SEBI tweaks cybersecurity and cyber resilience framework for AMCs

By Fiona Mehta

The Securities and Exchange Board of India (SEBI) in June 2022 tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.

AMCs have been asked to submit a declaration from the managing director (MD) and chief executive officer (CEO) to stock exchanges and depositories, along with the cyber audit reports, certifying compliance with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular. The new framework will come into force on July 15, 2022.

Under the new framework, asset management organisations must identify and classify important assets based on their sensitivity and criticality for company operations, services, and data management.

Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.

All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.

The board of the AMC is required to approve the list of critical systems.

“To this end, Mutual funds/ AMCs shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.

According to SEBI, they must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) covering critical assets and infrastructure components, in order to detect security vulnerabilities in the IT environment and to carry out an in-depth evaluation of the security posture of the system through simulations of real attacks on their systems and networks.

AMCs are required to conduct VAPT at least once in a financial year. However, the mutual funds/ AMCs, whose systems have been identified as “protected systems” by National Critical Information Infrastructure Protection Centre (NCIIPC) need to conduct VAPT at least twice in a financial year.

Further, they are required to engage only CERT-In (Indian Computer Emergency Response Team) empanelled organisations for conducting VAPT. Within a month from the completion of the VAPT, the final report must be submitted to Sebi with the approval of the technology committee of respective AMCs.

“Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the stock exchanges/depositories within three months post the submission of final VAPT report,” the regulator said.

Earlier, the regulator came out with a modified cyber security and cyber resilience framework for stock brokers and depository participants, market infrastructure institutions (stock exchanges, depositories and clearing corporations) and KYC registration agencies (KRAs).

WhatsApp Lottery Scam

By Fiona Mehta

Scammers are sending WhatsApp messages to users claiming that they have won a lottery of Rs 25 lakh. This is a scam to fool people and take their money.

In such cyber frauds, fraudsters send WhatsApp messages to unsuspecting victims from unknown numbers, claiming that their mobile number has won a Kaun Banega Crorepati (KBC) lottery worth Rs. 25 lakhs, and that they must contact someone whose number is provided in the same WhatsApp message in order to claim it. This is also known as the KBC lottery fraud.

When the victim calls the above-mentioned number to claim the money, the scammer informs him or her that they must first pay a refundable fee for lottery processing, as well as GST and other fees. Once the victim has deposited the money, they begin to demand more money under various pretexts. The con artists insist on interacting exclusively over WhatsApp. They get the victim to deposit money in multiple bank accounts, and the scam continues for weeks or even months, depending on how long they can persuade the victim to deposit money.

After a while, they begin informing the victim that the lottery prize has been increased to Rs. 45 lakhs, then Rs. 75 lakhs, and so on, in order to keep the victim engaged and interested. Finally, when the victim becomes adamant about receiving the money or refuses to pay any more, they stop phoning him or her and delete the WhatsApp numbers used in the fraud.

Recently, a 56-year-old woman from Mumbai fell prey to the Kaun Banega Crorepati (KBC) lottery fraud in April 2022, losing Rs 1.32 lakh after she received a message stating that she had won a prize money of Rs 25 lakh.

Safety Precautions:

  1. Any message informing you that you have won a lottery or a prize is, in all likelihood, a fraud.
  2. A closer look at such messages will show poor drafting, grammatical errors and other glaring signs that the message is not genuine.
  3. These frauds exploit your greed. Blinded by it, you forget to take basic precautions such as discussing the message with family members or verifying the information through alternate means.
  4. In any genuine lottery or prize, the tax component and other charges are deducted from the prize money and the winner receives the net amount. So ask yourself why you have to pay these charges in advance to get the so-called lottery money. The answer is that it is a fraud and there is no money that you have won.
  5. If the caller insists on maintaining secrecy, it is a sign that there is something fishy about the whole thing.
  6. Follow the thumb rule: never transfer funds to unknown persons or entities in anticipation of high returns. This is never going to happen.
  7. If you are defrauded, lodge a complaint at your nearest police station describing the complete incident, along with the supporting documents.

Centre weighs Panel to rule on Appeals against Social Media Takedowns

By Fiona Mehta

The Ministry of Information Technology has requested public feedback on changes to IT rules that went into force last year, with the goal of regulating content and encouraging companies to respond more quickly to legal requests to remove posts and provide information about message originators.

The Indian central government is considering establishing an appeals body with the authority to overturn social media companies’ content moderation judgments, the Information Technology ministry announced on June 2, 2022, in what would be the first such action of its type in the world.

The information was revealed in a paper seeking public input on proposed changes to IT rules that went into effect last year and aim to regulate social media content and hold companies like Facebook, YouTube, and Twitter more accountable. According to the paper made public on Thursday, there might be more than one such appeal tribunal. It establishes a 30-day deadline for appeals against company grievance officers’ rulings, followed by another 30-day period for the panels to consider the subject.

