India economic update

Milind S. Kothari

Managing Partner
BDO India LLP
milindkothari@bdo.in

The National Democratic Alliance (NDA) Government led by Prime Minister Mr. Narendra Modi completes 3 years at the Centre this month. From a seemingly slow start to reforms and economic recovery, the Modi juggernaut is picking up rapid pace and seems unstoppable as it enters the final phase of this term, which is to end in 2 years, before the next general elections. At this time it seems almost certain that this Government would win the next elections, which would translate into nearly 7 years of political certainty, unprecedented in the modern era.

In the latest reform move, the Government abolished the Foreign Investment Promotion Board (FIPB), an inter-ministerial body housed in the Department of Economic Affairs and responsible for processing foreign direct investment (FDI) proposals and recommending them for approval to the Finance Minister and, if the investment amount exceeded US$ 500 mn, subsequently to the Cabinet Committee on Economic Affairs. Post abolition, the individual departments of the Government have been empowered to clear FDI proposals in consultation with the Department of Industrial Policy and Promotion (DIPP). Pending FDI proposals before the defunct FIPB will be sent back to the individual line ministries for necessary action.

The report card of the Government during its three years in power is impressive, scoring handsomely on key economic parameters. The biggest bugbear, inflation, is now contained; GDP growth seems comfortably above 7%; and significant effort has been put into the promise to undo the parallel economy, referred to as the black economy, albeit not with the success that was promised.

The Government has invested significant effort in connectivity, which would be the lifeline for future economic development. It launched an integrated transportation initiative for roads, railways, waterways and civil aviation. The development programmes Sagarmala, for construction of new ports, and Bharatmala, for expressways, have been launched. Another initiative, UDAN, promotes regional airline connectivity for the common people. Clean and renewable energy generation received a major boost under this Government, which is also pushing for electric vehicles.

The Prime Minister, a strong advocate of digitization, continued the good work initiated by the previous Government and introduced several other measures to accelerate digital governance. The 12-digit unique identification to be issued to every Indian resident is slated to improve service delivery to every citizen. Besides, several measures have been taken to improve e-infrastructure, e-participation and government e-services in order to address transparency. Also introduced is the Unified Payments Interface (UPI), a payment system that allows mobile-enabled money transfers between bank accounts. Several of these initiatives would push India bravely into the digital world.

The ghost of demonetisation that briefly haunted the economy in the last quarter of 2016 has been exorcised, and the dividend, in the form of nearly 9 mn additional taxpayers, with many more expected to be added to the tax system, should prove to be a medium- to long-term benefit.

The biggest tax reform since Indian Independence, GST, is expected to go live with effect from July 1, 2017. The central IT network, GSTN (Goods and Services Network), is in place to provide a robust IT backbone for the smooth functioning of the GST regime. With the implementation of GST riding on this IT platform, India would take several steps towards digitization. Challenges are expected as the entire country converges on this digital platform, but it should eventually transform India into a truly tax-compliant society, an area where India has significant ground to cover. The implementation also makes a strong case for ease of doing business in India, as the country would become borderless (state-wise), which is not the case in the existing Indirect Tax regime, fractured by state-led tax regulations.

With the onset of the monsoon only a few weeks away and the assurance of another good spell, the stock indices at an all-time high, and the promise of robust economic growth and good governance in place, India and the business community are looking forward to a bright future!


M & A tracker

Rajesh Thakkar

Partner /Transaction Tax
Tax & Regulatory Services
rajeshthakkar@bdo.in

M&A in India

Between April 2017 and May 2017, around 110 M&A deals were announced or completed, aggregating to approx. USD 3.59 billion, dominated by domestic deals (66) followed by cross-border deals (44).

In terms of sectors, Consumer Discretionary saw the maximum deal value, with deals worth around USD 1.72 billion, followed by Information Technology with USD 593 million and Financials with USD 554 million.

Deal announcements

(Deals mentioned in the M&A Tracker do not include those with undisclosed deal values or those which have been announced but not closed.)

Target Company : Kreditech Holding SSL GmbH
Acquiring Company : PayU Corporate
Deal Value (in mn USD) : 120.52

  • In May 2017, PayU Corporate, owned by Naspers, invested USD 120.52 million for a minority stake in Kreditech Holding SSL GmbH.
  • The transaction, part of PayU's global plan to build on its payments heritage, also includes a global partnership between Kreditech and PayU to deliver a joint proposition for Point of Sale Finance.
  • The acquisition would enable Kreditech to expand its lending-as-a-service offering and enter the Indian market through PayU India by launching its credit product (underwriting and loan management technology).

Target Company : Gumberg India Private Limited, The North Country Mall
Acquiring Company : Virtuous Retail South Asia
Deal Value (in mn USD) : 108.72

  • In May 2017, Virtuous Retail South Asia (VRSA) acquired a 50% stake in The North Country Mall from SUN-Apollo India Real Estate Fund and a 50% stake in Gumberg India Private Limited to establish its presence in North India.
  • With this acquisition, VRSA plans to strengthen its presence in North India. VRSA's India retail portfolio now stands at 5.5 million sq. ft. The acquisition has resulted in an expansion of its retail leasable space by 1 million square feet.
  • The acquisition is in line with VRSA's expansion strategy through both ground-up development and acquisition of existing high-quality assets.
  • The acquisition expands VRSA's footprint into North India.

Target Company : Indiabulls Ventures Limited
Acquiring Company : Clermont Consultants CH SA
Deal Value (in mn USD) : 103.78

  • In April 2017, Clermont Consultants CH SA acquired a 21.22% stake in Indiabulls Ventures Limited through its affiliates Cinnamon Capital Limited and Tamarind Capital Pte Limited.
  • The consideration of USD 103.78 million was paid by issue of equity shares on a preferential allotment basis.
  • Accordingly, Cinnamon Capital Limited subscribed to 9.69% of the shares of Indiabulls Ventures Ltd at a price of INR 58.40 per share, and Tamarind Capital Pte Limited subscribed to 11.81% of the shares at a price of INR 97.40 per share.

Target Company : Puravankara Limited, Three Subsidiaries
Acquiring Company : Hetero Drugs Ltd
Deal Value (in mn USD) : 73.07

  • At the end of March 2017, Hetero Drugs Limited, along with its subsidiary Hetero Labs Limited, acquired three subsidiaries of Puravankara Limited in order to acquire their 19-acre land parcel in Hyderabad.
  • The three subsidiaries of Puravankara Limited are Purva Land Limited, Puravankara Hotels Limited and Purva Marine Properties Private Limited.
  • The consideration resulted in a 1.78 times return on investment for Puravankara.
  • Puravankara Projects plans to use the money to reduce debt. Puravankara had initially wanted to build a hotel project on the land and had incorporated the subsidiaries in 2007 for that purpose.
  • Puravankara is preparing at the balance sheet level to look for distress opportunities in the market and also to take up half-complete projects that need funds for completion.

Target Company : Euro Ceramics Limited, Sanitaryware Business
Acquiring Company : Jaquar and Company Private Limited
Deal Value (in mn USD) : 15.34

  • Jaquar and Company Private Limited acquired the sanitaryware business of Euro Ceramics Limited.
  • The acquisition by Jaquar also includes the manufacturing plant and the land and building of Euro Ceramics located in Kutch district, Gujarat.
  • The plant, which has a workforce of over 400 people, will make a new range of designer sanitaryware products in partnership with design firms such as London-based Danelon Meroni and Bangalore-based Foley Design.
  • Jaquar has various business plans, which include investing in setting up a new plant and upgrading the technology of existing plants to enhance production capacity.

Feature story

Akshay Garkel

Partner/ IT Advisory
Risk Advisory Services
akshaygarkel@bdo.in

Information and Cyber Security Framework – Security Framework for Insurers Issued by IRDAI

Background
With the constantly evolving threat landscape, securing the business will remain the greatest task at hand for organizations. India is not immune to security attacks and threat events during this era of business transformation. Owing to recent cyber attacks, cyber security has gained prominent importance in all sectors. With reference to this and many other factors, the Insurance Regulatory and Development Authority of India (IRDAI) has released a comprehensive cyber security circular addressed to insurance companies in India. IRDA is a statutory body set up to protect the interests of policyholders while regulating, promoting and ensuring the orderly growth of the insurance industry in India.

The Circular
With reference to the above, IRDAI, vide its Circular (ref. no: IRDA/IT/CIR/MISC/216/10/2016) dated 31st Oct 2016, formed a working group of CIOs for ‘Formulating a comprehensive framework for Information and cyber security for insurance sector’, which in turn formed the following three sub-groups to work on various issues related to Information and Cyber Security:

  • Group-1: All four layers of Security (Data, Applications, Operating Systems and Network Layers)
  • Group-2: Security Audit
  • Group-3: Legal Aspects on Cyber Security

The framework covers the various layers of security, namely the data, application, operating system and network layers, besides the legal aspects pertaining to cybercrime.

What Should Organizations Do?

Organizations can adopt a well-defined approach to address the requirements of the IRDA cyber security framework, which in turn will help to further strengthen the security posture of the organization.


Figure 1 - Approach towards IRDA Cyber Security Compliance

A six-phased approach is one way to look at it:

  • One-time assessment – conduct a gap assessment against the guidelines of the circular; identify the gaps and assign recommendations for each.
  • Prioritization & reassessment – prioritize the closure of the gaps based on a risk matrix and conduct a quick reassessment of the gaps identified.
  • Gap implementation – implement an adequate set of controls to close the gaps identified.
  • Manage & monitor – manage the compliance levels of the controls, including regular updates to a dashboard showing compliance against the guidelines of the circular.
  • Compliance check & audit readiness – conduct periodic comprehensive audits over a period of time until a considerable and acceptable level of compliance is achieved.

Next Steps

With reference to the cyber security framework, IRDAI has asked insurance companies to have a board-approved information/cyber security policy in place by 31st July 2017. Further to this, IRDAI has asked insurance companies to have a cyber security assurance programme approved by the board by 30th September 2017.

Text Box: KEY FRAMEWORK COVERAGE

Layers of Security
  • Enterprise security
  • Network security
  • Access management

Security Audit
  • Third-party risk management
  • Information security audit

Legal Aspects of Cyber Security
  • Security logging and monitoring
  • Service level agreements

IRDAI has asked insurers to appoint a Chief Information Security Officer (CISO) who would be responsible for enforcing the policies that protect information and information assets. The CISO would lead the risk management practice and work with the CIO. Additionally, IRDAI has asked insurance companies to form an Information Security Committee comprising operations, IT, legal, finance, compliance etc., headed by a senior official reporting to the Board.

To enforce segregation of duties, IRDAI has asked insurance companies to separate the IT and Information Security (IS) functions.

Text Box: KEY CONTROLS
  • Segregation of duties
  • Periodic review of access
  • Implementation of the security tools
  • Approval for changes
  • Backing up of data
  • Logging and monitoring of devices

The sub-groups listed above, comprising experts drawn from insurance companies, were formed to arrive at a comprehensive framework for information and cyber security.

In pursuit of a strong risk management system and mitigation strategies, insurance companies shall set up a separate risk management committee to implement the company's Risk Management Strategy. IRDA issued an exposure draft containing the draft framework on 2nd March 2017. Having considered the feedback received from stakeholders on the Exposure Draft, IRDA has now issued the ‘Guidelines on Information and Cyber Security for insurers’ by exercising the powers vested in the Authority under Sub-Section (1) of Section 14 of the IRDA Act 1999.

The boards of insurance companies should approve the overall approach to the information security policy and strategy and the information security assurance programme, including cyber security.

In order to improve security and comply with the IRDAI cyber security framework, insurance companies should implement all aspects of the framework, such as application, data, audit and legal, within the deadlines set by IRDAI.

Guest column

Sameer Saxena

Managing Director – Asia and Middle East
Information Security Media Group, India
ssaxena@ismg.io

Language of IT Advisory Risk


With 7 publication brands and 28 media properties worldwide, focused vertically on highly regulated industries such as financial services, government and healthcare, and topically on information risk management, data breach prevention and response, and information security careers and certifications, ISMG covers the entire spectrum of concerns facing today's security professionals.

It is the fastest-growing security community, reaching over 4 million professionals worldwide.


Cybersecurity has transitioned from being a technical problem to becoming a risk-based issue. The transition has been top of mind among cybersecurity professionals, executives, board members, shareholders, analysts and other thought leaders.

Cyber risks should become a top priority for the majority of board members, alongside other risks such as financial, regulatory and legal. Boards should speak the language of risk and should hold security leaders accountable for doing the same. The challenge for board members is that the data being presented to them is too technical.

The role of the cybersecurity professional was created based on technology-based needs. How many Distributed Denial of Service (DDoS) events were blocked? How many vulnerabilities do we need to patch today? Cybersecurity professionals lived and breathed technology; they worked in a silo and were known across the business as the “IT team in the corner office.”

Considering cybersecurity professionals came from this deeply rooted, technology-focused place, shifting to speaking risk is almost like learning a foreign language. So how can they make the transition as smooth and seamless as possible?

Cybersecurity professionals must first learn how to think in terms of risk, which begins with defining it. Risk is the potential for loss caused by some event; it is a consequence of the alignment of threats and vulnerabilities against an asset of value.

A threat without a vulnerability or a vulnerability without a threat does not present a risk.

When assessing their cyber risk, cybersecurity professionals must first focus on identifying the most valued information assets, those that could cause the most damage if compromised, and then apply the risk equation. They should look at the threats to their most valued assets, identify the associated vulnerabilities, determine the probability of those two meeting and the impact the compromise would have, and apply their cybersecurity resources accordingly.

If they think like a true risk professional, speaking the language of risk comes easily. When reporting to the board, security professionals should:

  • Paint a picture that highlights the past, present and future state of the company's cyber risk, including lessons learned, goals and progress against those goals.
  • Focus on asset value and the impact to the business if those assets were compromised.
  • Present the top risks impacting the business, with the top being the intersection of the most likely and the most impactful cyber risks to the company.
  • Show the trend of how these risks have increased or decreased through the organization's actions, or lack thereof, ultimately based on the board's guidance.
  • Show how they expect their proposed actions, or lack thereof, to affect these trends.
  • Use specific data points about threats and vulnerabilities as supporting information to show the actions that affect the various cyber risks, but make sure these data points are supporting, not leading.
  • Use a consistent format from month to month, with metrics that can be continually compared and trended over time for progress.
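The risk equation described above (risk only where a threat and a vulnerability meet on an asset of value, scored as probability times impact) and the board-reporting points in the list (top risks at the intersection of likelihood and impact, trended month to month in a consistent format) can be made concrete in a small risk register. The following Python is an added example written for this column; it is not code from ISMG or the author. Every asset, threat, weakness and number in it is constructed for illustration, and the field names and scoring scale are assumptions, not a standard.

```python
"""Toy cyber-risk register: score = P(threat meets vulnerability) x impact.

Added illustration; the data model and 1..5 asset-value scale are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business value of the asset, 1 (low) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str        # asset this threat targets
    likelihood: float  # probability the threat is exercised in the period, 0..1


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    weakness: str
    exploitable_by: Tuple[str, ...]  # threat names that can use this weakness
    exploitability: float            # probability an attempt succeeds, 0..1


@dataclass(frozen=True)
class Risk:
    asset: str
    scenario: str
    probability: float  # P(threat) x P(exploit succeeds)
    impact: int         # asset value: what the business loses if compromised

    @property
    def score(self) -> float:
        return round(self.probability * self.impact, 3)


def assess(assets: Sequence[Asset], threats: Sequence[Threat],
           vulns: Sequence[Vulnerability]) -> List[Risk]:
    """Pair each threat with the vulnerabilities it can use on the same asset.

    A threat with no matching vulnerability, or a vulnerability with no
    threat that exploits it, produces no Risk entry at all.
    """
    by_name = {a.name: a for a in assets}
    risks: List[Risk] = []
    for t in threats:
        for v in vulns:
            if v.asset != t.asset or t.name not in v.exploitable_by:
                continue
            asset = by_name[v.asset]
            risks.append(Risk(asset.name, f"{t.name} via {v.weakness}",
                              round(t.likelihood * v.exploitability, 3),
                              asset.value))
    # Top of the register = most likely AND most impactful
    return sorted(risks, key=lambda r: r.score, reverse=True)


def trend(previous: Sequence[Risk], current: Sequence[Risk]) -> Dict[str, float]:
    """Score delta per scenario between two periods; missing scenarios count as 0."""
    prev = {r.scenario: r.score for r in previous}
    cur = {r.scenario: r.score for r in current}
    return {s: round(cur.get(s, 0.0) - prev.get(s, 0.0), 3)
            for s in sorted(set(prev) | set(cur))}


# Constructed sample data for a fictional insurer (not real findings)
ASSETS = [Asset("policy-admin database", 5), Asset("marketing website", 2),
          Asset("internal wiki", 1)]
THREATS = [Threat("credential stuffing", "policy-admin database", 0.6),
           Threat("web defacement", "marketing website", 0.4),
           Threat("insider data export", "internal wiki", 0.3)]  # no weakness -> no risk
VULNS_MARCH = [
    Vulnerability("policy-admin database", "no MFA on VPN", ("credential stuffing",), 0.5),
    Vulnerability("marketing website", "outdated CMS plugin", ("web defacement",), 0.7),
    # weakness with no listed threat that exploits it -> no risk entry
    Vulnerability("policy-admin database", "unpatched storage server", ("ransomware",), 0.8),
]
# April: MFA rolled out on the VPN, so the same weakness is far less exploitable
VULNS_APRIL = [Vulnerability(v.asset, v.weakness, v.exploitable_by,
                             0.1 if v.weakness == "no MFA on VPN" else v.exploitability)
               for v in VULNS_MARCH]


def board_summary(risks: Sequence[Risk], top_n: int = 3) -> List[Dict[str, object]]:
    """Same columns every month so the board can compare period to period."""
    return [{"asset": r.asset, "scenario": r.scenario, "probability": r.probability,
             "impact": r.impact, "score": r.score} for r in risks[:top_n]]


if __name__ == "__main__":
    march, april = assess(ASSETS, THREATS, VULNS_MARCH), assess(ASSETS, THREATS, VULNS_APRIL)
    for row in board_summary(april):
        print(row)
    print("trend vs last month:", trend(march, april))
```

Only two of the three threats and two of the three weaknesses produce register entries, which is the point of the "no threat, no risk" rule: the insider threat on the wiki and the unpatched storage server each lack their counterpart and so consume no reporting space. The MFA rollout shows up as a negative delta on the top scenario rather than as a count of blocked logins, which is the kind of trend line the column asks security leaders to bring to the board.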

Security leaders who are constantly in reactive mode are being left behind. Their goal should be to understand the company's cyber risks and manage those risks in line with the board's direction and risk appetite.

Guest column

India economic update

Milind S. Kothari

Managing Partner
BDO India LLP
milindkothari@bdo.in
India economic update

M & A tracker

Rajesh Thakkar

Partner /Transaction Tax
Tax & Regulatory Services
rajeshthakkar@bdo.in
M & A tracker

Feature story

Akshay Garkel

Partner/ IT Advisory
Risk Advisory Services
akshaygarkel@bdo.in
Feature story

Guest column

Sameer Saxena

Managing Director – Asia and Middle East
Information Security Media Group, India
ssaxena@ismg.io
Guest column
X

The Prime Minister Mr. Narendra Modi-led National Democratic Alliance (NDA) completes 3 years at the Centre this month. From a seemingly slow start to reforms and economic recovery, the Modi juggernaut is picking up rapid pace and seems unstoppable as it enters the final phase of this term that is to end in 2 years, before the next general elections. At this time, it almost seems a certainty that this Government would win the next elections which translates into a near 7 years of political certainty that would be unprecedented in the modern era.

In the latest reform move, the Government abolished Foreign Investment Promotion Board (FIPB), an inter-ministerial body housed in the Department of Economic Affairs and responsible for processing foreign direct investment (FDI) proposals and recommending for approval to the finance minister and subsequently to the Cabinet Committee on Economic Affairs if the investment amount exceeded US $ 500 mn. Post abolition, the individual departments of the Government have been empowered to clear FDI proposals in consultation with Department of Industrial Policy and Promotion (DIPP). Also, pending FDI proposals before the defunct FIPB will be sent back to individual line ministries for necessary action.

The report card of the Government during its three years in power is impressive, scoring handsomely on key economic parameters. The biggest bug-bear - inflation is now contained, GDP growth seems comfortably above 7% and significant effort has been put in the promise to undo the parallel economy, referred to as the Black economy, albeit not with the success that was promised.

The Government has invested significant effort in connectivity that would be the lifeline for future economic development. It launched the integrated transportation initiative for roads, railways, waterways and civil aviation. Development programs Sagarmala for construction of new ports and Bharatmala for expressways has been launched. Another initiative, UDAN promotes regional airline connectivity for common people. The clean and renewable energy generation received a major boost under this Government, pushing for electric vehicles.

The Prime Minister, a strong advocate of digitization, continued the good work initiated by the previous Government and introduced several others to accelerate digital governance. The 12-digit unique identification to be issued to every Indian resident is slated to improve service delivery to every citizen. Besides, several measures have been taken to improve e-infrastructure, e-participation and government e-services for addressing transparency. Also introduced is the unified payments interface (UPI); a payment system that allows mobile-enabled money transfers between bank accounts. Several of these initiatives would push India bravely in the digital world.

The ghost of demonetisation that briefly haunted the economy in the last quarter of 2016 has been exorcised and the dividend in the form of nearly 9 mn additional taxpayers and many more would get added in the tax system proving to be a medium-long term benefit.

The imminent rollout of the biggest tax reform since Indian Independence is expected to go live in the form of GST with effect from July 1, 2017. The central IT network, GSTN (Goods and Services Network) is in place to provide robust IT backbone for smooth functioning of the GST regime. With implementation of GST riding on this IT platform, India would take several steps towards digitization. It is expected that there would be challenges as the entire country converges on this digital platform but eventually transform India to a truly tax compliant society, an area where India has significant ground to cover. The implementation also makes a big case for ease of doing business in India as the country would become borderless (state-wise) which is not the case in the existing Indirect Tax regime, fractured by state-led tax regulations.

As the onset of monsoon only a few weeks away with an assurance of another good spell, the stock indices are now at an all-time high with a promise of a robust economic growth and good governance in place, India and the business community are looking forward to a bright future!

M&A in India

Between April 2017 and May 2017, around 110 M&A deals were announced / completed aggregating to approx. USD 3.59 billion; dominated by domestic deals (66) followed by cross border deals (44).

In terms of sectors, Consumer Discretionary saw the maximum deal value with deals worth around USD 1.72 billion followed by Information Technology with USD 593 million and Financials with USD 554 million.

Deal announcements

(Deals mentioned in the M&A Tracker do not include those with undisclosed deal values as well as those which have been announced but not closed)

Target Company : Kreditech Holding SSL GmbH
Acquiring Company : PayU Corporate
Deal Value (in mn USD) : 120.52

  • In May 2017, PayU Corporate owned by Naspers invested USD 120.52 million for a minority stake in Kreditech Holding SSL GmbH.
  • The transaction being part of Pay U’s global plan to build on its payment heritage, also consists of global partnership between Kreditech and PayU for delivering a joint proposition for Point of Sale Finance.
  • The acquisition would enable Kreditech to expand its lending as a service offering and enter the Indian markets through PayU India by launching its credit product (underwriting and loan management technology).

Target Company : Gumberg India Private Limited, The North Country Mall
Acquiring Company : Virtuous Retail South Asia
Deal Value (in mn USD) : 108.72

  • In May 2017, Virtuous Retail South Asia (VRSA) acquired 50% stake of The North Country Mall from SUN-Apollo India Real Estate Fund and 50% stake of Gumberg India Private Limited to establish its presence in North India.
  • With this acquisition, VRSA plans to strengthen its presence in North India. VRSA’s India retail portfolio now stands at 5.5 million sq. ft. The acquisition has resulted into in an expansion of their retail leasable space by 1 million square feet.
  • The acquisition is in line with VRSA’s expansion strategy through both ground up development and acquisition of existing high-quality assets.
  • The acquisition expands VRSA’s footprint into North India

Target Company : Indiabulls Ventures Limited
Acquiring Company : Clermont Consultants CH SA
Deal Value (in mn USD) : 103.78

  • In April 2017, Clermont Consultants CH SA acquired 21.22% through its affiliates Cinnamon Capital Limited and Tamarind Capital Pte Limited in Indiabulls Venture Private Limited.
  • The consideration of USD 103.78 million was paid by issue of Equity Shares on preferential allotment basis.
  • Accordingly, Cinnamon Capital Limited subscribed to 9.69% shares of Indiabulls Ventures Ltd at a price per share of INR 58.40 and Tamarind Capital Pte Limited subscribed to 11.81% shares at a price per share of INR 97.40.

Target Company : Puravankara Limited, Three Subsidiaries
Acquiring Company : Hetero Drugs Ltd
Deal Value (in mn USD) : 73.07

  • In the end of March 2017, Hetero Drugs Limited along with its subsidiary, Hetero Labs Limited, acquired the three subsidiaries of Puravankara Limited in order to acquire the 19- acre land in Hyderabad.
  • The three subsidiaries of Puravankara Limited includes Purva Land Limited, Puravankara Hotels Limited and Purva Marine Properties Private Limited
  • The consideration resulted in 1.78 times return on investment to Puravankara.
  • Puravankara Projects plans to use the money to reduce debt. Puravankara initially wanted to build a hotel project on the land and incorporated the subsidiaries in 2007.
  • Puravankara is preparing at the balance sheet level to look for distress opportunities in the market and also take up half complete projects that need funds for completion.

Target Company : Euro Ceramics Limited, Sanitaryware Business
Acquiring Company : Jaquar and Company Private Limited
Deal Value (in mn USD) : 15.34

  • Jaquar and Company Private Limited acquired the sanitary-ware business of Euro Ceramics Limited.
  • The acquisition by Jaquar also includes the manufacturing plant, land& building of Euro Ceramics located in Kutch district of Gujarat.
  • The plant, which has a workforce of over 400 people, will make a new range of designer sanitary-ware products in partnership with design firms such as London-based Danelon Meroni and Bangalore-based Foley Design.
  • Jaquar has various business plans which include investing in setting up a new plant and upgrade the technology of plants to enhance the production capacity.

Information and Cyber Security Framework– Security Framework for Insurers Issued By IRDAI

Background
With the constantly evolving threat landscape, securing business for organizations will remain the greatest task in hand. India is also not excluded from various security attacks and threat events during this era of business transformation. Due to the recent cyber-attacks, cyber security in all sectors has gained prominent importance. With reference to this & many other factors, Insurance Regulatory and Development Authority of India (IRDAI) has released a comprehensive cyber security circular issued to insurance companies in India. IRDA is a statutory body set up for protecting the interests of the policy holders while regulating, promoting and ensuring orderly growth of the insurance industry in India.

The Circular
With reference to the above, IRDAI vide its Circular (ref. no: IRDA/IT/CIR/MISC/216/10/2016) dated 31st Oct 2016 formed a working group of CIOs for ‘Formulating a comprehensive framework for Information and cyber security for insurance sector’ which in turn formed the following three sub-groups to work on various issues related to Information and Cyber Security

  • Group-1: All four layers of Security (Data, Applications, Operating Systems and Network Layers)
  • Group-2: Security Audit
  • Group-3: Legal Aspects on Cyber Security

This framework covers various layers of security such as data, applications, operating systems and network layers, besides legal aspects pertaining to cybercrimes.

What Should Organizations Do?

Organization can adopt a well-defined approach to address IRDA cyber security framework requirements which in turn will help to further strengthen the security posture of the organization.


Figure 1 - Approach towards IRDA Cyber Security Compliance

A six-phased approach can be one way to look at –

  • One-time assessment – conduct a gap assessment against the guidelines of the circular. Identify the gaps and assign recommendation.
  • Prioritization & Reassessment – Prioritize the closure of the gaps based on a risk matrix and conduct a quick reassessment on the gaps identified
  • Gap Implementation – Implementation of the gaps identified with adequate amount of controls
  • Manage & Monitor – Manage the compliance levels of the controls including regular updates to the dashboard on the compliance levels to the guidelines of the circular
  • Compliance check & audit readiness – Conduct periodic comprehensive audits over a period of time till considerable and acceptable level of compliance is achieved

Next Steps

With reference to the cyber security framework, IRDAI has asked insurance companies to have board approved information/cyber security policy by 31st July 2017. Further to this IRDAI has asked the insurance companies to have a cyber-security assurance program to be approved by the board by 30th September 2017.

Text Box: KEY FRAMEWORK COVERAGE    Layers of Security  •	Enterprise security  •	Network Security   •	Access Management  Security Audit  •	Third Party Risk Management  •	Information Security Audit  Legal Aspects of Cyber Security  •	Security Logging and monitoring  •	Service Level Agreements

IRDAI has asked insurers to appoint Chief Information Security Officer (CISO) who would be responsible for enforcing policies to protect information and information assets. CISO would be the lead of risk management practice and will work with the CIO. Additionally, IRDAI has asked insurance companies to form an Information Security Committee comprising of operations, IT, legal, finance, compliance etc. – headed by a senior official reporting into Board.

To enforce segregation of duties, IRDAI has asked insurance companies to segregate between the IT & Information Security (IS) functions.

Text Box: KEY CONTROLS    Segregation of duties  Periodic review of access  Implementation of the security tools  Approval for the changes  Backing up of data  Logging and monitoring of the devices

The following sub-groups comprising of experts drawn from insurance companies were formed for arriving at a comprehensive framework for information and cyber-security.

In pursuit of development of a strong risk management system and mitigation strategies, insurance companies shall set up a separate risk management committee to implement the company’s Risk Management Strategy. IRDA issued exposure draft containing the draft framework on 2nd March 2017. Having considered the feedback received from the stakeholders to the Exposure Draft, IRDA now issues the attached ‘Guidelines on Information and Cyber Security for insurers’ by exercising the powers vested with the Authority under Sub-Section (1) of Section 14 of IRDA Act 1999.

The boards of the insurance companies should approve the overall approach to information security policy and strategy and information security assurance programme, including cyber security.

To improve security and comply with the IRDAI cyber security framework, insurers should implement all aspects of the framework (application, data, audit, legal and so on) within the deadlines set by IRDAI.

IT Advisory

Language of Risk

With 7 publication brands and 28 media properties worldwide focused vertically on highly regulated industries such as financial services, government and healthcare, and topically on information risk management, data breach prevention and response, and information security careers and certifications, ISMG covers the entire spectrum of concerns facing today's security professionals.

It is the fastest growing security community reaching over 4 million professionals worldwide.


Cybersecurity has transitioned from being a technical problem to becoming a risk-based issue. The transition has been top of mind among cybersecurity professionals, executives, board members, shareholders, analysts and other thought leaders.

Cyber risk should become a top priority for the majority of board members, alongside financial, regulatory and legal risk. Boards should speak the language of risk and should hold security leaders accountable for doing the same. The challenge for board members is that the data presented to them is too technical.

The role of the cyber security professional grew out of technology needs. How many Distributed Denial of Service (DDoS) events were blocked? How many vulnerabilities do we need to patch today? Cybersecurity professionals lived and breathed technology; they worked in a silo and were known across the business as the "IT team in the corner office".

Because cyber security professionals come from this deeply rooted, technology-focused place, shifting to speaking risk is almost like learning a foreign language. So how can they make the transition as smooth and seamless as possible?

Cybersecurity professionals must first learn how to think risk, which begins with defining it. Risk is the potential of loss caused by some event - it is a consequence of the alignment of threats and vulnerabilities against an asset of value.

A threat without a vulnerability or a vulnerability without a threat does not present a risk.

When assessing their cyber-risk, cybersecurity professionals must first focus on identifying the most valued information assets, those that could cause the most damage if compromised, and then apply the risk equation. They should look at the threats to their most valued assets, identify associated vulnerabilities, determine the probability of those two meeting, the impact the compromise would have, and apply their cybersecurity resources accordingly.

If they think like a true risk professional, speaking the language of risk comes easily. When reporting to the board, security professionals should:

  • Paint a picture of the past, present and future state of the company's cyber risk, including lessons learned, goals and progress against those goals.
  • Focus on asset value and the impact to the business if those assets were compromised.
  • Present the top risks to the business, the top being the intersection of the most likely and the most impactful cyber risks to the company.
  • Show the trend of how these risks have increased or decreased through the organisation's actions, or lack of them, ultimately based on the board's guidance.
  • Show how the proposed actions, or the lack of them, are expected to affect these trends.
  • Use specific data points about threats and vulnerabilities as supporting information for the actions that affect the various cyber risks, but make sure these data points are supporting, not leading.
  • Use a consistent format from month to month, with metrics that can be compared and trended over time to show progress.
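The risk equation above (a risk exists only where a threat and a vulnerability align against an asset of value, scored by likelihood times impact) and the month-to-month trend the board list asks for can be made concrete in a small risk register. The following is an added example, not code from the article or from ISMG; the assets, threats, vulnerabilities and the 1 to 5 value scale are constructed sample data, and the "vector" matching rule used to pair a threat with a vulnerability is an assumption chosen for the illustration.

```python
"""Minimal cyber-risk register illustrating the risk equation.

Risk = P(threat attempts) * P(vulnerability lets it succeed) * asset value.
A threat with no matching vulnerability (or vice versa) yields no risk entry.
All assets, threats and vulnerabilities below are constructed sample data.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # 1 (low) .. 5 (critical) business value, assumed scale


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # asset the threat targets
    vector: str         # how it gets in ("web", "email", "vendor"); assumed field
    likelihood: float   # 0..1 probability of an attempt per reporting period


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str
    vector: str         # vector the weakness exposes
    exposure: float     # 0..1 chance an attempt succeeds given the weakness


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float   # P(attempt) * P(success)
    impact: int         # asset value
    score: float        # likelihood * impact


def assess(assets, threats, vulns):
    """Pair each threat with vulnerabilities on the same asset and vector.
    Unpaired threats or vulnerabilities produce no risk, per the equation."""
    values = {a.name: a.value for a in assets}
    risks = []
    for t, v in product(threats, vulns):
        if t.asset != v.asset or t.vector != v.vector:
            continue
        likelihood = round(t.likelihood * v.exposure, 3)
        impact = values[t.asset]
        risks.append(Risk(t.asset, t.name, v.name, likelihood, impact,
                          round(likelihood * impact, 3)))
    # highest score first: the board sees the most likely and most impactful
    return sorted(risks, key=lambda r: r.score, reverse=True)


def trend(current, previous):
    """Compare each (asset, threat, vulnerability) score with the prior period.
    Returns (key, previous_score, current_score, direction) per current risk."""
    prev = {(r.asset, r.threat, r.vulnerability): r.score for r in previous}
    out = []
    for r in current:
        key = (r.asset, r.threat, r.vulnerability)
        before = prev.get(key)
        if before is None:
            direction = "new"
        elif r.score < before:
            direction = "down"
        elif r.score > before:
            direction = "up"
        else:
            direction = "flat"
        out.append((key, before, r.score, direction))
    return out


# constructed sample register
ASSETS = [Asset("policyholder-db", 5), Asset("agent-portal", 3),
          Asset("marketing-site", 1)]
THREATS = [
    Threat("credential stuffing", "agent-portal", "web", 0.8),
    Threat("ransomware via phishing", "policyholder-db", "email", 0.6),
    Threat("vendor compromise", "policyholder-db", "vendor", 0.3),
    Threat("defacement", "marketing-site", "web", 0.5),  # no matching vuln
]
VULNS_LAST_MONTH = [
    Vulnerability("no MFA on portal", "agent-portal", "web", 0.5),
    Vulnerability("unpatched mail gateway", "policyholder-db", "email", 0.4),
    Vulnerability("shared vendor service account", "policyholder-db", "vendor", 0.7),
]
# this month: MFA rolled out on the portal, so that exposure drops;
# the other two weaknesses are unchanged
VULNS_THIS_MONTH = [
    Vulnerability("no MFA on portal", "agent-portal", "web", 0.1),
    Vulnerability("unpatched mail gateway", "policyholder-db", "email", 0.4),
    Vulnerability("shared vendor service account", "policyholder-db", "vendor", 0.7),
]


def board_report():
    """Current ranked risks plus their trend against last month."""
    last = assess(ASSETS, THREATS, VULNS_LAST_MONTH)
    now = assess(ASSETS, THREATS, VULNS_THIS_MONTH)
    return now, trend(now, last)


if __name__ == "__main__":
    now, changes = board_report()
    for (asset, threat, vuln), before, after, direction in changes:
        print(f"{asset:16} {threat:26} {vuln:30} {before} -> {after} ({direction})")
```

Note what the output does and does not contain: the "defacement" threat never appears, because no vulnerability aligns with it, and the portal risk drops from the top of the list to the bottom once MFA cuts its exposure, which is exactly the action-to-trend link the board wants to see. The two unchanged risks stay at the top, flagged "flat", which is the signal that those are the items still waiting for a decision.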

Security leaders who are constantly in a reactive mode are being left behind. Their goal should be to understand the company’s cyber-risks and manage those risks in line with the board's direction and appetite.