Online DTS Evaluation Tool

Ujvala Consultants Pvt Limited has developed an online Data Protection Compliance Assessment Tool which can assist in generating a DTS score for an organization.

DTS or Data Trust Score is a measure of the extent of data protection compliance of an organization. A complete assessment of DTS requires an audit, a methodology for converting the audit findings into a score and an assessment by an experienced auditor.

However, as a preliminary measure of assessment, an online assessment tool has been developed by Ujvala Consultants Pvt Ltd.

The tool can be used by any DPO to check the preparedness of the organization before a formal audit may be invited. It is also a tool to be used by Ujvala Auditors to develop the Gap assessment.

The tool has been developed on the basis of DPCSI (Data Protection Compliance Standard of India) as a framework and Naavi’s methodology for DTS calculation.

Ujvala Consultants would be using this tool for its Data Protection Compliance audits.

Naavi

Posted in Cyber Law

Government of India red-flags Information Security of ICICI Bank

The notification from MeitY dated 16th June 2022 declaring the CBS system, RTGS System, NEFT System and the Structured Financial Messaging Server as protected systems and imposing the information security guidelines of 22nd May 2018 is a watershed moment in the history of Cyber Security Management in the country.

The decision indicates that from now onwards, a representative of CERT-IN will sit in the Information Security Governance Committee of ICICI Bank and supervise all policies and their implementation regarding the information security in the Bank.

This development is similar to “Nationalisation of the Information Security System of ICICI Bank” and is a huge embarrassment to the Bank’s credentials as a trusted repository of public funds.

The Press reports that the systems of HDFC Bank and NPCI have been simultaneously declared as “Protected Systems”, but details of the gazette notification are available only in respect of ICICI Bank.

Some members of the public would misunderstand this development and consider that the Government has bestowed an honour on ICICI Bank by giving its systems the status of a “Protected System”. Perhaps ICICI Bank would also like to propagate the same perception.

But the truth is different.

Declaration of a system as a “Protected System” is to enable the Government to exercise close control on the security of the system because the Government apprehends that the incapacitation or destruction of the system shall have a debilitating impact on national security, economy, public health or safety.

We must observe that most of the Government financial assets, such as the Treasury accounts, are presently held in State Bank of India and, except by market capitalization, ICICI Bank is not more critical than SBI in terms of national security or security of the national economy.

ICICI Bank, on the other hand, has been saddled with thousands of data breach incidents in the form of phishing complaints from their customers, and we have already pointed out one piece of documentary evidence of how a phishing website was run from within the ICICI Bank server itself. ICICI Bank was also in the forefront of Crypto transactions and was enabling Bitcoin remittances from abroad.

We can perhaps consider that the Government might have taken notice of these Bitcoin transactions and the thousands of phishing transactions as potential money laundering incidents which may need a closer scrutiny and investigation on a day-to-day basis. The ongoing investigation on Mrs Chanda Kochhar also may require a close oversight on the operations of the Bank, the information deletions that have been made in recent times, the background of the custodians of the transaction servers etc.

Unless properly denied, the existence of a huge scam which is about to be unravelled cannot be ruled out.

I trust that the development is big enough to need a notice to the stock markets under Clause 49 of the listing rules, and there has already been a delay in this regard.

ICICI Bank has to also come out with its own official explanation and disclosure of how this development could affect the investors and affect the share price.

Unless immediate action is taken by the Bank to manage the reputational damage through appropriate public messaging, the share prices of the Bank are in the danger of being adversely affected.

It is an immediate necessity that ICICI Bank makes a public disclosure of its having been notified as a “Protected System” and of the changes in the policies and information security Governance system on its website.

I understand that it is a painful situation for the Bank but the gazette notification has already been made and the clock cannot be turned back.

It is an unenviable situation for ICICI Bank. Substantial damage has already been done and cannot be reversed. Now only containment of further damage is possible, and it may require a careful communication strategy avoiding any false statements that can further damage the organization.

