by Ewen O’Brien, VP of EMEA, BitSight
The security ratings market is still relatively immature, but it is growing fast, and as a result there is a good deal of hype from the vendors jostling for position in this space. With a number of offerings to choose from, some of which are marketed in misleading ways, it can be tough for decision makers to cut through the noise and put in place a ratings platform that will truly make a difference to their business.
As someone who has worked in this industry for many years, with deep expertise in ratings, I thought it would be helpful to dispel some of the myths about security ratings, homing in on a number of key areas that I think organisations should consider. Here, in the first of a series of articles, I am putting a spotlight on the importance of integrity and context.
What I often hear in this market is that it is all about getting the highest rating. At a basic level this is true, but the ratings must be robust, stand up to scrutiny and have integrity; without context, a rating may not be meaningful to your stakeholders or your customers.
Before diving into what I mean by context, let me first explain what security ratings are.
Security ratings are a data-driven, objective and dynamic measurement of an organisation’s security performance. Thousands of organisations around the world use security ratings tools to address a variety of critical, interconnected internal and external use cases at scale, enabling more effective decision making throughout their business ecosystem.
Security ratings are useful for managing cyber risk in any inter-organisational interaction where transparency has historically been lacking. They improve an organisation’s ability to manage cyber risk from business partners and to understand the risk posed by a third-party or supply chain relationship. They can be used for insurance underwriting, pricing and risk management, allowing carriers to gain better visibility into the security performance of insureds in order to assess and price risk. Ratings can also be used when investing in or acquiring a company, allowing organisations to perform enhanced cybersecurity due diligence and ongoing monitoring of the investment or the M&A target. And they enable governments to better understand and manage the cybersecurity performance of critical organisations.
Additionally, security ratings are useful for managing an organisation’s internal cyber risk: continually assessing the security posture of one’s own organisation and providing transparency to key stakeholders. They can be used to benchmark and compare performance against industry peers, and they provide greater assurance to customers, insurers, regulators and other third-party stakeholders about your cybersecurity performance.
In short, security ratings provide a comprehensive, outside-in view of a company’s overall cybersecurity posture. Much like credit ratings for individuals, security ratings deliver far more value to an organisation than simply correlating them with data breaches. They are dynamic, constantly monitored and measured, rather than a point-in-time assessment, which means they can quickly highlight any change in security posture. However, a number of vendors in this space essentially let organisations ‘mark their own homework’, allowing them to remove legal entities, divisions or parts of the business that might negatively affect their rating.
Security ratings are based on the digital footprint of a company, with strict governance wrapped around it, and we rate everyone in a consistent way. This matters because there is no point in ‘gaming’ ratings to suit your needs: it is a short-sighted approach to the value of ratings and is not a true reflection of your security posture. Think about this from a personal perspective and how credit ratings work. Imagine if someone applying for a new mortgage were allowed to exclude two recent mortgage defaults to improve their credit score. This would make a mockery of having a credit rating, and exactly the same principle applies to security ratings. A disingenuous approach of this kind might let the security group reduce its workload in the short term (you got the rating the organisation wanted), but will it make the business any more secure, and will it reduce risk? On this point, we lost a large customer a few years back because their security group wanted us to remove certain parts of the business that were not 100 percent owned by them but were absolutely part of their offering and were causing them significant pain. We declined to do this and lost the customer, but we upheld our obligation to the industry to maintain the integrity of our ratings.
The great advantage of examining externally observable data associated with the domains and IP addresses mapped to a rated company is that it can be assessed independently and remotely. Furthermore, because every organisation has a similar kind of footprint, assessments can be compared and contrasted in a standardised way. The disadvantage is that this digital footprint is only a subset of the total digital surface of a business, and this is where context and other factors come into play. Security ratings should be chosen on the basis that they provide contextual ratings: not a way of gaming the system, but a way of giving true context to particular scenarios.
Most organisations do not operate as one big silo; they align their infrastructure to product lines, geographic regions, divisions and segments. So we provide a global or primary rating, which can be combined with a self-published rating through which companies can monitor and manage segments of their business whose structure only they have visibility into. For example, a company can monitor its regional offices and compare them, or break out ratings for specific product lines.
These self-published ratings can be used for internal purposes or shared with other users. Combined with primary ratings, they provide a level of context that no one else in the security ratings industry can match. Where competitors often take a company’s word that an identified issue should not be a concern and remove the item from their records, it is important to remain objective and instead create mechanisms for businesses to communicate context. This ultimately helps companies make better informed, risk-aware decisions.
Security ratings enable organisations to manage their own risk and that of the organisations they do business with. This in turn creates a standardised model of risk by which organisations can be measured, allowing for better business decisions. But if a vendor suggests that you can manipulate the data yourself to improve your rating, understand that this will not improve your own security posture, and it could in fact leave you blind to threat vectors you already face.
