Hi everyone. Thank you so much for coming to this open house on security practices in fintech. I'm Uddhav Tiwari and I work as a program manager at the Center for Internet and Society, which is an NGO research organization based out of Bangalore and Delhi. What I'll quickly be doing is running you through what we'll be doing at this open house, which is broadly telling you what the research goal and questions that we have when it comes to security practices in fintech are, what the work that we've done so far in this space is, and certain guiding points for the participants who are here at the open house. I don't intend to talk for more than maybe another five or seven minutes, because this is largely an exercise to gather input from the industry, to make sure that, as a part of the research, I can look at what people in the industry and civil society generally think should be a part of security standards for financial technologies. We'll be doing that under certain headings, which I'll recap, in which we'll be looking at management, technical and other miscellaneous parts, which are the three broad categories within our research in which we've decided to look at how fintech operates in the country, and then finally we'll look at concluding points. Now the first three or four points shouldn't take more than about five minutes, and most of the session is ideally going to be about guiding points for the participants, where I'm either going to ask questions or just leave the floor open for inputs that individuals would like to provide once you understand our research a little better, and then from there we'll probably have some sort of a discussion on what should or should not be a part of this standard.
So just a very quick overview: the Center for Internet and Society is a research NGO that has offices in Bangalore and Delhi, and we've been operating in the tech policy space for about nine years now, where we've largely worked on privacy, internet governance, accessibility and access to knowledge; Wikipedia India, or large parts of Wikipedia India, is based out of CIS in Bangalore. Our work has had a fairly decent amount of impact. We've been a part of a couple of government committees, such as the AP Shah committee that looked at privacy and came out with the first government report on what or how the right to privacy should be implemented in India. Some of this work has been used by the government at very high levels; for example, very recently we were the only NGO or think tank (depending on what you want to call us) in India that was quoted by the Supreme Court in the right to privacy judgment. So the government takes at least a little bit of care to listen to what we're saying on certain subjects, which we always try to ensure we do by gathering inputs from all the relevant stakeholders when it comes to a particular topic, whether it be industry, civil society, consumer interest groups or the government itself. We've started working in the cyber security space very recently, only since 2016, and we noticed that, while we wanted to work on financial technologies, there was, in conversations that we had with certain consumer interest groups as well as some fintech companies, a lack of coordination between regulators in India, which are broadly the Reserve Bank of India, the finance ministry and the ministry of information technology, which broadly regulate or have the remit to work in the fintech space. We therefore decided to pursue participation in standards development to ensure that we can contribute to this debate.
Now we do this both domestically and internationally. We participate in the International Standards Organization as members from India, where we are a part of the committee that develops ISO 27001, which is a standard that I'm sure at least some of you are familiar with, and also domestically, where we take part in the Bureau of Indian Standards, which develops local and domestic financial standards as well. So the research goal with which we decided to embark upon this project, I think about four months ago, was to help the government and industry create a sectoral standard to govern security practices in the fintech industry in India. Now there was a very pressing need that we felt when we spoke to the industry for consistency and uniformity in what an organization that's working in the digital finance space should follow in order to be compliant with the law, and this standard is one means of doing that, because of co-regulation, which I'll come to in a little bit. So the research questions that we asked ourselves were: what are the current fintech security practices in the industry; what are the areas of governance and regulation, when it comes to cyber security, that could benefit from co-regulation (I'll explain the term co-regulation in some time); what form should this co-regulation take; and what should be the substantive content of such a standard to satisfy the industry, government and civil society?
Now the answer to the first question, which is what are the current fintech security practices in the industry: we broadly realized that, at least when it comes to fintech, there are none officially, at least none passed by the government. What we did notice was that there were guidelines by the Reserve Bank of India on how cyber security should be implemented in banks, and I think at this point it is important to distinguish fintech organizations, which tend to work in either peer-to-peer lending or digital payments, from banks, both for the level of regulation that is imposed upon them by the government as well as the duty and obligation that they have to their consumers to ensure that they're carrying out a certain minimum standard of best practices for security and privacy. So when we realized that there was very little happening in the fintech security space in India, and that especially post demonetization the space was booming (I think we've seen over 400 to 500 growth in digital transactions, largely pushed by initiatives such as UPI as well as the government pushing digital payment methods over cash), we signed an MOU with NCIIPC, which is the National Critical Information Protection Center in India. It's a central government agency based under one of India's spy agencies, the NTRO, the National Technical Research Organization, which has the remit to control and protect India's critical infrastructure from attacks by foreign parties, both physical, so a little physical protection, but also digital, which includes cyber security.
So we have a memorandum of understanding with them, with the goal of eventually helping NCIIPC talk to the prime minister's office and some other organizations to ensure that there is some sort of uniformity in how the digital finance space is approaching security in the Indian context, and I think we signed this MOU sometime early to mid this year, in March or April 2017. So once we did that, we looked at what form this co-regulation could take. Co-regulation, just to explain it really quickly, is when the entity that is being regulated as well as the government which will pass the regulation essentially decide to come into a room and carry out a form of regulation where there is accountability and a certain minimum standard that the government imposes upon them, and the government may even perform some level of enforcement, which is the government's primary job when it comes to regulation, but the actual content of this regulation as well as the manner in which it's implemented in the country is done by the industry. What that essentially ensures is that these sorts of regulations tend to be a lot more fluid, a lot more relevant to the industry, and there is a give and take between the regulators and the industry as to what should or should not be a part of the standard.
