Technology

MODERNISING THIRD-PARTY CYBER RISK MANAGEMENT: WHOSE RISK AGENDA ARE YOU TRYING TO SATISFY?

– Ewen O’Brien, Head of Third-Party Managed Cyber Risk Service, BlueVoyant

 

Managing third-party cybersecurity risk in today’s highly connected businesses isn’t easy. Security and risk management teams are pulled in competing directions as they respond to the demands of regulators – echoed by the Board – to comply with legislation. Simultaneously they need to monitor and mitigate emerging risks that don’t appear on a regulator’s checklist but could have a critical impact on the business. The tension between competing risk agendas stretches in-house resources to breaking point and raises the possibility that, when new risk surfaces in the supply chain, the business is busy looking the other way.

Part of the problem is measurability. It is easier to understand, measure and demonstrate compliance with regulations than it is to understand the complex issues of devolved cyber risk in the supply chain. It is hard to put a value on the actions that prevent a breach from happening in the first place, whereas it is simpler to point to the penalties avoided when regulatory compliance is achieved. This can lead organisations to focus attention on the compliance side of the balance rather than on the deeper challenge of identifying vulnerabilities in the extended supplier ecosystem.

As a result, actions do not always genuinely reduce risk for the organisation. Also, an unhelpful assumption remains that some supply chain cyber risk, especially that coming from the long tail outside an organisation’s tier one vendors, is inevitable and unavoidable.

Attempts to resolve the tension and make third-party cybersecurity management more quantifiable have only partly succeeded. Security ratings, for example, which deliver an objective benchmark of a vendor’s security posture, are helpful to a point. But they need to be viewed in the context of the vendor’s relationship to your business – a vendor might achieve a relatively good rating, but if there is zero tolerance in the business for that risk, good might not be good enough.

And it is also worth considering that even if a partner has a good cybersecurity rating, it doesn’t mean they won’t get breached, in the same way that compliance with regulations is no guarantee of protection. So, what is the way forward? How can organisations gain genuine, actionable insight into the risk in their supply chain while also satisfying regulatory requirements, using the resources they have? It’s a case of knowing where to look and what to look for.

 

Where to look: beyond tier one vendors

The issue most businesses face when managing supply chain risk is scale. With thousands of existing vendors and new ones coming onboard every week, the size of the task is immense. That’s when businesses settle for the theory that the biggest vendors represent the biggest risk and devote resources to assessing and monitoring tier one suppliers. However, this is a dangerous assumption. The aggregate risk from vendors outside tier one more than outweighs those big suppliers. In fact, attackers know that big brands have better security; they are much more likely to target the lower tier, less well-defended partners that can give them a route into the targets they’re looking for. Yet those lower tier partners are typically relegated to annual point-in-time compliance questionnaires, leaving a significant blind spot between assessments.

A classic example of this third-party risk and scale problem was the 2017 NotPetya attack. In this attack, the servers of Ukrainian software company Linkos Group, vendor of the accounting package M.E.Doc, were hacked and trojan software was injected. This went on to infect M.E.Doc customers, ultimately crippling multinational companies from shipping giant Maersk to food producer Mondelēz and many more. At the time, this attack was assumed to be highly sophisticated and a situation where the victims could have done little to prevent it. But that is not wholly true; the attack was bold, but not complex. The real danger lay in the fact that Linkos was simply not important enough in any of those large companies’ hierarchy of suppliers to be the focus of cyber risk scrutiny. If it had been, a simple scan likely could have identified its security failings and the potential risk it posed.

Scaling a risk program to cover the long tail of the vendor ecosystem and flag material risks that may have previously been beneath the radar has to be done in an intelligent way, acknowledging that information overload is a key problem. The data is obtainable and automated systems can gather it, but its sheer volume is unmanageable – if you have a team of six risk managers and an ecosystem of 10,000 vendors, a 100-page report on each vendor is almost as bad as no data at all. Add to this the high volume of false positive alerts generated by automated systems and the problem becomes even more untenable.

Ultimately, data must be viewed and prioritised through a lens that takes into account the business’s risk appetite and sector-specific risks, the frameworks and regulations with which it must comply, and the importance and extent of each vendor’s links to the organisation. Here, knowing what to look for is key to identifying and prioritising risk.