I pity the life of the CISO in ICICI Bank, which will change permanently and could be a bed of thorns with CERT-IN breathing down its neck on a minute-to-minute basis. We can also watch out for some attrition in the IS workforce in the Bank.

I expect a series of press articles planted by the Bank in the next week highlighting as if the notification is a “Padma Award” for its Information Security department. Good time for journalists.

(P.S.: The situation in HDFC Bank is similar. We are yet to access the notification regarding HDFC Bank and NPCI and hence have not commented on the impact of the decision on these organizations in detail. There are many other large Banks such as PNB where a large-scale risk of data breach also exists and may require CERT-IN supervision of the security systems.)

Naavi

Posted in Cyber Law

ICICI Bank Information Security now under monitoring of the CERT-IN

On 16th June 2022, the Government of India issued a Gazette Notification declaring some of the digital assets of ICICI Bank as a “Protected System” under Section 70 of ITA 2000.

At present only a copy of the Gazette Notification regarding ICICI Bank is available in public, though the press reports suggest that HDFC Bank and NPCI systems have also been declared as protected systems. There is no information on SBI, though SBI maintains most of the Government accounts.

The MeitY website and egazette.nic.in are yet to publish the notifications for public knowledge.

The ICICI Bank website does not report the development.

This information needs to be notified by ICICI Bank to the stock exchanges and SEBI and so far no such indications are available on the NSE website.

It appears that ICICI Bank is stunned by these developments and does not know how to react.

It is not clear why the Government took this action and whether there was any credible intelligence that the Bank was under attack and NIA has to investigate the same in national security interest. This possibility alone seems to justify why the Government has not notified SBI which is the Bank which holds most of the Government treasury accounts and other assets.

The notification related to ICICI Bank available through another source has been reproduced here.

MINISTRY OF ELECTRONICS AND INFORMATION TECHNOLOGY
NOTIFICATION
New Delhi, the 16th June, 2022

S.O. 2808(E).— In exercise of the powers conferred by sub-section (1) of section 70 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby declares the computer resources relating to the Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server, being Critical Information Infrastructure of the ICICI Bank, and the computer resources of its associated dependencies to be protected systems for the purpose of the said Act and authorises the following personnel to access the protected systems, namely: –

(a) any designated employee authorised by the ICICI Bank;
(b) any authorised team members of contractual managed service provider or third-party vendor who have been authorised by the ICICI Bank for need-based access; and
(c) any consultant, regulator, government official, auditor and stakeholder authorised by the ICICI Bank on case to case basis.

2. This notification shall come into force on the date of its publication in the Official Gazette.

[F. No. AA-11018/2/2021-CL&ES]
Dr. RAJENDRA KUMAR, Addl. Secy.


Since this is the first time a private sector network has been declared as a “Critical IT Infrastructure” and Section 70 invoked, it is necessary to study the impact of the declaration on the organization.

We can reproduce Section 70 of ITA 2000 to understand the objective of the section.

Section 70: Protected system (Amended Vide ITAA-2008)

(1) The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.

(Substituted vide ITAA-2008)

(2) The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1).

(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

After the amendment of ITA 2000 in 2008/9, Section 70 can be invoked only for “Critical Information Infrastructure”. Critical Information Infrastructure needs to be a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”

A justification of why the declared system is considered “Critical Information Infrastructure” needs to be provided along with the notification. So far we do not see such justification in the notification.

It is necessary for the Government by order in writing to authorize the persons who are authorized to access the declared system and also prescribe the information security practices and procedures for such a protected system.

These written instructions should ideally accompany the notification, since any attempt to access the system in contravention of the section could be punished with imprisonment of 10 years.

In other words the notification is introducing a serious criminal law provision which could impact several persons associated directly or indirectly with the system.

At present the instruction is vaguely expressed in the notification in generic terms, such as that the declared systems (resources relating to the Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server) may be accessed by

(a) any designated employee authorised by the ICICI Bank;
(b) any authorised team members of contractual managed service provider or third-party vendor who have been authorised by the ICICI Bank for need-based access; and
(c) any consultant, regulator, government official, auditor and stakeholder authorised by the ICICI Bank on case to case basis.