Now the reason that this is particularly important for the fintech industry is twofold. One, despite the numbers that we keep hearing about, the fintech industry in India is in a very nascent stage, which means that there are new startups that are pretty much starting up every single day in the fintech space that offer a variety of financial services, whether it be payment service providers on the web, wallet apps, or transactional apps that enable UPI to be used in them, and regulation can be a very big barrier to letting startups and young companies carry out what the goal of their organization is, especially if the regulations tend to be too cumbersome for entities that can be very young. So in a conversation that I had with Nemo, I think about four or five weeks ago, he told me that when Razorpay started off, when it comes to the number of employees present in the company, there were just two employees, and to ask a company that has two employees to follow a standard like ISO 27001, which is a really detailed standard that takes lakhs if not crores of rupees to get yourself certified by and has some very detailed requirements, is an incredibly heavy task. The reason I mentioned ISO 27001 is that India actually already has a sort of co-regulatory mechanism present in our law when it comes to information technology. So the IT Act and the 2011 rules for reasonable security practices have two provisions to say that an organization has met the threshold for carrying out best practices when it comes to security and privacy. What this means is that if you can say that you have carried out the standards or the requirements under that section, then if you suffer from a breach, you are not immediately culpable for breaching the law or for not protecting your consumer data or causing harm to your consumers.
So this doesn't mean that as long as you say follow ISO 27001 you are free and you can get away with everything but it is the minimum standard that the law imposes upon you to say that you have carried out reasonable security and privacy best practices. The two things that the 2011 rules say about this are one that you simply get certified by ISO 27001 and the second is that a sector in an industry can come together create its own set of standards and then get them certified by the government and if the government certifies those standards then these become the standards for that industry and as long as you follow that industry created but government certified standard then you cannot or then you will be in compliance with the law when it comes to reasonable security and privacy best practices. Now even though this was passed 2011 most of the research that we have done shows us that there hasn't been a single instance of any industry passing such a standard and there are some industries that are far more long ingrained in lot less agile like say the energy sector which tends to consist of multi-billion dollar plants and energy grids that even that still haven't managed to really come up with this sectoral standard and get it certified by the industry but these have been present in the rules and we therefore thought that this would be a really good way to not only help the fintech industry create a standard but also then to take it to the government and say that this is an avenue of co-regulation where you can work with the industry to make sure that the standard that you impose is a standard that is ultimately followed by hopefully as many fintech players as possible and the semantics of that is something that we actually hope to discuss in this open house and finally we decided that that the substantive content of these standards while it could be based on other fintech standards like ISO 27001 and like PCI DSS and I'm going to come to that can normally be very 
disabling for young or young startups or young organizations to follow because of the weight of their requirements so we essentially decided that in the work that we've done so far we decided to categorize the requirements from laws and regulations that are already that have already been passed for security in the digital finance space by both Metis and RBI as well as looking at digital finance standards like ISO 27001 that is more security than digital finance and PCI DSS which is very specifically related to entities that deal with credit card information and what we've done so far is we've gone through these regulations and I'll be happy via Bishik to share excel sheet with all of you for the work that we've done so far in this categorization but we've essentially categorized these requirements on the basis of what of what they do in that organization so for example there are certain technical there are certain technical things like ensuring that your server's updated regularly ensuring that you have a password policy for how long the password has to be and how frequently you have to change it so very granular technical details to broader things like ensuring that the building in which the server is housed must necessarily have a physical access system and that this physical access system must necessarily undergo audits and the entire system and the infrastructure must go regularly undergo audits by auditors who are certified by ISO 27001 and these are just like small examples of I think easily over 350 to 400 points of different requirements under these laws and standards that we sort of categorized and we currently have them in an excel sheet which I will share with you post this talk and then after that we've now also had some interviews with experts and industry practitioners to look at what they think about the industry what their feeling is about does India need one if India needs one how should it be implemented what should be a part of it how easy should 
it be how difficult should it be what should be the minimum standard that even if you are a startup with just one individual you must necessarily have to ensure that if you're providing digital finance services there is a base level of security and we've learned about four to five of these interviews so far and we're now in the process of sort of also gathering community feedback to look at what the community thinks about this and what the industry thinks should be a part of the standard as well and that's broadly the work that we've done so far these are the discussion points that I'm pretty much going to leave open to the house after the short introduction on each point and then I'm going to ask a couple of questions to which I would request your to answer or give your opinions in whichever level to whichever level you can and also to have a free flow discussion on each of them I was hoping to give about at least 10 minutes to each of these points over the next hour so that we can collect enough information but if it turns out that one thing is more important than the other then we can definitely keep it agile so the first question and to this internally at CIS at least we certainly already have a bit of an answer and that answer is yes but is there a need for a sectoral standard when it comes to the financial technology space we answer this question broadly at two levels one by looking at the Indian ecosystem but also at looking at other countries that tend to have very active financial regulators like the United Kingdom like Singapore like Australia all of which at some level do have security guidelines and standards that FinTech companies even companies that operate inside regulatory sandboxes in these countries have to follow before they can provide services to the public at lunch and a lot of the points we've gathered have also been from these regulations in other countries to look at how they are doing this industry and consumer interest balance point as 
