
Naavi.org

Building a Responsible Cyber Society…Since 1998

In the context of the huge regulatory fines envisaged under GDPR, there is a renewed interest in Cyber Insurance among Data Processors everywhere. Since liability under GDPR may arise not only for payment of compensation to data owners but also for payment of fines that may be imposed by the regulatory authorities, companies demand to be covered by some Cyber Insurance policy for any liability that arises out of the processing of EU citizens’ data.

As far as Indian data processors are concerned, their liability will be restricted to what is indicated in the data processing contract. Some of these contracts may be vague and may not determine the exact liability or compliance responsibilities. A contract may refer to the liability that may arise on the Data Controller under GDPR and extend that liability, in the form of an “Indemnity”, to the associate data processor in India. Indian data processors sometimes assume that they would be liable directly under GDPR and rush to obtain insurance cover for large amounts. This could hurt the profitability of their operations.

If any data is compromised by an Indian data processing company, it would be as a result of a “Cyber Crime”. The cause of action lies with the persons who have lost money. Most of the time, however, a data compromise is recorded but the actual loss does not fructify, or fructifies only to a small extent not commensurate with the number of data elements lost.

Hence, out of the total loss, the loss arising out of “Compliance” requirements, which may include sending notices and arranging identity theft protection for all the suspected compromised data subjects, would be a huge cost even when not a single one of the compromised data elements results in actual loss. Similarly, in such cases the regulator would impose fines of millions of dollars depending on the nature of the breach, the attitude shown by the data controller before and after the breach to protect the data subjects, etc.

When a Cyber Insurance policy is invoked in such cases, an obvious question that would arise is whether the loss occurred more out of the negligence of the Company as a whole in implementing proper policies, etc., and whether the company should be protected against its own negligence. If Cyber Insurance routinely covers such breaches, then there will be no incentive for companies to improve their security.

Hence it is necessary and natural that the Cyber Insurance Company raises an objection or tries to limit its liability, citing that the cause of loss was “Not Insurable”.

A question has therefore arisen on “Whether Regulatory Fines are Insurable at law”. In this context, the article “GDPR Fines and Cyber Insurance” presents some interesting thoughts as may be relevant in Great Britain. Since India generally follows English Law and Indian Insurance law depends on British practice, it is presumed that English law is also relevant in the Indian context. Hence the points mentioned in that article are very much relevant to Indian companies, both in the GDPR context and in other instances of fines arising out of non-compliance with HIPAA, non-compliance with ITA 2008 and even when there is a ransomware attack due to lack of proper security practices in a company.

One of the concepts discussed there is the “illegality defence”, which may prevent a claimant from pursuing a civil claim based on the claimant’s own illegal acts.

The dividing line, however, is whether there was “Illegality” on the part of the company that caused the fine or merely “Negligence” in implementing the regulatory precautions.

As long as the negligence relates to “Best practice suggestions” made by sectoral regulatory bodies or industry practice, the cause may be contained within the concept of “negligence”, unless the level of negligence is “ridiculous”. But if a statutory law has been ignored, then such negligence cannot be called anything other than “Illegal”.

To be more specific, if a Bank ignores an RBI guideline, it may be “Negligence”. But if it ignores “ITA 2008”, then it would be “Illegal”.

Secondly, what distinguishes “Negligence” from “Gross Negligence” or “Recklessness” is the precautions taken by an organization before an event occurs and also its response immediately after an incident occurs.

If an organization has taken the reasonable precautions that any other prudent person under similar circumstances would have taken but failed in some minor aspects, then the level of negligence is at the lower end. If, however, no precaution was taken or the precaution was ridiculously low, then the breach would be attributed to a callous attitude and may be considered “Contributory Negligence” or even “Passive Assistance” to a fraudster.

If we take the recent incident of the PNB fraud and the fraud that followed at City Union Bank, it appears that the negligence at City Union Bank which allowed a compromise of its SWIFT system may fall under the category of “Negligence but Not Recklessness”. On the other hand, the PNB negligence, which involved allowing a customer’s executives to use the passwords of Bank officials to create their own “Sanction letters” and the sharing of passwords between multiple officers of the Bank, can be called abject complicity in the offence itself.

