CISO Office
2nd Floor, 1/1A Adi Shankaracharya Marg, Opp. Powai Lake, Powai, Mumbai-400072
Date: 03rd February, 2020
Corrigendum

Please refer to our Expression of Interest (EOI) for Appointment of Cyber Insurance Broker published on 20th January, 2020. Some of the interested bidders have raised queries with regard to the EOI. We are appending below the queries raised by them and our response thereto. Please take into account these clarifications/amendments while submitting your response against the EOI requirement.
SN 1
Reference: Page No: 17, Point 2 of Technical Evaluation: Number of Cyber Insurance policies successfully placed for Scheduled Commercial banks in the last 3 years. (Documents supporting the same should be enclosed with proposal)
Query/Suggestion: We would request if this criterion is changed to cyber insurance policies placed for banks in the last three years instead of restricting it only to SCBs? As the bank is concerned with the experience of the broker for placing cyber insurance policy for varied banks which may include several co-operative banks as well as RRBs who have faced large claims in the past. It would be noteworthy to include all banks as arranging a cover for banks other than SCBs also involves a deep understanding of the risk structure of the banks and accordingly designing cyber insurance policies for them. Hence restricting this criterion to SCBs will limit competition. Also we would want to add that since the bank is evaluating a broker’s credential in handling end to end placement and management of a cyber risk insurance policy for banks, the policy of the bank being in force or not should be immaterial for the bank and we request if the same can be deleted. Also in the parameter it is mentioned to provide the last 3 years cyber policies, but in the criteria for awarding marks it states 2 marks will be awarded for each in-force cyber security policy? These two statements are contradicting so we request you to please provide clarity on this.
Reply: Only Policies which are in force on the date of submission of Bid/Response will be considered for awarding the marks.

SN 2
Reference: Page No: 17, Point 4 of Technical Evaluation: Average Annual Turnover of company from Insurance business for last 3 FY 2016-17, 2017-18, 2018-19 (Documents supporting the claim to be enclosed)
Query/Suggestion: With regards to this point we wish to highlight that there are very few brokers who have an annual turnover of more than Rs 100 Crores. Out of these few brokers, extremely limited brokers have the experience of placing cyber risk insurance policy for banks. This criterion will result in extremely skewed competition for the bank and hence we request if the below table can be accepted by the bank. PARAMETER: Average Annual Turnover of company from insurance business for last 3 FY 2016-17, 2017-18 and 2018-19 (Documents supporting the claim to be enclosed). Criteria for awarding marks: More than Rs. 50 Crores and above - 20; More than Rs. 20 Crores to Rs. 50 Crores - 15; Above Rs. 10 Crores to Rs. 20 Crores - 10, with Maximum Marks as 20.
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

SN 3
Reference: General Criteria: Definition of Scheduled Commercial Banks
Query/Suggestion: Criteria: Scheduled Commercial Banks (to exclude Foreign Banks). Reason: It is proposed that the expertise of Brokers who have serviced insurance programs for both Private and Public Sector Banks i.e. Scheduled Commercial Banks be considered. However, currently consideration has also been provided to foreign banks that have their liaison office/corresponding branches in India. We would like to clarify that in such cases, insurance is managed overseas, and local policy is structured in India only for IRDAI requirement. Since structuring of such policies in India does not call for either technical exposure analysis or coherent policy drafting, we recommend consideration not be provided to foreign branch offices in India. Considering the diverse service profile of Union Bank of India, it is relevant to only consider Scheduled Commercial banks (excluding Foreign Banks).
Reply: For the purpose of determining experience of Broker, any Cyber Insurance Policy issued through Bidder for Scheduled Commercial Banks will only be considered.

SN 4
Reference: General Criteria: Definition of Scheduled Commercial Banks
Query/Suggestion: Criteria: Engagement as a direct broker for a Scheduled Commercial Bank. Reason: As this is an appointment criterion of an intermediary on direct cyber insurance placement, it is suggested that only reinsurance placements done for scheduled commercial banks should not be considered. The expertise employed for direct placements demands a different skill set as compared to that for a reinsurance transaction which is more of an administrative documentation
Reply: For the purpose of this Expression of Interest only Direct Insurance Broker will be considered.

