
CISO Office

2nd Floor, 1/1A Adi Shankaracharya Marg, Opp. Powai Lake, Powai, Mumbai-400072

Date: 03rd February, 2020

Corrigendum

Please refer to our Expression of Interest (EOI) for Appointment of Cyber Insurance Broker published on 20th January, 2020. Some of the interested bidders have raised queries with regard to the EOI. We are appending below the queries raised by them and our responses thereto. Please take into account these clarifications/amendments while submitting your response against the EOI requirement.

Queries and replies (SN, Reference, Query/Suggestion, Reply):

1. Reference: Page No: 17, Point 2 of Technical Evaluation: Number of Cyber Insurance policies successfully placed for Scheduled Commercial banks in the last 3 years. (Documents supporting the same should be enclosed with proposal)
   Query/Suggestion: We would request if this criterion is changed to cyber insurance policies placed for banks in the last three years instead of restricting it only to SCBs? As the bank is concerned with the experience of the broker for placing cyber insurance policy for varied banks which may include several co-operative banks as well as RRBs who have faced large claims in the past. It would be noteworthy to include all banks as arranging a cover for banks other than SCBs also involves a deep understanding of the risk structure of the banks and accordingly designing cyber insurance policies for them. Hence restricting this criterion to SCBs will limit competition. Also we would want to add that since the bank is evaluating a broker's credentials in handling end-to-end placement and management of a cyber risk insurance policy for banks, the policy of the bank being in force or not should be immaterial for the bank and we request if the same can be deleted. Also, in the parameter it is mentioned to provide the last 3 years' cyber policies, but in the criteria for awarding marks it states 2 marks will be awarded for each in-force cyber security policy. These two statements are contradicting, so we request you to please provide clarity on this.
   Reply: Only Policies which are in force on the date of submission of Bid/Response will be considered for awarding the marks.

2. Reference: Page No: 17, Point 4 of Technical Evaluation: Average Annual Turnover of company from Insurance business for last 3 FY 2016-17, 2017-18, 2018-19 (Documents supporting the claim to be enclosed)
   Query/Suggestion: With regards to this point we wish to highlight that there are very few brokers who have an annual turnover of more than Rs 100 Crores. Out of these few brokers, extremely limited brokers have the experience of placing cyber risk insurance policy for banks. This criterion will result in extremely skewed competition for the bank and hence we request if the below table can be accepted by the bank. PARAMETER: Average Annual Turnover of company from insurance business for last 3 FY 2016-17, 2017-18 and 2018-19 (Documents supporting the claim to be enclosed). Criteria for awarding marks: More than Rs. 50 Crores and above - 20; More than Rs. 20 Crores to Rs. 50 Crores - 15; Above Rs. 10 Crores to Rs. 20 Crores - 10; with Maximum Marks as 20.
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

3. Reference: General Criteria: Definition of Scheduled Commercial Banks
   Query/Suggestion: Criteria: Scheduled Commercial Banks (to exclude Foreign Banks). Reason: It is proposed that the expertise of Brokers who have serviced insurance programs for both Private and Public Sector Banks, i.e. Scheduled Commercial Banks, be considered. However, currently consideration has also been provided to foreign banks that have their liaison office/corresponding branches in India. We would like to clarify that in such cases, insurance is managed overseas, and local policy is structured in India only for IRDAI requirement. Since structuring of such policies in India does not call for either technical exposure analysis or coherent policy drafting, we recommend consideration not be provided to foreign branch offices in India. Considering the diverse service profile of Union Bank of India, it is relevant to only consider Scheduled Commercial banks (excluding Foreign Banks).
   Reply: For the purpose of determining experience of Broker, any Cyber Insurance Policy issued through Bidder for Scheduled Commercial Banks will only be considered.

4. Reference: General Criteria: Definition of Scheduled Commercial Banks
   Query/Suggestion: Criteria: Engagement as a direct broker for a Scheduled Commercial Bank. Reason: As this is an appointment criterion of an intermediary on direct cyber insurance placement, it is suggested that only reinsurance placements done for scheduled commercial banks should not be considered. The expertise employed for direct placements demands a different skill set as compared to that for a reinsurance transaction, which is more of an administrative documentation.
   Reply: For the purpose of this Expression of Interest only Direct Insurance Broker will be considered.