well so at CIS looking at the fact that other countries are doing it and looking at the fact that reports of everything from debit card breaches to people's information being stolen from their wallets to poor security practices being followed in payment apps in e-wallets we sort of positively affirmed the need for why sectoral standards in the FinTech industry are important the challenge that we had after we came to that conclusion is defining what the FinTech industry would be so say should a digital payments provider who operates a payment gateway on the web and on mobile be be put to the same standard that a peer-to-peer lender should or is there some sort of a base minimum criteria that if you are dealing with technology that is dealing with technology that deals with money or finance in any form at all that you need to follow as if you are providing it to the public at large and we've largely decided that while it is important to look at the different aspects of the FinTech industry that digital payments is the area where the need for the standard is the greatest and that the minimum standards that we would come up with for digital payments could possibly be cross applicable to some of the other areas in FinTech as well which is something that we're not sure about so the question that I would ask you all is do you all think the FinTech industry needs sectoral standards and if so why but far more importantly because we're very interested in the counter discourse if you don't think there is a need for a sectoral standard in the FinTech industry in India why do you think that shouldn't be one and how can then security practices be ingrained into day-to-day services of providers so I leave this question sort of opened to the floor if any points or opinions or questions that you have will be incredibly useful I mean so could you give us some and we've come across some of these but could you give us some examples of standards or documents that at some level are 
binding that do have such diverse absolutely absolutely so no that's something that we considered because the problem at least in the Indian context was that even if you look at some of the biggest FinTech apps in India that have billions of dollars of funding and are used by millions of people in India a majority of these practices that I am certain the developers working in these organizations would be aware about simply are not followed and the reason they aren't followed can of course be to fold the first one is like you correctly pointed out awareness the fact that people don't know that these things can exist but the second is that there isn't enough over regulatory impetus for you to do that no so regulation can also impose a standard that should be followed so for example if in the security standard we say that for when it comes to both application and infrastructure security you need to follow these two things where we don't specify any of that detail at all and whatever at that point in which you're getting certified the details that are present within those standards are things you have to follow the only way that becomes binding or the only way that you can ensure that if you are a FinTech company say with a turnover of more than 10 lakh then you have to follow it and that's something that is not going to be a part of the standard but can be a part of the regulatory recommendations that we make to the government then they will have to follow those developments that are clearly being created by industry and developers globally but in the form of a standard the alternative of course is that this is actually ingrained into law which means it will become stagnant it probably won't change for 10 to 15 years and obviously the space evolved so fast that it's really really difficult for individuals to keep like in like also be compliant with law or and also follow later security practices or if they're following later security practices and sometimes even not 
complying with the law because things get complicated all the time so that's actually absolutely belly the office may have been supported by special forces or just the way please standard in any case should have been burdened on importance or regulations we have two different activities which are important but it boils down to that awareness and some bigger awareness absolutely so the only response that I have for that is at a certain level I think maybe not the entirety of the standard maybe not the not the bulk of the processes but if the question of certification unlike the way it is right now and you're completely right that it's sort of you then you need to be empaneled with certain bodies and only the people who are empaneled can do it and the people who are empaneled tend to be the big four or certain other auditing agencies that have already been around for a long enough time that they tend to get all the business and even they charge for the exorbitant rates that you know young startups can never really get certified by that or some of those things are process fixes and in some of the conversations that we've had with the government the government is more than willing to modify that process or change that process when it comes to financial technology for example there is a very there's a very very high chance that within the next three to four months there is going to be a payments board just independent of the RBI that is going to be set up within the ministry of information technology that is going to do a lot of this regulation so say and because it's going to be a clean start like a fresh body to whom if the industry representation is made that if certification is the only form of enforcement and which is why then it becomes different from regulation then the certification should be easy openly enforceable maybe even should be self-certifiable where there is a sim there's literally a checklist with maybe 120 points at the end which a company can say I 
have done and tick off and then maybe just by self certifying themselves they would save a lot of the costs probably you would have to hire some consultants but would save a lot of the cost but would be liable if they haven't followed that minimum threshold as well so these these are things that we are counting for in the standard these are also process oriented because I mean this like these are independent of the content of the standard itself and that's the sort of two part of it which is why if you see component of the sectoral standards in strategies for balancing industry and consumer interest a lot of the stuff that we've discussed in the last maybe five minutes would actually come in the strategies for balancing industry and consumer interest but no thank you so much that was very useful and it's also very interesting to get on record at some level the fact that the current regulatory and certifying system when it comes to being available to different sector broadly is broken and if the standard way to say just be plugged into that and become another thing that you have to follow a follow a certified and it would just create more problems and not solve any thank you so I completely agree with you in fact we've had some discussions with some fairly high level people in government about the enforcement of cyber like you could say broadly the IT act on things like breaches especially when it comes to privacy and why they aren't really prosecuted and why there's a problem in that and the only real response to that that I have is that I think they are two separate problems that are that are interrelated but with this project at least one of those problems which is the problems of if you want to decrease the odds of those breaches happening then what are the things that the industry should possibly be doing even if they're just self certifying themselves so if there is a 10 page period that they can download the check boxes at the end and as long as they check 
all those boxes the odds of a breach happening are much lesser than a couple of developers over beers programming something and making sure that like I'm releasing it into the wild the next day okay so certainly you know I completely agree with that and which is why I said the second part of everything that he said about enforcement effect like how effective it is ensuring that the attacks if they do take place which they obviously will in fact maybe you're even painting a target on your back by self certifying yourself as an argument so I mean to that when it comes to various other jurisdictions that are fairly more business friendly especially to startups than India is whether it be the United States of America whether it be the United Kingdom and whether it be Australia do have complicated mechanisms some such as regulatory sandboxes where startups don't follow this standard but a lowered standard as long as it's below a certain level and are put under sort of specific scrutiny so as long as their turnover is below a certain amount or they have fewer than certain employees and they are of a certain age then they can follow reduced standards but are monitored closely to ensure that bad stuff does not happen so you can think of it as a form of incubation of security practices into the organization apart from of course regulatory practices because for things like peer-to-peer financing you need to make sure that the money that you're lending out is backed up by sufficient guaranteeors and things like that so these are reduced as well so it's easier to be a startup in these regulatory sandboxes and the recent tri-consultation paper on data privacy also mentioned the notion of data sandboxes where data from various providers is aggregated into a sandbox and is then available made available to use for certain entities that are specifically given permission to enter that sandbox and then play with the data to see what they can do while they are under scrutiny to make 