SN 5
Reference: Eligibility Criteria: New
Query/Suggestion: Criteria: Have a robust IT infrastructure and enabler tools with requisite safety and security features. Reason: Data is a precious asset and diligence in keeping it secure helps maintain competitive advantage and comply with regulatory requirements under various statutes. This requires a Broker to possess adequate IT framework and processes at its end to ensure that data is used and stored securely for the purpose for which it was obtained.
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

SN 6
Reference: Eligibility Criteria: New
Query/Suggestion: Criteria: Data privacy - Please confirm if your data & its backups meet the safeguards and requirements of IRDA regulations and are warehoused and processed in India. Reason: Data is a precious asset and diligence in keeping it secure helps maintain competitive advantage and comply with regulatory requirements under various statutes. This requires a Broker to possess adequate IT framework and processes at its end to ensure that data is used and stored securely for the purpose for which it was obtained.
Reply: All the Insurance Brokers should necessarily be in compliance with the IRDAI guidelines.

SN 7
Reference: Eligibility Criteria: New
Query/Suggestion: Criteria: Meet the declaration requirements that form part of the document as provided in Annexure 1. Reason: Need for selecting a Broker with good corporate governance standards is without doubt a primary requirement for any client. The declaration template suggested in Annexure 1 of this document seeks to elucidate this requirement and confirm that the Broker possesses / deploys adequate standards in its day to day dealings with its stakeholders.
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

SN 8
Reference: Tender Evaluation: Sub Clause 3 - Settlement of Cyber Insurance Claim
Query/Suggestion: Proposed: Settlement of Cyber Insurance Claim for Scheduled Commercial Banks. Reason: It is suggested that brokers’ claim handling expertise be carefully assessed, based on claims handled exclusively for Scheduled Commercial Banks, enabling a rather refined assessment.
Reply: Settlement of Cyber Insurance Claim during last 3 years will bring out required experience in Broker. For the purpose of Cyber Insurance claim experience, any claim handled under Cyber Insurance Policy will only be considered.

SN 9
Reference: Tender Evaluation: Sub Clause 3 - Settlement of Cyber Insurance Claim
Query/Suggestion: Proposed: No Partial Settlement or On-going Cyber Claim to be considered. Reason: Settlement of a cyber claim is a long-drawn process involving technical and legal expertise that is imperative to work the claim up to full and final settlement. As the quantum of cyber claims in the banking domain is increasing, any on-going, partial or petty claim payouts are not relevant and only fully settled claims should be considered.
Reply: Settlement in the document means full settlement of claim only.

SN 10
Reference: Tender Evaluation: Sub Clause 6 - Consultants / Value Added Proposition through third parties with respect to Cyber Insurance
Query/Suggestion: Proposed: Consultants / Value Added Proposition through third parties with respect to Cyber Insurance. Specifically, as a full-time engagement for providing cyber security rating service. Reason: Ideally, a broker should enter into an annual contract with a service provider to provide cyber security rating service. The same should be provided by third party at no additional cost to Union Bank of India and hence, should be exactly as per discretionary criteria mentioned under Clause 8. Technical Evaluation.
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

SN 11
Reference: Point No 5 of the EOI – Eligibility Criteria
Query/Suggestion: Point 3 which reads as - The Broking Firm/Company should have experience in handling end to end Cyber Insurance program including issuance of Cyber Insurance Policy of at least one reputed Bank with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above as on 31.12.2019. Proposed: Can a reputed NBFC with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above as on 31.12.2019 be applicable to this point in place of reputed Bank?
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

SN 12
Reference: Page 9, 1st Paragraph
Query/Suggestion: The Bidder must be able to provide Cyber Security Rating service of the banks on a monthly basis. Proposed: Instead of the word Bidder, if it can be changed to Third Party Service Provider, since only the Third Party Service Provider will be providing you the Cyber Security Rating Service.
Reply: It is optional for the Bidder to provide Third Party Cyber Security rating services or similar services free of cost to the Bank.