Social media companies must already have an in-house grievance redress officer and designate executives to work with law enforcement. In a newly added clause, the draft guidelines state that “the intermediary shall respect the rights guaranteed to individuals under the constitution,” referring to social media businesses.

India ranks among the largest sources worldwide of government requests for content takedowns to Twitter Inc and Meta Platforms Inc. Facebook saw a 38% rise in hate speech, and Instagram an 86% rise in violent content, in April 2022.

According to Apar Gupta of the Internet Freedom Foundation, the ministry’s plan will give it more power over social media platforms by allowing it to hire personnel to oversee content moderation decisions. “This is problematic, for this committee will lack any autonomy and is being formed without any statutory, or clear legal basis,” added Gupta, the group’s executive director.

Tensions have risen between India’s nationalist government and Twitter, which refused to completely comply with instructions last year to remove accounts and messages accused of disseminating false information about farmers’ demonstrations against the government.

Last year, government authorities indicated that if social media companies failed to respect domestic information and technology rules, they may no longer be eligible for liability protections as intermediaries or hosts of user content.

Govt. frames cyber security norms: Report breach within six hours

By Fiona Mehta

The ministry of electronics and information technology announced its first-ever cyber security policy in May 2022, requiring service providers, intermediaries, data centres, body corporates, and government entities to report any breaches or leaks within six hours of being alerted.

The policy will come into effect within 60 days. It will have far-reaching ramifications for how the entities mentioned above collect and store data, the period for which it is to be stored, and the mandatory need to share it with the government in case of a breach.

Parallel to this, the government is also working on a new cyber security policy, which has been in the works for over two years and proposes a multi stakeholder framework to check propaganda, deception, disinformation and “adversarial narratives” being peddled on websites of social media companies, people familiar with the matter said. Called National Cyber Security Strategy, 2021, the policy stresses on the need for a legislative framework to address the emerging challenges in the technology space.

Incidents to be reported under the CERT-In policy include:

  • targeted scanning/probing of critical networks/systems;
  • compromise of critical systems/information;
  • unauthorised access to IT systems/data;
  • defacement of a website or intrusion into a website, and unauthorised changes such as inserting malicious code or links to external websites;
  • malicious code attacks, such as the spreading of viruses, worms, Trojans, bots, spyware, ransomware or cryptominers;
  • attacks on servers such as database, mail and DNS servers, and on network devices such as routers;
  • identity theft, spoofing and phishing attacks.

The National Informatics Centre, which runs most government servers, has itself been a target of several phishing attacks in which the email IDs of senior officials were compromised.

Moreover, for the purposes of cyber incident response and of protective and preventive actions related to cyber incidents, service providers, intermediaries, data centres and body corporates are mandated to take action, provide information or render any such assistance to CERT-In as may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. They have also been asked to appoint a point-of-contact officer.

The above-mentioned entities have also been asked to enable logs of all their information and communications technology systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction. If needed, these logs will have to be shared along with the reporting of any incident, or when ordered/directed by CERT-In.

Maintain Accurate Information:

Aside from this, “virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN service) providers, have been asked to register the following accurate information to be maintained for a period of five years or longer duration as mandated by the law”. The information includes validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email address and IP address and time stamp used at the time of registration/on-boarding, purpose for hiring services, validated address and contact numbers and ownership pattern of the subscribers/customers hiring the services.

Know your customer:

As far as the virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by ministry of finance from time to time) are concerned, they shall “mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets”.

Cyber Crime against Women in India

By Fiona Mehta

With increased traffic in the virtual world, the risk of becoming a victim of cyber crime grows all the time, especially for women, who are typically perceived as easy targets. The types of internet crimes against women have grown, and the wave hasn’t stopped in India. Cyber flames, cyber eve-teasing, and cyber flirting and cheating are a few additional new generation crimes worth mentioning.

