THE INSURANCE INDUSTRY’S SAVING GRACE: AUTOMATED CYBER RISK QUANTIFICATION

By Miles Tappin, VP of EMEA at ThreatConnect

 

The emergence of sophisticated attacks, particularly ransomware, has placed a cloud over the cyber insurance market. As a result, in recent years, more firms have sought insurance protection to transfer risk and ultimately safeguard themselves and their customers. However, neither carriers nor those seeking insurance have the capacity to automate cyber risk quantification.

The sophistication of cyberattacks and their frequency has resulted in a rise in demand for policies and rising prices. Several carriers have increased rates by 30% to 50%, as well as enacting more stringent policy terms and coverage restrictions. According to some insurance brokers, carriers have reduced the amount of coverage offered by millions, and at least one major insurer, European insurance giant AXA, has stopped providing ransomware coverage altogether.

Ultimately, the cyber insurance industry is confronted with three major problems. First, when it comes to obtaining data and analysing a company’s cyber risk exposure, insurance underwriters use a very manual, point-in-time method, and they are unable to link loss data to vulnerabilities, insufficient controls, misconfigured hardware or software, or an attacker’s ability to successfully infiltrate a vital application or system. Second, security evaluations are performed only once before binding coverage and are not repeated until the policy is due to be renewed. Third, security evaluations performed on behalf of an underwriter are frequently never disclosed to the firm seeking insurance.

Urgent need to automate the quantitative process

It’s hard to believe, but just one year ago, most cybersecurity insurance questionnaires consisted of fewer than ten questions, and underwriters would give companies 60 to 90 days to get the required controls in place. Today, most applications involve dozens of questions, are still highly manual, and companies only get 30 days to get their security controls in order.

Today’s manual application process means underwriters are writing policies based on guesswork that is only valid on the day it was produced. Thus, the requirement to automate the quantitative process could not be more urgent.

Automated cyber risk quantification is now a reality. Organisations should move quickly to understand their business more accurately and prioritise efforts so that critical business processes, applications, and data are protected. Automated CRQ provides three specific benefits. It enables companies to proactively model and predict risk, mitigate and monitor for changes and see ‘what-if’ scenarios and recommendations that drive smart actions, mitigation, and response.

 

The Operationalisation of Risk Data

Cybersecurity insurance is different from other forms of insurance primarily because cyberattacks involve two things insurance can’t measure — the attacker and the defences they try to beat.

The struggle to understand loss exposure in cybersecurity isn’t the lack of loss data – it’s the lack of being able to correlate it to a vulnerability, a deficient control, a misconfigured software or hardware, or the ability of an attacker to reach a critical system or application.

Risk quantification automatically enters data into a risk model and automation engine. Those inputs include data from your organisation as well as industry, attack, and vulnerability data aggregated through various sources. That information is then applied to the risk model and automation engine to determine the financial impact of cyber risks and the probability of success of specific attacks.

These calculations drive a variety of other activities within risk quantification that lead to the operationalisation of information across the rest of your organisation, including:

  • Prioritisation of vulnerabilities – not only by CVSS score but by relevance in terms of the financial impact to your
  • ‘What-if’ analysis to help you understand what specific effects certain changes may have on your cyber risk before making those
  • Producing short- and long-term recommendations on how specific changes may affect Annual Loss Expectancy (ALE) and providing guidance into any ‘low hanging fruit’ that may
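As an added illustration of the three outputs just listed (not ThreatConnect’s model and not code from this article), the Python sketch below runs a toy risk model over constructed data: asset values, exploit probabilities and loss fractions are invented, the CVE identifiers are placeholders, and ALE is computed with the standard single-loss-expectancy times annual-rate-of-occurrence definition, which the article does not spell out.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vulnerability:
    cve: str                    # placeholder identifiers, not real CVE numbers
    application: str            # application the vulnerability sits in
    cvss: float                 # technical severity score
    annual_probability: float   # estimated P(successful exploitation per year)
    loss_fraction: float        # share of the application's value lost per incident


@dataclass(frozen=True)
class Mitigation:
    cve: str                    # vulnerability the control change addresses
    cost: float                 # one-off cost of the change
    new_probability: float      # annual_probability after the change


# Constructed sample data: business value of each application and the
# vulnerability findings the organisation has fed into the model.
ASSET_VALUES = {"billing": 4_000_000.0, "intranet-wiki": 150_000.0}

VULNS = [
    Vulnerability("CVE-PLACEHOLDER-1", "intranet-wiki", 9.8, 0.40, 0.5),
    Vulnerability("CVE-PLACEHOLDER-2", "billing", 6.5, 0.20, 0.6),
    Vulnerability("CVE-PLACEHOLDER-3", "billing", 4.3, 0.05, 0.1),
]

MITIGATIONS = [
    Mitigation("CVE-PLACEHOLDER-1", cost=2_000.0, new_probability=0.04),
    Mitigation("CVE-PLACEHOLDER-2", cost=50_000.0, new_probability=0.02),
    Mitigation("CVE-PLACEHOLDER-3", cost=100_000.0, new_probability=0.0),
]


def ale(v, assets=ASSET_VALUES):
    """Annual Loss Expectancy = single loss expectancy x annual rate of occurrence."""
    sle = assets[v.application] * v.loss_fraction
    return sle * v.annual_probability


def prioritise(vulns, assets=ASSET_VALUES):
    """Rank vulnerabilities by expected annual loss rather than by CVSS alone."""
    return sorted(vulns, key=lambda v: ale(v, assets), reverse=True)


def what_if(vulns, cve, new_probability, assets=ASSET_VALUES):
    """Total ALE before and after one control change lowers a vulnerability's probability."""
    before = sum(ale(v, assets) for v in vulns)
    changed = [replace(v, annual_probability=new_probability) if v.cve == cve else v
               for v in vulns]
    return before, sum(ale(v, assets) for v in changed)


def recommend(vulns, mitigations, assets=ASSET_VALUES):
    """Rank candidate mitigations by ALE reduction per unit cost (top entries = low hanging fruit)."""
    scored = []
    for m in mitigations:
        before, after = what_if(vulns, m.cve, m.new_probability, assets)
        scored.append((m.cve, before - after, (before - after) / m.cost))
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    print([v.cve for v in prioritise(VULNS)])          # billing CVE first despite lower CVSS
    print(what_if(VULNS, "CVE-PLACEHOLDER-2", 0.02))   # (530000.0, 98000.0)
    print(recommend(VULNS, MITIGATIONS))
```

With this data the highest-CVSS finding sits on a low-value wiki and drops to second place once expected loss is considered, while the cheap wiki fix still tops the recommendation list because it buys the most ALE reduction per pound spent.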

 

Tolerate, Treat or Transfer?

Given the advanced capabilities of cyber adversaries and their tactics, techniques, and procedures, the current cyber insurance model almost guarantees that insurance carriers will be forced to pay claims. As a result, point-in-time assessments that are manual guesswork are inadequate for protecting enterprises from the onslaught of cyberattacks.

Being able to track cyber financial risk over time, understand the impact of budget decisions, and ultimately justify spending is now driving business decisions on which risks to tolerate, treat or transfer.

While the first step is to understand your organisation’s exposure in financial terms, the next is to decide how to mitigate risk. Risk quantification models draw on many different types of attackers and attacks that may infiltrate an organisation, together with its controls, vulnerability data and critical applications.

Most risk quantification customers have their controls actively updated inside the tool to assess which applications are most vulnerable. Also, they provide vulnerability data that allows risk quantification to provide short-term recommendations on Common Vulnerabilities and Exposures (CVEs).

The capabilities of risk quantification can give insurance underwriters and their clients a clear picture of inherent and residual risk in a dynamic fashion. Not only is the threat landscape and the parts of it that are relevant to your business changing, but the controls, applications, endpoints, and type of data present in your environment are changing as well. Risk quantification enables you to apply these changes instantaneously to your models, allowing cyber risk measurement to move beyond point-in-time assessments and become programmatic.

 


JUMP-STARTING PROCUREMENT TRANSFORMATION WITH A CLEAR AND REALISTIC PLAN

By Alex Klein, COO at Efficio Consulting

 

Following a period of ongoing economic uncertainty, business spend has risen high up on the C-Suite agenda, with the procurement function shifted into the hot seat as the enablers of not only rapid cost-cutting but future profitability. In fact, according to Efficio’s experts and authors of recently released PROFIT FROM PROCUREMENT, companies that break down the silos between departments and effectively optimise the procurement function can expect to add 30% to their bottom line.

But where to begin? In order to successfully embark on a roadmap to profitability, a concrete and realistic plan must be put in place – one that has clear objectives and actions agreed amongst all involved. Unfortunately, this is not something that can be achieved overnight. As with anything worth having, this involves a program of gradual transformation and is likely to take no less than 18 months to really drive an impact. With a long lead time to success, the CPO must ensure that the program makes the desired splash – proving its value and keeping internal stakeholders engaged throughout. This requires a plan that will have a high impact, high visibility, cross-functionality, and be fully resourced. Only then can procurement’s profit potential be truly unleashed.

 

Take a step back and listen

When embarking on a Procurement Transformation mission, getting to know the key stakeholders involved will be a crucial first step to getting the project off the ground. Whether that be the CEO, CFO, functional heads, or business unit heads – the CPO must take the time to listen and understand their expectations, needs, and requirements before a vision for the road ahead can be formed.

Suppliers are often forgotten in this mix, yet they are equally as crucial. Questions need to be asked, such as – what improvement options do they see? How could they help us to reduce cost? And how can we help them in return? What each stakeholder wants from procurement, and where they see value will likely differ, so it is important to have all cards on the table upfront. Not only should these considerations sit at the heart of your plan, but they can actually assist in making it a reality.

 

Determining the desired outcomes

Next up, and at the top of the pyramid that comprises your plan, needs to be a clear vision. Whilst the outcome of your efforts may seem pre-defined – such as, to cut costs and release profitability – the scope of this can span as wide or as narrow as you’d like. Now is the time to consider how far you want to stretch this outcome, and the only way to determine this is to ask yourself, “what does the next level of procurement look like in my organisation”?

This procurement vision, of course, needs to link back to the business’s overall corporate strategy. For example, if the business is looking towards aggressive growth, procurement should help facilitate this by aiming for scalability. If the strategy is to rapidly digitise, procurement can play a part in digitising the supply chain.

As part of this vision, the CPO must also consider their desired role and remit. For example, how do you see procurement’s way of working changing? How do you see your procurement people interacting with the rest of the business? What do you want your suppliers to say about you? Once defined, a clear ambition can keep Procurement Transformation on track and aligned. Without it, and with every stakeholder having varying needs, the desired outcome can quickly become lost.

 

Establishing a step by step improvement plan

So, you now have a solid vision – you’ve spent time listening to your internal customers – surely, you’re now ready to focus on getting there? Not so fast – you now need to think about the various facets of the function, including the organisation, people, and processes, to establish where you currently stand. This will act as a baseline from which a roadmap can then be developed, and it will require set objectives along the way to keep the journey on track. “House of Procurement” tools can be particularly effective here – these frameworks break down the procurement function in terms of strategy, organisation, people, processes, and systems, marking each against a benchmark of bad, average, and good. By plotting against this framework, you can tackle transformation in chunks, setting concrete objectives at a sub-factor level.

Once the current state of play has been established, the goal can then be plotted at the other end of the roadmap, with the activities needed to reach this end goal plotted in between. Key to plotting such a roadmap will be a review of which activities matter, what people are doing currently, and whether these tasks are having a meaningful impact. This may require a restructure of the current team, which in turn may mean investing in additional strategic procurement resources as well as upgrading internal capability.

Nevertheless, this plan must be granular, and it must be actionable. It is all well and good having great ambition, but it is nothing unless you know exactly how and what it takes to get there. Transformation takes time, and it will certainly not happen overnight, so make sure to break down your roadmap into smaller, more achievable chunks. Rather than focusing on a single end goal 18 months down the track, ensure you have milestones to aim for after month three and month six that contribute to the overall picture. Assembling such a plan is no easy task, but it is the very foundation needed for procurement teams to jump-start transformation.

So, what comes next? Buy in from the rest of the business of course. After all, a plan can only be successful once it has board level approval and sufficient investment. In part two of this series, Alex Klein will explore the stages that follow, including: developing a savings execution plan, building a business case for procurement investment, and ensuring program structure and governance.

 


THE IMPORTANCE OF MANAGING DATA RISK IN THE FINANCE FUNCTION 

Written by Steph Charbonneau, Senior Director of Product Strategy, Vera by HelpSystems

 

CFOs and financial controllers play a pivotal role in how organisations evaluate and manage data risk. Analyst firm Gartner reports that more than 30% of organisations will use financial risk assessments of their data assets to prioritise investment choices for IT, analytics, security, and privacy by 2022.

Data is particularly at risk within the finance function. Sensitive data such as customer and supplier information, financial statements, and personnel records are processed and shared daily, both inside the organisation and with vendors outside it. The finance team communicates with banks, auditors, and lawyers on a regular basis, and while laws and policies exist to provide protection, there’s no certainty as to where your data could end up, and you can’t control it once it is sent. Information that resides outside the organisation’s security perimeter is accessible with equal permissions, meaning access is not restricted once someone gains it.

 

Assess Your Vulnerability

All of this presents an immense risk. Understanding what the risks and potential costs are is an important component of organisational planning. How would the organisation react if sensitive information were disseminated to the wrong audience? What could it cost? Simply thinking ‘it won’t happen to me’ or assuming a party erroneously receiving sensitive data will act with integrity and delete the information can no longer be justified. Data breaches are common and can have a significant impact on your business.

The financial risk of a data breach is typically the cost of lost revenue, compliance challenges, cost of litigation, privacy regulation penalties, and reputational damage. Revenue-loss risk and litigation-cost risk are tangible impacts that can be measured. However, it is more difficult to quantify the probability. On that front, understanding your data’s level of vulnerability is important. If you are SOC 2 compliant, your risk will be mitigated by the controls within the internal bounds of your system. On the flip side, it is difficult to assess the probability for data that leaves your repositories. Internal compliance, including SOC 2, cannot address it.

Thankfully, there’s a multitude of methods to protect assets and minimise your cyber risk. Consider securing and managing your data with technology like digital rights management (DRM), data loss prevention (DLP), data classification and security information and event management (SIEM) software. There are network controls you can put in place, and you should have a process for evaluating the security of any apps you use to minimise your vulnerability. Evaluate your cyber risk holistically to ensure nothing slips through the net; otherwise your vulnerability remains.

 

Implementing Data Security Best Practices

Cybersecurity can be very complex depending on the size and industry of the organisation. New attack methods and new technologies to deal with those attack vectors show up all the time. To maximise efforts at assessing security risk, allocate resources so the most effective tools and strategies (such as encryption or digital rights management) are used to protect the most important information assets.

Finance leaders should follow these best practices to manage their team’s cyber risk.

  • Identify exposures in either tools or processes and work with the IT team to close the gaps in security.
  • Classify your files and with it, understand where your sensitive data is located and how access is provided to parties that need it, especially those outside your organisation. Company policies and processes often overlook, or have no direct control of, data outside the organisation so this awareness is important.
  • Adopt a zero-trust approach to protecting your sensitive data and implement technology that allows you to manage your risk. Software such as digital rights management, for example, protects your most valuable data assets no matter where they travel, allowing you to secure, track, audit, and revoke access if data accidentally or maliciously falls into the wrong hands.
  • Educate and train finance team members to recognise and manage risk. Employees need to understand the importance of the data they are using and have access to the right tools and processes so that it is handled correctly.

 

Protect Your Most Valuable Assets

Evaluating an organisation’s cyber risk starts with clearly understanding the company’s risk tolerance. Is the organisation risk tolerant, or extremely risk averse? The answer may differ depending on what needs to be protected and what industry you operate in. In the finance function, what level of risk are you willing to accept and still justify and defend to stakeholders? Start by identifying those assets where the risk is unacceptable and where access needs to be carefully controlled and managed and focus your execution from there.

 
