Category Archives: findings tech

Automated Security Assessments: Expectations and Preparation

What to expect during an automated security assessment and how to prepare for it - findings.co

Automated security assessments are one of the most talked about features in the supply chain management industry. Organizations have turned to automated solutions to enhance their risk management and supply chain compliance after recognizing the need to eliminate the burdensome and time-consuming task of manually auditing and tracking numerous vendors. It makes sense, after all. Who wants to spend hours on end doing manual work to audit and chase hundreds of thousands of vendors? 


The answer is: no one. 


Findings’ comprehensive platform has gone above and beyond to automate risk management and supply chain compliance, saving organizations of all sizes extensive manual work and reducing friction. 


Now, let’s break down some things you should expect to see when using the platform that will ultimately help you prepare. 


  1. Assessment Logic 


When managing assessments in the Findings platform, you can create an assessment from scratch with branching logic, or upload pre-existing assessments and tweak them to suit your needs. When you create an assessment from scratch, you can create a question with various answer choices. If the answer choices are branching types such as radio button, multi-select, or dropdown, you can create a follow-up question that is shown only when a certain response is chosen. 


When it comes to uploading assessments from pre-existing documents, you can edit the subjects and alter the logic to suit the vendor’s needs via our assessment wizard. Once the assessment has been uploaded you can clone, edit and tailor it with various app integrations for the associated vendors. 


  2. Findings and Remediation


Imagine the ability to pre-create remediation plans and suggestions. Rather than sending out an assessment to a vendor, reviewing it, and then writing out compliance corrections and suggestions manually, the remediation guidance is prepared before the vendor even begins the assessment. For any answer choice that is not in compliance, you can create a suggested remediation plan for that answer and set the risk level that will affect the vendor’s overall score. When the vendor completes the assessment, they already have a remediation plan ready for them, so that they can bridge the gaps without all the time-consuming back and forth. 


  3. Response Repository (NLP)


Our response repository is based on natural language processing (NLP) and is one of the biggest assets our users hold. When a vendor or customer completes an assessment, our system scans the answers and builds a repository that is matched against similarly worded questions the next time an assessment is completed. The next time a user completes an assessment, our automated suggested answers pop up and the user can insert the answers based on the relevant match. This saves numerous hours of manual work by removing the need to complete assessments from scratch. Within seconds, your assessment can be completed and you can focus on other essential tasks. 


Automated security assessments provided by Findings are perfect for organizations seeking efficient risk management and streamlined supply chain compliance. By automating the assessment process, organizations of all sizes can save valuable time and resources that would otherwise be spent on manual audits and vendor follow-ups. By utilizing the features we offer, organizations can complete assessments quickly and focus on other essential tasks, ultimately improving their overall security posture and supply chain management.







Benefits of Automating Security Assessments for Your Organization

Findings.co explores the benefits of automating security assessments

It is indeed true that companies that fail to leverage automated tools are overlooking significant opportunities. This holds particularly true when it comes to security and compliance. Companies are finding it increasingly challenging to proactively identify, address, and mitigate security issues, since, well, there are more threats than ever. Conducting regular security assessments is essential to detect vulnerabilities and reduce the risk of future breaches. However, relying on manual methods and outdated procedures can be unreliable and diminish the effectiveness of risk mitigation strategies. To ensure secure and robust networks, as a business leader, you must prioritize the implementation of automated security assessments. They not only minimize risk exposure but also shorten the sales cycle, save a company money, and strengthen cybersecurity defenses, making them a crucial investment for your company. 

(Source: CISA – Continuous Diagnostics and Mitigation Learning Program: Benefits of Automating Security Control Assessments)

Automation Speeds Up Reaction and Activity:

Automation plays a vital role in streamlining processes and driving transformation in modern industries. By automating the risk assessment process and management, organizations can make informed financial decisions, streamline risk and compliance procedures, and enhance their overall risk profile. This automation eliminates human error, enables faster response times, and promotes growth. Real-time threat information and risk reports empower security teams to handle threats more effectively and improve response and action times. Automated risk management strategies can efficiently compile, classify, upload, and organize incoming data, which allows for the identification of similar incidents and the implementation of prepared actions or responses.

Enhanced Cybersecurity Risk Management:

Automated assessments provide organizations the ability to manage cybersecurity risks more comprehensively and effectively. These assessments offer security teams up-to-date and detailed data about ALL their vendors that can be shared with senior management and executives. By eliminating manual tasks and enabling real-time monitoring, automation allows risk managers to focus on risk avoidance and mitigation. Furthermore, automation expedites the entire risk management process by instantly uploading fresh data and promptly reporting any issues. Through continuous monitoring and real-time visibility, organizations can identify gaps in their cybersecurity posture and take the necessary security measures to rectify them.

Standardizing Data and Improving Collaboration:

In many organizations, different departments rely on separate and potentially incompatible data to analyze and assess cyber risks. With so much data floating around in different hands, conflicting reports create confusion among managers. Automated security assessments provide a centralized platform for data collection, ensuring consistent and standardized data across the organization. This eliminates discrepancies and enables effective collaboration among departments. Executives and managers can access accurate and comprehensive information, leading to better-informed decision-making and improved cyber risk management strategies.

Scaling Security Risk Assessment:

Automation significantly simplifies the scalability of security risk assessment processes within a company. Automated assessment platforms like Findings are designed to handle both small and large-scale tasks, allowing organizations to adapt to changing demands without the need for hiring and training new personnel. Predictability is another advantage of automation, as most response actions can be anticipated, making it easier to manage various system interactions securely. Additionally, automation provides better tracking capabilities, allowing organizations to monitor progress, identify completed assessment components, and address pending tasks more efficiently.

Measuring ROI of Automation:

Calculating the return on investment (ROI) for automated security risk assessment involves considering the time and resources saved by automating time-consuming tasks and preventing adverse outcomes. While evaluating the ROI for automated security risk assessment may differ from other business operations, the goal is to demonstrate to IT management that the investment was worthwhile, considering the resources and time allocated.

Out With the Old, in With the New:

In today’s digital landscape, where cyberattacks are a constant threat, automating security assessments is not just beneficial but imperative for organizations aiming to protect their assets, maintain customer trust, and ensure business continuity. It is an investment that pays off in terms of enhanced security, streamlined processes, and improved risk management.

Collaborating with companies like Findings, which specialize in security risk assessment automation, can help organizations identify weaknesses and risks more effectively. Automated security risk assessments provide a proactive approach to maintaining the security of organizational systems, preventing potential breaches, and ensuring a safe operating environment. By leveraging automation, organizations can improve response times, standardize data, enhance collaboration, and scale security risk assessment processes. It is crucial for businesses to embrace automation.



How to: Stop Creating a Tedious Sales Cycle

Findings.co shares what IT leaders can do to save their sales teams from tedious sales cycles

Concerned about the time and effort required to close your B2B sales cycle?



There’s no doubt that B2B sales cycles are getting longer and more complex. According to a recent study, 68 percent of B2B customers say the buying cycle has lengthened, with the average time taken to close a deal being 4 to 6 months.


On average, only 47 percent of sales deals are closed across industries, while in the software sector, only 22 percent of deals are closed.


Multiple factors, from the time and effort involved in finding prospects and scheduling a demo to conducting compliance due diligence, affect your sales cycle.



Let’s look at the problem (tedious sales cycle) and the smart solution:



The problem: Tedious sales cycles



A typical sales cycle involves multiple steps:


  • Finding new leads and qualifying them

  • Setting up the first appointment or a demo

  • Discovery work and due diligence

  • Exchanging ideas and proposals

  • Presenting a proposal

  • Closing the sale


SDRs, on average, make 52 cold calls each day while a third of SDRs spend about 20 to 23 percent of their time on discovery meetings.


What’s more, an SDR spends only 35.2 percent of their time actively selling, with the rest of the time spent on prospect research and non-selling activities.


This means that a company spends about $50,000 per sales rep, per year (taking USD $81,000 as the average pay for a sales rep in the US) on prospect research alone.


Another factor that contributes to the complexity is the compliance due diligence process which can take anywhere from weeks to months.


Regulatory compliance, however, is vital to protect your business against numerous financial, legal, and reputation-related risks.



Why regulatory compliance is vital



According to an estimate, cybercrime costs are expected to reach USD $10.5 trillion annually by 2025. As the number of cyberattacks increases, so do the regulations designed to protect against them. 


The most recent regulation is the proposed IoT cybersecurity law in the EU. If this bill is cleared, noncompliance with cybersecurity requirements can potentially cost IoT manufacturers a whopping €15 million.


How can non-compliance with cybersecurity laws affect your sales cycles and contracts? For starters, it can affect the value of the deal in addition to impacting the sales win and business reputation.


A case in point is the acquisition proposal of Yahoo! Inc. by Verizon Communications. While the original proposed price was USD $4.83 billion, the price was cut down to $350 million after seven months. The reason? Verizon discovered undisclosed data breaches at Yahoo! while conducting cyber due diligence.



The Solution: Automate compliance due diligence



Given the ever-changing regulatory landscape, most companies struggle to keep up with the constant changes. 


Automating the process can help speed up the sales cycle and make it more efficient. At Findings.co, we have built a smart tool that automates your compliance due diligence to reduce time, improve accuracy, and improve sales win rates.


An automated risk assessment tool captures the threats and vulnerabilities of potential contractors while including recommendations for risk mitigation.


Built-in response automation ensures a quick turnaround time for responding to security incidents and a quicker containment of incidents. With these features, organizations can improve their overall security posture and accelerate compliance due diligence, setting up a win-win situation for the parties involved in the contract.

ESG companies are outperforming their peers in recent years – why?


Higher ESG rating, higher return

Indeed the ultimate goal of any investment is to earn a maximum return. But as the focus has increased on sustainability, investors worldwide are resorting to smart investing strategies. In the current investment scenario—where environmental sustainability and corporate social responsibility are driving business decisions—investors place a great deal of emphasis on the environmental, social, and governance (ESG) rating of a company they wish to invest in.


ESG criteria are becoming increasingly popular amongst investors to evaluate the ability of companies to be stewards of nature, managers of social relationships, and trailblazers of excellent leadership. Now, ESG companies that uphold the principles of smart investing while catering to the needs of socially conscious investors are seen outperforming their peers in a big way, especially after the COVID-19 pandemic.

In 2020, the year of extreme and dramatic changes triggered by the pandemic, the median total return on equity funds of ESG companies focused on sustainability exceeded that of their peer funds by 4.3 percentage points. Funds of such companies provided better returns almost every month of the year. Their focus on sustainability is essentially indicative of the quality of their board and management.

Low beta, high quality 

The companies with higher ESG ratings fell and rose less dramatically than those with lower ESG ratings as the markets collapsed and recovered sharply in April 2020. The pattern suggests that stocks of such companies also have a low-beta, high-quality factor. Such funds are also less affected by volatility in the larger market.

There’s been a significant rise in the popularity of ESG investing, triggered mainly by the global community’s fears over climate change. As such, socially conscious investors, especially millennials, now consider the impact of their funds as they start investing. It’s crucial to note and understand that ESG risk is an investment risk; those firms that meet ESG standards are more likely to be sustainable enterprises.

Similar trends were observed when fixed income ESG stocks were analyzed from January to September 2020. The bonds of ESG companies with high ratings performed better on average than their lower-rated peers. The stocks of companies with an A-rated ESG score lost around 0.5 percent on average during the period compared to low-rated stocks, which lost 4.6 and 4.4 percent.

A peek into the future.

ESG and smart investing with a focus on sustainability are expected to grow. The attitude of retail investors towards sustainable investment has also been shifting. In the U.S., close to half of individual investors adopt sustainable investing. Also, 80 percent of asset-owner institutions are seen incorporating sustainability factors in their investment processes.

It’s also worth noting that the Institute for Sustainable Investing, in 2019, found that sustainable funds had larger market capitalizations on average and held more stocks in companies that are considered growth stocks. Let’s not forget that evolving regulations also lead companies to disclose their sustainability practices, providing investors with more data to understand ESG-related risks and growth opportunities. We can hope that the future of sustainability investing delivers on its promises and makes a positive global impact in the times to come.

Get started with your ESG journey easily with Findings ESG.

ESG Investing is popular but confusing – here’s how it works


ESG investing is becoming popular as awareness grows about the impact of corporate actions on the environment, society, and governance. This article will look at how ESG Investing works and some of the benefits and drawbacks of this growing movement. What should you consider when including this type of investment in your portfolio?

What are the essential characteristics of an ESG investment strategy?

Many factors make up an ESG investment strategy. For a company to be an ESG investment, it must have exposure to environmental and social factors. Exposure to these factors can be defined by three characteristics: alignment, integration, and recognition. All three of these characteristics must be present for a complete ESG investment strategy. By adopting one or more of these practices, companies can better prepare themselves for times of need; it is much easier to come back from challenging situations when you are ready. It takes careful planning, diligence, and perseverance to fully adopt an ESG investment strategy. However, if done correctly, these practices will strengthen your company, increase its value over time and preserve its reputation within its community.

How do I make sure my fund managers follow an ethical approach?

The first and most basic way to make sure your fund managers take ESG into account is to ask them. As with any other question, you should call them up and ask if they use sustainability metrics in their investment process. They’ll tell you, “Of course we do” (which might or might not be true), and that will give you a sense of how serious they are about ESG investing. If you like what you hear and want to invest, you can trust that your money isn’t funding unethical companies. But if they seem mysterious, or worse—dismissive—then it could mean that there aren’t good incentives in place to keep fund managers accountable for their actions. That would indicate an unethical culture at your mutual fund management firm.

Why is this different from other kinds of socially responsible investing?

The social responsibility aspect of ESG investing isn’t just about environmental or social impact but may include these factors. It also aims to be financially responsible and considers an investment’s impact on other financial indicators such as price volatility, liquidity, earnings growth, operating efficiency, and capital preservation. These features are often not found in socially responsible investments as they tend to focus on issues surrounding environmental or social effects. As a result, many consider ESG to be more than just socially accountable investing — because it includes financial indicators and increased engagement with companies — while others think it is just another kind of SRI.

When did this become popular? And why should I care now?

After decades of playing second fiddle to shareholder-value investing, ESG has emerged as a star in its own right. Even though sustainability and corporate ethics are still relatively new concepts in business management, concerns about social issues have been around for thousands of years—and they show no signs of fading away. That’s why more and more investors are looking at companies through an ESG lens.

Some examples of funds in this space and their returns over time.

Examples include the Newfield ESG Long/Short Fund (EQLIX), the Calvert Social Investment Strategy Fund (CSLFX) and the Vanguard FTSE Social Index Fund ETF (VFTSX). After a rocky start, there are signs that environmentally conscious investing has been growing in popularity, with more than 150 socially responsible mutual funds holding $200 billion in assets under management. Still, concerns remain about what kinds of businesses these investment funds hold and their role in helping companies change their behavior to better protect employees and the environment. 

Want to save time and automate your ESG processes? Use best-practices? Findings ESG is at your service.



The Insider Guide To Coordinated Vulnerability Disclosure Programs


When you coordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and five steps to creating one.


What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities with various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring not just that information about a known vulnerability is available, but also that response operations are as efficient as possible. Remember, though, that not every vulnerability should or must be disclosed; deciding how to react, whether to block or avoid it, is itself an important decision.


The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited. 

Consider CVDP as a “neighborhood watch” for your IT assets, encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.


5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, to benefit from them you need to provide secure channels through which third parties can report vulnerabilities. These channels can be as simple as a security.txt file that identifies where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.
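Step 1 above names a security.txt file as the reporting channel. The following is an added example, not code from the original post or from Findings, that checks a security.txt file against the RFC 9116 rules (Contact and Expires required, Expires exactly once and not stale, https for web resources) before it is published. The sample file contents, the example.com addresses and the fixed clock are constructed for the example.

```python
"""Check a security.txt file (RFC 9116) before publishing it as a
vulnerability reporting channel.

Added example for this article, not code from the original post or from
Findings. The sample file contents below are constructed; the example.com
addresses and URLs are placeholders, not real reporting channels.
"""
from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116. Contact and Expires are required; Expires
# must appear exactly once; the others are optional and may repeat.
KNOWN_FIELDS = {
    "Contact", "Expires", "Encryption", "Acknowledgments",
    "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF",
}

# Fixed clock so the checks below are reproducible (constructed value).
FIXED_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (fields, errors); fields maps a field name to its values."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        if ":" not in line:
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name not in KNOWN_FIELDS:
            errors.append(f"line {lineno}: unknown field {name!r}")
            continue
        fields.setdefault(name, []).append(value)
    return fields, errors


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        # RFC 9116 requires a URI (mailto:, tel: or https://), not a bare address
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be a mailto:, tel: or https URI: {c!r}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append("Expires is in the past: reporters will treat the file as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")

    # Links to the policy, key and canonical location must be served over TLS.
    for name in ("Policy", "Encryption", "Canonical"):
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} must use https: {url!r}")
    return problems


# Constructed sample: a well-formed file using a placeholder domain.
GOOD_SECURITY_TXT = """\
# Constructed example, not a real reporting channel
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/disclosure-policy
Preferred-Languages: en
"""

# Constructed sample with the mistakes most often seen in published files.
BAD_SECURITY_TXT = """\
Contact: security@example.com
Policy: http://example.com/disclosure-policy
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Bounty: yes
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(text, now=FIXED_NOW) or "OK")
```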

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provides end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.


4 Reasons Why Your CISO Wants To Implement A CMMC Framework


“Let’s pursue a new compliance framework just because we feel like it!” is not a phrase that you tend to hear business leaders utter excitedly. After all, making the changes necessary to comply with new compliance rules is a significant undertaking. Unless a specific legal requirement is at stake, businesses tend to embrace them slowly.

However, the Cybersecurity Maturity Model Certification (CMMC) is an exception. Although CMMC is not strictly required for most businesses, implementing it should be a priority for many CISOs today. 

Indeed, a CISO’s main job is to harden cybersecurity wherever possible. Doing so requires identifying security risks, developing practices and policies to mitigate those risks, and creating regular reports that track the effectiveness of cybersecurity investments. Because the CMMC encourages these practices, pursuing CMMC compliance is an excellent way for CISOs to achieve their primary goals.

“All DoD contractors will eventually be required to obtain a CMMC certification,” as CSO Online notes, which may be another reason CISOs implement CMMC compliance. But it shouldn’t be the only one: Whether or not you need to do business with the U.S. Department of Defense, pursuing CMMC compliance is a great idea.

Four reasons to implement CMMC

You achieve several critical benefits when you invest the time and effort required to implement CMMC compliance.

1. Independent cybersecurity validation

Among the recent changes to CMMC is a new independent validation requirement for businesses with CMMC level 3 compliance. Independent validation provides a more thorough security check and vulnerability reporting than you can get from following other security guidelines, like those from NIST (which closely resembled the original version of CMMC).

Thus, CMMC is a more rigorous cybersecurity framework in many respects than anything else you can find.

2. Holistic cybersecurity best practices

CMMC is designed to encourage solid cyber hygiene for businesses of all types and industries.

It encourages a proactive cybersecurity culture (with ESG benefits, since it demonstrates a commitment to privacy). It facilitates education for all employees – including non-technical stakeholders – about security best practices. And it underlines the importance of managing supply chain security risks, one of the most severe categories of threats that businesses face today.

3. Increased revenue

From a purely business perspective, the additional sales opportunities that CMMC compliance opens up can lead to revenue growth.

When you achieve CMMC compliance, you can do business with U.S. government agencies that might otherwise be off-limits. This means not only more clients but often larger contracts, because government agencies tend to be high-value, long-term accounts.

4. Enhanced security maturity

Even in cases where clients aren’t government agencies and don’t require CMMC compliance, being CMMC compliant can nonetheless be a significant boon to business. It helps you demonstrate a commitment to cybersecurity and serves as a stamp of quality on the security front, which can help you close more deals and retain more clients.

The enhanced security maturity that comes with CMMC compliance can help you stay ahead of the competition, which may comply with less rigorous mandates but not with CMMC.

See also: CMMC Compliance Requirements – Everything You Need To Know

Granted, CMMC implementation is not a simple task, and it’s essential for CISOs to understand the challenges before undertaking a CMMC compliance initiative:

  • Process: You have to apply for CMMC compliance. That’s another task for CISOs to manage on their already full plates.
  • Buy-in: CISOs need to get buy-in from shareholders and management for the CMMC process. That’s important not just culturally but also because business leaders will need to play a valuable role in the CMMC application process by filing forms, tracking progress and reporting, etc.
  • Multiple steps: Applying for CMMC compliance is not a one-and-done affair. It usually involves multiple steps, with changes or additional information required as you progress through the process.
  • Maintenance: You need to keep your compliance strategy continuously updated to meet CMMC compliance requirements. That increases your time and effort even further.
  • Cost: For most businesses, CMMC compliance will require new tools and processes, which come at a cost. And depending on what level of CMMC compliance you need, an outside advisor may also be required.

None of these challenges should prevent businesses from pursuing CMMC compliance as a comprehensive framework for protecting against cyberattacks. But it’s essential to be aware of the potential objections and barriers before starting the process.

Even if CMMC compliance is technically optional for your business, there’s a good reason not to treat it as an option. Instead, CISOs should embrace CMMC implementation as an intelligent way to strengthen their business’s cybersecurity – and, in turn, open up new business opportunities.

Learn more by scheduling a demo.

ESG Investing – What Green Bonds Are, and Why Do They Matter?


Sustainability has become an integral part of how we do business and live our lives, and the concept of ESG investing has taken hold with investors and financiers alike. What are green bonds, and why do they matter? Read on to find out!

3 key ways green bonds improve corporate sustainability

Green bonds increase access to capital for sustainable projects, help decrease reliance on fossil fuels, and help finance critical social programs. We’ll examine each of these ways in detail below.

An introduction to green bonds

Undertaking a green business venture or project is by no means cheap. The costs of starting up an alternative energy project can run into millions of dollars. And even if you secure funding for such projects through loans or grants, those payments will add to your operating costs over time. However, governments worldwide have been easing financing concerns through what are known as green bonds: debt securities that raise funds to support environmentally friendly endeavors. More recently, private organizations have been launching their own initiatives to make it easier for entities engaged in green projects to raise funds from investors. These so-called green bonds have several advantages over conventional debt offerings. Here is what you need to know about them: what green bonds are, how they work, and where you can buy them.

The history of green bonds

The idea of a bond linked to environmental, social, or governance criteria – known as a ‘green bond’ – originated in 2003 when HSBC issued its first ecological bond in response to investor demand. This was followed by BNP Paribas with its first Corporate Sustainability Bond in 2005. Today there is greater recognition of ESG issues from governments, investors, and issuers than ever before. Green bond issuance has increased over recent years. In 2010, only three green bonds were issued globally; today, it is not uncommon for international financial centers like London to see two or three different green issuance rounds each week.

How is a green bond different from any other bond?

A green bond is no different from any other bond in that it is a debt security – a loan – issued by an organization to raise money for some purpose. However, green bonds typically have specific criteria which make them eligible to be classified as green or environmentally friendly. They tend to be used exclusively for projects with positive environmental or social impacts, whether that means energy efficiency retrofits or renewable energy generation. These bonds are commonly referred to as ESG bonds (Environmental, Social, Governance). An investor who wants to include more green investments in their portfolio can purchase ESG bonds because these securities contain safeguards against non-environmentally friendly use of proceeds. In short, if your company has borrowed money through a green bond, you must use that money only on activities with positive effects on people and the planet. This way, investors can feel good about making such investments while knowing they’re getting solid returns.

Challenges in the market for Green Bonds

The market for green bonds remains relatively small, but both public and private sector actors recognize a need to increase access to capital for climate-friendly projects. In October 2017, Sustainable Finance Lab, in conjunction with The Rockefeller Foundation, released its second Climate Finance Survey. The survey results reveal that limited capital and coordination are among the most significant barriers to scaling up investments in clean energy. One of those critical challenges has been high transaction costs, or what is often referred to as the pipeline problem. Green bond issuance data from Bloomberg New Energy Finance (BNEF) shows that transaction costs for green bonds have been more than double those of comparably rated corporate bonds since 2008. This means that investors looking to invest in low-carbon infrastructure through green bonds were paying too much due to inefficient issuance processes. As a result, some financiers have said that there was limited interest amongst potential institutional investors in investing in them.


Eager to learn more about ESG? Start your ESG journey with Findings ESG today.

Your Vulnerability Disclosure Policy Can Be Easier Than You Think


It’s easy to recognize the importance of creating a vulnerability disclosure policy. Vulnerability disclosure policies, or VDPs, are important because they help you track vulnerabilities within your supply chain and determine how to disclose security risks that arise within the supply chain. That’s a best practice for any business, not to mention a formal requirement for companies wishing to do business with the DOD and U.S. government agencies.

It can be pretty hard, however, to figure out how to define and enforce such a policy. If you’re like many businesses, you may struggle to determine which types of vulnerabilities to disclose, how to report them, and how to integrate these rules into a policy document that your business uses as a systematic guide whenever supply chain vulnerabilities arise.

Fortunately, it’s easy enough to work past these challenges. By taking a step-by-step approach to creating a vulnerability disclosure policy, you can define and enforce disclosure rules tailored to your business’s needs with much less effort than you may imagine.

More information on managing and building relationships with your vendors: The insider’s guide to coordinated vulnerability disclosure, and the video How you can interact with vendors and suppliers – headache free.

The main purpose of vulnerability disclosure

Establishing an effective vulnerability disclosure policy starts with understanding what such a policy is supposed to do.

Vulnerability disclosure policies have two main benefits:

Streamlined vulnerability reporting: A VDP defines who in your organization handles vulnerability reporting. This is important because many companies don’t know who the right person is to generate and distribute reports. Without a predefined reporting policy, you’re likely to end up with delays, or reports that never happen at all because no one knew who was supposed to create them.

Real-time reporting: Just as important, VDPs make it possible to react in real time to vulnerabilities and breaches. As soon as you detect a security issue, you can report it to stakeholders or CISA, as required based on factors like which systems the incident impacts and how severe it is. The ability to disclose issues immediately and be fully transparent demonstrates a strong commitment to security on the part of your organization, which in turn helps your brand weather security events. Rapid disclosure may also be a compliance requirement for some businesses, as we’ve noted. But rapid disclosure means you need a complete view over your whole supply chain, which is not an easy task unless you have an automation tool to help with checking and reporting vulnerabilities.

Every VDP should be designed with these benefits in mind.

The six components of a vulnerability disclosure policy

To enable efficient, real-time vulnerability reporting, you should create a VDP in the form of a document that details six key facets of vulnerability disclosure.

1. Compliance policies

Your VDP should specify which compliance rules your business needs to meet, and which vulnerability disclosures those rules require.

The details in this section of the VDP will vary depending on your business and its compliance context. Not only do compliance requirements vary between geographies and industries, but businesses may also be exposed to different mandatory disclosure rules based on factors like the size of the business and the nature of a given breach. A few of the important frameworks and regulations you may come across are ISO 27001, NIST, ENISA, CMMC, GDPR, HIPAA and CPPA (to name a few), and this section needs to be kept up to date, since compliance rules change every so often.

Whatever your specific requirements are, the goal of this section of your VDP should be to spell out the business’s disclosure responsibilities relative to its compliance mandates.

2. Contractual obligations

In addition to compliance mandates, your business may be required by the contracts it signs with vendors, customers or partners to disclose vulnerabilities. Thus, one section of your VDP should address contractual vulnerability disclosure obligations.

Be sure to detail in this section not just when and to whom you have to disclose security issues, but also how the disclosures should be communicated. Typically, your agreements with other businesses will specify how communication is to be maintained in this context. By including this detail in your VDP, you ensure that you can find it easily, without having to pick through contracts.

3. Supply chain obligations

If vulnerabilities arise somewhere in your supply chain as opposed to your own systems, you may need to disclose those, too. Your VDP should include a section that spells out your obligations in this regard. It should also include information about how you maintain visibility into your supply chain and determine that a vulnerability has affected it.

4. Risk management and assessment

Every vulnerability is unique, and the ability to contextualize it based on its seriousness is critical for effective disclosure. Toward this end, define within your VDP how to calculate the overall security severity of each vulnerability, as well as how this security score impacts your disclosure procedures.

If you use risk assessment tools to automate the scoring process (as you should if you want it to take place in real-time and with minimal effort on the part of your team), include that information in the VDP, too.

5. Insurance coverage

In many cases, insurance can cover at least some losses incurred due to a security issue within your supply chain. For this reason, be sure that your VDP details which security insurance you have and how it applies to disclosures.

6. Incident response plans

Disclosing vulnerabilities is one thing; mitigating them is another. Your VDP should include an overview of how your business responds to security incidents in order to ensure that they are remediated. In addition, if you’re required to keep stakeholders aware of progress toward remediation while an incident response is underway, spell out how you’ll do that within your VDP.

See also: How Log4j, Kaseya and other recent supply chain attacks have caused damage

How vulnerability disclosure statements optimize security

With a comprehensive VDP statement, you ensure that you are prepared to react in a way that minimizes an incident’s impact on your business, your vendors, your partners, your customers, and your supply chain in general.

In turn, you can make informed decisions about the following:

  • When to keep doing business with vendors who introduced a vulnerability into your supply chain
  • How to work with vendors to keep their risk levels low – and, by extension, keep your supply chain secure
  • When to switch to different vendors to lower your risk
  • How to communicate effectively both “upstream” (meaning with your vendors and suppliers) and “downstream” (with customers and partners) when a vulnerability arises, as illustrated by FIRST.org, a global organization focused on security improvements

You can’t prevent every vulnerability or security incident. But you can prepare ahead of time to react quickly and effectively in meeting your obligations to disclose security issues when they happen – whether they stem from a vulnerability within your own IT estate or a problem that originated with another business in your supply chain.

You can make the vulnerability disclosure process even more efficient with a platform that automates supply chain security detection and reporting.

Learn More Findings – Optimizing Supply Chain Compliance

Russian Sanctions Made Trade Compliance a Burning Issue – Here’s Everything You MUST Know

You may have heard about trade compliance before, but do you know its meaning? It’s an essential part of international trade, and it’s amongst the few things that will put your company at risk if you don’t abide by it.

Here is everything you must know about trade compliance and why it matters so much these days with everything going on with Russia.

What Does Trade Compliance Cover?

In short, trade compliance requirements can impact your ability to import or export into foreign markets and effectively operate within your territory. Trade compliance applies to any company operating across borders; even if you plan on staying stateside and selling in only one jurisdiction, there is still a good chance that a local regulator will make contact at some point in your company’s life cycle. It isn’t always apparent whether a law requires you to comply with its provisions.

Trade compliance is defined as “an aspect of corporate compliance which ensures that all import and export transactions are in conformance with the laws and regulations of the countries involved,” according to the Dow Jones Risk & Compliance glossary.

What Are the U.S. Department of Commerce Rules Regarding Export Control?

The U.S. Department of Commerce maintains a set of rules regarding export control that every business should know about—even if you don’t think your company is doing any business abroad. These rules include what products can be shipped outside of our borders and how they can be traded (and sometimes not traded).

These guidelines ensure we’re not selling or sending anything to countries we have sanctions against, like Iran or North Korea, or, most recently, Russia.

What might surprise you is that there are particular nuances to how trade compliance works.

Russia Made Trade Compliance a Priority

In response to Russia’s aggression and invasion of Ukraine, the U.S. has issued sanctions against Russia’s banks, business people, and other financial services to disrupt these funding sources.

U.S. sanctions don’t apply to U.S. companies or people, but they impose restrictions on non-US persons’ dealings. The broad range of U.S. sanctions programs and rules means that almost any non-US citizen or entity doing business with a person on a sanctioned list violates U.S. law. This includes foreign subsidiaries of U.S. companies.

U.S. trade sanctions can have serious consequences, including fines and imprisonment. For that reason, it’s essential for firms operating internationally to make sure they have systems in place to comply with trade compliance laws. It’s also important to understand that these penalties are not just reserved for trade sanctions; sentences can be imposed against those who fail to take reasonable steps to ensure their trade partners are not violating trade compliance laws.

Businesses must understand trade compliance regulations so that they don’t run afoul of them, and so that they understand their risks and can manage them appropriately.

There are four ways that trade compliance applies to you:

1) You might import goods into or export goods out of a sanctioned country

2) You might do business with someone who does

3) Your customer may purchase goods from someone who does

4) Your customer may sell goods to someone who does

Suppose you import goods into or export goods out of a sanctioned country. In that case, the Office of Foreign Assets Control (OFAC), which falls under the Treasury Department, administers and enforces trade sanctions against targeted countries.

OFAC tracks all U.S.-based financial transactions and shipments leaving and entering U.S. ports via air freight or sea freight transport services. If you import goods into or export goods out of a sanctioned country, those goods will fall under trade compliance rules administered by OFAC.

You must file a report with OFAC before importing or exporting those goods to ensure that neither you nor your customers violate trade sanctions.

For example, suppose one of your suppliers purchases steel from Russia and ships it to China, where it is assembled into final products. In that case, Chinese importers have to comply with trade sanctions if they want to re-export those products back into the United States. This could also apply if you have manufacturing facilities in China, since any imported raw materials would still fall under trade compliance rules administered by OFAC.

Risk Management – Effective Trade Compliance and Supply Chain Management

CAATSA, or the Countering America’s Adversaries Through Sanctions Act, will profoundly impact global trade compliance. CAATSA was signed into law by President Trump in August 2017 and mandates sanctions against Iran, North Korea, Russia, and Venezuela. It also prohibits foreign entities from doing business with U.S. companies unless they are compliant with CAATSA.

Many organizations also want to do business with sanctioned countries like Russia, Iran, and North Korea because they offer lower prices than other suppliers. However, before engaging in any trade activity involving these countries or individuals under U.S. sanctions laws, you must ensure that your organization has effective trade compliance programs. Otherwise, you risk facing severe penalties under CAATSA if you engage in transactions involving blocked persons without first obtaining authorization from OFAC (Office of Foreign Assets Control).

Effortless Trade Compliance

Cut the processing time in half and skip the “expert advisors” – when you use the Findings platform, you can automate your entire trade compliance process.

Automate your assessments, enable best practices, and give your supply chain the advantage.

Want to learn more about what Findings can help you with? Start your free trial today.

Supply Chain Risk Monitoring as a Service
Join us today