Farmers’ Suicides: Lessons for Digital India Managers

The vagaries of weather are a risk that Indian farmers need to manage as part of their life. Those who cannot manage it face problems in the form of an inability to repay farm loans taken from the loan sharks in the village. This has led to many farmers committing suicide, which reflects on the Governance of the relevant State Governments. The Central Government is trying to tackle the problem with its own policy of “More Crop for Every Drop”, encouraging drip irrigation to conserve water and ensure a larger area of irrigation. Today the RBI has also moved in the right direction, reiterating the need for Banks to participate in direct farm lending so that low cost funds become available to the farmers and their dependence on local loan sharks is reduced. In the last few years, the emphasis on farm loans for Banks had been reduced and hence the flow of credit had fallen.

The responses of Modi’s Government and the RBI are pragmatic and could reduce the farmers’ woes. They show that the Government and the RBI are learning lessons from past mistakes and inaction.

It would however be wiser if we could anticipate the adverse impact of a policy on society and respond pro-actively, rather than reacting to adverse events after they have taken away precious lives.

Digital India is now calling for similar pragmatism and wisdom from the Government. If the Government has not realized the threat of Cyber Frauds in the increased digitization of the Banking and Governance systems in India, we can only say that the Government is blind. While the Ministry of IT has come up with a report on Net Neutrality, it has not yet come up with any report or policy on “Cyber Frauds”.

In the case of farmers’ suicides, the cause is the inability to repay loans, and only those farmers who feel humiliated by being insolvent commit suicide. But Cyber Frauds make a comfortable citizen suddenly turn a pauper when his bank account is wiped out. This is more shocking than the woes of the farmer. If there are any suicides in this class of Cyber Fraud victims, it is unlikely that they will get the same publicity as the farmers’ suicides until a time when thousands of frauds get reported simultaneously.

Let the Government take notice that frauds are happening in hundreds and not all of them get reported. Maybe the losses are in smaller amounts of less than a lakh and hence the victims are somehow absorbing the risks.

The Government on the other hand has done pretty little in this area. In fact it has not been able to put the Cyber Judiciary in place. The Chairperson for the Cyber Appellate Tribunal has not yet been appointed and Adjudicators in States are non-functional. But the DeitY remains unconcerned. Mr Ravi Shankar Prasad remains stoic. Mr Modi in the meantime keeps pushing the Digital India process. This is a recipe for disaster.

I would like to highlight here that any policy change that does not take into account the problems of the society will lead to disaster. It is therefore necessary for the Government of India to address the issue of securing the public against Cyber Fraud losses before it is too late.

It is in this context that Naavi.org demands “Cyber Insurance For All” as a policy of the Government. To us, this is more important than the Net Neutrality debate.

Will the Government wake up?

P.S: If you have not participated in the India Cyber Insurance Survey 2015, it is time you do so now and record your views. You can access the survey form here.

Naavi

Should IRCTC obtain Cyber Insurance?

Naavi.org has in the past discussed the information security issues from the consumer perspective in the IRCTC website and demanded suitable security audits. It is good to note that it has now been reported that STQC is conducting an information security audit on the new reservation system. We welcome the move.

In this context, we can also draw attention to another aspect. IRCTC has seen many cyber crimes being committed on the platform. One kind of crime is the stealing of consumer data, including financial information which is “Sensitive Personal Information” under Section 43A of ITA 2008, and the booking of tickets using stolen credit cards purchased elsewhere.

In such cases, the issues to be settled are “Is IRCTC an intermediary?” and “Is IRCTC a Body Corporate?”

If IRCTC is a corporation having rights to sue and be sued in its own name, it is a “Body Corporate” having obligations under Section 43A ITA 2008. It is also an intermediary which exposes it to liabilities under Section 79 to follow the “Due Diligence” responsibilities.

At the same time, since we are discussing the topic of Cyber Insurance, one can also ask whether IRCTC should cover itself with Cyber Insurance to avoid liabilities that may arise under Section 43A or Section 79.

STQC, which would be conducting the information security audit, needs to recommend whether part of the risk should be transferred to a Cyber Insurance company.

Another collateral question that arises is that there are several e-initiatives of the Government both at the center and states where liabilities could arise on account of cyber crimes. One legal view is that any organization like a Government department that can enter into contracts in its own name should be considered as a “Person” under law and therefore is also exposed to the liabilities under ITA 2008.

If so, can a Government department which is doing some kind of E-Business obtain Cyber Insurance? Or should Cyber Insurance be limited to private sector companies? Or only to individuals? Or to all of them?

This is a question on which the India Cyber Insurance Survey is trying to capture the perception of the market.

If you have not yet participated in the survey and recorded your view, please do so now.

You can access the survey here.

Why ITA 2008 Compliance enhances Insurability?

It is one of the established principles of Insurance that when the Insurance Company pays a claim, it makes efforts to recover its loss in whatever manner possible. When the loss has been caused on account of a Cyber Crime, the Insurance Company tries to recover its losses by pursuing the legal options against the criminals/accused.