  1. Phishing – According to the National Crime Records Bureau (NCRB), cybercrime against women increased by 110% in India between 2018 and 2021. Offenders send fake emails with a link to a specific webpage in order to trick victims into entering personal information such as bank account numbers, contact information and passwords, or to install malicious software on the victim’s device as soon as they open the link. These emails and texts appear to come from trustworthy sources. The criminals then use the victim’s bank account and other personal information to make fraudulent transactions from the victim’s account to their own.
  2. Cyber Stalking and Hacking – Usually, a cyber stalker’s victim is new to the internet and unfamiliar with internet safety standards. Over 75% are females, according to estimates. With a few mouse clicks or key strokes, a cyber stalker can easily locate confidential information about a potential victim. Women have become victims of cyber hacking by clicking on links carrying malicious software, which harvested all of their personal information, activated the camera and microphone, and captured intimate photos and videos. Offenders then use this information and these photographs for sextortion and other favours.
  3. Cyber Defamation – The internet and social media are undoubtedly beneficial to individuals and society as a whole, but they are also a particularly rapidly growing field for potentially defamatory claims. In India, defamation is considered both a tort and a crime. It damages a person’s reputation and status, making the wrongdoer as accountable as if the wrongdoer had injured the person’s body.
  4. Sextortion – During the pandemic, this was the most common cybercrime perpetrated against women. By blackmailing the victims into revealing their private photos, or with modified photographs, the perpetrators began extorting money or sexual favours. Threatening women with sexual video calls, images or messages was a result of the pandemic and lockdown frustration. In addition, the loss of income prompted them to extort money from the victims by threatening them with modified photographs.

Legal Provisions:

There is no specific provision in the IT Act, 2000 that deals with crimes against women, unlike the provisions of the Indian Penal Code, the Constitution of India or the Code of Criminal Procedure.

Precautions:

  • Keep a watch out for suspicious or false phone/email messages.
  • Do not respond to or click on emails that request personal information.
  • Keep an eye out for bogus websites that attempt to steal your personal information.
  • If someone is a victim of cybercrime, he or she should inform the nearest cyber cell or police department in their city.

Cyber Crime: Bank Robbery of nearly Rs. 2 crore via 6 missed calls

By Fiona Mehta

A businessman from Mumbai reported that he lost Rs 1.86 crore in a missed-call scam. On the night of December 27-28 he received 6 missed calls from numbers with Indian and UK country codes between 11 PM and 2 AM. He is now a victim of SIM swapping, the latest con technique used to cheat cell phone users.

When he awoke and attempted to call these numbers, he discovered that his SIM had been deactivated. He suspected danger and checked his bank account, only to discover that Rs 1.86 crore had been stolen. The money was stolen in 28 transactions across 14 bank accounts by the con artists. The police were able to retrieve Rs 20 lakh, but the rest of the money was withdrawn and the bank accounts were closed, leaving no evidence of who was involved.

BKC Cyber Crime Police Station has filed the case under Indian Penal Code sections 420 (cheating), 419 (impersonation) and 34 (criminal act done by several people in furtherance of common intention), and sections 43 (damage to computer system) and 66D (impersonation) of the Information Technology Act.

How does a SIM swap scam take place?

Fraudsters had gotten access to V Shah’s SIM number, which is printed on the backside of the SIM, according to police authorities from the BKC Cyber Crime Police Station. They used this to replicate the SIM card and deactivate his original SIM. After that, stealing money was a piece of cake: they launched the money transfer, which required simply an OTP, which they had.

It is reported that last month Rs 6.8 lakh was stolen via SIM Swap, and that money was syphoned off using UPI. The police are still looking for the scammers who stole Rs 93 lakh in November by cloning Airtel SIM cards.

The police explained that a person’s details can be compromised if he or she ever opens a fake website of their bank account. As every bank account is now linked with a mobile number, SIM swapping seems the easiest way to hack into any bank account, and steal the money.

Why Missed Calls?

Because by giving missed calls, the robbers confirm that the victim’s number is working and that nothing shady appears to be happening.

As per the police, his telecom operator received the request to duplicate the SIM at 11.30 PM; it takes around 4 hours to duplicate a SIM and deactivate the old one. The missed calls were given to assure the victim that everything was fine.

How can we protect ourselves?

Every time one visits an unsecured web connection, personal details can get compromised.

  1. Do not open any links sent to you, no matter how secure they look.
  2. Download and buy a subscription for an antivirus on your mobile phone, computers and laptops. This will stop you from opening websites which can steal your personal information and protect you from fake websites.
  3. Do not share your personal information with anyone.
  4. Check if your data has been breached by checking your email on this website: https://www.f-secure.com/en/home/free-tools/identity-theft-checker
  5. If your data has been breached, change your important passwords.
  6. If your security/privacy has been breached, report to the relevant authorities and freeze your bank accounts.

WhatsApp Scam: Stealing money with a missed call

By Fiona Mehta

Cyber crime in India has increased substantially over the past few years. A complaint was registered in the cyber crime department by a girl on 6th May 2022.

In her complaint, she states that she got a call from an unknown number saying that she had filed a complaint regarding internet/network issues. The scammer asked her to dial *401* followed by a phone number, so that they could help her with her complaint. After following this procedure, she got a notification from WhatsApp saying ‘you have logged in from a new device’, and she was eventually unable to access her WhatsApp account.

