TIME TO TAKE A SECURITY-FIRST APPROACH TO APIS IN INSURTECH

By Olaf van Gorp, Perforce Software

Insurance is one of the latest sectors to start benefiting from advances in digitalization. A big part of insurance’s digital transformation is the increasing use of APIs: pieces of software that let different services and apps, whether internal or external, connect in a friction-free way. Part of the wider open finance movement, APIs remove the need for complex and costly integrations between disparate systems and networks.
Insurers and associated third parties benefit from being able to share data more easily; processes happen faster, workload and unnecessary costs are reduced, and customers get faster responses. It’s an all-round win.
However, while one of the reasons for using APIs is that they provide a controlled route for sharing confidential and sensitive data, APIs can also introduce risk. If an API contains a vulnerability, that can lead to problems including cyberattacks and data breaches. Furthermore, once an API is published, there is usually little or no time to remedy the situation.
To understand how easily these weaknesses can be introduced, let’s look at how APIs are created. First, development has always been the point at which vulnerabilities are inadvertently introduced, potentially leading to issues further down the line, including performance and security problems. Second, development teams have traditionally worked in silos, separate from the rest of the business (even from their colleagues in the IT operations team), with little visibility into their work. Plus, traditionally, security has not been their focus: that was something for the QA or test manager to worry about later.

That culture is changing, particularly with the DevOps movement, whereby the barriers between development and operations teams are broken down and they work in a more collaborative way. However, with the understandable emphasis on getting an API published as soon as possible, security often still takes a backseat.
Finally, APIs are being created by a much wider group of people (including external agencies), not just software developers. That is good and bad: it makes it easier to keep up with the demand for APIs, but the new breed of API creators may not be trained software engineers, and are arguably even more likely to introduce vulnerabilities.
So, what is the solution to this dilemma? APIs are an integral part of the entire financial sector’s future, but they have to be secure. Fortunately, there are some ways in which their security can be improved.

Four ways to improve API security

ONE – create a security-first mindset – get everyone on board on putting security in the spotlight, rather than an afterthought. Bake security into development processes and throughout the API’s entire lifecycle. Make sure everyone understands their roles around risk mitigation, including external contributors. Consider investing in security training for anyone responsible for API development.

TWO – go the extra mile – some compliance and standards already address API security. For instance, in Europe, the banking sector’s PSD2 requires security measures at the API level. In insurance, the NAIC Registry in the USA is putting more emphasis on API security and overall management, with automated filing of standard reporting documentation from insurance providers to meet state-level compliance. We are likely to see more API security requirements worldwide and within all aspects of finance, including insurance. However, open finance standards have a specific scope, and there are other security measures that can be adopted to further reduce risk. A good source is the OWASP API Security Top 10, which covers the most common API vulnerabilities and ways to prevent them.

THREE – put the brakes in place – comprehensive security processes need to cover all deployment and approval processes, people and teams. They should cover: authentication, authorisation, malicious pattern detection, message content security, and rate limiting. An API should also not be published without time-stamped approval from an authorised person; this is typically a combined manual and automated process, involving the software development team’s Continuous Integration/Continuous Delivery pipeline. Finally, make sure that there is a clear audit trail, so that if a problem occurs in the future, it can be traced back to its root cause.

FOUR – reduce human intervention – automate security policies as much as possible, because this will not only reduce the risk of manual error, it will also help prevent security becoming a bottleneck. Introducing an API gateway will help achieve this, as well as making it harder for people to switch off security policies at will. Make sure that the chosen API gateway can operate with external contributors, as well as support all the main types of API, and deal with high volume. People still make the final decisions, but automation is the workhorse.
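The controls listed under THREE and FOUR, as an added example that is not from the article or from Perforce: a minimal gateway-style policy check in Python that authenticates a token, checks the required scope, validates the message body, applies a per-subject rate limit and records every decision in a time-stamped audit trail. The token table, scopes, limits and route names are constructed assumptions.

```python
"""Minimal API gateway policy check: authentication, authorisation,
message content validation, rate limiting and an audit trail.
Constructed illustration; tokens, scopes and limits are assumptions."""
import json
import time
from collections import deque

# Constructed token table; a real gateway would validate signed tokens
# issued by an identity provider rather than a static dictionary.
TOKENS = {"tok-broker-1": {"subject": "broker-1", "scopes": {"claims:read"}}}
RATE_LIMIT = 3          # requests per window per subject (assumed value)
WINDOW_SECONDS = 60
MAX_BODY_BYTES = 4096   # message content security: bound the payload size
_history = {}           # subject -> deque of accepted request timestamps
AUDIT = []              # time-stamped decisions: the traceable audit trail


def _audit(subject, route, decision, reason):
    """Append a time-stamped record for every allow/deny decision."""
    AUDIT.append({"ts": time.time(), "subject": subject, "route": route,
                  "decision": decision, "reason": reason})
    return decision


def _rate_limited(subject, now):
    """Sliding-window limiter: drop timestamps older than the window."""
    q = _history.setdefault(subject, deque())
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return True
    q.append(now)
    return False


def check_request(token, route, required_scope, body, now=None):
    """Return 'allow' or 'deny' for one request; every decision is audited."""
    now = time.time() if now is None else now
    ident = TOKENS.get(token)
    if ident is None:                       # authentication
        return _audit("anonymous", route, "deny", "authentication failed")
    subject = ident["subject"]
    if required_scope not in ident["scopes"]:   # authorisation
        return _audit(subject, route, "deny", "missing scope " + required_scope)
    if len(body) > MAX_BODY_BYTES:          # content security: size bound
        return _audit(subject, route, "deny", "body too large")
    try:                                    # content security: strict parse
        payload = json.loads(body)
    except ValueError:
        return _audit(subject, route, "deny", "body is not valid JSON")
    # Malicious pattern detection, in its simplest form: only the fields
    # this route expects are accepted, so unexpected keys are rejected.
    if not isinstance(payload, dict) or set(payload) - {"policy_id"}:
        return _audit(subject, route, "deny", "unexpected body shape or fields")
    if _rate_limited(subject, now):         # rate limiting
        return _audit(subject, route, "deny", "rate limit exceeded")
    return _audit(subject, route, "allow", "policy checks passed")
```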

Take away security from developers
This may sound counter-intuitive given what is happening in other parts of software development (especially the Shift Left movement, whereby software developers take on more responsibility for testing), but take security away from developers. Instead, leave API product managers, security specialists and others to keep watch on API security. Use software tools to continually inspect code so that any issues are found early. Again, this can be a largely automated process, with humans then taking action depending on the results.
APIs are transforming financial services of all kinds, opening up faster and more efficient ways to communicate. Making security a priority across an API’s lifecycle will make it easier to reap the rewards of APIs: reduced costs, faster processes, and satisfied customers.

WHY SUBSCRIPTIONS ARE KEY TO THE FUTURE OF THE FINANCIAL SERVICES SECTOR

Michael Mansard, Principal Director – Subscription Strategy at Zuora

The business world is wondering: what does post-pandemic growth look like?

A phenomenon known as the “Subscription Economy” might give us a clue. This term describes a new business model where customers pay a recurring fee at regular intervals — weekly, monthly, yearly, or just based on a customer’s usage — to access a product or service.

Unlike the more well-known “Product Economy”, which relies on one-off transactions, subscription business models are built around generating stronger lifetime customer value.

For the financial services sector, this could mean more opportunities to upsell and cross-sell services to customers, helping to reduce customer churn and to unlock new revenue streams. Amid a decade of challenging regulatory frameworks and a wave of digital disruptors, failure to pivot business models accordingly could spell the end for many businesses operating within the financial services industry.

Signing up to the Subscription Economy

The subscription economy is just getting started, and use cases are likely to continue evolving as the technology develops to meet demand. During the COVID-19 lockdowns, many digital-based subscription business models fared well due to their promise of convenience and strong business continuity. Research from our recent Subscription Economy Index has shown that companies that embraced subscription-based models grew at 400% on average over the last 8.5 years, outpacing S&P 500 revenues by almost 6x during the pandemic last year.

One of the recurring success factors for these organisations across the board is personalisation – those that embrace customer-centric business practices prevail over those that don’t.

Tailoring a product or service to a customer’s needs in a time of immense change is a sure-fire way to gain loyalty and win over those who previously favoured more traditional financial organisations.

Subscriptions also help cast a wider net to expand an organisation’s addressable market. Financial services companies can expand their addressable market by making their products and services more affordable, not necessarily by reducing the overall cost, but by allowing customers to spread their payments over a longer time period. Given their ability to grow user bases, subscriptions can boost revenue growth in the long run.

Accelerating digital transformation with subscription services

Though the transition to the Subscription Economy is still in its infancy for the financial services industry, we are seeing significant traction from organisations in this area, outlined in our recent whitepaper, A new formula for growth for The Financial Services Industry (FSI).

Multinational wealth management and financial advisory company Charles Schwab, for instance, shifted to the subscription model on just one of its product lines. Charles Schwab’s automated investing service builds and manages clients’ portfolios for a $30/month fee for accounts with at least $25,000, and in doing so brought in $1B in new client assets, primarily from younger investors.

Financial services company Wells Fargo took a slightly different approach, leveraging subscription services to develop a hybrid digital advice platform. The service provides access to both a robo-advisor and human advisor through an annual subscription model which was recently lowered to 0.35%, with the aim to attract more mass and emerging affluent clients taking their first steps into investing.

Insurance provider Metromile, on the other hand, used its subscription model to offer pay-per-mile car insurance through its driving app, basing pricing on usage in addition to a monthly base rate. Metromile claims that the service allows its customers to save on average $741/year.

Meanwhile, in the B2B space, Serai (by HSBC) leverages HSBC’s trade banking client network, connecting buyers and sellers around the world and helping them to simplify the complexities of international trade. For “high touch” B2B offerings, the sales force is a crucial building block of sales strategy.

Since most established FSI players are using the same operating models they’ve used for decades, a shift to a completely new approach can seem daunting. Industry transformations are never fast, and never easy. But the good news is that financial services companies don’t have to dive in and completely change their business model to reap the benefits: new revenue streams, churn reduction, upsell and cross-sell to name a few.

Transitioning to the Subscription Economy can be an iterative, try-and-learn approach. That said, in a time of upheaval and rapid industry changes, financial services companies can’t afford to ponder the relative merits of the Subscription Economy for their business. Industry leaders need to be asking not if, but how they can adopt subscription models to position their organisation for growth and success.

THE FINTECH REVOLUTION: BALANCING INNOVATION AND SECURITY

By Altaz Valani, Director of Insights Research at Security Compass.

At a time of significant disruption for the financial services industry, a sector forecast to be worth $300bn by 2022, organisations are facing important decisions when it comes to digital transformation.

Among ever growing customer expectations and the need to comply with changes in the regulatory landscape, fintech companies are under increasing pressure to ensure innovation is properly implemented.

Failure to do so comes with a significant cost; that of security breaches and exposure to new vulnerabilities. From AI and biometric authentication to Robotic Process Automation, the growing adoption of technology among the financial services industry is intensifying the volume of customer data at risk.

Internal and external threats

Managing this risk carries both internal and external challenges for fintechs. Internally, the main challenges are centred around cyber skills, knowledge and expertise; externally, coordination with regulation is demanding.

Balancing an ever-increasing appetite for innovation and growth with robust security and risk management processes is absolutely crucial. Cyber threats continue to grow and diversify, and every new digital product and service carries an ever-evolving array of security risks.

Solving the cloud puzzle

Historically, due to the perceived value of the information it holds, the financial services industry has been one of the primary targets for data breaches. This is why many financial services organisations have turned to the cloud as a solution for their IT infrastructure.

However, migrating to the cloud increases the attack surface of applications. That is why the importance of meeting security and compliance requirements cannot be overlooked in the rush for deploying new apps directly in the cloud or developing analytics-as-a-service or automation-as-a-service capabilities.

Strategically aligning digital delivery and security is one of the most complex challenges facing financial service businesses, and so many are turning their attention to Balanced Development Automation (BDA).

BDA: Aligning DevOps with security

To ensure success and competitive edge in the long run, fintechs need to create synergies between their DevOps, security, and business teams. This is where BDA comes in because it aligns DevOps with security, ensuring the latter is “baked” into the software development process. It acts as a guide through every step of software development, ensuring that security checks are built into the process from the beginning, and ultimately enabling DevOps teams to deliver secure products.

Consider it a three-step process:

1) Security should equip the development team with awareness of what is required from a security controls perspective. The same goes for risk and compliance. Developers need to know from the outset what these parameters are and factor them into their work from the get-go.

2) The next stage is examination of security metrics based on existing controls and emerging risks. The result of this might be the creation of new controls, but they have to be developed with an understanding of impact based on cost and business exposure. Ultimately, it is a business decision to determine the right risk threshold.

3) The third and final stage of the BDA process lies with governance at an audit and board level. Metrics collected from the first two stages are rolled into this and KPIs measured at this level are based on core business concerns around compliance, resilience, reputation, cost, and so on.

Balancing innovation with security

Ultimately, the success or failure of the fintechs of today can hinge on how they balance the adoption of new technologies with maintaining the privacy of their customers and the security of their customers’ data. This is a delicate balance, and one which requires action from the very start to identify and address risks.

Building security into applications from the very beginning of the software development lifecycle enables financial services companies to align security, compliance and risk priorities with business needs. This is ultimately a recipe for success.