ENTERPRISE BLOCKCHAIN: DRAGGING INSURANCE OUT OF THE DARK AGES
Ryan Rugg, Global Head of The Industry Business Unit at R3
The history of insurance traces back to the development of modern business and the insuring of its risks: property, cargo, medical and death. Insurance helps mitigate losses. Wary of the financial losses a capsized ship could cause, forward-thinking vessel owners established communal funds that could pay for damage to any individual’s ship within the group. While this basic concept holds strong to this day, insurance is now a multi-trillion dollar industry that touches almost every other sector of business, from healthcare to capital markets and aviation.
Despite the insurance industry’s image as a conservative sector, insurers have been consistently innovative in the property and perils they protect against, but the supporting technologies and infrastructure have remained antiquated and unfit for purpose. Operational inefficiency is the single biggest threat facing the insurance industry today, and insurers are now taking steps to tackle this challenge head-on with purpose-built enterprise blockchain technology.
Inefficiency and fragmentation
Blockchain provides a way to drive efficiency and security by allowing private data to be shared in a secure manner. Many policies are still sold over the phone rather than online, and the policies themselves are then processed on paper contracts, introducing huge potential for manual errors in claims and payments. This anachronistic infrastructure is even more surprising when you consider the complexity of the insurance ecosystem and the number of parties involved in a transaction, including consumers, brokers, insurers, reinsurers and more.
The costs of this inefficiency and fragmentation are well documented. Inaccurate, disparate sources of data lead to long underwriting cycles and inaccurate risk profiling. Extensive manual intervention is required across the insurance value chain, from contract placement to claims settlement. Archaic billing systems and complex billing processes lead to high reconciliation costs. Ambiguity in loss conditions, assessment procedures and claim settlement delays lead to increased litigation risk. It has been estimated that as much as 60% of customer premiums is consumed by these inefficiencies.
In addition, increasingly stringent and dynamic regulatory requirements continue to impact areas such as renewals and claims assessment. Insurers often have a complete lack of visibility of their liabilities and obligations, and a lack of transparency across the entire business. In today’s regulatory climate, it is unsurprising that authorities are beginning to demand more from insurers.
Blockchain technology is not a panacea for all of these problems, but with the right architecture a platform can address and reduce inefficiencies. There are also new revenue and growth opportunities in cutting-edge sectors such as cyber insurance that blockchain technology can help enable.
Tackling the blockchain privacy challenge
Blockchain offers insurance firms a new way to coordinate information between each other, by using a pre-agreed technology solution instead of relying on a third party’s bookkeeping. The technology enables disparate parties to connect via a shared platform environment. While this premise may appear simple at first glance, the insurance industry has specific requirements in relation to privacy and security that only certain blockchain platforms can fulfil.
For example, if a blockchain has the appropriate data privacy architecture in place, each insurance firm can maintain the same degree of control over its data as it has today, but with more flexibility. Unlike traditional permissionless blockchain platforms, in which all data is shared with all parties, Corda shares information only with those who have a “need to know,” ensuring the confidentiality of trades and agreements while still capturing the benefits of a shared distributed ledger infrastructure.
Blockchain platforms such as R3’s Corda have been purpose-built for enterprise use in industries such as insurance and tackle issues such as data privacy, scalability and security head-on. Following a period of experimentation with multiple consortia and technologies, insurers are now consolidating their blockchain efforts around Corda.
Testament to this is the recent decision of the industry-leading B3i consortium to port from IBM’s Fabric to Corda, and RiskBlock’s decision to port from Ethereum. All the major insurance groups and ecosystems are coalescing on Corda in order to effect change and form standards. As Metcalfe’s Law states, the value of a network is proportional to the square of the number of connections in the network: the more insurers that build upon a common platform, the more valuable the platform becomes to all participants through the interoperability of applications. The consolidation around Corda creates network effects industry-wide.
Contract placement: leveraging the network effect
To more tangibly examine the benefits of these network effects, we can look at a specific insurance use case that involves a network of many different entities and counterparties – contract placement.
Contract placement is the process of negotiating a potential insurance contract between a broker and an insurer in order to issue a contract that provides coverage for an end customer. For most commercial and specialty insurance scenarios, except for small commercial and some mid-market products, this is an arduous, complex process involving several entities: a broker, one or more insurers, and potentially a reinsurer and a reinsurance broker. Furthermore, outsized risks generally mean that multiple insurers come together to insure the risk at the requested limit and price, adding complexity for the broker managing the placement process.
Contract placement, with its extensive negotiation cycle between a broker and insurers, as well as between an insurer and reinsurers (with or without a reinsurance broker thrown in), has several inefficiencies related to inter-firm coordination. Extensive manual intervention and reconciliation is required for brokers, insurers and reinsurers to keep track of requests and responses; high IT spend is required for every participating party to maintain an audit trail of the negotiation history between the different entities; and each firm must invest heavily in document storage systems to maintain separate contracts over the policy lifecycle.