 

What to look for: trends and exceptions

It is not possible to analyse the detail of absolutely everything that is happening through the vendor ecosystem. Instead, identify the important emerging trends and exceptions and focus on what they mean for your business. At BlueVoyant we ask clients to identify a set of critical factors and key indicators, including business-specific issues and regulatory requirements, that we use to carry out thematic investigations across the ecosystem – informed by external threat detection datasets – to identify where risk lies. We map this to the organisation’s frameworks and reporting requirements, so the data has context for the business. The results make sense of the data and allow us to advise clients on how they can efficiently triage risk alerts, eliminate false positives and prioritise actions so they focus resources where they will have greatest impact – both in terms of reducing organisational risk and satisfying compliance demands.

Ultimately, we do the heavy lifting of data collation and analysis and present the outcomes in the context of the genuine risk posed to the business, together with recommended actions and the facility to implement and manage those actions to achieve resolution, if required. This means risk managers can unify and satisfy competing risk agendas and deliver clearly evidenced value back to the business in terms of risks resolved, rather than drowning in a deluge of data.

This approach, which looks beyond tier one vendors and analyses threat data in context closely aligned to the business, is key to modernising third-party cyber risk management and making it achievable by more businesses.

 

Finance

HOW COVID-19 HAS RESHAPED THE PAYMENTS LANDSCAPE

By Mohamed Chaudry, Group Chief Financial Officer of FoodHub

 

The year 2020 may well have sounded the death knell for the saying ‘cash is king’. As the pandemic took over our world, consumer behaviour altered considerably as people embraced contactless payment, e-commerce and delivery services for many of the things we once handed over notes to buy.

Finextra reports that research carried out by YouGov for the ATM network Link found that 58% of Brits are using cash a lot less often thanks to the pandemic, with 54% avoiding it altogether and using alternative payment methods.

Some 76% of those questioned by YouGov added that they think the crisis will affect their future use of cash over the next six months.

 

Adapt to survive

Many businesses, particularly those in the food sector, quickly worked out they needed to pivot and adapt if they were to survive. Social distancing measures, lockdowns and the economic downturn hit the hospitality industry hard.

Safe and convenient online payments provide food businesses with a solid foundation from which to operate. The year 2020 saw the rise of payment gateways and the size of the market is likely to escalate in the coming months, giving online merchants more choice over the gateways they choose to work with.

Many of these platforms are embracing the changes in innovative ways, adapting to the altered way of life and creating different ways to facilitate recurring online payments and members’ due models. They can also put in place order ahead services for restaurants and expanded delivery options.

 

‘Seamless’ payments process

As lockdown restrictions continue to drive more people online, the e-commerce industry needs to offer seamless online payments to maximise its soaring popularity. The right payments provider should be able to guarantee security, offer access to fast-growing markets and a plethora of relevant payment methods for each market, all components that provide expansion opportunities and a better consumer experience.

Payment providers allow food businesses to focus on their core business and meet new customer demand while they take over the non-core competency tasks. Platforms such as online food portals need to design their site or app to make it as easy as possible for merchants to onboard and customers to use.

As the use of online payments racks up, online security has never been more important. An increase in online payments inevitably brings an increase in fraud or cyberattacks. Platforms and businesses must ensure customer data is protected. Payment partners can make security a priority, with their greater size and expertise providing an added edge to small businesses that do not have that capability.

 

Building a loyal customer base

Payment security is what will encourage—and keep—customers who haven’t previously used online food portals. Building a loyal, local customer base can encourage businesses to consider expansion—perhaps opening more venues in their region or county or even nationwide.

Promoting the ways in which a platform can benefit customers and a community—in the midst of a pandemic, for example, many people will be conscious that their local takeaway/restaurants, etc., are suffering and they’ll be anxious to help—is another way to broaden a platform’s appeal. An app that doesn’t charge a service fee or take a commission from its partners is one way to do this.

Covid-19 has accelerated consumers’ wholesale move to online payments faster than anyone could have imagined, and they want convenient, relevant and secure payment services for markets that have previously been served mainly by cash or card.

The pressure is on for retailers (and especially food retailers who want to survive) to ensure they can meet this demand.

 

Business

NAVIGATING UNCERTAINTY WITH ACCURATE MACHINE LEARNING

Richard Harmon, Managing Director, Financial Services at Cloudera 

 

2020 will undoubtedly prove to be an unforgettable year. The pandemic has been unforgiving, plunging the UK into a recession, and many industries have faced closure and untold disruption. In the Financial Services sector in particular, 86% of profit warnings in the first seven months of 2020 cited Covid-19. But Covid-19 is not the only thing on the sector’s mind – another sizable challenge looms large on the horizon: Brexit. Individually, both are highly disruptive events; together, they create a double shock wave with a long tail of unknowns. How long will the COVID-19 pandemic last? What will the fallout from Brexit be? How resilient is the UK economy in the longer term? A key topic for discussion is therefore how we will adapt to these seismic events and how technology can help.