Dialling this code enables call forwarding to the given number. This way the scammer receives all the calls made to your mobile number, including the voice call WhatsApp can use to deliver its login verification code, and so eventually gains access to your WhatsApp account. After this, the scammer keeps messaging your contacts for money.

A similar scam has been running on Facebook for several years where a link is forwarded to everyone in your friends list through the messenger app and clicking on this link hacks your account. By hacking your account, they can contact all your friends impersonating as you and steal money.

Precautions you can take to save yourself from such scams:

  1. Verify the caller, verify the source of the message received, and refrain from clicking on the link no matter how tempting it looks. Block or report the number you got the message or call from.
  2. Activate two-factor verification on all your social media apps.
  3. If you get a call asking you to dial any number prefix (*), do not do so. Prefer going to your network provider in person to deal with any issue you have.
  4. Do not share your personal information.

What can you do if you have been scammed?

  1. Inform your family and friends immediately.
  2. If you have been scammed, or if anyone has even tried to scam you, report it to the National Cyber Crime Portal of India.
  3. Block your SIM card, freeze your bank account and change all your important passwords.
  4. Do not forget to enable two-factor verification. This way no one will be able to log in even if they get the OTP for verification.

Lok Sabha passes Indian Institutes of Information Technology Laws (Amendment) Bill, 2020

By Legal Bureau

Lok Sabha passed the Indian Institutes of Information Technology Laws (Amendment) Bill, 2020 in New Delhi today. The Indian Institutes of Information Technology Act of 2014 and Indian Institutes of Information Technology (Public-Private Partnership) Act, 2017 are the unique initiatives of the Government of India to impart knowledge in the field of Information Technology to provide solutions to the challenges faced by the country.

Introduction of the Indian Institutes of Information Technology Laws (Amendment) Bill, 2020 will amend the principal acts of 2014 and 2017. It will grant statutory status to five Indian Institutes of Information Technology in Public Private Partnership mode at Surat, Bhopal, Bhagalpur, Agartala and Raichur and declare them as Institutions of National Importance along with the already existing 15 Indian Institutes of Information Technology under the Indian Institutes of Information Technology (Public-Private Partnership) Act, 2017.

Speaking after the passing of the Bill, Union HRD Minister Shri Ramesh Pokhriyal ‘Nishank’ thanked the Members of the House for their support in passing the Bill. Shri Pokhriyal said that the Bill will encourage IIITs to promote the study of information and technology in the country through their innovative and quality methods. The Minister said that the Bill will declare the remaining 5 IIITs-PPP along with the existing 15 Indian Institutes of Information Technology in Public Private Partnership mode as ‘Institutions of National Importance’ with powers to award degrees.

The Minister said that under the leadership of the Prime Minister Shri Narendra Modi, Indian institutions are performing well in the global institutional rankings and he hoped that in future all these IIITs will also make a mark in the world’s top institutions. He informed that among the higher education institutions in the country, the Indian Institutes of Technology (IITs) have improved their global rankings significantly. There are now 24 Indian higher education institutes in the QS list of 1000 global institutes in 2020 against 14 in 2017. Similarly, there are now 36 Indian higher education institutes in Times Higher Education (THE) global 1000 institutes against 3 in 2013.

He assured that with this step, all these institutions will be able to spread the information related to information and technology in the country in a better way.

Shri Pokhriyal informed that this Bill will entitle them to use the nomenclature of Bachelor of Technology (B.Tech) or Master of Technology (M.Tech) or Ph.D degree as issued by a University or Institution of National Importance. It will also enable the Institutes to attract enough students required to develop a strong research base in the country in the field of information technology, he added.

Background

(i) IIITs are envisaged to promote higher education and research in the field of Information Technology.

(ii) Under the Scheme of Setting up of 20 new IIITs in Public Private Partnership (IIIT PPP) mode as approved by the Union Cabinet on 26.11.2010, 15 IIITs are already covered by the IIIT (PPP) Act, 2017, while the remaining 5 IIITs are to be included under the Schedule of the Act.

Implementation Strategy and targets

The objective of the present proposal is for formalization of IIITs at Surat, Bhopal, Bhagalpur, Agartala and Raichur. After passage of the Act by the Parliament, they will be covered under the IIIT (PPP) Act, 2017, similar to the other 15 IIITs established under the scheme in PPP mode.

No. of beneficiaries

The emerging needs of the industry and the economy as a whole for skilled technical manpower are expected to be met from the talent pool of trained personnel of the institutes.

States/districts covered

States: Gujarat (Surat), Madhya Pradesh (Bhopal), Bihar (Bhagalpur), Tripura (Agartala), Karnataka (Raichur).

Every Institute shall be open to all persons irrespective of gender, caste, creed, disability, domicile, ethnicity, social or economic background.