5. Reference: Eligibility Criteria: New
   Query/Suggestion: Criteria: Have a robust IT infrastructure and enabler tools with requisite safety and security features. Reason: Data is a precious asset and diligence in keeping it secure helps maintain competitive advantage and comply with regulatory requirements under various statutes. This requires a Broker to possess adequate IT framework and processes at its end to ensure that data is used and stored securely for the purpose for which it was obtained.
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

6. Reference: Eligibility Criteria: New
   Query/Suggestion: Criteria: Data privacy - Please confirm if your data & its backups meet the safeguards and requirements of IRDA regulations and are warehoused and processed in India. Reason: Data is a precious asset and diligence in keeping it secure helps maintain competitive advantage and comply with regulatory requirements under various statutes. This requires a Broker to possess adequate IT framework and processes at its end to ensure that data is used and stored securely for the purpose for which it was obtained.
   Reply: All the Insurance Brokers should necessarily be in compliance with the IRDAI guidelines.

7. Reference: Eligibility Criteria: New
   Query/Suggestion: Criteria: Meet the declaration requirements that form part of the document as provided in Annexure 1. Reason: Need for selecting a Broker with good corporate governance standards is without doubt a primary requirement for any client. The declaration template suggested in Annexure 1 of this document seeks to elucidate this requirement and confirm that the Broker possesses / deploys adequate standards in its day-to-day dealings with its stakeholders.
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

8. Reference: Tender Evaluation: Sub Clause 3 - Settlement of Cyber Insurance Claim
   Query/Suggestion: Proposed: Settlement of Cyber Insurance Claim for Scheduled Commercial Banks. Reason: It is suggested that brokers' claim handling expertise be carefully assessed, based on claims handled exclusively for Scheduled Commercial Banks, enabling a rather refined assessment.
   Reply: Settlement of Cyber Insurance Claim during last 3 years will bring out required experience in Broker. For the purpose of Cyber Insurance claim experience, any claim handled under Cyber Insurance Policy will only be considered.

9. Reference: Tender Evaluation: Sub Clause 3 - Settlement of Cyber Insurance Claim
   Query/Suggestion: Proposed: No Partial Settlement or On-going Cyber Claim to be considered. Reason: Settlement of a cyber claim is a long-drawn process involving technical and legal expertise that is imperative to work the claim up to full and final settlement. As the quantum of cyber claims in the banking domain is increasing, any on-going, partial or petty claim payouts are not relevant and only fully settled claims should be considered.
   Reply: Settlement in the document means full settlement of claim only.

10. Reference: Tender Evaluation: Sub Clause 6 - Consultants / Value Added Proposition through third parties with respect to Cyber Insurance
   Query/Suggestion: Proposed: Consultants / Value Added Proposition through third parties with respect to Cyber Insurance. Specifically, as a full-time engagement for providing cyber security rating service. Reason: Ideally, a broker should enter into an annual contract with a service provider to provide cyber security rating service. The same should be provided by third party at no additional cost to Union Bank of India and hence, should be exactly as per discretionary criteria mentioned under Clause 8, Technical Evaluation.
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

11. Reference: Point No 5 of the EOI – Eligibility Criteria
   Query/Suggestion: Point 3 which reads as - The Broking Firm/Company should have experience in handling end to end Cyber Insurance program including issuance of Cyber Insurance Policy of at least one reputed Bank with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above as on 31.12.2019. Proposed: Can a reputed NBFC with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above as on 31.12.2019 be applicable to this point in place of reputed Bank.
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

12. Reference: Page 9, 1st Paragraph
   Query/Suggestion: The Bidder must be able to provide Cyber Security Rating service of the banks on a monthly basis. Proposed: Instead of word Bidder, if it can be changed to Third Party Service Provider, since only the Third Party Service Provider will be providing you the Cyber Security Rating Service.
   Reply: It is optional for the Bidder to provide Third Party Cyber Security rating services or similar services free of cost to the Bank.

