24000/- per year.

The website however does not provide any information on the revenue sharing between the Government and the Private partner.

Some time back, we had exposed the case of e2labs which had used the Union Home Ministry, CERT IN etc to promote its business and tried to convince investors to invest in its company. On verification with CERT IN it was found that the claims made by e2labs in the investment promotion presentation prepared by a well known investment banker were false. The information was later withdrawn.

Presently the coin.org.in project appears to be heading in the same direction.

For the record, we appreciate the nature of the venture. We have no issue with the project being a commercial project. However, using the Government and Mumbai Police to project as if this is a Government project but retaining the entire commercial revenue with itself is not considered ethical. The disclosures on the website as of now do not provide a truthful representation of the status of the project and there is every attempt to mislead and misrepresent the public to give an impression that this is a joint venture with Mumbai Police. The previous Mumbai Commissioner Mr Rakesh Maria’s speech made at the time of launching of the website has been used for promotion along with the name of the Chief Minister Mr Fadnavis who inaugurated the event in which the website was launched.

We hereby call upon the Maharashtra Government and the Mumbai Police to clarify:

a) If they have an equity stake in the project and a claim on the revenue, and if so what is the share distribution?

b) If not, will they clarify if they are happy with the use of the Government for promotion with the revenue being entirely kept by the private partner? Or

c) Was the project envisaged as a non-profit venture and the private promoter has introduced a commercial element without the knowledge of the Government?

We also call upon the Private partner to clarify the nature of arrangement between them and the Government and whether they have the permission to put Rakesh Maria’s speech on the website copyright of which is claimed by them.

We request both the Government and the Private partner to review their arrangement and make the service as a free service (which may be restricted to the law enforcement personnel if required) and remove the commercial aspects of the project.

If there has to be a commercial project in which the Government wants to pass on benefits to a private party, there will be needless questions on what was the procedure adopted in selection of the private partner, whether any public notice was given of such a project, whether any other entities competed for the project etc. All these will raise the issue of “Transparency” in Government administration and I request the BJP Government in Maharashtra not to make yet another mistake that may show Mr Narendra Modi in bad light.

Naavi


India Cyber Insurance Survey 2015 is set to close shortly. Add your views


The India Cyber Insurance Survey 2015, which tries to capture the views of the stakeholders on the current status of the Cyber Insurance industry in India, is set to close shortly.

If you have not yet participated in the survey, kindly do so now. Your views would be valuable. To participate in the survey you need not be knowledgeable in Cyber Insurance nor an expert in Information Technology. If you find any question not relevant to you, mark it as “neutral” and proceed.

Click on the above image or here for the form

Naavi