
Rethinking cyber insurance and what to consider beforehand

Source: Finance Derivative

By Niall McConachie, regional director UK & Ireland at Yubico

To mitigate the potential reputational and financial implications of a cyberattack, CISOs should always be aware of emerging trends across the cyber threat landscape. With cyberattacks becoming increasingly powerful and complex, more and more organisations are considering cyber insurance – either for the very first time or for expanded coverage.

However, cyber insurance premiums are also becoming more costly, by 150-300 per cent in some instances. When approaching an insurer, applicants must do their due diligence before entering negotiations for better premiums on policies that will pay out in dire circumstances.

Considerations before opting for cyber insurance

Most cyber insurers operate by assuming that data breaches are rare events, and only pay out in the most critical cases. However, reports reveal that over 81 per cent of UK businesses were targeted by at least one cyberattack within the last year. With the increased volatility and frequency demonstrated by today’s cyberattacks, insurance providers have also increased the costs of their premiums, needing to offset surges in customer policy pay-outs. Cyber insurance pricing in the UK has consequently increased by 20 per cent thus far, and is only expected to rise.

The value of cyber insurance should not be underestimated, as policies can be a determining factor in ensuring the continuity of a business. However, insurance policies only help to recuperate financial losses following a cyberattack and do not offer cybersecurity preventative measures. Therefore, it’s the customer’s responsibility to implement the measures needed to thwart an emerging attack from the start.

Insurance applicants with proof of robust protections already in place will be offered a lower premium than other applicants, as they are less likely to make a claim soon after. Therefore, organisations looking to take out cyber insurance coverage should first consider these six factors to successfully prevent a cyberattack from occurring.

  1. Protect the remote workforce

There are more employees working from home than ever before, on either a hybrid or fully remote basis. Subsequently, the decentralised security which resulted from these work models has caused the number of emerging attack vectors to soar. This has not been ignored by cyber insurers. Cybercriminals are not shy to prove just how advanced their attack capabilities truly are, with hackers no longer breaking in, but simply logging on via stolen login credentials. In fact, weak and stolen login details contribute to over 80 per cent of successful cyberattacks. Thus, CISOs must think beyond firewalls, web proxies, and data protection. Instead, robust multi-factor authentication (MFA) should be the way forward to ensure the protection of remote workers.

  2. Be aware of policy changes

With customer policies, cyber insurers will avoid paying out large sums – or at all, if possible. To prevent this, it’s important to document the downtime and all losses from the first instance of a cyberattack or security-related event. Insurance providers will also want to reduce losses of their own. In doing so, insurers may allocate items of a protection policy into specific categories such as identity protection, hardware and system replacements, ransomware pay-outs, and losses due to downtime. Before, these categories would have been offered as one customer package. However, nowadays, it is customary for these items to be separated. This prompts insurance agencies to spread the risk through reinsurers, making cyber insurance policies even more difficult to navigate as a result.

  3. Last-minute security initiatives

If an organisation needs cyber insurance quickly, there may not be enough time to go through a full round of security updates. Instead, organisations in these circumstances can implement quick cybersecurity initiatives to include in their applicant profiles. These last-minute initiatives can include improved cybersecurity measures, implementing MFA solutions, or enforcing business-wide cyber training.

  4. Execute a business-wide review

According to the US’s National Institute of Standards and Technology (NIST) Risk Management Framework, cyber risk evaluations must be scheduled regularly to review any internal and external threats. This process should incorporate a thorough assessment of all user permissions, including IT administrators and critical staff. It’s also important to decide what the most valuable data is and focus cybersecurity efforts on security breach cases that are most likely to occur.

Implementing business-wide MFA should be the minimum objective when performing a cybersecurity review. Following a thorough review, applicant organisations should share the detailed results with the insurer, as this will position the organisation more favourably to negotiate their coverage premiums.

  5. Passing the insurer’s requirements

Most often, cyber insurers will require a cyber vulnerability evaluation by applicants to assess any existing security gaps and other possible concerns. As global governments continue to implement additional cybersecurity regulations, the use of usernames and passwords will no longer be enough to pass minimum cyber insurer requirements or new de facto industry standards. Previously, the minimum applicant requirement was met with just a CISO’s signature to verify that standards were being followed. This is no longer the case as insurance companies now require more exhaustive processes – especially when it comes to higher-risk or higher-liability policies.

  6. Ensuring a policy pay-out

It is important for applicants to follow best practices to ensure they have a complete understanding of what the insurance policy will involve and that their most critical assets are insured appropriately. Therefore, organisations should review all proposed insurance policies with the same amount of scrutiny as the insurer may have when assessing new customers.