Even if there was no “Mens rea”, at least for some of the executives of the Bank, “Recklessness” is attributable to all employees of PNB who were aware that the SWIFT messaging system was not linked to the CBS and that passwords were being shared.

The Association of employees of PNB has tried to put the blame on the top management. Similarly, the employees of the Mehul Chokshi firm have attributed their current loss of jobs to the Mehul Chokshi-led Board. But if one is honest, we all know that if a fraud of this magnitude had taken place, then several persons within the Mehul Chokshi or Nirav Modi companies, as well as in PNB, other lending Banks, RBI and the Ministry of Finance, must have smelt that something wrong was going on.

What has collectively failed is the system of “Whistle Blowing” that RBI already has in place but which has completely failed to work. The complaint that one franchisee, Mr Hari Prasad, made to the PMO is like the many complaints that are forwarded to the PMO and directed to the appropriate departments for enquiry.

But each of the Banks had its own Whistle blowing system and RBI had a Whistle blowing system for the entire Banking system, and it appears nobody had the courage to report the possibility of such a fraud. The reason could be that the heads of each Bank involved, as well as the Governor of RBI, were all friends of the then prevalent political system and personally appointed by Mr P. Chidambaram, and hence nobody trusted them to take action.

If the Whistle blowing system ensured that the whistle blower is protected, then the skeletons would have tumbled out as soon as a junior Bank officer acquired a flat costing Rs 3-4 crores or threw a fancy party in a five star hotel, etc.

In all such cases therefore, the negligence is unpardonable and hence there should be no protection from Cyber Insurance.

A Cyber Insurance contract being an uberrimae fidei contract, the Insurance company is unlikely to discuss these issues with clients at the time the Insurance policy is bought. But if the liability is huge and the client invokes the insurance, then the legal departments of these insurance companies may certainly raise the “Illegality Defence”.

The principle in Insurance is always, “Take as many precautions as you would take if there were no insurance”, and thereafter, if the loss materializes, it is an “Accident” for which the Insurer should gladly assume liability. If one takes decisions recklessly because there is insurance to back them up, then the insurer would definitely feel cheated and raise objections at the first instance.

Naavi

Cyber Security specialists have recently demonstrated how control of a commercially sold car can effectively be taken by a remote “Hacker”, leading to disastrous consequences.

This article in the Washington Post graphically sketches how a hacker can cut off the engine, disable the brakes or even turn the steering wheel by hacking into the Jeep Cherokee marketed by Chrysler. What is more alarming is that this is not a “Google Car” meant to be remotely driven but a conventional car, with the infotainment system connected to the internet and, perhaps, independent subsystems that are managed by electronic subsystems in the car.

Apparently, the hackers gained access to the infotainment system through the internet and, once inside that subsystem of the Car’s electronic system, were able to jump across to other subsystems, taking control of each one of them.

It is obvious that malicious hackers can exploit similar vulnerabilities and cause death and mayhem on the roads.

While Chrysler in response has reportedly recalled about 1.4 million vehicles and also issued a patch to plug the vulnerability, the risk of cars being vulnerable to hackers is staring all Car manufacturers as well as Car users in the face.


The biggest beneficiary of this demonstration is, however, the info-sec community, as it opens up more critical job opportunities for them in the automobile sector. But automobile users will now remain under constant threat of being exposed not only to the risks of mechanical failures but also to technological failures and, additionally, to cyber criminals.

In the context of Cyber Insurance that we are discussing through these columns, it now appears that a Car accident can happen due to such hacking incidents, and the Insurance companies may have to deal with claims for accidents that cannot be logically attributed either to a driver’s mistake or to any identifiable external reason. The claimants will have a lot of difficulty explaining the cause of an accident, as finding evidence will be extremely difficult. Perhaps the damage assessors need to be not only mechanical engineers who check for mechanical failures but also “Cyber Forensic” specialists who will check the log records of all electronic systems in the Car.

The question that arises in settlement of the claim is whether the policy which covers “Mechanical Failures” will also cover “Electronic Failures” and “Cyber Crimes”. Ideally the current policy should cover damages occurring due to malfunction of a mechanical part, whether because of an internal defect or external hacking, unless the risk is specifically excluded.

The publicity now generated by the hacking event should be sufficient to consider that the Insurance company is aware of such risks, and hence if the risk is not specifically excluded, it should be considered “Included”. In other words, the Insurance companies will have to accept the uncomfortable truth that the current Vehicle insurance policies are also “Cyber Insurance Policies”.