SN 13
Reference: Page 9, 1st Paragraph
Query/Suggestion: The Cyber Security Ratings must be generated in a non-intrusive manner. Reason: A non-intrusive report would only be able to give you a holistic view of your systems, but later in the paragraph it also mentions the report should include “botnet infections, malware infections, potentially unwanted applications, open ports, SSL certificates and configuration, server patching, desktop and mobile operating system & browser versions. The report must include Common Vulnerabilities and Exposures (CVE) number for all the key vulnerabilities found”, for which a full deep study into your systems is required. Explanation sought: Brief us what our esteemed bank meant by the above statement. Also if you can throw some light on how the incumbent Service Provider is doing the same.
Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

SN 14
Reference: Page 15, Eligibility Criteria Pt no: 3
Query/Suggestion: Under Supporting Document required: Pt 2. Letter of Confirmation that Cyber Insurance Policy Process is completed. Explanation sought: Let us know if CA Certificate is adequate.
Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

SN 15
Reference: Page 17, Technical Evaluation Criteria Pt no: 2
Query/Suggestion: Under Parameter: Number of Cyber Insurance Policies successfully placed for scheduled commercial banks in last 3 years (Documents supporting the same should be enclosed in the proposal). Explanation sought: We have signed NDAs with all the banks we work with; we won’t be able to submit any policy copies with respect to the supporting documents. So we request if we can submit CA Certificate for the same.
Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

SN 16
Reference: Page 17, Technical Evaluation Criteria Pt no 2
Query/Suggestion: Under Criteria for awarding marks: 2 Marks will be awarded for each in-force Cyber Security Policy as on 31st December 2019. Explanation sought: If we can keep it as on today or as on 10.02.2020 (the last date for Tender Submission).
Reply: Any Cyber Insurance Policy in force as on date of submission will be considered for the purpose of determining experience.

SN 17
Reference: Page 17, Technical Evaluation Criteria Pt no 2
Query/Suggestion: Under Criteria for awarding marks: 2 Marks will be awarded for each in-force Cyber Security Policy as on 31st December 2019. Request: To consider exclusive mandate letter issued for Cyber Insurance Policy from Scheduled Commercial Banks also for evaluation criteria and award 2 Marks for the same. Typically, from the date of issuance of a mandate letter it takes 8 months to one year for the policy to be placed. There has never been any incidence in the past where a broker has been given an exclusive mandate for placing the cyber-insurance policy and he hasn’t placed it. Also, our esteemed bank, Union Bank of India itself came out with a Cyber-Insurance Broker Empanelment Tender on 24th July 2017 & final technical bid for cyber-insurance policy was opened on 6th April 2018. The approximate time between Broker Empanelment & Policy Placement was around 8 Months.
Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

SN 18
Reference: Page 18, Pt 14 - List of Documents/Information to be submitted along with EOI
Query/Suggestion: Under Pt 12 – Copy of Experience Certificate. Explanation sought: Since our Broker Empanelment letter itself is an adequate proof of our experience, can you please explain to us in detail what exactly has to be provided under this certificate?
Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

SN 19
Reference: Page 19
Query/Suggestion: Under Pt 16 – The Portal Access must be made available for at least 14 days. Explanation sought: Clarify if this is the portal of the Third Party Service Provider who will be providing the Cyber Security Ratings for your Bank.
Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

SN 20
Reference: Page 23, Pt VII Indemnity
Query/Suggestion: An Insurance Broker has a Professional Indemnity policy which is in compliance with the applicable provisions of the IRDAI (Insurance Brokers) Regulations, 2018. The Regulation mandates every insurance broker to take out and maintain a professional indemnity insurance cover throughout the validity of the period of the license granted to them by the IRDAI. The insurance cover must indemnify an insurance broker against:
a) any error or omission or negligence on their part or on the part of their employees and directors;
b) any loss of money or other property for which the insurance broker is legally liable in consequence of any financial or fraudulent act or omission;
c) any loss of documents and costs and expenses incurred in replacing or restoring such documents;
d) dishonest or fraudulent acts or omissions by insurance brokers’ employees or former employees.
Inference made: Accordingly, the maximum aggregate liability of Insurance Broker under all circumstances while acting as your insurance risk consultant / broker / advisor, shall be limited to the insurance cover under the Professional Indemnity Insurance policy prescribed under the Regulations.
Reply: Maximum liability would be limited as per IRDAI guidelines and in absence of any such guidelines from IRDAI, it will be as per EOI document.