Additionally, applicants should be wary of generic cyber insurance policies, as the insurer may have their own set of specific cyberattack scenarios, how they may occur, and what attack vectors they should be aware of. Here, enlisting the help of a qualified legal consultant familiar with cyber insurance policies can greatly benefit applicant organisations. With a consultant’s help, stakeholders can set their own specific cybersecurity vulnerabilities to be covered by insurance.

Organisations should only sign an insurance agreement with full confidence in their decision. Only once the specifics of the policy are understood and accounted for can the applicant organisation make an informed decision about which cyber insurance policy is truly right for them.


Resilient technology is the most important factor for successful online banking services

Source: Finance Derivative

By James McCarthy, Director of Solutions Engineering, NS1

More than 90 percent of people in the UK use online banking, according to Statista and of these, over a quarter have opened an account with a digital-only bank. It makes sense. Digital services, along with security, are critical features that consumers now expect from their banks as a way to support their busy on-the-go lifestyles.

The frequency of cash transactions is dropping as contactless and card payments rise and the key to this is convenience. It is faster and easier for customers to use digitally-enabled services than traditional over-the-counter facilities, cheques, and cash. The Covid pandemic, which encouraged people to abandon cash, only accelerated a trend that was already picking up speed in the UK.

But as bank branches close—4865 by April of 2022 and a further 226 scheduled to close by the end of the year, Which? research found—banks are under pressure to ensure their online and mobile services are always available. Not only does this keep customers satisfied and loyal, but it is also vital for compliance and regulatory purposes.

Unfortunately, their ability to keep services online is often compromised. In June and July of this year alone, major banks including Barclays, Halifax, Lloyds, TSB, Nationwide, Santander, and Monzo, at various times, locked customers out of their accounts due to outages, leaving them unable to access their mobile banking apps, transfer funds, or view their balances. According to The Mirror, Downdetector, a website which tracks outages, showed over 1500 service failures were reported in one day as a result of problems at NatWest.

These incidents do not go unnoticed. Customers are quick to amplify their criticism on social media, drawing negative attention for the bank involved, and eroding not just consumer trust, but the trust of other stakeholders in the business. Trading banks leave themselves open to significant losses in transactions if their systems go down due to an outage, even for a few seconds.

There are a multitude of reasons for banking services to fail. The majority of internet-based banking outages occur because the bank’s own internal systems fail. This can be as a result of transferring customer data from legacy platforms which might involve switching off parts of the network. It can also be because they rely on cloud providers to deliver their services and the provider experiences an outage. The Bank of England has said that a quarter of major banks and a third of payment activity is hosted on the public cloud.

There are, however, steps that banks and other financial institutions can take to prevent outages and ensure as close to 100% uptime as possible for banking services.

Building resiliency strategies

If we assume that outages are inevitable, which all banks should, the best solution to managing risk is to embrace infrastructure resiliency strategies. One method is to adopt a multi-cloud and multi-CDN (content delivery network) approach, which means utilising services from a variety of providers. This will ensure that if one fails, another one can be deployed, eliminating the single point-of-failure that renders systems and services out of action. If the financial institution uses a secondary provider—such as when international banking services are being provided across multiple locations—the agreement must include an assurance that the bank’s applications will operate if the primary provider goes down.

This process of building resiliency in layers is further strengthened if banks have observability of application delivery performance, and it is beneficial for them to invest in tools that allow them to quickly transfer from one cloud service provider or CDN to another if it fails to perform against expectations.

Automating against human error

Banks that are further down the digital transformation route should consider the impact of human error on outage incidents and opt for network automation. This will enable systems to communicate seamlessly, giving banks operational agility and stability across the entire IT environment. They can start with a single network source of truth, which allows automation tools to gather all the data they need to optimise resource usage and puts banks in full control of their networks. In addition it will signal to regulators that the bank is taking its provisioning of infrastructure very seriously.

Dynamic steering 

Despite evidence to the contrary, downtime in banking should never be acceptable, and IT teams can make use of specialist tools that allow them to dynamically steer their online traffic more easily. It is not unusual for a DNS (domain name system) failure to be the root cause of an outage, given its importance in the tech stack, so putting in place a secondary DNS network, or multiple DNS systems with separate infrastructures, will allow for rerouting of traffic. Teams will then have the power to establish steering policies and change capacity thresholds, so that an influx of activity, or a resource failure, will not affect the smooth running of their online services. If they utilise monitoring and observability features, they will have the data they need to make decisions based on the real-time experiences of end users and identify repeated issues that can be rectified.