The problem demonstrated in respect of the Chrysler automobile is also relevant to the managers of Digital India, who need to manage an environment which includes the “Internet of Things”. By a similar argument we can say that the current insurance policies that insure damage to white goods or other property should also be considered as covering risks arising out of electronic component failure, whether due to natural causes or through hacking.

While the manufacturers of internet exposed devices need to worry about the information security aspects, the Insurers need to worry about how they would cover these risks.

The future of the Cyber Insurance industry appears to be exciting.

Naavi

Related Articles:

In USA Today

In Cnet.com

If you have not yet responded to the online India Cyber Insurance Survey 2015, please do so now.


Is Domain Name an Insurable Asset?

Posted by Vijayashankar Na on July 15, 2015
Posted in Cyber Law

Ever since the Internet became a key channel of contact with prospective customers for a business entity, domain names have become an important identifier that enables this customer connect. Today, a domain name is the most important element of “Brand building”. Facebook and Twitter handles sometimes act as extensions of this identity in the social media space. Presently mobile Apps are also gaining importance as business tools, and soon the names of mobile apps will also be considered important brand contributors.

If I am a corporate CEO, I understand that building a brand costs money as well as time and effort. If therefore I have built a certain value for my brand, I would like to ensure that this value reflects in my asset register and in the balance sheet. At the same time, I am aware that if for any reason, I lose this asset, then my company will lose value. I should therefore protect my “Domain Name” as an asset like any other tangible asset.

A Domain Name is a peculiar kind of asset. It is intangible but has a cost and is transferable. It has a cost of acquisition when acquired from the registrar but may be transferred for a premium thereafter. Though it is an asset created out of a contract between the registrant and the registrar and backed by the system managed by ICANN, it is considered more as “Intellectual Property” of the “Trade Mark” type and treated as such in case of disputes.


The UDRP process, or the accompanying INDRP or URS processes of dispute resolution, determines how the property in a domain name changes hands in case of a dispute.

A CEO should normally be worried about the circumstance where a brand on which he has invested money and chosen as a domain name suddenly comes under dispute and he has to part with it. A natural thought that occurs to him at this stage is “Can I insure against this domain name loss risk?”

If a Domain Name is an asset, then it is logical that it should be insurable. If so, the issues to be settled are: what is the value for which a domain name is insurable? What protective measures should a domain name owner take before registering a domain name, after registering it, and when a dispute is raised? He also needs to consider what the premium payable is and what the claim settlement process is.

Presently, there does not seem to be clarity on these issues either in the corporate world or among the Cyber insurance companies, and we need to find out the current status of insurability of a domain name and other similar assets such as “Potential trademarkable assets”.

The India Cyber Insurance Survey 2015 is expected to throw some light on this issue. If you are a corporate manager or even an ordinary Netizen, you might have a view on this issue and you need to express it by participating in this one of a kind survey that tries to capture the perception of Cyber Insurance as a product.

If you have not so far participated in the survey, do so now. The online survey questionnaire is available here.

Naavi


Indian Companies are facing a new kind of reputation attack by disgruntled employees posting defamatory messages through companies such as Glassdoor, who have built a business model around monetizing the disgruntlement of employees. The essence of this model is to encourage employees, present and former, to write a review about their employer so that it would be a guide to others who may be seeking employment in the company. There are also similar companies, such as Mouthshut, who operate in the area of products and services, asking product users to write reviews about their product experience.

At first glance, such services appear to be oriented towards consumer information, as they help people who would be dealing with the company to get information that can help them make an informed purchase decision.

However, in practice we often find that disgruntled elements use such opportunities to post unsubstantiated defamatory comments which can unfairly hurt the genuine business of the Companies.

Among such companies who have built a business around publishing consumer responses, those like Glassdoor stand out since they publish remarks from those who pose as present or former employees. Compared to product users, employees have a close emotional attachment to a company, and hence when they are dissatisfied, their reactions tend to be more volatile and vindictive. Also, competitors can use the service to hurt their rivals. Human tendency is such that when we feel good about another person we keep it to ourselves, but when we feel bad we tend to go the extra mile to “teach a lesson”. Hence negative comments of employees always find more expression than positive comments. By their very design, therefore, such services are geared to making money out of negative responses.