In other words, the notification is authorizing ICICI Bank to designate the employees or contract persons, any consultant, any regulator, any government official, any auditor and any stakeholder authorized by the Bank. The “Stakeholder” may include the customers of the Bank who have to access the CBS system for managing their accounts.

The order therefore abdicates the responsibility of the Government and delegates the powers under the section to the Bank itself.

This appears to be ultra-vires the Act.

On 22nd May 2018, MeitY had notified (S.O. 2235(E)) the Information Security Practices and Procedures for Protected System.

Now this notification will be binding on ICICI Bank and override any other policy that may be in place.

One of the requirements of this policy is that the Bank should constitute an Information Security Steering Committee (ISSC) which should include a representative(s) of CERT-IN, the Director General of which has been declared as the Nodal Officer of NCIIPC under Sections 70A and 70B of the ITA 2000.

The detailed IS policy as provided in the notification of May 2018 needs to be implemented by the CISO of the Bank who should continuously report to the CERT-IN.

In other words, the CISO of ICICI Bank will now be considered as a subordinate of the CERT-IN and CERT-IN effectively takes over the responsibility for guiding the bank on all its IS measures.

This arrangement is similar to the system where Financial Institutions nominate their representatives in the Boards of companies which they have financed and perhaps turned sick.

In other words, the Government of India has expressed loss of confidence in the ability of the Bank to maintain the security of its systems and found it necessary to exercise a direct supervision.

The “Access Control” mechanism of the Bank will now come directly under the scrutiny of CERT-IN.

The current vague instructions in the Gazette notification, which allow any “Tom, Dick and Harry” to access the system, are highly dangerous to CERT-IN since it now becomes answerable for any system intrusions.

The undersigned has brought a sample of an intrusion to the notice of CERT-IN and sought its reaction to the same. This refers to an e-mail which the Bank has identified as a “Phishing Email” but which indicates that the phishing URLs are hosted in the ICICI Bank server itself.

The email is reproduced here for the information of the security professionals.

One can observe the URL https://verification.icicibank.com through which the malicious web page appears to have been activated.

Now such incidents become the responsibility of CERT-IN and, if they fail to exercise adequate control on such happenings, the officials of CERT-IN would be liable for their negligence.

Further, if Section 70 is invoked on ICICI Bank, HDFC Bank today, there is no reason why it should not be invoked on SBI or PNB or even large hospital chains etc.

Whether CERT-IN will be able to handle the responsibilities of multiple large private companies is a moot question. Perhaps they need to expand their work force several times to handle such responsibilities.

We shall watch the developments of how this new trend of Government security infrastructure being extended to protect private digital assets works on the ground.

I wish a proper assessment of the Risks to CERT-IN arising out of such responsibilities had been made before such a momentous decision was taken.

(Comments invited)

Posted in Cyber Law

Amendment to Intermediary Guidelines-Grievance Appellate Committee

The MeitY had announced the Intermediary Guidelines and Digital Media Ethics guidelines on 25th February 2021, which had evoked an Anti-CAA kind of response from the industry. Several High Courts (Kerala, Bombay and Madras) came up with their own interim orders truncating the notification, and the matter landed up in the Supreme Court.

Now an amendment notification has been issued on 6th June 2022 for which public comments have been invited. A public consultation meeting with stakeholders was also conducted yesterday by the honourable minister Mr Rajeev Chandrashekar.

The window for public comments will be open up to July 6th.

The amendment mainly relates to the Grievance Appellate Committee to be set up under the following rule:

Appeal to Grievance Appellate Committee(s): –

(a) The Central Government shall constitute one or more Grievance Appellate Committees, which shall consist of a Chairperson and such other Members, as the Central Government may, by notification in the Official Gazette, appoint;

(b) Any person aggrieved by an order made by the Grievance Officer under clause (a) and clause (b) of sub-rule (2) of rule 3 may prefer an appeal to the Grievance Appellate committee having jurisdiction in the matter within a period of 30 days of receipt of communication from the Grievance Officer;

(c) The Grievance Appellate Committee shall deal with such appeal expeditiously and shall make an endeavour to dispose of the appeal finally within 30 calendar days from the date of receipt of the appeal;

(d) Every order passed by the Grievance Appellate Committee shall be complied by the concerned Intermediary.