In order to pursue legal options against the accused, the Insurance Company needs to step into the shoes of the victim and fight the case in a Court of law. This right is called the “Right Of Subrogation”. This is considered a natural ingredient of all Insurance Contracts. The principle of subrogation also creates certain responsibilities for the insured. It is expected that despite having insurance, the insured has to take such protective measures about the insured asset as he would take if there were no insurance. In other words, the insured should not be negligent in his security measures because there is an insurance company to cover his losses.

Obtaining insurance therefore does not absolve the company of the need to have a good Information Security practice. In fact, Insurance creates a fiduciary responsibility for the insured to protect the interests of the insurance company. One such responsibility is to be in a good legal position to pursue recovery of losses against the accused.

If the insured company has a legal right against the crime accused, it can transfer this right to the insurance company after the claim is settled so that the insurance company can continue its legal action. However, if out of negligence the insured has lost legal remedy against the accused, it is possible for the Insurance company to take a stand that the insured company has not acted in good faith in protecting the legal interests of the insurance company upon exercise of its right of subrogation.

Normally, we do not expect the Insurance company to take such an unfriendly stance. But if the loss is substantial, it is not prudent to ignore this risk.

When a claim is made, an assessor of the Insurance company will assess not only the value of the loss but also the reason for the loss and the status of the subrogation rights. For the claim to be approved, the reason for the loss should not indicate abetment of a crime by the insured, nor an irresponsible, reckless attitude that might have caused the loss or that makes it impossible for the subrogation rights to be effectively pursued.

The means by which an insured company can document and prove that it has not lost the subrogation rights by negligence is to follow the principle of “Due Diligence” as envisaged under ITA 2008. Hence ITA 2008 compliance could be the differentiator between the insurance company having an effective subrogation right and having diluted or no subrogation rights.

In other words, an Insurance Company could prefer a company with ITA 2008 compliance to another without it, for determining the eligibility for insurance or for considering a premium reduction or for easy claim settlement. Hence ITA 2008 compliance could improve the insurability of a company under a Cyber Insurance policy.

Not all Information Security professionals may agree with this stand. Maybe Insurance Companies would also contend that they are not so mean as to reject a claim for lack of subrogation rights. Well, opinions may differ. The best thing to do when there is disagreement is to know what the majority of people in the market and the experts think. This is one of the views that the India Cyber Insurance Survey 2015 aims to capture.

Don’t miss the chance to participate in the survey and express your opinion today. Also ensure that your friends participate in the survey by passing on this information and sharing it with your social media friends.

Naavi

Is Domain Name an Insurable Asset?

Ever since the Internet became a key channel of contact with prospective customers for a business entity, domain names have become an important identifier that enables this customer connect. Today, a domain name is the most important element of “Brand building”. Facebook and Twitter handles sometimes act as extensions of this identity in the social media space. Presently mobile Apps are also gaining importance as business tools and soon the names of mobile apps will also be considered important brand contributors.

If I am a corporate CEO, I understand that building a brand costs money as well as time and effort. If therefore I have built a certain value for my brand, I would like to ensure that this value reflects in my asset register and in the balance sheet. At the same time, I am aware that if for any reason, I lose this asset, then my company will lose value. I should therefore protect my “Domain Name” as an asset like any other tangible asset.

Domain Name is a peculiar kind of asset. It is intangible but has a cost and is transferable. It has a cost of acquisition when acquired from the registrar but may be transferred for a premium thereafter.  Though it is an asset created out of a contract between the registrant and the registrar and backed by the system managed by ICANN, it is considered more as an “Intellectual Property” of the type of “Trade Mark” and treated as such in case of disputes.

The UDRP process or the accompanying INDRP or URS processes of dispute resolution determine how the property in domain names changes hands in case of a dispute.

A CEO should normally be worried about a circumstance in which a brand on which he has invested money and which he has chosen as a domain name suddenly comes under a dispute and he has to part with it. A natural thought that occurs to him at this stage is “Can I insure this domain name loss risk?”

If a Domain Name is an asset, then it is logical that it should be insurable. If so, the issues to be settled are: What is the value to which a domain name is insurable? What protective measures should a domain name owner take before registering a domain name, after registering a domain name and when a dispute is raised? He also needs to consider what the premium payable is and what the claim settlement process is.

Presently, there does not seem to be clarity on these issues either with the corporate world or the Cyber insurance companies and we need to find out the current status of insurability of a domain name and other similar assets such as “Potential trademarkable assets”.

The India Cyber Insurance Survey 2015 is expected to throw some light on this issue. If you are a corporate manager or even an ordinary Netizen, you might have a view on this issue and you need to express it by participating in this one of a kind survey that tries to capture the perception of Cyber Insurance as a product.

If you have not so far participated in the survey, do so now. The online survey questionnaire is available here.

Naavi

If there is a “Glassdoor Attack” on my company, am I covered by Cyber Insurance?

Indian Companies are facing a new kind of reputation attack by disgruntled employees posting defamatory messages through companies such as Glassdoor, which have built a business model around monetizing the disgruntlement of employees. The essence of this model is to encourage employees, present and former, to write a review about their employer so that it would be a guide to others who may be seeking employment in the company. There are also similar companies such as Mouthshut which operate in the area of products and services, asking product users to write reviews about the product experience.