Some organizations try to achieve a balance by having their PR firms monitor the negative postings and counter them with matching positive postings. But ethical companies try to avoid such artificial means of creating a positive opinion and either live with the reputation loss or look for other options.

When the reputation of a company is hurt by motivated employees who are unhappy with their promotions or with having been removed from service, the victim companies need to launch legal action against the erring employee or ex-employee as well as against the abetting service provider like Glassdoor. However, many of these services take shelter under privacy concepts, hide the identity of the persons posting the remarks and seek privileged protection under freedom of speech regulations, both in India and in their own countries.

As a result, the Victim companies are denied the legal remedy available to them through the Courts. A legal discussion on the rights of such companies to hide behind the glass door of privacy and throw stones at others is out of place here. These companies survive more because the cost of pulling them up legally is considered uneconomical by most business entities. Indian law under ITA 2008 coupled with the IPC is still strong enough to deal with such issues despite the erroneous deletion of Section 66A by the Supreme Court.

This loss on account of reputation risk cannot be avoided, since employer-employee relations do go sour for various reasons. There is one employer and many employees, and it is unthinkable that there would be any company which does not have one or more disgruntled employees to contend with.

Information Security professionals cannot defend against this type of risk through technical means. Hence the risk cannot be mitigated either.

The only other options are “Risk Absorption” and “Risk Transfer”.

But Corporate risk managers consider it necessary to defend against such risks, which have an adverse impact on the business of the company, and cannot absorb the risk indefinitely.

The natural corollary to this, therefore, is whether such a risk is covered by a Cyber Insurance Policy so that it can be transferred.

If a Cyber Insurer is made to pay for the reputation damage caused by a defamatory remark posted on, say, glassdoor.com, then the Cyber insurance company will take up the legal battle against the offending website which has abetted the disgruntled, vindictive employee, or at least bear the cost of such a legal fight. The advantage for the Insurance company in fighting such battles is that it can aggregate several losses of this kind and find the means to fight a battle even in a foreign country. The legal fight therefore becomes feasible for an Insurance company.

If you are a corporate manager, therefore, you would like to know if Cyber Insurance policies cover such reputation damages. We are trying to understand what the market perception on this is through the India Cyber Insurance Survey 2015. Participate in the survey and record your views so that it becomes a guide to the Insurance companies in structuring their policies.

Naavi


Cyber Insurance is a means of transferring the risk that an organization is unable to avoid, mitigate or absorb.

However, when a company approaches a Cyber Insurer or a Cyber Insurance Broker and the question of the cost of insurance crops up, an Information Security Professional is bound to ask whether his company is considered a “Standard Risk”, a “Sub Standard Risk” or a “Super Standard Risk”. The expectation is that if a Company has undertaken more than average measures to secure itself and reduce the risks, it should get some advantage on the premium front. For example, if a Company has spent money on getting itself certified for ISO 27001, it is a natural expectation that the risk levels in that company should be lower than in other comparable entities. Hence it should be considered a “Super Standard Risk” and get a corresponding reduction in premium. Conversely, if the information security preparedness of an organization is low, then the insurance company is entitled to consider the subject a “Substandard Risk” and charge a risk premium.

In practice, however, companies may not know how much value benefit their ISO 27001 certificate would provide. Alternatively, they may not know what a COBIT audit, a PCI DSS audit or multiple audits are worth. Many times an entity would have undergone a security audit by its client though not been certified under ISO or COBIT. In such cases, the company would like to know if there is any difference in the premium charged by an Insurance company.

This is also a very important aspect for Information Security professionals since any reduction in Cyber Insurance Premium on the consideration of the Information Security implementation status of a subject company would directly determine the Return on Investment for investments made on the CISO or the ISMS.

Well, it is time that we, the potential buyers of Cyber Insurance and the Information Security professionals, know what benefit a Cyber Insurance Company attributes to our Information Security initiatives.

We expect that some light will be thrown on this issue in the Indian Cyber Insurance Survey 2015 presently being undertaken in India. The survey will capture what the industry expects in this regard, and hopefully we will also capture whether there is any gap in perception between what we think it should be and what it actually is.

On your part, please participate in the survey and let your views be recorded.

Naavi