13. Reference: Page 9, 1st Paragraph
   Query/Suggestion: The Cyber Security Ratings must be generated in a non-intrusive manner. Reason: A non-intrusive report would only be able to give you a holistic view of your systems, but later in the paragraph it also mentions the report should include “botnet infections, malware infections, potentially unwanted applications, open ports, SSL certificates and configuration, server patching, desktop and mobile operating system & browser versions. The report must include Common Vulnerabilities and Exposures (CVE) number for all the key vulnerabilities found”, for which a full deep study into your systems is required. Explanation sought: Brief us what our esteemed bank meant by the above statement. Also if you can throw some light on how the incumbent Service Provider is doing the same.
   Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

14. Reference: Page 15, Eligibility Criteria Pt no: 3
   Query/Suggestion: Under Supporting Document required: Pt 2. Letter of Confirmation that Cyber Insurance Policy Process is completed. Explanation sought: Let us know if CA Certificate is adequate.
   Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

15. Reference: Page 17, Technical Evaluation Criteria Pt no: 2
   Query/Suggestion: Under Parameter: Number of Cyber Insurance Policies successfully placed for scheduled commercial banks in last 3 years (Documents supporting the same should be enclosed in the proposal). Explanation sought: We have signed NDA with all the banks we work with; we won’t be able to submit any policy copies with respect to the supporting documents. So we request if we can submit CA Certificate for the same.
   Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

16. Reference: Page 17, Technical Evaluation Criteria Pt no 2
   Query/Suggestion: Under Criteria for awarding marks: 2 Marks will be awarded for each in-force Cyber Security Policy as on 31st December 2019. Explanation sought: If we can keep it as on today or as on 10.02.2020 (the last date for Tender Submission).
   Reply: Any Cyber Insurance Policy in force as on date of submission will be considered for the purpose of determining experience.

17. Reference: Page 17, Technical Evaluation Criteria Pt no 2
   Query/Suggestion: Under Criteria for awarding marks: 2 Marks will be awarded for each in-force Cyber Security Policy as on 31st December 2019. Request: To consider exclusive mandate letter issued for Cyber Insurance Policy from Scheduled Commercial Banks also for evaluation criteria and award 2 Marks for the same. Typically, from the date of issuance of a mandate letter it takes 8 months to one year for the policy to be placed. There has never been any incidence in the past where a broker has been given an exclusive mandate for placing the cyber-insurance policy and he hasn’t placed it. Also, our esteemed bank, Union Bank of India, itself came out with a Cyber-Insurance Broker Empanelment Tender on 24th July 2017 & final technical bid for cyber-insurance policy was opened on 6th April 2018. The approximate time between Broker Empanelment & Policy Placement was around 8 Months.
   Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

18. Reference: Page 18, Pt 14 - List of Documents / Information to be submitted along with EOI
   Query/Suggestion: Under Pt 12 – Copy of Experience Certificate. Explanation sought: Since our Broker Empanelment letter itself is an adequate proof of our experience, can you please explain to us in detail what exactly has to be provided under this certificate?
   Reply: Letter of confirmation from the Bank or Insurance Company or Insurance Policy Cover Note to prove claim of Bidder of having completed Cyber Insurance issuance process. Bidder will also be required to provide customer contact details for the purpose of verification.

19. Reference: Page 19
   Query/Suggestion: Under Pt 16 – The Portal Access must be made available for at least 14 days. Explanation sought: Clarify if this is the portal of the Third Party Service Provider who will be providing the Cyber Security Ratings for your Bank.
   Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

20. Reference: Page 23, Pt VII Indemnity
   Query/Suggestion: An Insurance Broker has a Professional Indemnity policy which is in compliance to the applicable provisions of the IRDAI (Insurance Brokers) Regulations, 2018. The Regulation mandates every insurance broker to take out and maintain a professional indemnity insurance cover throughout the validity of the period of the license granted to them by the IRDAI. The insurance cover must indemnify an insurance broker against:
   a) any error or omission or negligence on their part or on the part of their employees and directors;
   b) any loss of money or other property for which the insurance broker is legally liable in consequence of any financial or fraudulent act or omission;
   c) any loss of documents and costs and expenses incurred in replacing or restoring such documents;
   d) dishonest or fraudulent acts or omissions by insurance brokers’ employees or former employees.
   Inference made: Accordingly, the maximum aggregate liability of Insurance Broker under all circumstances while acting as your insurance risk consultant / broker / advisor, shall be limited to the insurance cover under the Professional Indemnity Insurance policy prescribed under the Regulations.
   Reply: Maximum liability would be limited as per IRDAI guidelines and in absence of any such guidelines from IRDAI, it will be as per EOI document.

