Telecom firms skip audit because ‘it is too costly’

Insiders warn that not doing a security audit is a serious matter because it puts data privacy at risk.
Telecom service providers have said they would rather pay the penalty than undergo the external information system audit required by the Cyber Security Bylaw 2020.
As per the bylaw, service providers have to conduct internal and external audits, but they say they would rather skip the pricey external audit because the fine is cheaper.
They say it costs Rs600,000 to Rs1.2 million to have an audit done by external auditors, and the penalty they have to pay the telecom regulator for not doing one is Rs50,000.
“We have been inundated with requests from telecommunication service providers to amend the bylaw and remove the provision requiring external audits,” said Achyuta Nand Mishra, deputy director of the Nepal Telecommunications Authority.
“The service providers say they are having a hard time complying with the Cyber Security Bylaw because of its stringent provisions.”
He said the regulator was sympathetic to the service providers. “We will be amending the bylaw,” he added.
The Internet Service Providers Association Nepal too has urged the regulator to change the rules.
On August 2, the Nepal Telecommunications Authority asked service providers to submit their suggestions for amending the bylaw.
“We are collecting feedback from the service providers,” said Mishra.
The Cyber Security Bylaw 2020 aims to protect information and communication systems from cyber attacks and other associated risks. Insiders say that it would not be advisable to do away with external auditing services.
During an external audit, certified auditors check whether the information system has been breached or is leaking data, and whether its controls are adequate for data security, privacy and protection.
An information security audit is a step-by-step assessment of the complete network infrastructure by professional auditors, who examine the equipment and confirm that the latest patches and upgrades have been applied, in order to prevent data leakage.
A security audit, also known as a cyber security audit, is a comprehensive assessment of any organisation’s information system.
A comprehensive security audit will assess an organisation’s security controls relating to the physical components of the information system and the environment in which the information system is housed.
It also checks for network vulnerabilities, including public and private access paths and firewall configurations, and reviews how companies collect, share and store highly sensitive information.
In Nepal, according to the management information report of the telecom regulator, there were two telephone service providers and 128 internet service providers operating in the country as of mid-April.
In the fiscal year 2020-21 when the Cyber Security Bylaw was introduced, only three service providers—Ncell Axiata, Smart Telecom and Techminds Network—had submitted their internal information system and cloud audit reports to the regulator.
With regard to external audit, Subisu Cable Net and Vianet Communications were the only two telecommunications service providers to submit their reports.
In fiscal 2021-22, only 11 telecommunication service providers had submitted their internal information system and cloud audit reports to the authority. They were AccessWorld Tech, Airlink Communication Service Provider, CG Communications, Cosmic Net, Ncell Axiata, Pathivara Network, Pokhara Internet, Smart Telecom, Subisu Cable, Techminds Network and Unified Communications.
Meanwhile, six telecommunications service providers, namely AccessWorld Tech, Airlink Communication Service Provider, Ncell Axiata, Pokhara Internet, Smart Telecom and Subisu Cable Net submitted their external information system and cloud audit reports.
State-owned Nepal Telecom has not submitted either internal or external audit reports. Nepal’s largest internet service provider, WorldLink Communication, too, has not handed in its audit reports.
The Cyber Security Bylaw 2020 requires companies to conduct an internal security audit of network, system and critical infrastructure every six months. They have to submit external audits annually to verify compliance with international standards.
The bylaw states that service providers must rectify the vulnerabilities and gaps identified in the auditors’ reports as soon as possible.
“This is sheer negligence. The service providers are ignoring the audit to become transparent. This is because of weak implementation of the law,” said Santosh Sigdel, founder chairman of Digital Rights Nepal, an advocacy group to strengthen civic space and digital rights.
“It seems that service providers are ready to pay the fine rather than conduct audits,” said Sigdel. “The loose information system makes it vulnerable to attacks or data misuse. This is a serious issue,” Sigdel said.
Paramatma Bhattarai, spokesperson for Nepal Telecom, claimed that the company had conducted an internal security audit in the last fiscal year. “I do not know why the telecom regulator did not endorse our report,” he said.
Ncell said it has accorded top priority to cyber security and data privacy. “At Ncell, we conduct both internal and external security audits as mandated by the bylaw,” the company said in an email to the Post.
“As a responsible corporate, Ncell always abides by the law and has also been submitting the Internal Cyber Security Audit report to the Nepal Telecommunications Authority.”
The service providers, including Ncell, have asked the regulator to remove the data encryption requirement while amending the bylaw. Data encryption protects the confidentiality of data by converting it into ciphertext that can only be turned back into readable form by whoever holds the corresponding decryption key.
“The service providers are saying that it is not possible to apply data encryption in all cases,” said Mishra.
Under the bylaw, companies must store sensitive data in hashed or encrypted form. Hashing is one-way and suits data that only ever needs to be verified, such as passwords; encryption is reversible with the key and suits data that must be read back, such as subscriber records.
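To make the hash-or-encrypt requirement concrete for the verification-only case, the following is an added example written for this page; it is not code from the bylaw, the regulator or any of the providers named here. It places an unsalted SHA-256 password store (the pattern a competent auditor would flag) beside a salted, iterated PBKDF2-HMAC-SHA256 store with constant-time verification, using only Python’s standard library. The iteration count, salt length and the `pbkdf2_sha256$iterations$salt$digest` record format are assumptions for illustration. The reversible branch (encrypting subscriber records with an authenticated cipher such as AES-GCM under a managed key) is not shown.

```python
import hashlib
import hmac
import os

# Illustrative parameters, not values taken from the bylaw or any provider.
KDF_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16            # per-password random salt


def store_password_weak(password: str) -> str:
    """Unsalted SHA-256: deterministic, so two subscribers with the same
    password get the same digest, and precomputed tables recover it quickly.
    Shown only as the pattern to avoid."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. Returns a self-describing record
    in the assumed format: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS
    )
    return f"pbkdf2_sha256${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the
    record and compare in constant time; malformed records never verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds
    )
    return hmac.compare_digest(candidate, expected)


def same_digest_for_same_password(store) -> bool:
    """True means the store reveals that two accounts share a password."""
    return store("Sunflower2021!") == store("Sunflower2021!")


if __name__ == "__main__":
    record = store_password("Sunflower2021!")   # constructed sample password
    print(record)
    print(verify_password("Sunflower2021!", record))            # True
    print(verify_password("sunflower2021!", record))            # False
    print(same_digest_for_same_password(store_password_weak))   # True: leaks
    print(same_digest_for_same_password(store_password))        # False
```

Storing the algorithm and iteration count inside each record is what lets an operator raise the work factor later and re-hash accounts on their next successful login, rather than forcing a password reset across the subscriber base.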
Sudhir Parajuli, president of the Internet Service Providers’ Association Nepal, said that most of the internet service providers had submitted their internal information system audit reports to the regulator.
“But small service providers are not able to conduct the external audit that costs Rs800,000,” he said.
Parajuli, who is also the president, founder and board member of Subisu Cable Net, said that the telecom regulator had shortlisted around 10 companies authorised to conduct external audits.
“The licence fee of an internet service provider is Rs300,000 for five years, and paying another Rs800,000 for an audit annually is not possible for many small operators,” said Parajuli.
“Telecommunications service providers are earning billions but they are defying the rules, which has endangered data security, privacy and protection of customers,” said digital rights activists.
The government has recently formed a high-level panel to prepare a draft report to implement a cyber security policy.