 

Predicting the unpredictable

When it comes to planning, Machine Learning (ML) models have become an integral part of how most financial institutions operate, because of their ability to improve financial performance for both businesses and their consumers through data. United Overseas Bank is a key example of a business that has used ML to make its customers’ banking experience simpler, safer and more reliable. By analysing the thousands of files that are uploaded to the platform every day, the ML models have a more comprehensive view of customer and transaction data with which to optimize business processes, design distinctive customer experiences, and improve detection of financial crimes.

However, in these circumstances of heightened uncertainty, the accuracy of ML models comes into question. This is because the majority of ML models that are in use today have been built using large volumes and long histories of extremely granular data. With the world being as unpredictable as it is right now, it will take some time for ML models to catch up and adjust to this year’s events. The most recent example of such complications and abnormalities, at a global scale, was the impact on risk and forecasting models during the 2008 financial crisis. Re-adjusting these models is by no means a simple task and there are a number of questions to be taken into consideration when trying to navigate this uncertainty.

 

Adjusting to the ‘new normal’

The first step is to determine whether the disruption we are facing right now can be defined as a ‘Structural Change’ or a once-in-a-blue-moon ‘Tail Risk Event’. A structural change would represent a situation where the COVID-19 pandemic has had a seismic impact on how the world as a whole, and financial institutions in particular, operate. This would result in the world settling into a ‘new normal’, one that is fundamentally different from the pre-COVID-19 world. This shift would require institutions to develop entirely new ML models that rely on sufficient data to capture this new and evolving environment. On the other hand, if the COVID-19 pandemic is perceived to be a one-off ‘tail risk’ event, then as the world recovers and businesses, financial markets and the global economy return to some sort of normality, they should operate in a similar way to the pre-COVID-19 days. The challenge for ML models in this situation is to avoid becoming influenced and biased by a rare and, hopefully, once-in-a-lifetime event.

 

Readjust and reinvest

There’s no one-size-fits-all solution for businesses. However, there are some key steps financial institutions can take to help them navigate today’s climate:

  • Modify existing models: This is where all data science teams should start. Modifying models can include using the latest data elements while creating scenario-based projections adjusted for various levels of model bias. There is a range of alternative ML-based approaches that can be used to revamp existing models. One of the more innovative approaches to the lack of rich relevant data is a meta-learning approach. From a deep learning perspective, meta-learning is particularly exciting and adoptable for three reasons: the ability to learn from a handful of examples, learning or adapting to novel tasks quickly, and the capability to build more generalizable systems. These are also some of the reasons why meta-learning is successful in applications that require data-efficient approaches; for example, robots are tasked with learning new skills in the real world, and are often faced with new environments.
  • Stress testing: This is a fundamental step as it helps businesses gain a clearer understanding of their vulnerabilities before it’s too late. This isn’t just a job for one team; cross-collaboration from finance leaders to Chief Risk Officers is required to set up multiple, dynamic stress testing scenarios. The learnings from these tests should then be implemented and retested, to ensure businesses are in the best position possible.
  • Industrialisation of ML: If businesses haven’t already done so, now is the perfect time to invest in a platform that supports the entire ML lifecycle, from building and validating processes, to managing and monitoring all of their models across the entire enterprise. Nowadays, enterprises are faced with increasing amounts of data on their customers, entering the organisation from a range of different sources, from the customer service team to social media platforms. For ML models to work at their best, they need to take every stream of data into account, while being able to understand what the different data is saying, and quickly. This can only be achieved with a unified enterprise data cloud platform.
  • Prescriptive Analytics: This approach is complementary to ML and uses simulations for more accurate decision-making for different scenarios, brought on by shocks or market changes. One common approach is Agent-Based Modeling (ABM), a bottom-up simulation for modelling of complex and adaptive systems. ABMs help businesses project thousands of future scenarios without having to depend upon the limitations of historical data.

 

Businesses have had to cope with a lot this year and those that have survived have faced a steep learning curve. When faced with such a crisis, they need to look inwards, towards the technology they have invested in, review whether it’s working in the new circumstances, and whether crucial tools such as ML models are being deployed in the best way possible. Financial institutions shouldn’t look at the issue as a one-off, but instead as a chance to implement longer-term strategies that enable them to prepare and tackle the next crisis head on. Businesses that invest the time now to re-evaluate their ML models are the ones that will set themselves up for success, now and into the future.