21. Reference: Page 23, Pt VI Return or Destruction
   Query/Suggestion: Data is automatically backed up on our servers as part of our Cyber Security Protocols. Assertion: Hence Data doesn’t get destroyed. It is saved on our servers in an encrypted format. But we assure you that all physical copies of data will be destroyed or will be returned back to your authorities.
   Reply: Executing and abiding by Non-disclosure Agreement (NDA) and Service Level Agreement (SLA) by successful Broker will suffice.

22. Reference: Page 5, Pt 4.10
   Query/Suggestion: The Bank may enlarge or modify the scope of work at any point of time depending upon its need. Clarification: Clarify that the modified scope of work will be within the limits of the Cyber Insurance Program of the Bank and nothing beyond it.
   Reply: Scope of Work will remain related to Insurance.

23. Reference: Page 19 Pt 15 & 16
   Query/Suggestion: With respect to Cyber Security rating, we would like to request if the Third Party Service Provider who will be providing the Cyber Security Rating does the first review prior to the placement to assist the underwriters, so that underwriters have requisite information to underwrite the risk. Subsequent reviews to ensure that the rating is not diluted, thereby jeopardising the cover.
   Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

24. Reference: Under the Clause Number 5 - Eligibility Criteria
   Query/Suggestion: Serial number 3 on page number 6: we raise an objection to the wordings “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above”. The Serial number 3 is in order if it reads “The Broking Firm/Company should have experience in handling end to end Cyber Insurance program including issuance of Cyber Insurance Policy of at least one reputed as on 31.12.2019.”
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

25. Reference: In view of the above, we register our humble protest and ask you to delete the words “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above”
   Query/Suggestion: The additional words “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above” seem to be incorporated with a view of accommodating a particular insurance broker who has been fortunate of working with a bank where Advances and deposits are 1 Lakh Crore, and this would definitely ensure that the eligibility criteria would be in favour of that insurance broker. Under the circumstances this clause would not be fair under the tender and could also be challenged under the provisions of CVC. Furthermore this would in no way ensure that an insurance broker working with a reputed bank where Advances and Deposits are 1 Lakh Crore or more is more experienced under the cyber insurance policy than the other licensed insurance brokers. Suggestion: In view of the above, we register our humble protest and ask you to delete the words “with business mix (Advances and Deposit) of Rs. 1 Lakh Crore and above”.
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020.

26. Reference: Page 8
   Query/Suggestion: Consultant/Broker can propose value added services free of cost. Query: As per IRDA Guidelines, we can’t provide Value Added Services free of Cost. Request if this particular requirement is removed.
   Reply: This is optional service which Bidder may like to propose and provide to the Bank. Service expectation given in the EOI is generic in nature and may vary from Service Provider to Service Provider.

27. Reference: Page 17, Point no 3
   Query/Suggestion: Settlement of Cyber Insurance Claim (Certificate to be enclosed) during last 3 years. Query: Will a CA Certificate be enough?
   Reply: Documentary proof from Insurance company would be sufficient. Otherwise letter / communication from an organisation can be considered with details of the contact person of the organisation with official contact email ID and contact numbers for the Bank to authenticate the claim of the Bidders.

28. Reference: Page 17, Point no 2
   Query/Suggestion: Number of Cyber Insurance policies successfully placed for Scheduled Commercial Banks in the last 3 years. (Documents supporting the same should be enclosed with proposal). Query: If I had placed a Cyber Insurance Policy in 2018-19, will that be considered for awarding Marks, since you had mentioned last three years?
   Reply: For the purpose of awarding marks, only Policies which are in force as on date of submission of response will be considered.

29. Reference: Page 17, Point no 6
   Query/Suggestion: Consultants / Value Added Proposition through third parties with respect to Cyber Insurance. Query: We request that this particular be removed, since as an Insurance Broker we can provide only Insurance Broking Services.
   Reply: Be guided as per the Expression of Interest for Appointment of Cyber Insurance Broker document published on 20.01.2020. It is optional for the Bidder to propose such services as per their choice.

Bidders are hereby also informed that this is the last and final clarification issued by the Bank and no further queries will be accepted by the Bank. All other terms and conditions will remain unchanged. Please submit your response on or before 10.02.2020 up to 16:00 Hours; bids will be opened at 16:30 Hours on the same day.

Sd/-

(Dy. General Manager & CISO)