sure that some of the harm that would have happened if this would have just openly been either sold on the market without really looking at what sort of company has access to it or not our solutions from a process way that we would argue are better than nothing happening at all which is the current status quo so at a certain level I would have to agree that this is a barrier and is necessarily going to be a barrier just like registering with the registrar of companies to open your company is a barrier just like paying taxes is a barrier just like making sure that you fireproof your building is a barrier and yeah exactly but a necessary barrier from various levels in what yeah exactly no that I completely agree with but the goal of this I think is to pass it on to the government to make sure that if they do come up with this they don't come up with another law like the 2011 law that is frozen in time incredibly hard to follow and doesn't really fix something so that if the law is made and regardless of whether the industry wants it or not I'm fairly certain that is going to happen like and in a very very short time where people are going to go this security privacy thing is a problem and we need to do something about it even the industry is actually one of the biggest proponents of that in case in terms of talking to the government to making sure that there is some sort of certainty with what should constitutes and doesn't constitute security to inform that discourse so that if it does happen it's as friendly to industry yet as as like aligned with consumer interest as it can possibly be for something that the government is passing so this is just an attempt to make sure that presuming x is going to happen how nice can you make x generally yeah of course incredibly tough okay fine so pranav who's also recording this document has said that only if you want to because I can I understand that you come from companies and maybe your identity is something that you don't 
want to divulge if you could if you think it's okay if you could introduce yourselves so that you could sort of just take down who is saying this broadly and if you don't want to give your names or organization just what you do would also be a sufficient clean up just so that we also have that on record right yeah so could I just have your details okay so he works it out yeah so any other yeah so answering the second question first are they more successful almost certainly yes like in terms of how much easier it is for the industry to follow them how much easier it is for the industry to comply with them and how much easier it is for the industry to say to the government that we are doing enough in a manner that is compliant with some sort of an international best practice which is what which is why the ISO 27001 has become as popular as the standard as it has become right because they tend to be individuals that would especially young companies either they don't know enough or be the resources that they need to have access to in order to even comply with the regulations tend to be really really you need to hire a lawyer you need to ensure that you're regularly certified you need to make sure you do your due diligence and all of these things tend to be much easier if there is a standardized way of doing them that there are practitioners that become familiar with the entire process as a whole so if you do have to undergo say a security audit or if you're a government organization and you have to use ISO 27001 the ISO now has a document that says that if you're a government organization that uses ISO 27001 ideally this is how we think you should use it that document does make it a lot easier say in this example for even bureaucratic organizations like the government to be able to say that we are doing something which at least some people agree is something that should be done about this and I I know use the word something so many times because that answers your first 
To lead to the first question, which is of leniency: yes, they do tend to be a lot more lenient than regulation. The reason they tend to be a lot more lenient than regulation is because, one, the industry plays a very big role in creating them. The ISO is pretty much full of auditors and companies who are attempting to create standards for new, upcoming areas of technology, and this does therefore make them more lenient, just like the point that was made a little earlier about ensuring that standards don't become a barrier to business. That is one. Two is that they do get updated more frequently than regulation. For example, at the ISO and at the BIS it is compulsory for every standard to be renewed every three years. So if this standard at the BIS or the ISO is passed next year, say in March 2018, by 21-22, in that one-year period, they will have to review the standard. And during the review the process is actually fairly exhaustive: you have to look at who's using the standard, is it being used enough, when people are using it are they facing problems with implementing it, is it too hard, is it too easy, are there new systems that have come into place that make some parts of the standard redundant, is there a new, better standard that maybe covers a part of this standard so well that this standard should refer to that one. This process normally takes between six months to a year, and at the ISO every year there are easily between 300 to 200 standards that are retired in their renewal periods, because they're either insufficient or because enough people do not renew them. So if we create a standard that is passed as one and it isn't used for three years, then that standard will simply die a death, like a very poor one, in the normal processes while standards are developed. Which is remarkably different from regulation, because regulation tends to be a lot broader. For example, you can't really have a regulation that says your password needs to be changed every 90 days. I mean, regulators have a problem doing that, because what if somebody doesn't do that? Then are they going to go behind every single person who hasn't changed their password in 90 days? Or it becomes too specific and you can't govern generally, in as broad and normative a manner as possible, which is what regulation normally tends to do. So on both those questions I think sectoral standards do tend to be effective.

And even if you just look at non-cyber-security-related standards and look at stuff like quality control management, right, the ISO 9000 series is the most widely certified standard series in the world. Recently Nissan in Japan lost their 9000 series certification because a couple of the technicians who were performing certifications on cars (and it's a quality control standard), for whether the parts were compliant with security guidelines, apparently had faked their certifications. They spent close to 300 million dollars recalling every single car that was ever tested by somebody who had faked their certification, got their standard revoked, and now are trying to get that standard back. So there are various sectors or components of operations in companies where standards are considered gold. The reason, for example, it's so important for Nissan to get that standard back is because the Japanese government mandates that if you get certain state subsidies for manufacturing of cars and things like that, you need to be compliant with a certain standard. So there are other forms of incentives apart from just enforcement: the government can also say, for example, if you're ISO 27001 compliant maybe you literally need to pay less tax on certain transactions. That can be used also to ensure that there are incentives to actually using a standard that lead to proper financial gain along with security for the end user and other intermediaries. Yeah, I know.