Leveraging the network effect by connecting brokers, insurers and reinsurers onto the same blockchain platform can deliver numerous benefits. These include:
- Near-instantaneous communication between participating parties to eliminate delays associated with reconciliation and coordination;
- Real-time consensus among all parties involved in the contract on coverage, price, terms and conditions;
- Complete audit trail from all sides of negotiations and data exchanges;
- Greater regulatory compliance throughout the insurance industry due to instantaneous communication of in-force contracts to the regulator;
- Eliminating the “double spend” problem of having the customer buy the same policy from different insurers by involving the notary (regulator);
- Reduced IT spend for individual firms, with eventual decommissioning of legacy document storage systems and reducing spend on document generation systems.
A brighter future
Blockchain technology offers great promise across many avenues, not only contract placement. Platforms like Corda can add value to many insurance business segments – commercial and specialty insurance, life insurance, personal lines and health insurance, along with niche areas like marine and trade credit.
The industry’s recent consolidation around Corda reaffirms that data privacy is pivotal for a network of enterprises and that the platform’s peer-to-peer data sharing approach matters for insurance blockchain applications going into production. For a highly regulated industry like insurance, only Corda can ensure that the entire supply chain of brokers, insurers, reinsurers and consumers can interact in a seamless, secure and private manner.
From contract placement to insurance as an industry, we are excited to see the new opportunities and efficiencies that blockchain technology will enable between this wide ecosystem of participants now that the right network – Corda – is in place.
THE EVOLUTION OF THE TECH CFO
Gavin Fallon, General Manager, UK, Nordics & South Africa, Board International
Chief Financial Officers (CFOs) have traditionally been seen as behind the technological curve: the Luddite of the boardroom, too attached to their Excel spreadsheets to move with the times. But the role of the CFO is now shifting and becoming more strategically significant to the business, putting CFOs in the ideal position to make much needed changes in the boardroom.
Despite many business functions being transformed by data, the boardroom remains a place where paper presentations are annotated around the table and, when it comes to finance, the focus is placed on the traditional statutory profit and loss structure. This may remain useful for reviewing historical performance but provides no insight into what may happen in the future. As global events – from political upheaval to health crises – have an impact on organisations, the ability to react in real-time becomes more important than ever. It is here that CFOs have the opportunity to make seismic changes in their business.
CFOs now sit in a unique position
CFOs now sit in a unique position, where the traditional responsibility of keeping an eye on the bottom line is wrapped with analytical and operational knowledge to create a far more strategic role. It is by sitting at this unique crossroads and holding a huge amount of knowledge about every area of the organisation that CFOs have the potential to change many aspects of how the boardroom operates. However, in order to fully realise the potential, CFOs must be empowered to take a digital lead.
A lot of the CFO’s most important work takes place in Excel and Essbase, systems that remain rife with risk. In fact, 56 percent of finance professionals believe the spreadsheets they use in their reporting processes are well-controlled and error-free, which may well be why 40 percent also believe their reporting is based on potentially inaccurate information (FSN 2018). Not only are spreadsheets prone to human error, they are also static and do not allow for real-time forecasting or modelling. While CFOs are well aware of this challenge, having been tied to legacy systems for too long has left them with an unintentional knowledge gap about the technology available to move them away from making decisions based on what happened last year, quarter or week.
Seeing the bigger picture
With a greater understanding of the technology available comes an evolution and expansion of the CFO’s role within a business. It is no longer enough to make decisions based on static reporting, focusing on the traditional statutory profit and loss structure. Instead they need to use the tools available to play a strategic role with a keener eye on the future, seeing the bigger picture, anticipating what is next, and having the correct contingency plans in place to mitigate risk.
Technology can provide CFOs with full visibility of the entire company at a single glance, with data at their fingertips enabling them to take into account everything from KPIs to operations and distil instant insights. This offers a level of clarity that makes the answer to ‘what happened?’ obvious, allowing more attention to be placed on ‘what will happen?’.
Consider a board meeting that is discussing headcount requirements based on the launch of a new product. Using traditional methods, a business may well make presumptions based on experiences when previous launches took place. But since that time, there is likely to have been a whole host of changes, both within the company itself as well as in the wider market – from market conditions for the product to the salary expectations of potential recruits.
The use of such technology, however, does not solely require the buy-in from the CFO, or even the finance function. To fully realise its potential in fundamentally changing how an organisation operates, the value will need to be seen by the entire board to, in effect, create a digital boardroom. While such technology has an impact on all areas of the business, allowing senior leadership to understand the impact of a factory in the supply chain closing, for example, it is the finance function that is best placed to show the value and drive adoption.
Primed to integrate the business like never before
The CFO is becoming more strategically important, combining analytical, operational and strategic value in a single role. CFOs are primed to integrate the business like never before, acting as the central thread that ties all aspects of decision-making together in a single, unified process. Doing so requires a radical transformation of their role, as pioneers of new technology. Already a trusted advisor, the CFO can now elevate the role with the ability to forecast effectively and help spearhead the organisational culture change required for the shift in mindset that comes with digital transformation. To maximise the potential of this unique position, the CFO must be equipped with technology that provides the full visibility of the company and the clarity in decision-making they require.