Banks are some way into their transformation journeys, and building reputations based on the digital services that they offer. It is essential that they deploy resilient technology that allows them to scale and deliver, regardless of whether the cloud providers they use experience outages, or an internal human error is made, or the online demands of customers suddenly and simultaneously peak. Modern technology will not only speed up the services they provide, but it will also arm them with the resilience they need to compare favourably in the competition stakes.


Solving the Future of Decarbonisation in Real-Time

Source: Finance Derivative

By Jamil Ahmed, Distinguished Engineer at Solace

The energy sector has faced many disruptions and challenges in recent years, from pipeline disruption to the growing demand for hydrogen. However, the most significant of all of these is the global desire to decarbonise. The growing concern over fossil fuels has created intense pressure for businesses to transition towards renewable energy sources and cut carbon emissions. Governing bodies have begun to impose regulations on organisations to force them to cut emissions by 3.4 gigatons of carbon dioxide equivalent (GtCO2e) a year by 2050, which amounts to a 90 per cent reduction in current emissions.

The constant development of markets and digital transformations will only increase the demand for energy in the future across all industries. Therefore, reducing emissions, in reality, is no small feat, however harsh or impressive the targets may be. To make decarbonisation a reality in the near term, businesses must adopt an inward-looking strategy to reduce emissions through their own operations. These are termed Scope 1 emissions and refer to emissions released as a direct result of one’s own current operations. Achieving this requires companies to streamline their operations, and improve their internal visibility to measure and track energy consumption.

Detecting emissions

The major challenge companies face in accurately measuring their energy consumption lies in overcoming the mass amounts of siloed data within their system. These data silos not only diminish productivity but also bury these useful insights, compiled into a mountain of data that is hard to identify and analyse. Ultimately, data silos are a result of organisational infrastructure built for a previous era, one with limited technological adoption, and limited pathways for dataflows. Over time these have created complex organisational barriers.

The lack of data transparency in organisational infrastructure is severely undermining businesses’ ability to gain insight from their existing data. This also impacts their ability to share data with external partners in search of meaningful solutions for decarbonisation. The value of data sharing cannot be overstated when searching for innovative solutions. A recent study shows that 45% of businesses in the energy sector see analytics and innovation as critical tools. With the entire energy sector’s ability to effectively decarbonise hinging on data sharing to drive innovation, gaining greater data insights is non-compensatory.

Another major consideration in decarbonisation is power reliability planning when transitioning to renewable energy sources. Solar and wind energy rely on changeable weather factors for operability, and the varying levels of power readiness in these energy sources make them difficult to implement into the national grid. This makes reliability planning an increasingly complex and important part of the decarbonisation journey, as the sector must test for long-term stability and the potential for energy transfers and storage. A solution must be found that can address these real-time concerns.

Reliability in Real-time

Real-time data is information that is delivered immediately after collation and enables businesses to respond to information at lightning speed. Real-time data has a host of uses in the energy sector, from alerting on major weather changes that may impact power reliability to detecting overheating or electrical wastage in appliances. Each of these information transfers is known as an ‘event’ that requires further action or response.

Real-time capabilities play a major role in overcoming the data transparency issues associated with the sector: their ability to connect interactions across systems and processes could enable energy providers to effectively identify opportunities to reduce energy wastage.

Event-driven Decarbonisation

Enter event-driven architecture (EDA), the structure that underpins an organisation’s ability to view event series that occur in their system. EDA decouples the events from the system so that they can be processed and then sent in real-time as a useful information resource. This can then be analysed by resource companies to assist with optimising decarbonisation initiatives.

The strength of EDA is its scalable integration platform, as this allows companies to manage enormous quantities of data traffic coming from multiple data streams and energy sources. From this, energy companies can develop durable systems by aggregating information. This can then be sent to control systems to identify power outages or extreme weather events and conditions.

To achieve this, an architectural layer known as an event mesh is required. An event mesh enables EDA to break down data silos and facilitate the real-time integration of people, processes and systems across geographical boundaries. Implementing an event mesh also upgrades and streamlines existing systems/processes to enable better data transparency in real-time data sharing. It is unsurprising that given the great benefits of EDA both in terms of its scalability, durability and agility that a recent study found 85% of organisations surveyed view EDA as a critical component of their digital transformation efforts.

Decarbonising for the future

Regulations on the energy sector are rapidly increasing. Most recently, the US Senate passed the Inflation Reduction Act (IRA) on August 6th of this year. This Act signals the intense pressure on the energy sector to immediately undertake significant decarbonisation initiatives. It is designed to accelerate the production of greener and more renewable energy sources such as wind and solar. Once nations like the US have begun higher production of the technology that can harness these energy sources, others will follow suit. The only way the large-scale adoption of renewable energy sources will occur is if businesses build real-time capabilities to become event-driven businesses. Only then can the transition to decarbonisation and achieving net zero become a reality.