The objective of this appellate committee is to address the complaints about content removal received by an intermediary when its decision to remove or not remove a piece of content is contested by a platform user or member of the public.

During the public consultation, several thoughts were exchanged. However the discussion failed to address the action that can follow the decision of the Grievance Appellate Committee.

Also some of the discussions revolved around the constitution of the committee and whether it has to be managed by legal/judicial officers or members of the Government.

It appeared that no thought had been spared on the acceptability of the proposal without an amendment to the ITA 2000 itself.

At present ITA 2000 has a statutory mechanism of grievance redressal which includes the Adjudicator and the Appellate Tribunal. Though the effectiveness of this system may be questioned, the fact remains that these are part of the law and cannot be superseded by the notification.

However, before the dispute reaches Adjudication, any effort at resolving the dispute through an ADR process, including Ombudsman, Mediation or with-recourse Arbitration, can be tried. If at the end of such a process the dispute remains unresolved, it has to be referred to the statutory grievance redressal system, which in this case is Adjudication under Section 46 of ITA 2000.

Hence the proposed Grievance Appellate Committee has a subordinate relationship with the Adjudication process and need not be manned by a high level committee with judicial officers. It can be handled by the officials of MeitY with or without some representation from outside experts. If MeitY adopts an ODR approach, it can involve experts from the industry and resolve disputes like a sub-committee of MeitY, subject to further appeal lying before the Adjudicator. It would be sufficient if the sub-committee is headed by an officer of the rank equivalent to the IT Secretaries of the State or below.

Any attempt to make this committee’s decision binding on the Adjudicators would be ultra-vires the Act. A clarification that appeals about the decision of the committee lies with the Adjudicator would be in order.

I hope the Meity takes this view into consideration.

Naavi

Posted in Cyber Law

Understanding why Bank Frauds are increasing

It was a great pleasure for me to read the article today written by Advocate Dr Mahendra Limaye of Nagpur highlighting the need to strengthen the recipient side process of digital payments.

As many of the readers know, Naavi has been pursuing the historical case of S Umashankar Vs ICICI Bank since 2008 in which some money was lost due to unauthorized access of an NRE account at Tuticorin and laundered through another current account of ICICI Bank at Fort Mumbai branch.

In this case the deficiencies of security at ICICI Bank at both branches were clearly highlighted. The negligence of the account holding branch at Tuticorin and the negligence and complicity of the Fort Branch were presented with evidence gathered from the Bank’s own records.

The Adjudicator of Tamil Nadu gave the award in favour of the customer based primarily on the negligence of the Tuticorin branch while highlighting the deficiencies of the Fort Branch.

In the appeal, TDSAT highlighted the negligence of the Fort Branch and dismissed the appeal of the Bank once again confirming the award in favour of the customer and against the Bank.

Now the matter is before the Madras High Court and in the final stages of a decision on the further appeal of ICICI Bank. For the time being it is inappropriate to discuss the issues as they are being presented in the Madras High Court, while we wait for the final decision of the honourable Court.

But what Mr Limaye has written will surely come up for further discussion in the Court.

Naavi

Posted in Cyber Law

SEBI adopts 6 hour norm for data breach notification

According to a report in Economic Times, SEBI has reportedly advised all mutual fund AMCs to report any information on Cyber incidents to CERT-IN and SEBI within 6 hours of noticing such incidents.

This is in keeping with the CERT-IN data breach guidelines released on 28th April 2022.

With this, the six-hour norm has been set for data breach notification by CERT-IN, RBI and SEBI, as against the DPA 2021 suggesting a 72-hour window.

Naavi

Posted in Cyber Law