Absolutely. So, no, incentives tend to work, yeah, exactly. And so it's something that, at least in the process of the standard, we're quite heavily thinking about including in the recommendations. One of the other parts of the cyber security project is economic incentives for cyber security, whether this be research grants given to universities to carry out research in cyber security, or whether it be funding. Ravi Shankar Prasad, I think three days ago in a speech, said that the government is willing to invest funds in startups that are specifically working in cyber security. There isn't a policy about it yet, but they have said that. The official Indian government procurement policy that was open for comments last to last month officially says that when it comes to government procurement for cyber security, if you're an Indian startup then you would be preferred over other competing startups if we are procuring cyber security from you, because they want to build an ecosystem. So we are looking at economic incentives. It's something that we're going to do in the second year of the project, which started like four years ago, so you will see some research coming out about what other countries are doing for economic incentives in cyber security, how effective they are, if they are implemented in India how should they be implemented, etc. And I think NIPFP, which is the National Institute for Financial Policy, which is in Delhi and is pretty much the Ministry of Finance and RBI's think tank that does a lot of this research, is also considering doing research on this as well. So, one, we have definitely thought of it, and almost certainly will include recommendations, along with the standard and the process part, to say that incentives should be a very big part of this. Where, instead of, say, what the government has been talking about, charging a security cess on every transaction, which is something the government has been talking about, where for every digital finance transaction that takes place they charge a security cess and then use that money apparently for cyber security. On the other hand, you could create a reverse incentive, or positive incentive, where you actually make them pay a little less tax if they are following greater security standards and processes. This, especially in Israel, has been shown to have some remarkable effects on the startup ecosystem, which is why Israel has the reputation it does when it comes to cyber security and outsourcing its cyber security services; government policies and government incentives have a big part to do with that as well.

So hopefully having covered the need for sectoral standards: components of sectoral standards. You had mentioned application security, infrastructure security and all of these different parts; broadly speaking we would put them under technical. But from a management perspective, right: having a policy in place that if a breach does happen, what will be done, who are the people who will be informed, how soon will they be informed, how soon do they have to come to a decision, do consumers have to be notified or not, and if they don't, does the government have to be notified or not. All of these are also fairly important parts, especially considering the scenario that if you presume that the standard may reduce the number of attacks that take place, attacks will still necessarily happen. A lot of the management stuff is what will ensure that the harm that can occur post the attack is minimized as much as possible. This is also the part that we've spoken about the least in our interviews and our expert conversations so far. So if you have recommendations for practices that are followed in the organizations you work for, practices that are followed globally that you think are good practices, or that, if you're aware of, are
followed by countries, either in the form of regulation, say consumer breach notification laws, or even standards and other more informal forms of regulation, that you think we should look at as a part of our standard, we would love to hear that from you. This is super important because it's always the industry that will give us, I think, the management part of this, because ISO 27000 is actually fairly silent on things like policies. They'll say you have to have an IT security policy and the IT security policy needs to cover these five points, but those five points tend to be so incredibly generic that the organization itself can define how it is following them and then follow. So, say, if we have to go down the route of self-certification and giving a checklist of things, we can't just say "have a breach policy" in the standard; we probably need to say what should be the minimum components of a breach policy, everything from notification to internal company processes. So if there are any recommendations that the room has on what we should look at, and this could be very, very specific: if you're aware of standards numbers or companies that have good policies, you can tell us about that and we can approach these companies independently to see if we can have a look at them, so that we can include them as a part of the standard. And as well, if you have specific suggestions, super specific is fine, then we'd like to include them as well. Sure, that'll be wonderful.

Okay, so just to quickly answer that: it sort of does. It's a very nascent industry. Some of the very big players like AIG, which are global cyber insurance behemoths, have entered into India. And just quickly answering the question of cost: cost is the reason businesses pursue cyber security, because the cost if things go wrong can be so catastrophic in the age of this much communication that balancing that cost via insurance is actually one of the best ways to ensure that cyber security practices are being followed. I was in conversation with someone from AIG about three months ago and they said that before they insure any organization above a certain level for cyber insurance, they themselves conduct an audit in order to come up with a quote, which actually goes through your security processes and sees what are the odds that you will suffer a breach, and if you suffer a breach, what are the processes that you have in place in order to be able to deal with it. So here we have the cost, and then the insurance industry automatically acting as a counter to ensure that even if the cost is a problem, the organization or company follows certain minimum security standards in order to make sure that their insurance premiums aren't too high, or to make sure that their coverage is wide enough. So that's a very, very valid point. It's something that people have started talking about in India; some of the big four have started talking about it as well, I think PwC has some reports on this and about why it's important that India enter the space. But one of the biggest reasons, for example, why two factor authentication isn't a thing for credit card transactions in the developed world is simply because of the insurance industry, because every time there is a cost they simply offset it with that. So if it becomes blanket and completely applicable, there is an argument to be made, if you're coming from the pure privacy and security viewpoint, that it may be a little bit of a bad thing. Which is why, for example, even though they've had the technology to enforce OTPs for decades now, the real reason it hasn't been done is because they don't have to, because it's cheaper to pay the premium and get all the losses covered than actually go through that complete infrastructural change. So some of the changes that
are taking place in the European Union, especially with the GDPR that's going to come into force next year, are forcing companies to change that. Which is, yeah, no, I mean, at least from my conversations with the auditors at the ISO, they're crying about it. Interesting, yeah. So I mean, at the minimum, I think this is an attempt to make sure that there is something there if people do want to follow it. So clearly then, along with the recommendations that we make along with the standard, apart from just pure consumer awareness, even developer awareness; and this is now a question of pretty much education, right, because ensuring that it's a part of curriculum, ensuring that if there are industry certifications they mandate a certain level of updated security practices, are probably the only organic long-term (definitely not short or medium term) way to fix some of those problems. But yeah, we'll make sure to take note of that. Thanks.