At first glance, such services appear to be  oriented towards consumer information as it helps people who would be dealing with the company to get information that can help them make an informed purchase decision.

However, in practice we often find that disgruntled elements use such opportunities to post unsubstantiated defamatory comments which can unfairly hurt the genuine business of the Companies.

Among such  companies who have built a business around publishing consumer responses, those like Glassdoor stand out since they publish remarks from those who pose as present or former employees. Compared to product users, employees have a close emotional attachment to a company and hence when they are dissatisfied,  their reactions tend to be more volatile and vindictive. Also competitors can use the service to hurt their rivals. Human tendency is such that when we feel good about another person, we keep it to ourselves, but when we feel bad, we tend to go an extra mile to “teach a lesson”. Hence negative comments of employees always find more expression than the positive comments. By the very design therefore such services are geared to making money out of negative responses.

Some organizations try to achieve a balance by their PR firms monitoring the negative postings and countering with positive postings to match them. But ethical companies try to avoid such artificial means of creating a positive opinion and try to live with the reputation loss or look for other options.

When the reputation of a company gets hurt by motivated employees who have been either unhappy with their promotions or removed from service, the victim companies need to launch legal action against the erring employee or ex-employee as well as the abetting service provider like Glassdoor. However, many of these services take shelter under privacy concepts and hide the identity of the persons posting the remarks and seek privileged protection under freedom of speech regulations both in India and in their own countries.

As a result, the Victim companies are denied legal remedy available to them through Courts.  A legal discussion on the rights of such companies to hide behind the glass door of privacy and throw stones at others is out of place here. These companies survive more because the cost of pulling them up legally is considered uneconomical for most business entities. Indian law under ITA 2008 coupled with IPC is still strong enough to deal with such issues despite the erroneous deletion of Section 66A by the Supreme Court.

This loss on account of reputation risk cannot be avoided since employer-employee relations do go sour for various reasons. There is one employer and many employees and it is unthinkable that there would be any company which does not have one or more disgruntled employees to contend with.

Information Security professionals cannot defend against this type of risk through technical means. Hence the risk cannot be mitigated either.

The only other options are “Risk Absorption” and “Risk Transfer”.

But Corporate risk managers consider it necessary to defend such risks which have an adverse impact on the business of the company and cannot absorb the risk indefinitely.

The natural question that follows is therefore whether such a risk is covered by a Cyber Insurance Policy, so that it can be transferred.

If a Cyber Insurer is made to pay for the reputation damage caused by a defamatory remark posted on say glassdoor.com, then the Cyber insurance company will take up the legal battle against the offending website which has abetted the disgruntled, vindictive employee or at least bear the cost of such legal fight.  The advantage for the Insurance company in fighting such battles is that it can aggregate several losses of this kind and find the means to fight a battle even in a foreign country. The legal fight therefore becomes feasible for an Insurance company.

If you are a corporate manager therefore, you would like to know if Cyber Insurance policies cover such reputation damages.  We are trying to understand what the market perception on this is, through the India Cyber Insurance Survey 2015. Participate in the survey and record your views so that it will become a guide to the Insurance companies in structuring the policies.

Naavi

If I am ISO 27001 certified, am I getting a premium cut for Cyber Insurance?

Cyber Insurance is a means of transferring the risk that an organization is unable to avoid,  mitigate or absorb.

However, when a company approaches a Cyber Insurer or a Cyber Insurance Broker and the question of the cost of insurance crops up, an Information Security Professional is bound to ask whether his company is considered a “Standard Risk”, a “Sub Standard Risk” or a “Super Standard Risk”. The expectation is that if a Company has undertaken more than average measures to secure itself and reduce the risks, it should get some advantage on the premium front. For example, if a Company has spent money in getting itself certified for ISO 27001, it is a natural expectation that the risk levels in that company should be lower than in other comparable entities. Hence it should be considered a “Super Standard Risk” and get a corresponding reduction in premium. Conversely, if the information security preparedness of an organization is low, then the insurance company is entitled to consider the subject a “Sub Standard Risk” and charge a risk premium.

In practice however, a company may not know how much benefit its ISO 27001 certificate would provide. Alternatively, it may not know what a COBIT audit or a PCI DSS audit or multiple audits are worth. Many times an entity would have undergone a security audit from its client though not certified by an ISO or COBIT. In such cases, the company would like to know if there is any difference in the premium charged by an Insurance company.

This is also a very important aspect for Information Security professionals since any reduction in Cyber Insurance Premium on the consideration of the Information Security implementation status of a subject company would directly determine the Return on Investment for investments made on the CISO or the ISMS.

Well, it is time that we, the potential buyers of Cyber Insurance and the Information Security professionals, know what benefit a Cyber Insurance Company attributes to our Information Security initiatives.

We expect that some light will be thrown on this issue in the India Cyber Insurance Survey 2015 presently being undertaken in India. The survey will capture what the industry expects in this regard, and hopefully we will also capture whether there is any gap in perception between what we think it should be and what it actually is.

On your part, please participate in the survey and let your views be recorded.

Naavi
