Hi everyone. Thank you so much for coming to this open house on security practices in fintech. I'm Uddhav Tiwari and I work as a program manager at the Center for Internet and Society, which is an NGO research organization based out of Bangalore and Delhi. What I'll quickly be doing is running you through what we'll be doing at this open house, which is broadly telling you about the research goals and questions that we have when it comes to security practices in fintech, the work that we have done so far in this space, and certain guiding points for the participants who are here at the open house. I don't intend to talk for more than another five or seven minutes, because this is largely an exercise to gather input from the industry, so that as a part of the research I can look at what people in the industry and society generally think should be a part of security standards for financial technologies. We'll be doing that under certain headings, in which we'll be looking at management, technical and other miscellaneous parts, which are the three broad categories within our research in which we've decided to look at how fintech operates in the country, and then finally we'll look at concluding points. The first three or four points shouldn't take more than about five minutes, and most of the session is ideally going to be about the guiding points for the participants, where I'm going to either ask questions or just leave the floor open for inputs that individuals would like to provide once you understand our research a little better. From there we'll probably have some sort of a discussion on what should or should not be a part of this standard.
Just a very quick overview: the Center for Internet and Society is a research NGO that has offices in Bangalore and Delhi, and we've been operating in the tech policy space for about nine years now, where we've largely worked in privacy, internet governance, accessibility and access to knowledge, where large parts of Wikipedia India are based out of CIS in Bangalore. Our work has had a fairly decent amount of impact. We've been a part of a couple of government committees, such as the AP Shah committee that looked at privacy and came out with the first government report on how the right to privacy should be implemented in India. Some of this work has been used by the government at fairly high levels; for example, very recently we were the only NGO or think tank (depending on what you want to call us) in India that was quoted by the Supreme Court in the right to privacy judgment. So the government takes at least a little bit of care to listen to what we're saying on certain subjects, which we always try to ensure by gathering inputs from all the relevant stakeholders when it comes to a particular topic, whether it be industry, civil society, consumer interest groups or the government itself. We've started working in the cyber security space very recently, only since 2016, and when we wanted to work on financial technologies we noticed, in conversations that we had with certain consumer interest groups as well as some fintech companies, that there was a lack of coordination between regulators in India, which are broadly the Reserve Bank of India, the Finance Ministry and the Ministry of Information Technology, which regulate or have the remit to work in the fintech space. We therefore decided to pursue participation in standards development to ensure that we can contribute to this debate.
We do this both domestically and internationally. We participate in the ISO, the international standards organization, as members from India, where we are a part of the committee that develops ISO 27001, a standard that I'm sure at least some of you are familiar with, and also domestically, where we take part in the Bureau of Indian Standards, which develops local and domestic financial standards as well. The research goal of this project, which we decided to embark upon about four months ago, was to help the government and industry create a sectoral standard to govern security practices in the fintech industry in India. When we spoke to the industry we felt a very pressing need for consistency and uniformity in what an organization working in the digital finance space should follow in order to be compliant with the law, and this standard is one means of doing that, through co-regulation, which I'll come to in a little bit. The research questions that we asked ourselves were: what are the current fintech security practices in the industry; what are the areas of governance and regulation when it comes to cyber security that could benefit from co-regulation (I'll explain the term co-regulation in some time); what form should this co-regulation take; and what should be the substantive content of such a standard to satisfy the industry, government and civil society. The answer to the first question, what are the current fintech security practices in the industry, is that we broadly realized that at least when it comes to fintech there are none officially, that is, none that have been passed by the government.
What we did notice was that there were guidelines by the Reserve Bank of India on how cyber security should be implemented in banks. At this point it's important to distinguish fintech organizations, which tend to work in either peer-to-peer lending or digital payments, from banks, both for the level of regulation that is imposed upon them by the government and for the duty and obligation that they have to their consumers to ensure that they're carrying out a certain minimum standard of best practices for security and privacy. So we realized that there was very little happening in the fintech security space in India, and that especially post demonetization the space was booming; I think we've seen over 400 to 500 percent growth in digital transactions, largely pushed by initiatives such as UPI as well as the government pushing digital payment methods over cash. That is why we signed an MoU with NCIIPC, the National Critical Information Protection Center in India. It's a central government agency based under one of India's spy agencies, the NTRO (National Technical Research Organisation), which has the remit to protect India's critical infrastructure from attacks by foreign parties, both physical (so a little physical protection) and digital, which includes cyber security. We have a memorandum of understanding with them with the goal of eventually helping NCIIPC talk to the Prime Minister's Office and some other organizations to ensure that there is some sort of uniformity in how the digital finance space is approaching security in the Indian context. I think we signed this MoU around mid-year, in March or April 2017.
Once we did that, we looked at what form this co-regulation could take. Co-regulation, just to explain it really quickly, is when the entity that is being regulated and the government which will pass the regulation essentially decide to come into a room and carry out a form of regulation where there is accountability and a certain minimum standard that the government imposes, and the government may even perform some level of enforcement, which is its primary job when it comes to regulation, but the actual content of the regulation as well as the manner in which it's implemented in the country is done by the industry. What that essentially ensures is that these regulations tend to be a lot more fluid, a lot more relevant to the industry, and there is a give and take between the regulators and the industry as to what should or should not be a part of the standard. The reason this is particularly important for the fintech industry is twofold. One, despite the numbers that we keep hearing about, the fintech industry in India is in a very nascent stage, which means that there are new startups starting up pretty much every single day in the fintech space that offer a variety of financial services, whether it be payment service providers on the web, wallet apps, or transactional apps that enable UPI to be used in them. Regulation can be a very big barrier to letting startups and young companies carry out the goal of their organization, especially if it tends to be too cumbersome for entities that can be very young. In a conversation that I had with Nemo about four or five weeks ago, he told me that when Razorpay started off there were just two employees in the company, and if you ask a company that has
two employees to follow a standard like ISO 27001, which is a really detailed standard that takes lakhs if not crores of rupees to get yourself certified against and has some very detailed requirements, that is an incredibly heavy task. The reason I mention ISO 27001 is that India actually already has a sort of co-regulatory mechanism present in our law when it comes to information technology. The IT Act and the 2011 rules for reasonable security practices have two provisions to say that an organization has met the threshold for carrying out best practices when it comes to security and privacy. What this means is that if you can say that you have carried out the standards or the requirements under that section, then if you suffer a breach or lose data you are not immediately culpable for breaching the law, not protecting your consumer data, or causing harm to your consumers. This doesn't mean that as long as you follow, say, ISO 27001 you are free and can get away with everything, but it is the minimum standard that the law imposes upon you to say that you have carried out reasonable security and privacy best practices. The two things the 2011 rules say about this are: one, that you simply get certified against ISO 27001; and two, that a sector or industry can come together, create its own set of standards and then get them certified by the government. If the government certifies those standards then these become the standards for that industry, and as long as you follow that industry-created but government-certified standard you will be in compliance with the law when it comes to reasonable security and privacy best practices. Now, even though this was passed in 2011, most of the research that we've done shows that there hasn't been a single instance of any industry passing such a standard, and there are some industries that are far more long-ingrained and a lot less agile, like, say, the energy
sector, which consists of multi-billion dollar plants and energy grids, that still haven't managed to come up with a sectoral standard and get it certified. But these provisions have been present in the rules, and we therefore thought that this would be a really good way not only to help the fintech industry create a standard but also then to take it to the government and say that this is an avenue of co-regulation where you can work with the industry to make sure that the standard you impose is a standard that is ultimately followed by as many fintech players as possible. The semantics of that is something that we hope to discuss in this open house. Finally, we decided that the substantive content of these standards, while it could be based on other standards like ISO 27001 and PCI DSS (and I'm going to come to that), can be very disabling for young startups or young organizations to follow because of the weight of their requirements. So in the work that we've done so far, we decided to categorize the requirements from laws and regulations that have already been passed for security in the digital finance space by both MeitY and RBI, as well as looking at standards like ISO 27001, which is more security than digital finance, and PCI DSS, which is very specifically related to entities that deal with credit card information. What we've done so far is go through these regulations, and I'll be happy to share, via Bishik, the Excel sheet with all of you for the work that we've done so far in this categorization. We've essentially categorized these requirements on the basis of what they do in the organization. So for example, there are certain technical things, like ensuring that your servers are updated regularly, or ensuring that you have a password policy for how long the password has to be and how frequently you have to change it,
so very granular technical details, to broader things like ensuring that the building in which the server is housed must necessarily have a physical access system, that this physical access system must necessarily undergo audits, and that the entire system and infrastructure must regularly undergo audits by auditors who are certified under ISO 27001. These are just small examples of, I think, easily over 350 to 400 points of different requirements under these laws and standards that we categorized; we currently have them in an Excel sheet, which I will share with you after the talk. After that, we've also had some interviews with experts and industry practitioners to look at what they think about the industry: what their feeling is about whether India needs a standard, if India needs one how it should be implemented, what should be a part of it, how easy or difficult it should be, and what the minimum standard should be that even a startup with just one individual must necessarily follow, to ensure that if you're providing digital finance services there will be a base level of security. We've done about four to five of these interviews so far, and we're now in the process of also gathering community feedback to look at what the community thinks about this and what the industry thinks should be a part of the standard as well. That's broadly the work that we've done so far. These are the discussion points that I'm going to leave open to the house after a short introduction on each point. I'm then going to ask a couple of questions, to which I would request you all to answer or give your opinions to whichever level you can, and also to have a free-flowing discussion on each of them. I was hoping to give at least 10 minutes to each of these points over the next hour so that we can collect enough information, but if it turns out that one thing is more important than the other then we can
definitely keep it agile. So the first question, to which internally at CIS we already have a bit of an answer, and that answer is yes, is: is there a need for a sectoral standard when it comes to the financial technology space? We answer this question broadly at two levels, one by looking at the Indian ecosystem, but also by looking at other countries that tend to have very active financial regulators, like the United Kingdom, Singapore and Australia, all of which at some level do have security guidelines and standards that fintech companies, even companies that operate inside regulatory sandboxes in these countries, have to follow before they can provide services to the public at large. A lot of the points we've gathered have also been from these regulations in other countries, to look at how they are balancing industry and consumer interest as well. So at CIS, looking at the fact that other countries are doing it, and looking at reports of everything from debit card breaches to people's information being stolen from their wallets to poor security practices being followed in payment apps and e-wallets, we positively affirmed the need for sectoral standards in the fintech industry. The challenge that we had after we came to that conclusion was defining what the fintech industry would be. Say, should a digital payments provider who operates a payment gateway on the web and on mobile be put to the same standard that a peer-to-peer lender should? Or is there some sort of base minimum criteria that, if you are dealing with technology that deals with money or finance in any form at all, you need to follow if you are providing it to the public at large? We have largely decided that, while it is important to look at the different aspects of the fintech industry, digital payments is the area where the need for the standard is the greatest, and that the minimum
standards that we would come up with for digital payments could possibly be cross-applicable to some of the other areas in fintech as well, which is something that we're not sure about. So the question that I would ask you all is: do you think the fintech industry needs a sectoral standard, and if so, why? But far more importantly, because we're very interested in the counter-discourse, if you don't think there is a need for a sectoral standard in the fintech industry in India, why do you think there shouldn't be one, and how can security practices then be ingrained into the day-to-day services of providers? I leave these questions open to the floor; any points, opinions or questions that you have will be incredibly useful.

I mean, we've come across some of these, but could you give us some examples of standards or documents that at some level are binding and that do have such diverse...

Absolutely. That's something that we considered, because the problem, at least in the Indian context, is that even if you look at some of the biggest fintech apps in India that have billions of dollars of funding and are used by millions of people, a majority of these practices, which I am certain the developers working in these organizations would be aware of, simply are not followed. The reason they aren't followed can of course be twofold: the first one, like you correctly pointed out, is awareness, the fact that people don't know that these things exist, but the second is that there isn't enough of a regulatory impetus for you to do that. Regulation can also impose a standard that should be followed. So for example, if in the security standard we say that when it comes to both application and infrastructure security you need to follow these two things, where we don't specify any of that detail at all, then whatever details are present within the standards at the point at which you're getting certified are things you have
to follow. The only way that becomes binding, or the only way that you can ensure that if you are a fintech company with, say, a turnover of more than 10 lakh then you have to follow it, is something that is not going to be a part of the standard but can be a part of the regulatory recommendations that we make to the government. Then they will have to follow those developments that are clearly being created by industry and developers globally, but in the form of a standard. The alternative, of course, is that this is actually ingrained into law, which means it will become stagnant; it probably won't change for 10 to 15 years, and obviously the space evolves so fast that it's really difficult for individuals to both be compliant with the law and also follow the latest security practices, or, if they're following the latest security practices, sometimes they will not comply with the law, because things get complicated all the time.

Absolutely. The only response that I have to that is that, at a certain level, maybe not the entirety of the standard, maybe not the bulk of the processes, but the question of certification is different from the way it is right now. You're completely right that currently you need to be empanelled with certain bodies, and only the people who are empanelled can do it, and the people who are empanelled tend to be the big four or certain other auditing agencies that have already been around for long enough that they tend to get all the business, and even they charge such exorbitant rates that young startups can never really get certified by them. Some of those things are process fixes, and in some of the conversations that we've had with the government, the government is more than willing to modify or change that process when it comes to financial technology. For example, there's a very high chance that within the next three to four months there is going to be a
payments board, independent of the RBI, that is going to be set up within the Ministry of Information Technology and is going to do a lot of this regulation. Because it's going to be a clean start, a fresh body, if the industry representation is made to it that certification is the only form of enforcement (which is why it becomes different from regulation), then the certification should be easy, openly enforceable, maybe even self-certifiable, where there's literally a checklist with maybe 120 points at the end which a company can tick off and say "I have done this". Just by self-certifying themselves they would save a lot of the cost (probably you would have to hire some consultants, but it would save a lot of the cost), but they would be liable if they haven't followed that minimum threshold as well. So these are things that we're accounting for in the standard. These are also process-oriented, because they are independent of the content of the standard itself, and that's the second part of it, which is why, if you look at the discussion points "components of the sectoral standards" and "strategies for balancing industry and consumer interest", a lot of the stuff that we've discussed in the last five minutes would actually come under strategies for balancing industry and consumer interest. But thank you so much, that was very useful, and it's also very interesting to get on record at some level the fact that the current regulatory and certifying system, when it comes to being available to different sectors, is broadly broken, and if the standard were to just be plugged into that and become another thing that you have to be certified against, it would just create more problems and not solve any. So I completely agree with you. In fact we've had some discussions with some fairly high-level people in government about the enforcement of, you could say broadly, the IT Act on things like breaches, especially when it comes to
privacy, and why they aren't really prosecuted, and why there's a problem with that. The only real response to that that I have is that I think they're two separate problems that are interrelated, but this project addresses at least one of those problems, which is: if you want to decrease the odds of those breaches happening, then what are the things that the industry should possibly be doing, even if they're just self-certifying themselves? If there is a 10-page document that they can download with checkboxes at the end, and as long as they check all those boxes, the odds of a breach happening are much lower than with a couple of developers over beers programming something and releasing it the next day. So I completely agree with that, and that is why I said the second part of everything that he said about enforcement, like how effective it is in ensuring that attacks, if they do take place, which they obviously will (in fact maybe you're even painting a target on your back by self-certifying yourself, as an argument), is a separate question. To that, when it comes to various other jurisdictions that are more business friendly, especially to startups, than India is, whether it be the United States of America, the United Kingdom or Australia, they do have complicated mechanisms such as regulatory sandboxes, where startups don't follow the full standard but a lowered standard, as long as they're below a certain level, and are put under specific scrutiny. So as long as their turnover is below a certain amount, or they have fewer than a certain number of employees, or they're over a certain age, then they can follow reduced standards but are monitored closely to ensure that bad stuff does not happen. You can think of it as a form of incubation of security practices into the organization, apart from of course regulatory practices, because for things like peer-to-peer financing you need to make sure that the
money that you're lending out is backed up by sufficient guarantors and things like that, so these are reduced as well, and it's easier to be a startup in these regulatory sandboxes. The recent TRAI consultation paper on data privacy also mentioned the notion of data sandboxes, where data from various providers is aggregated into a sandbox and is then made available for use by certain entities that are specifically given permission to enter that sandbox and play with the data to see what they can do, while they are under scrutiny, to prevent some of the harm that would have happened if this data had just been openly sold on the market without really looking at what sort of company has access to it. These are solutions, from a process point of view, that we would argue are better than nothing happening at all, which is the current status quo. So at a certain level I would have to agree that this is a barrier and is necessarily going to be a barrier, just like registering with the Registrar of Companies to open your company is a barrier, just like paying taxes is a barrier, just like making sure that you fireproof your building is a barrier. Yeah, exactly, but a necessary barrier at various levels. That I completely agree with, but the goal of this, I think, is to pass it on to the government to make sure that if they do come up with this, they don't come up with another law like the 2011 law that is frozen in time, incredibly hard to follow and doesn't really fix anything. If the law is made, and regardless of whether the industry wants it or not I'm fairly certain that is going to happen, and in a very short time, people are going to say this security and privacy thing is a problem and we need to do something about it; even the industry is actually one of the biggest proponents of that, in terms of talking to the government to make sure that there is some sort of certainty about what constitutes and
doesn't constitute security, to inform that discourse so that if it does happen it's as friendly to industry, yet as aligned with consumer interest, as it can possibly be for something that the government is passing. So this is just an attempt to make sure that, presuming X is going to happen, how nice can you make X. Yeah, of course, incredibly tough. Okay, fine. So Pranav, who's also recording this, has said, only if you want to, because I understand that you come from companies and maybe your identity is something that you don't want to divulge, if you think it's okay, could you introduce yourselves so that we can take down who is saying this, broadly? If you don't want to give your names or organization, just what you do would also be sufficient, just so that we have that on record. So could I just have your details? Okay, so he works... yeah. So, any other? Yeah.

So, answering the second question first: are they more successful? Almost certainly yes, in terms of how much easier it is for the industry to follow them, how much easier it is for the industry to comply with them, and how much easier it is for the industry to say to the government that we are doing enough in a manner that is compliant with some sort of international best practice, which is why ISO 27001 has become as popular a standard as it has. Because they tend to be individuals, especially young companies, that either don't know enough, or the resources that they need to have access to in order to even comply with the regulations tend to be really heavy: you need to hire a lawyer, you need to ensure that you're regularly certified, you need to make sure you do your due diligence, and all of these things tend to be much easier if there is a standardized way of doing them, so that there are practitioners that become familiar with the entire process as a whole. So if you do have to undergo, say, a
security audit, or if you're a government organization and you have to use ISO 27001, the ISO now has a document that says that if you're a government organization that uses ISO 27001, ideally this is how we think you should use it. That document does make it a lot easier, in this example, for even bureaucratic organizations like the government to be able to say that we are doing something which at least some people agree is something that should be done. I know I use the word "something" so many times, because that leads to the first question, which is of leniency. Yes, they do tend to be a lot more lenient than regulation. The reason they tend to be a lot more lenient than regulation is, one, because the industry plays a very big role in creating them: the ISO is pretty much full of auditors and companies who are attempting to create standards for new, upcoming areas of technology, and this does therefore make them more lenient, just like the point that was made a little earlier about ensuring that standards don't become a barrier to business. Two, they do get updated more frequently than regulation. For example, at the ISO and at the BIS it is compulsory for every standard to be reviewed every three years, so if this standard is passed at the BIS or the ISO next year, say in March 2018, then by 2021-22, in that one-year period, they will have to review the standard. During the review, the process is actually fairly exhaustive: you have to look at who's using the standard, is it being used enough, when people are using it are they facing problems with implementing it, is it too hard, is it too easy, are there new systems that have come into place that make some parts of the standard redundant, is there a new, better standard that maybe covers a part of this standard so well that this standard should refer to that one. This process normally takes between six months and a year, and at the ISO every
year there are easily between 200 and 300 standards that are retired in their renewal periods, because they're either insufficient or because not enough people renew them. So if we create a standard that is passed as one and it isn't used for three years, then that standard will simply die a death, a very poor one, in the normal processes by which standards are developed. This is remarkably different from regulation, because regulation tends to be a lot broader. For example, you can't really have a regulation that says your password needs to be changed every 90 days. Regulators have a problem doing that, because what if somebody doesn't do that? Are they going to go after every single person who hasn't changed their password in 90 days? It either becomes too specific, or you can't govern in as broad and normative a manner as possible, which is what regulation normally tends to do. So on both those questions I think sectoral standards do tend to be effective. Even if you look at non-cyber-security standards, at stuff like quality control management, the ISO 9000 series is the most widely certified standard series in the world, and recently Nissan in Japan lost their 9000 series certification because a couple of the technicians who were performing certifications on cars (it's a quality control standard), for whether parts were compliant with security guidelines, had apparently faked their certification. They spent close to 300 million dollars recalling every single car that was ever tested by somebody who had faked the certification, got their standard revoked, and are now trying to get that standard back. So there are various sectors or components of operations in companies where standards are considered gold, and the reason, for example, it's so important for Nissan to get that standard back is because the Japanese government mandates that if you get certain state
subsidies for manufacturing of cars and things like that, that you need to be compliant with a certain standard. So there are other forms of incentives apart from just enforcement that the government can also use. For example, if you're ISO 27001 compliant, maybe you literally need to pay less tax on certain transactions. That can be used also to ensure that there are incentives to actually using a standard that actually lead to proper financial gain along with security for the end user. And, yeah, no, absolutely, incentives tend to work, yeah, exactly, exactly. And so it's something that at least in the process of the standard we have sort of quite heavily been thinking about including in the recommendations, that one of the other parts of the cybersecurity project is economic incentives for cybersecurity, whether this be research grants given to universities to carry out research in cybersecurity, whether it be funding; Ravi Shankar Prasad, I think three days ago, in a speech said that the government is willing to invest funds in startups that are specifically working in cybersecurity. There isn't a policy about it yet, but they have said that. The official Indian government procurement policy that was open for comments last to last month officially says that when it comes to government procurement for cybersecurity, if you're an Indian startup then you would be preferred over other competing startups if we are procuring cybersecurity startups from you, because they want to build an ecosystem. So we are looking at economic incentives here; I mean, it's something that we're going to do in the second year of the project, which has started like four days ago, so you will see some research coming out about what other countries are doing for economic incentives in cybersecurity, how effective they are, if they are implemented in India how should they be implemented, etc., etc. And I think NIPFP, which is the National Institute for financial policy, which is in Delhi
and is pretty much the Ministry of Finance and RBI's think tank that does a lot of this research, is also considering doing research on this as well. So, one, we have definitely thought of it, so almost certainly actually will include recommendations along with the standard, the process part, to say that incentives should be a very big part of this. Where, instead of, say, like the government has been talking about charging a security cess on every transaction, which is something that the government has been talking about, where for every digital finance transaction that takes place it charges a security cess and then uses that money apparently for cybersecurity, on the other hand you could create a reverse incentive or positive incentive where you actually make them pay a little less tax if they are following greater security standards and processes. And this, especially in Israel, has been shown to have some remarkable effects on the startup ecosystem, which is why Israel has the reputation it does when it comes to cybersecurity and outsourcing its cybersecurity services; the government policies and government incentives have a big part to do with that as well. So, hopefully having covered the need for sectoral standards, components of sectoral standards: so you had mentioned application security, infrastructure security and all of these different parts. Broadly speaking we would put them under technical. But from a management perspective, right, having a policy in place that if a breach does happen, what will be done, who are the people who will be informed, how soon will they be informed, how soon do they have to come to a decision, do consumers have to be notified or not, if they don't, does the government have to be notified or not; all of these are also fairly important parts. And especially considering the scenario that if you presume that the standard may reduce the number of attacks that take place, but attacks will still necessarily happen, a lot of the management stuff is what will ensure that
the harm that can occur post the attack occurring is minimized as much as possible. So this is also the part that we've spoken about the least in our interviews and our expert conversations so far. So if you have recommendations for practices that are followed in the organizations you work for, practices that are followed globally that you think are good practices, that, if you are aware of, are followed by countries either in the form of regulation, say consumer breach notification laws, or even standards and other more informal forms of regulation that you think we should look at as a part of our standard, we would love to hear that from you especially. And this is super important because it's always the industry that will always give us, I think, the management part of this, because ISO 27000 is actually fairly silent on things like policies and things like that. So they'll say you have to have an IT security policy and the IT security policy needs to cover these five points, but those five points tend to be so incredibly generic that the organization itself can define how it is following them and then follow. So we would like to say, if we have to go down the route of self-certification and giving a checklist of things, so say we can't just say "have a breach policy" in the standard; we probably need to say what should be the minimum components of a breach policy, everything from notification to internal company processes. So if there are any recommendations that the room has on what we should look at, and this could be very, very specific, if you're aware of standard numbers or companies that have good policies, you can tell us about that; we can approach these companies independently to see if we can have a look at them so that we can include them as a part of the standard. As well as if you have specific suggestions, like super specific is fine, then we'd like to include them as well. Sure, that'll be wonderful. So just to quickly answer that, it sort of does; it's a
very nascent industry. Some of the very big players like AIG, which are global cyber insurance sort of behemoths, have entered into India. And just sort of quickly answering the question of cost: cost is the reason businesses pursue cyber security, because the cost if things go wrong can be so catastrophic in the age of this much communication that balancing that cost via insurance is actually one of the best ways to ensure that cyber security practices are being followed. So I was in conversation with someone from AIG about three months ago and they said that before they insure any organization above a certain level for cyber insurance, they themselves conduct an audit in order to come up with their quote, which actually goes through your security processes and sees what are the odds that you will suffer a breach, and if you suffer a breach what are the processes that you have in place in order to be able to deal with them. So here we have the cost, and then the insurance industry automatically sort of acting as a counter to ensure that even if the cost is a problem, the organization or company follows certain minimum security standards in order to make sure that their insurance premiums aren't too high, or to make sure that the coverage is wide enough. So that's a very, very valid point. It's something that people have started talking about in India; some of the big four have started talking about it as well, I think PwC has some reports on this and about why it's important that India enter the space. But one of the biggest reasons, for example, why two factor authentication isn't a thing for credit card transactions in the developed world is simply because of the insurance industry, because every time there is a cost they simply offset it with that. So if it becomes blanket and completely applicable, there is an argument to be made, if you're coming from the pure privacy and security viewpoint, that it may be a little bit of a bad thing, which is
why, for example, even though they've had the technology to enforce OTPs for decades now, the real reason it hasn't been done is because they don't have to, because it's cheaper to pay the premium and get all the losses covered than actually go through that complete infrastructural change. So some of the changes that are taking place in the European Union, especially with the GDPR that's going to come into force next year, are forcing companies to change that, which is, yeah, no, I mean, at least from my conversations with the auditors at the ISO, they're crying about it. Interesting. Yeah, so I mean at the minimum I think this is an attempt to make sure that there is something there that people do want to follow. So clearly then, in this, along with the recommendations that we make along with the standard, apart from just pure consumer awareness, even developer awareness; and that's now a question of pretty much education, right, because ensuring that it's a part of curriculum, ensuring that if there are industry certifications they mandate a certain level of updated security practices, are probably the only organic, long-term, definitely not short or medium-term, way to fix some of those problems. But yeah, no, we'll make sure to take note of that point. Yeah, no, so security reports don't necessarily have to be released, but I think there is a middle ground between doing what happened in Hitachi and doing everything, and I thought it's more useful to reach on occasion. Some thousands of credit cards were generated and there was a loss, and it was not a loss. Absolutely, so I mean two angles. One, at a minimum consumer breach notification would not apply to that because consumers didn't get affected, the bank did.
And if you like one, two, I would love for there to be a consumer breach notification now, which we don't even have, that maybe even imposes that obligation upon companies that if you suffer a loss at a certain level or above a certain magnitude, then you have to report it at a minimum, if not to the public then to the government, so that the government can then take the call of whether it should be reported to the public or not, whether there should be an annual audit report, whether the government comes out maybe once every year, maybe even partially anonymized if it has to, if it's really sensitive. But largely like Amy said, I think like the public shaming and public disclosure is one of the best incentives that consumers as entities and presuming that they do have rights in this entire game of profit and loss and barriers to companies can take, can like do is to ensure that, like you said, right, if the money is going to move somewhere else and if people are going to go and say to individuals, I'm not going to use your product and services, if those products and services screw them over then it's their obligation to make sure that they know that they got screwed over before these consumers move on somewhere else. So at least internationally speaking, right, like the arguments that you made is the singular reason America does not have a federal breach notification law yet, but 51 states in America have a breach notification law because even though there hasn't been national consensus on this and the days maybe 30, 60 or 90 and a lot of semantics have been debated about, but even countries in which technology is a far greater part of their ecosystem and contributes to a far bigger part of their GDP than it even does in India have decided to proceed down this road and regulators have gone, we understand that this is going to be a barrier or it's going to be a harm and there are some times in which it can get completely out of control. 
But nevertheless, we do have to do this because this is given how fast this space is changing and how much harder it is to regulate and that with that I'm trying to sort of answer your question, right, like when it comes to enforcement and regulation, there are two broad ways in which you do so. One is competition, like following sort of model where the Competition Commission of India works, right. So the Competition Commission of India can investigate you for competition crimes in two ways. One is if someone complains and then there's a report and an investigation. And the second is it can proactively decide to conduct something known as dawn raids where they literally just turn up and say, hi, so can we have a look at like these logs and these records? And when it comes to judicial power, they are incredibly powerful. So the FTC is an organization that does this in the United States of America. The CCI is this in India and like they have investigatory powers. Anything that the police can do, the Competition Commission of India can come and ask you for all of that information while respecting your confidentiality, which is also present in the law. But you can never tell the Competition Commission of India, we think this is private or this is our source code. You can tell them, you can tell them you can see this. If you share this with anyone, then you have to compensate us for any loss that we suffer from. And like there are agreements that are signed between like regulators and companies sometimes, but they have the right to come and investigate at any point that they want. And sometimes they do this due to whistleblower mechanisms, where if people think that something is happening, for example, just what you said with the bank, right. And those many thousands of credit cards that were leaked and how nobody really found out about it.
If anyone in that bank and if such an, say, entity was present in India for digital crime, if there was whistleblower protection where the person could have gone and told the regulator, this happened in the bank, this caused this much loss. This clearly showed that security practices were not being followed in the bank. Can you please come and investigate this because I think it's a problem as a whistleblower, recognizing that he is doing something despite being a part of their organization. Then in places like America, there are protections given to such individuals, both sometimes even not at all. So this was answering his standard like whistleblower protection is definitely not going to be a part of the standard at all. This is just to answer the question of breach notifications. And if yeah, no, so then there's, then obviously that that is a legal thing that you will have to prove if someone comes to you and said you had a breach, but you never found out about it. And if they make the statement we never found out, then they'll have to prove the statement that they never found out. And if they never found out, then if it's if there wasn't any mala fide intent, because it's very hard to determine I didn't find out about it versus oops, I'm sorry, I didn't leave those two lines in a log. And I ended up losing $100 million. And I think regulators can be smart enough to be able to distinguish that in like the world, at least from the way that at least in its operates in other countries. Right? But I also think we're sort of veering off point because it's not really related to this. So quickly for management, you told us about the AWS security handbook. Apart from that, are there any other practices, any other companies who you think have good like sort of systemic processes in place that have a good reputation within the industry? It would be very useful because then we can approach them.
And even under an NDA, if we have to look at them to see what these practices are, so that we don't disclose them, but learn from them and see what parts of those are easy to follow and can be incorporated. Otherwise, it would be very useful. This doesn't have to be something that you do in a public forum. My ID is there at the end of this email, if you can just share that it would be very useful just to inform us and what we could and could not do. Yeah. Okay, that we've seen. Awesome. So Google, AWS. And then apart from that, I mean, if there are any things that you think you can share, even privately, it would be super helpful. Okay, yeah, so those I've seen definitely. Yeah, so I mean, some parts of that are there in our breach section, notification section. But I'll be sure to look at them again to see if there are more things, most some of that we sort of included in miscellaneous, but I'll look at it again from the management lens and see if there's other stuff that we can pick out from that. Now, the other thing in this we've actually had a fair bit of discussion, at least in the interviews, what should be the technical makeup of the standard? How specific should it be? How generic should it be? Should you say do simple things like literally mandate encryption between endpoints or the strength of encryption at a minimum level, not a maximum strength that should be followed, so to make sure that the data is safe in a certain way, to super granular things like your password needs to have a special character, number and capital letter and stuff like that. So we obviously have to at some level achieve a middle ground, like you cannot be too specific because then it becomes cumbersome, but you also cannot be too high level because if you're providing technical details, especially at a self-certification, it needs to be easily verifiable whether that was followed or not.
So we've heard of everything from, discussed everything from having an update policy where if there are in the software that you use, if there is, if there are bugs or vulnerabilities that are publicly reported there needs to be a time bound time in which you fix them in your update policy internally in the organization. So if you use open source or even closed source systems and in the CVE tracker in America there is a vulnerability about that system, then you have an obligation to make sure that your consumers are not affected by it in a reasonable frame as possible. That's something that people have discussed. We've discussed app level security where things like both sides, like I've had discussions why code obfuscation is a good thing and I've also had discussions of why security by obscurity is a bad thing and why it can be harmful and it's not good enough. Some discussions about DNSSEC and HTTPS pinning to make sure that end points aren't captured. And so this is an area that, so I'm a lawyer by training, but I'm sort of familiar with technology and it's juggin, nowhere close to other technical competence in this room. But any suggestions that I could get on it would be incredibly useful. Even if these suggestions are, I think these five things are necessary and important and should be there and these five things are so cumbersome that they should definitely not be there even though people have already spoken about them and there has been some discourse about it. So any technical things that in this standard you think should be present would be very useful. And there's something very specific to the Indian context. In the rest of the cases, for example, the path of security, Hannity talks to another stand and says follow NIST. Yes, absolutely. And you can say follow NIST, but these are the Indian set of things, how do you have the exact security information, for example, it's very prevalent in the Indian setting there.
So I think those are the things that you try to open up. So you access the NIST 74 with a lot of sort of security numbers, sort of security numbers. And there's more at last, so I'm going to go with it. Okay. So it turns to how you spread it, so you get to where it's defined, so all over time. So even there's very many complications that's just to involve that image. Even if you just have to pass it through and because of some of the things that you have as you see it, because you have other numbers actually are harder than you see it at the end of the day. So we don't have to deal with that. We have disaster. Yeah, we have to see. It's a good version. We have a lot of versions in the years. Oh, yeah. But I'm just saying if you want to create one. No, but I would love to have this set of standard things. Yeah, so. I believe with our data. Yeah. So I mean, at least for what we currently plan to include, just like PCI DSS and how it deals with the card number, we plan to sort of come up with an exhaustive list of what is sensitive information that shouldn't be stored in its entirety by the operator, such as all 16 digits or all, if you're using Diners, 14 digits of your card number, whether it be the other number, whether it be any other form of authentication that primarily essentially serves as a username for any authentication based service, apart from maybe the username to the service itself because that would be necessary for you to get in, should never be stored by the provider in plain text and unencrypted format. And even if the provider does deal with them, then it should never store them, which is pretty much how CVV numbers are dealt with in PCI DSS. So for a lot of. Yeah, so which is why, yeah, no. So we definitely plan to, like which is why I said exhaustive.
Like it's not going to be a list that says whatever the government defines as PPI, like because if you do that, it ends up becoming almost impossible to run any server because you need to have a unique identifier and unless, and you can't really have that unique identifier sort of encrypted. But to make sure that things that are problematic, like whether it be your Aadhaar number, whether it be your Electoral ID card number, whether it be your passport number, things that are actually sensitive. And we definitely don't plan to include like name and date. Don't plan to include phone numbers after some of the conversations that we've had with people in Jio and some other organizations because of how they internally use it. But we do plan, I think we may play, this is an open-ended area, it's not there in the standard at all, but create a middle ground between what you can do, whatever you want with it. You have to be careful with it. You can never ever touch it at all. Which is sort of how PCI DSS also does it in that table with what you can do with it as a checkbox for what things you can do. So we sort of plan to recreate that table for the standard and sort of categorize what kinds of information, at least RODO should not be present in it. But yeah, I mean, I think Nemo's question about how other fintech companies are dealing with this broadly in terms of, even if you just want to quote, general industry experience or grapevine information, it would be really useful. So if you have any inputs, then it would be very useful because then we can like go back and study them on the internet and make sure that we're actually following them. Do you want to share that with us, no? Okay, okay, fine. So I hope the cam mic can catch that. But that's technical. If there's anything else in technical that you'd want to talk about, okay, I'm getting the sense not.
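The "what can you store, what must you protect, what must you never store" table the speaker describes (the PCI DSS-style treatment of the card number and CVV, extended to identifiers like Aadhaar and passport numbers) can be made concrete as a small policy engine. The code below is an added example and is not code from the talk, from CIS or from any fintech operator; the field names, the category each field lands in, and the HMAC key are constructed for the demo, and the card numbers are published test numbers. It applies the table to an incoming record, truncates card numbers to first six and last four, keeps only a keyed hash of identifiers that must be protected, drops never-store fields such as the CVV, fails closed on fields the table does not classify, and includes a detection check that scans free text (logs, support notes) for Luhn-valid card numbers that slipped through unmasked.

```python
import hashlib
import hmac
import re

# Handling classes, modelled on the PCI DSS idea of "storage permitted /
# storage permitted only if protected / storage never permitted".
STORE = "store"        # may be stored as-is (e.g. the username needed to log in)
PROTECT = "protect"    # may be stored only encrypted or as a keyed hash
TRUNCATE = "truncate"  # may be stored only in truncated/masked form
NEVER = "never"        # must never be stored once the transaction is processed

# Constructed policy table (assumption for the demo, not any real standard's list).
POLICY = {
    "username": STORE,
    "full_name": STORE,
    "card_number": TRUNCATE,
    "aadhaar_number": PROTECT,
    "passport_number": PROTECT,
    "voter_id": PROTECT,
    "cvv": NEVER,
    "card_pin": NEVER,
    "otp": NEVER,
}

# Constructed demo key; a real deployment would fetch it from a KMS/HSM.
HMAC_KEY = b"constructed-demo-key-not-for-production"


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask everything between."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def protect_value(value: str) -> str:
    """Keyed hash: the stored token can be matched later but not reversed."""
    return hmac.new(HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()


def apply_policy(record: dict) -> dict:
    """Apply the table to one record; unknown fields are not stored (fail closed)."""
    stored, dropped, unknown = {}, [], []
    for field, value in record.items():
        rule = POLICY.get(field)
        if rule is None:
            unknown.append(field)
        elif rule == STORE:
            stored[field] = value
        elif rule == PROTECT:
            stored[field] = protect_value(value)
        elif rule == TRUNCATE:
            stored[field] = truncate_pan(value)
        else:  # NEVER
            dropped.append(field)
    return {"stored": stored, "dropped": dropped, "unknown": unknown}


PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_unmasked_pans(text: str) -> list:
    """Detection check: Luhn-valid 13-19 digit runs in free text such as log lines."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


if __name__ == "__main__":
    # Constructed sample record; 4111... is a published Visa test number.
    sample = {
        "username": "asha",
        "card_number": "4111 1111 1111 1111",
        "cvv": "123",
        "aadhaar_number": "1234 5678 9012",  # constructed, not a real number
        "notes": "customer called about a declined payment",
    }
    print(apply_policy(sample))
    print(find_unmasked_pans("retry for card 4111111111111111 failed"))
```

The `unknown` list is the useful output for a self-certification checklist: every field that reaches storage without a row in the table is evidence that the table is incomplete, which is exactly the gap the speaker wants the standard's exhaustive list to close.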
But if there is, firstly, I'm sure that from both the guidebook, the guidebook that you recommended, I remember has some technical things that individuals can follow as well. We're going to look at that a lot more carefully to see whether we can include stuff. But if you do come across resources generally on the internet, please do share them with us because one of the things, apart from this standard creation that we plan to do is also sort of create a guidebook for companies. Like, I mean, open source is important on the internet, essentially, so that if you are a developer and whether you're starting off or you're like an incredibly big NBFC, you can have a look at what are the top 10 guides that you should read before you develop an application that's dealing with fintech security. So we do plan to do some of that consumer awareness and spreading part, both by tying up with other organizations that do this. Actually, I'm planning to do that. Yeah, okay. Yeah, so I do. But it's because, so how the ICANN, which is the international organization that gives out domain numbers works, is it delegates a national agency in every country. The national agency in India is NIXI. Sort of in there. Because NIXI isn't really very good with some of the stuff that they do on maintenance of, especially the domain name part because now I just, why don't I answer the question to you privately not on a live stream, right? Because mostly it has to do with processes and subcontracting and how well these subcontracts are drafted and the contents of these subcontracts in terms of if we ask you to do something, how soon you have to do it? What sort of responsibility do you have to do it? So it's a fairly complicated process internally, but because of that, a lot of these things simply haven't trickled down yet because the biggest reason is actually the fact that, and this I've heard from in discussions related to the ICANN before, because there isn't enough of a demand for it.
So unless enough people are asking for it, which in their eyes is a substantial number or big little conglomerates that are asking for this and actually have an incentive for them to do so, they simply don't think it's worth their time and their money to be able to do it. Unlike most other countries, it's not given to a government agency. It's normally given to some sort of a multi-stakeholder body that has both government and industry present there. So if that ends up happening, then these things tend to be a lot faster in those countries because there's an active conversation about what should happen and what should not happen. But yeah, so that's sort of kind of the reason. And broadly then, if there's anything else miscellaneous that you think should or should not be present in the standard, any other broad comments that you'd like to make, it would be super helpful, no? Okay, I think we've had fairly enough of a discussion. I'll quickly wrap up in saying strategies for balancing industry and consumer interests, even in this discussion and in every interview that I've had before this, has been the most difficult part of creating such a standard. And CIS in between 2011 to 2013 had a draft privacy bill as well where we worked with industry and civil society to come up with a draft privacy bill that India could possibly pass right after the AP Shah report. And if there's one thing that sort of taught us it was that it is impossible to make everyone happy and it's also impossible to make even some people happy. Like at least in the sectoral standard I'm sure security researchers are good. Like in that we pass, no matter how draft or how final it is, I'm sure every single stakeholder whether it be researchers, academia, civil society, industry, government, everyone's gonna be unhappy about something. Everyone's gonna, like some of them are gonna pay a lot of money to make sure something is not in it.
Some people are going to be willing to protest to the end of the earth to make sure something is in it. So it's gonna be a very like, it's a politically flawed task and it's very, very difficult to balance that interest. And in some ways you can also say it's a task that we know that in some level we are never really going to completely succeed in having that 50-50 balance that we actually want to have. What we do want to do is to make sure that we do as good a job as possible and to sort of categorize things into non-negotiables, into things that are open to, that are more open to negotiation but we want them to happen, and things that we're okay with losing. And that will require like a fair bit of, I mean, whatever level of political maneuvering that we can do in discussions between industry and consumer interest in saying these are your needs, these are their needs. Let's look at what is the best way in which you can come to a common ground. We plan to do this in the form of open round tables and some closed-door round tables that we plan to have in at least four cities, Delhi, Bombay, Bangalore and maybe Chennai or maybe one more in Bombay. We aren't sure about that over the next six months. Okay, fine. Maybe Chennai, okay, anyways. Now, because we want to do, when we do that, the goal of that is essentially going to be to do a lot of this balancing because we're gonna have drafts of the standard that people are gonna be able to see, give their comments on and we'll have comment periods, then discussions and then sort of repeat the process a couple of times to make sure that we arrive at this balance as well as possible. So, I'm gonna share that Excel sheet with you all so that if there are things you, if there are documents you think we're not looking at, you can add them. If there are things you think should or should not be a part, you can tell us. If there are, it's gonna be view-only access so that you can't change it.
But if any comments on any part of that sheet that you want to send us by email, we will be more than happy to look at and to include. It's something that we completely recognize as a space that we are young at and new at and the industry itself is changing at such a rapid pace that unless we keep, like a hand on the pulse of what is actually happening, the odds of this actually getting accepted are negligible. So, we need to make sure that like, the main people to whom this is going to affect the KAD industry are aware of it and we are listening to everything that they're going to have to say. Right, so I think that is it. Thank you so much for sitting and listening to me ramble and for all your very, very valuable inputs that I'm sure we learned a fair bit from. And this is my email ID in case you wanna get in touch for sharing items or just gently keeping in touch or learning more about us. And thank you so much to HasGeek for giving us the venue and for live-streaming it and setting it all up. It's really nice to be able to sort of interface with the industry via HasGeek, which we also hope to keep doing in the future at their other events. Seven months. Yes, seven to eight months, yeah. Approximately June next year, ideally like 15th June is what we thought could be a time that we want to definitely be done with it. So 15th June is probably like take to the government level and then maybe after government has some more feedback, maybe have another round. So by August done for sure, like finish the project but June, otherwise 15th June. So the next seven months broadly are when most of this work is going to happen. Sir, I have a question. Yes. So how do you think our organization takes this standard and they follow it properly? Yes. I think at larger companies, many of the companies who have extensive compliance with the process are still having compromise in their time.
How do you balance the people who are interested in going ahead with this standard and this is not the end of the world. There are other things. Yes, absolutely. And not create a policy for it. Yes. It comes as an end to the standard. Yeah, exactly. So it is definitely that aspect of like security theater and how standard is the security theater just to make people feel like they are safe and secure, and whether the people is government, whether the people is consumer interest groups or whether it's your own board, right? Because that's also something that we've had where like security teams within a company are complaining about how much money they get from their board, the amount of leave that they're given in implementing their independent processes that will definitely include security, maybe sometimes even without really increasing costs, but they're not allowed to because it clashes with some other policy. This is especially so in really big industry conglomerates. One part of it is I think any reasonably aware person who implements standards from the perspective of making sure they never get breached or hacked again clearly isn't in the right business slash game. And that's something that I think the government is definitely very aware of in the conversation that we've had. They know that just because we passed the standard doesn't mean that maybe the same number of breaches. It's also another very important issue. Exactly. And continuing on the... Continuous awareness. And continuing on the... So, yeah, no, so security theater is a problem and I don't think anyone, I mean, maybe we will include it at the end of the standard as a footnote that this standard does not mean that you are now secure and you definitely need to do a bunch of other stuff so please make sure you're doing it. But, but short of that, no, you're right. I mean, it's an industry. That's actually an industry thing that the industry actually has figured out how it solves.
Whether internally in processes, whether in industry bodies like DSCI and NASSCOM, which actually do a fair bit. So, DSCI does do a fair bit in sort of educating at least internally individuals about it. Not enough, I personally think, but they do; it's much better than not having it at all. So, yeah, that's the only real way of solving that. And broadly just increasing the level of education and awareness on security practices among developers. You know, but I think, yeah, unless there's anything else or any other comments, I think we will wrap it up and then we can play call.