So, right, security reports don't necessarily have to be released to the public, but I think there is a middle ground between doing what happened in Hitachi and doing everything. And I thought, yeah, it is part of the monopoly because of government regulations to begin with; it is very difficult to get to the point where you can... No, I mean, all my knee hacks, like, things are harder to disclose, but I mean a system fraud is something where they should have been following the standard. The other author in the state is home and state all of the customers with possible frauds that may have happened in the future or go forward, and do you know, you have to have an FTC that sort of sues the company on behalf of the fact that's just not, like, is more useful to breach notifications; they had a fraud, right, and they figured out...

Absolutely. So I mean, two angles. One, at a minimum, consumer breach notification would not apply to that because consumers didn't get affected, the bank did. And, if you like, two, I would love for there to be a consumer breach notification law now, which we don't even have, that maybe even imposes that obligation upon companies that if you suffer a loss at a certain level or above a certain magnitude, then you have to report it, at a minimum, if not to the public then to the government, so that the government can then take the call of whether it should be reported to the public or not, or whether there should be an annual audit report that the government comes out with maybe once every year, maybe even partially anonymized if it has to be, if it's really sensitive. But largely, like Amy said, I think the public shaming and public disclosure is one of the best incentives that consumers as entities (presuming that they do have rights in this entire game of profit and loss and barriers to companies) can use, to ensure that, like you said, right, if the money is going to move somewhere else, and if people are going to go and say to individuals "I'm not going to use your products and services if those products and services screw them over", then it's their obligation to make sure that they know that they got screwed over before these consumers move on somewhere else. So, at least internationally speaking, the arguments that you made are the singular reason America does not have a federal breach notification law yet, but 51 states in America have a breach notification law. Because even though there hasn't been national consensus on this, and the days, maybe 30, 60 or 90, and a lot of semantics have been debated about, even countries in which technology is a far greater part of their ecosystem and contributes to a far bigger part of their GDP than it even does in India have decided to proceed down this road, and regulators have gone: we understand that this is going to be a barrier or it's going to be a harm, and there are some times in which it can get completely out of control, but nevertheless we do have to do this
because, given how fast this space is changing and how much harder it is to regulate. And with that I'm trying to sort of answer your question, right: when it comes to enforcement and regulation there are two broad ways in which you do so. One is a competition-like model, following the sort of model on which the Competition Commission of India works. So the Competition Commission of India can investigate you for competition crimes in two ways: one is if someone complains, and then there's a report and an investigation; and the second is it can proactively decide to conduct something known as dawn raids, where they literally just turn up and say, hi, so can we have a look at these logs and these records. And when it comes to judicial power they are incredibly powerful. The FTC is an organization that does this in the United States of America; the CCI does this in India. They have investigatory powers: anything that the police can do, the Competition Commission of India can come and ask you for all of that information, while respecting your confidentiality, which is also present in the law. But you can never tell the Competition Commission of India "we think this is private" or "this is our source code". You can tell them "you can see this; if you share this with anyone then you have to compensate us for any loss that we suffer", and there are agreements that are signed between regulators and companies sometimes, but they have the right to come and investigate at any point that they want. Sometimes they do this due to whistleblower mechanisms, where people think that something is happening. For example, just what you said with the bank, right, and those many thousands of credit cards that were leaked and how nobody really found out about it. If anyone in that bank, and if such a unique, say, entity was present in India for digital crime, if there was whistleblower protection where the person could have gone and told the regulator: this happened in the bank, this caused this much loss, this clearly showed that security practices were not being followed in the bank, can you please come and investigate this because I think it's a problem. As a whistleblower, recognizing that he is doing something despite being a part of their organization, then in places like America there are protections given to such individuals. Both, sometimes; even, no, not at all. So this was answering him: whistleblower protection is definitely not going to be a part of the standard at all; this is just to answer the question of breach notifications. And, yeah, then obviously that is a legal thing that you will have to prove. If someone comes to you and says you had a breach but you never found out about it, and if they make the statement "we never found out", then they'll have to prove the statement that they never found out. And if they never found out, then whether there was any mala fide intent, because it's very hard to determine "I didn't find out about it" versus "oops, I'm sorry, I didn't leave those two lines in a log and I ended up losing a hundred million dollars". I think regulators can be smart enough to be able to distinguish that, at least from the way it operates in other countries, right. But I also think it'll be sort of a veering-off point because it's not really related to this.

So, quickly, for management: you told us about the AWS security handbook. Apart from that, are there any other practices, any other companies who you think have good systemic processes in place, that have a good reputation within the industry? That would be very useful, because then we can approach them, even under an NDA if we have to, to look at them to see what these practices are, so that we don't disclose them but learn from them, and see what parts of those are easy to follow and can be incorporated. Otherwise it would be very useful; this doesn't have to be
something that you do in a public forum. My email ID is there at the end of this; if you can just share that, it would be very useful, just to inform us what we could and could not do. Yeah, okay, that we've seen. Awesome, so Google, AWS, and then apart from that, I mean, if there are any things that you think you can share, even privately, it would be super helpful. Okay, yeah, so those I've seen definitely. Yeah, so I mean some parts of that are there in our breach notification section, but I'll be sure to look at them again to see if there are more things. Some of that we sort of included in miscellaneous, but I'll look at it again from the management lens and see if there's other stuff that we can pick out from that.