SN 21
Reference: Page 23, Pt VI Return or Destruction
Query/Suggestion: Data is automatically backed up on our servers as part of our Cyber Security Protocols. Assertion: Hence Data doesn’t get destroyed. It is saved on our servers in an encrypted format. But we assure you that all physical copies of data will be destroyed or will be returned to your authorities.
Reply: Executing and abiding by Non-disclosure Agreement (NDA) and Service Level Agreement (SLA) by successful Broker will suffice.

SN 22
Reference: Page 5, Pt 4.10
Query/Suggestion: The Bank may enlarge or modify the scope of work at any point of time depending upon its need. Clarification: Clarify that the modified scope of work will be within the limits of the Cyber Insurance Program of the Bank and nothing beyond it.
Reply: Scope of Work will remain related to Insurance.

SN 23
Reference: Page 19 Pt 15 & 16
Query/Suggestion: With respect to Cyber Security rating, we would like to request if the Third Party Service Provider who will be providing the Cyber Security Rating does the first review prior to the placement to assist the underwriters, so that underwriters have requisite information to underwrite the risk. Subsequent reviews to ensure that the rating is not diluted, thereby jeopardising the cover.
Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

SN 24
Reference: Under the Clause Number 5 - Eligibility Criteria
Query/Suggestion: Serial number 3 on page number 6: we raise an objection to the wordings “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above”. The Serial number 3 is in order if it reads “The Broking Firm/Company should have experience in handling end to end Cyber Insurance program including issuance of Cyber Insurance Policy of at least one reputed as on 31.12.2019.”
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

SN 25
Reference: In view of the above, we register our humble protest and ask you to delete the words “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above”
Query/Suggestion: The additional words “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above” seem to be incorporated with a view of accommodating a particular insurance broker who has been fortunate of working with a bank where Advances and deposits are 1 Lakh Crore, and this would definitely ensure that the eligibility criteria would be in favour of that insurance broker. Under the circumstances this clause would not be fair under the tender and could also be challenged under the provisions of CVC. Furthermore this would in no way ensure that an insurance broker working with a reputed bank where Advances and Deposits of 1 Lakh Crore or more is more experienced under the cyber insurance policy than the other licensed insurance brokers. Suggestion: In view of the above, we register our humble protest and ask you to delete the words “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above”.
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

SN 26
Reference: Page 8
Query/Suggestion: Consultant/Broker can propose value added services free of cost. Query: As per IRDA Guidelines, we can’t provide Value Added Services free of Cost. Request if this particular requirement is removed.
Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

SN 27
Reference: Page 17, Point no 3
Query/Suggestion: Settlement of Cyber Insurance Claim (Certificate to be enclosed) during last 3 years. Query: Will a CA Certificate be enough?
Reply: Documentary proof from Insurance company would be sufficient. Otherwise letter / communication from an organisation can be considered with details of the contact person of the organisation with official contact email ID and contact numbers for the Bank to authenticate the claim of the Bidders.

SN 28
Reference: Page 17, Point no 2
Query/Suggestion: Number of Cyber Insurance policies successfully placed for Scheduled Commercial Banks in the last 3 years. (Documents supporting the same should be enclosed with proposal). Query: If I had placed a Cyber Insurance Policy in 2018-19, will that be considered for awarding Marks, since you had mentioned last three years?
Reply: For the purpose of awarding marks, only Policies which are in force as on date of submission of response will be considered.

SN 29
Reference: Page 17, Point no 6
Query/Suggestion: Consultants / Value Added Proposition through third parties with respect to Cyber Insurance. Query: We request that this particular be removed, since as an Insurance Broker we can provide only Insurance Broking Services.
Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020. It is optional for the Bidder to propose such services as per their choice.
Bidders are hereby also informed that this is the last and final clarification issued by the Bank and no further queries will be accepted by the Bank. All other terms and conditions will remain unchanged. Please submit your response on or before 10.02.2020 up to 16:00 Hours; bids will be opened at 16:30 Hours on the same day.
Sd/-
(Dy. General Manager & CISO)