Know Your Business (KYB): Exceeding KYC

Source: Finance Derivative

By Victor Fredung, CEO at Shufti Pro

Money laundering costs the UK more than £100 billion a year, according to the National Crime Agency, emphasising the need for stringent ID verification of individuals and businesses.

ID verification, however, remains a moving target. The UK’s fraud prevention community CIFAS has warned of surging ID theft. The National Fraud Database increased by 11% in the first six months of 2021, with almost 180,000 instances of fraudulent conduct filed in the first six months of the year. This reflected the aftermath of the 2008 financial crisis, which recorded a 32% increase in identity fraud the following year. CIFAS is warning UK businesses and consumers to expect a continuation of the steep rise in identity fraud for 2021 and 2022 as criminals exploit businesses under pressure.

Businesses can respond with resilient Know Your Customer (KYC) software and protocols. KYC establishes customer identity; understands customers’ activities; qualifies the legitimacy of funding sources; and assesses money laundering risks associated with customers. To date, almost 6,000 financial institutions are using the SWIFT KYC Registry to publish their KYC data and receive data from their correspondent banks.

KYC regulations and procedures are appropriate when the customer or consumer is a named individual.  However, it’s not enough to verify the identity of individuals. It is also important to verify the identity of businesses.  Know Your Business (KYB) tools and regulations are designed for cases where the customer is a business or corporate entity. KYB is particularly important as criminals seek to exploit crypto currencies which can thwart verification techniques, such as anti-money laundering (AML) and KYC.

KYB verifies businesses by obtaining official commercial register data via APIs. By using the registration numbers and jurisdiction code of a business, a digital KYB service can collect confirmable information for the business. This enables corporate organisations to determine if they are dealing with authentic businesses or fake shell companies. KYB services particularly help financial institutions handling the funds of a large customer base and corporate entities. During this process businesses must improve the customer digital enrolment and authentication experience. End-users resist proving their identity through, for example, showing scans of their bank account statements, and may abandon service providers whose online enrolment processes increase friction.

Usefully, KYB’s access to automated commercial registers through a data-powered business verification service expedites due diligence and eliminates errors. With advances in digital technologies and virtual data sets, KYB compliance and verification tools can mark businesses involved in undercover activities, gathering background data on the company including the registered address, status, company type, ultimate beneficial ownership structures, previous names and trademark registration. A financial summary of the company’s operational accounts is also provided by the authentication service, to help validate its authenticity.

Here, Artificial Intelligence (AI) can come into its own, determining the identity of individuals and the financial risk attached to that person with AML Compliance solutions. AML services can check the involvement of an individual company in any watchlist or financial risk database, at scale. Machine learning algorithms can detect forged documents or disguised ownership structures. Nationality verification and geolocation targeting can determine the true country of origin of international clients and the jurisdiction of the company.

However, adoption of KYB processes has been sluggish: last year research undertaken by kompany indicated only 5% of financial institutions (FIs) have an automated B2B or corporate banking onboarding process, with 75% of FIs still relying on Google searches to identify Ultimate Beneficial Owners (UBOs), annual filings and financial accounts. Financial services organisations also struggle to manage the complexity of KYB, and the siloed approach to managing information within an FI can make KYB adoption more challenging.

A further challenge for KYB compliance lies in accessing beneficial ownership information, especially in jurisdictions that do not require companies to submit relevant documentation. A lack of shareholder information makes it harder to investigate money trails and business authenticity. Timely availability of data, across international borders in the right format, is another hindrance, especially as company structures and management change over time. This is why geography and industry specific vendors will be of value to businesses needing to conduct ID checks. It is also why businesses must find the right vendors who can be a one stop shop to manage their KYB adoption and must prioritise the user-experience for frictionless onboarding and regulatory compliance.

Banks have experienced difficulties with KYC verification for their customer onboarding, transaction authentication, and remote banking services. This is why they may find it hard to trust a KYB service provider. However, FIs and businesses face a pressing need to determine the ultimate beneficial ownership structure of the corporations they are dealing with. The need for a credible, cross-border KYB provider has rarely been more pressing, and according to Forrester, Know-your-business IDV will ‘make or break’ Identity Verification players.

Know-your-business IDV can make a critical difference in identity verification. With the increase in B2B commerce it has become more urgent to verify both individuals and organisations and their representatives.

The cost of not adopting KYB technology is dwarfed by the prospect of data breaches, fraud and reputational damage. For financial institutions, legitimacy and verification of the business is key for growth. The software solutions exist and are ready to be implemented.


Copyright © 2021 Futures Parity.