Now, the other thing in this, we've actually had a fair bit of discussion, at least in the interviews: what should be the technical makeup of the standard, how specific should it be, how generic should it be. Should you do simple things like literally mandate encryption between endpoints, or the strength of encryption at a minimum level (not a maximum strength) that should be followed, so as to make sure that the data is safe in a certain way, to super granular things like your password needs to have a special character, number and capital letter and stuff like that, right? So we obviously have to at some level achieve a middle ground. You cannot be too specific, because then it becomes cumbersome, but you also cannot be too high level, because if you're providing technical details, especially for self-certification, it needs to be easily verifiable whether that was followed or not. So we've discussed everything from having an update policy, where if in the software that you use there are bugs or vulnerabilities that are publicly reported, there needs to be a time-bound period in which you fix them in your update policy internally in the organization; so if you use open source or even closed source systems, and in the CVE tracker in America there is a vulnerability about that system, then you have an obligation to make sure that your consumers are not affected by it in as reasonable a time frame as possible. That's something that people have discussed. We've discussed app-level security, where I've had discussions on both sides, like why code obfuscation is a good thing, and I've also had discussions of why security by obscurity is a bad thing and why it can be harmful and it's not good enough. Some discussions about DNSSEC and HTTP pinning to make sure that endpoints aren't captured. So this is an area that, so I'm a lawyer by training, but I'm sort of familiar with technology and its jargon, nowhere close to the technical competence in this room, but any suggestions that I could get on it would be incredibly useful, even if these suggestions are "I think these five things are necessary and important and should be there, and these five things are so cumbersome that they should definitely not be there, even though people have already spoken about them and there has been some discourse about it". So any technical things that you think should be present in this standard would be very...

There's something very specific about security, yes, and I talk to, yes, absolutely, but these are the Indian special things; how do you handle that?

So, even if you just have to pass it through, I mean, at least for what we currently plan to include: just like PCI DSS and how it deals with the card number, we plan to come up with an exhaustive list of what is sensitive information that shouldn't be stored in its entirety by the operator, such as all 16 digits, or all 14 digits if you're using Diners, of your card number, whether it be the Aadhaar number, whether it be any other form of authentication that primarily, essentially serves as a username for any authentication-based service, apart from
maybe the username to the service itself, because that would be necessary for you to get in, should never be stored by the provider in plain text and unencrypted format. And even if the provider does deal with them, then it should never store them, which is pretty much how CVV numbers are dealt with in PCI DSS. So, yeah, which is why, no, we definitely plan to, which is why I said exhaustive: it's not going to be a list that says "whatever the government defines as PII", because if you do that then it ends up becoming almost impossible to run any server, because you need to have a unique identifier, and you can't really have that unique identifier sort of encrypted. But to make sure that things that are problematic, whether it be your Aadhaar number, whether it be your electoral ID card number, whether it be your passport number, things that are actually sensitive; and we definitely don't plan to include name, and we don't plan to include phone numbers after some of the conversations that we've had with people in Jio and some other organizations, because of how they internally use it. But we do plan, I think we may plan (this is an open-ended area, it isn't in the standard at all yet), to create a middle ground between "you can do whatever you want with it", "you have to be careful with it", and "you can never, ever touch it at all", which is sort of how PCI DSS also does it, in that table with what you can do with it as a checkbox for what things you can do. So we sort of plan to recreate that table for the standard and sort of categorize what kinds of information, at least, should not be present in it. But yeah, I think Nimo's question about how other fintech companies are dealing with this broadly, in terms of, even if you just want to quote general industry experience or grapevine information, it would be really useful. So if you have any inputs then it would be very useful, because then we can go back and study them on the internet and make sure that we're actually following them. Okay, you want to share that? Okay, fine, so I hope they can make them get that. But that's technical; if there's anything else in technical that you'd want to talk about, okay, I'm getting the sense not, but if there is... Firstly, I'm sure that the guidebook that you recommended, I remember, has some technical things that individuals can follow as well; we're going to look at that a lot more carefully to see whether we can include stuff. But if you do come across resources generally on the internet, please do share them with us, because one of the things, apart from this standard creation, that we plan to do is also to create a guidebook for companies, I mean, put it open source on the internet, essentially, so that if you are a developer, whether you're starting out or you're an incredibly big NBFC, you can have a look at what are the top 10 guides that you should read before you develop an application that's dealing with fintech security. So we do plan to do some of that consumer awareness and spreading part, both by tying up with other organizations that do this. Yeah, okay.

Yeah, so I do, but it's because, so how ICANN, which is the international organization that gives out domain numbers, works is it delegates a national agency in every country. The national agency in India is NIXI. Yeah, sort of, because this isn't really very good with some of the stuff that they do on maintenance of especially the domain name part. Because, now, why don't I answer the question to you privately and not on a live stream, right, because mostly it has to do with processes and subcontracting, and how well these subcontracts are drafted, and the contents of these subcontracts in terms of if we ask you to do something, how soon you have to do it, what sort
of responsibility you have to do it. So it's a fairly complicated process internally, but because of that a lot of these things simply haven't trickled down yet. The biggest reason is actually the fact, and this I've heard in discussions related to ICANN before, that there isn't enough of a demand for it. So unless enough people are asking for it, which in their eyes is a substantial number, or big conglomerates that are asking for this and actually have an incentive for them to do so, they simply don't think it's worth their time and their money to be able to do it. Unlike most other countries, it's not given to a government agency; it's normally given to some sort of a multi-stakeholder body that has both government and industry present there. So if that ends up happening, then these things tend to be a lot faster in those countries, because there's an active conversation about what should happen and what should not happen. But yeah, so that's sort of the reason.

And broadly then, if there's anything else miscellaneous that you think should or should not be present in the standard, any other broad comments that you'd like to make, it would be super helpful. No? Okay, I think we've had enough of a discussion. I'll quickly wrap up in saying: strategies for balancing industry and consumer interest. Even in this discussion, and in every interview that I've had before, this has been the most difficult part of creating such a standard. CIS, between 2011 to 2013, had a draft privacy bill as well, where we worked with industry and civil society to come up with a draft privacy bill that India could possibly pass right after the AP Shah report, and if there's one thing that taught us, it was that it is impossible to make everyone happy, and it's also impossible to make even some people happy. At least in this sectoral standard, I'm sure, security researchers are good, like, in that we pass, no matter how draft or how final it is, I'm sure every single stakeholder, whether it be researchers, academia or civil society, industry, government, everyone's going to be unhappy about something. Some of them are going to spend a lot of money to make sure something is not in it; some people are going to be willing to protest to the end of the earth to make sure something is in it. So it's a politically fraught task and it's very, very difficult to balance that interest. And in some ways you can also say it's a task that we know, on some level, we are never really going to completely succeed in, in having that 50-50 balance that we actually want to have. What we do want to do is to make sure that we do as good a job as possible, and to sort of categorize things into non-negotiables, into things that are more open to negotiation but we want them to happen, and things that we're okay with losing. That will require a fair bit of, I mean, whatever level of political maneuvering that we can do, in discussions between industry and consumer interest, in saying these are your needs, these are their needs, let's look at what is the best way in which you can come to a common ground. We plan to do this in the form of open round tables and some closed-door round tables that we plan to have in at least four cities, Delhi, Bombay, Bangalore and maybe Chennai, or maybe one more in Bombay, we aren't sure about that, over the next six months. Okay, fine, maybe Chennai. Anyway, when we do that, the goal of that is essentially going to be to do a lot of this balancing, because we're going to have drafts of the standard that people are going to be able to see and give their comments on, and we'll have comment periods, then discussions, and then sort of repeat the process a couple of times to make sure that we arrive at this balance as well as possible. So I'm going
to share that Excel sheet with y'all, so that if there are documents you think we're not looking at, you can add them; if there are things you think should or should not be a part, you can tell us. It's going to be view-only access, so that you can't change it, but any comments on any part of that sheet that you want to send us by email, we will be more than happy to look at and to include. It's something that we completely recognize as a space that we are young at and new at, and the industry itself is changing at such a rapid pace that unless we keep a hand on the pulse of what is actually happening, the odds of this actually getting accepted are negligible. So we need to make sure that the main people whom this is going to affect, aka the industry, are aware of it and we are listening to everything that they're going to have to say. Right, so I think that is it. Thank you so much for sitting and listening to me ramble, and for all your very, very valuable inputs, that I'm sure we learned a fair bit from. This is my email ID in case you want to get in touch for sharing items, or just generally keeping in touch or learning more about us. And thank you so much to Hasgeek for giving us the venue and for live streaming it and setting it all up; it's really nice to be able to interface with the industry via Hasgeek, which we also hope to keep doing in the future. There are other events.

Seven months? Yes, seven to eight months, yeah, approximately June next year. Ideally, 15 June is what we thought could be a time that we want to definitely be done with it. So 15 June is probably when we take it to the government level, and then maybe after government has some more feedback, maybe have another round. So by August, done for sure, finish the project, but otherwise 15 June. So the next seven months, broadly, are when most of this work is going to happen.

So I have a question. Yes? So how can we follow it properly? Yes, yes. Looking at larger companies, many of the companies would have extensive compliance and still have been compromised in the event, so how do you balance that? Yeah, you know, make the people who are interested in going ahead with this standard aware that this is not the end of the world, there are other things.

Yes, absolutely, yeah, exactly. So it is definitely that aspect of security theater, and how standards are security theater just to make people feel like, you know, they are safe and secure, whether the people is government, whether the people is consumer interest groups, or whether it's your own board, right. Because that's also something that we've had, where security teams within companies complain about how much money they get from their board, the amount of relief that they're given in implementing their independent processes that will definitely include security, maybe sometimes even without really increasing costs, but they're not allowed to, because it clashes with some other policy. This is especially so in really big industry conglomerates. One part of it is, I think, any reasonably aware person who implements standards from the perspective of making sure they never get breached or hacked again clearly isn't in the right business slash game, and that's something that I think the government is definitely very aware of in the conversations that we've had; they know that just because we passed the standard doesn't mean that maybe the same number of breaches... Exactly, continuous awareness. And so, yeah, security theater is a problem, and I don't think anyone, I mean, maybe we will include it at the end of the standard as a footnote that this standard does not mean that you are now secure, and you definitely need to do a bunch of other stuff, so please make sure you're doing it. But shorter than that, no. You're right, I mean, it's an industry thing; that's actually an industry thing that the industry actually has to figure out how it solves, whether internally in processes, whether in industry bodies like DSCI and NASSCOM, which actually do a fair bit. So DSCI does do a fair bit in sort of educating, at least internally, individuals about it; not enough, I personally think, but it's much better than not having it at all. So yeah, that's the only real way of solving that, and broadly just increasing the level of education and awareness on security practices among developers, right. But I think, yeah, unless there's anything else or any other comments, I think we will wrap it up and then we can, like...