
Category Archives: findings tech

ESG companies are outperforming their peers in recent years – why?

Findings.co | supply chain | security | ESG

Higher ESG rating, higher return

Indeed the ultimate goal of any investment is to earn a maximum return. But as the focus has increased on sustainability, investors worldwide are resorting to smart investing strategies. In the current investment scenario—where environmental sustainability and corporate social responsibility are driving business decisions—investors place a great deal of emphasis on the environmental, social, and governance (ESG) rating of a company they wish to invest in.

ESG criteria are becoming increasingly popular amongst investors to evaluate the ability of companies to be stewards of nature, managers of social relationships, and trailblazers of excellent leadership. Now, ESG companies that uphold the principles of smart investing while catering to the needs of socially conscious investors are seen outperforming their peers in a big way, especially after the COVID-19 pandemic.

In 2020, the year of extreme and dramatic changes triggered by the pandemic, the median total return on equity funds of ESG companies focused on sustainability exceeded that of their peer funds by 4.3 percentage points. Funds of such companies provided better returns almost every month of the year. Their focus on sustainability is essentially indicative of the quality of their board and management.

Low beta, high quality

The companies with higher ESG ratings fell and rose less dramatically than those with lower ESG ratings as the markets collapsed and then recovered sharply in April 2020. The pattern suggests that stocks of such companies also carry a low-beta, high-quality factor. Such funds are also less affected by volatility in the larger market.

There’s been a significant rise in the popularity of ESG investing. It is mainly triggered by the global community’s fears over climate change. As such, socially conscious investors, especially millennials, now consider the impact of their money as they start investing. It’s crucial to note and understand that ESG risk is an investment risk; firms that meet ESG standards are more likely to be sustainable enterprises.

Similar trends were observed when fixed-income ESG securities were analyzed from January to September 2020. The bonds of ESG companies with high ratings performed better on average than their lower-rated peers. The securities of companies with an A-rated ESG score lost around 0.5 percent on average during the period, compared to low-rated securities, which lost 4.6 and 4.4 percent.

A peek into the future.

ESG and smart investing with a focus on sustainability are expected to grow. The attitude of retail investors towards sustainable investment has also been shifting. In the U.S., close to half of individual investors adopt sustainable investing. Also, 80 percent of asset-owner institutions are seen incorporating sustainability factors in their investment processes.

It’s also worth noting that the Institute for Sustainable Investing, in 2019, found that sustainable funds had larger market capitalizations on average and held more stocks in companies that are considered growth stocks. Let’s not forget that evolving regulations also lead companies to disclose their sustainability practices, providing investors with more data to understand ESG-related risks and growth opportunities. We can hope that the future of sustainability investing delivers on its promises and makes a positive global impact in the times to come.

Get started with your ESG journey easily with Findings ESG.

ESG Investing is popular but confusing – here’s how it works


ESG investing is becoming popular as awareness grows about the impact of corporate actions on the environment, society, and governance. This article will look at how ESG Investing works and some of the benefits and drawbacks of this growing movement. What should you consider when including this type of investment in your portfolio?

What are the essential characteristics of an ESG investment strategy?

Many factors make up an ESG investment strategy. For a company to be an ESG investment, it must be exposed to environmental and social aspects. Exposure to these factors can be defined by three characteristics: alignment, integration, and recognition. All three of these characteristics must be present to exhibit an entire ESG investment strategy. By adopting one or more of these strategies, companies can better prepare themselves in times of need. It is much easier to come back from challenging situations when you are ready. It takes careful planning, diligence, and perseverance to fully adopt an ESG investment strategy. However, if done correctly, these practices will strengthen your company, increase its value over time and preserve its reputation within its community.

How do I make sure my fund managers follow an ethical approach?

The first and most basic way to make sure your fund managers take ESG into account is to ask them. As with any other question, you should call them up and ask if they use sustainability metrics in their investment process. They’ll tell you, “Of course we do” (which might or might not be true), and that will give you a sense of how serious they are about ESG investing. If you like what you hear and want to invest, you can trust that your money isn’t funding unethical companies. But if they seem mysterious, or worse—dismissive—then it could mean that there aren’t good incentives in place to keep fund managers accountable for their actions. That would indicate an unethical culture at your mutual fund management firm.

Why is this different from other kinds of socially responsible investing?

The social responsibility aspect of ESG investing isn’t just about environmental or social impact but may include these factors. It also aims to be financially responsible and considers an investment’s impact on other financial indicators such as price volatility, liquidity, earnings growth, operating efficiency, and capital preservation. These features are often not found in socially responsible investments as they tend to focus on issues surrounding environmental or social effects. As a result, many consider ESG to be more than just socially accountable investing — because it includes financial indicators and increased engagement with companies — while others think it is just another kind of SRI.

When did this become popular? And why should I care now?

After decades of playing second fiddle to shareholder-value investing, ESG has emerged as a star in its own right. Even though sustainability and corporate ethics are still relatively new concepts in business management, concerns about social issues have been around for thousands of years—and they show no signs of fading away. That’s why more and more investors are looking at companies through an ESG lens.

Some examples of funds in this space and their returns over time.

Examples include the Newfield ESG Long/Short Fund (EQLIX), the Calvert Social Investment Strategy Fund (CSLFX) and the Vanguard FTSE Social Index Fund ETF (VFTSX). After a rocky start, there are signs that environmentally conscious investing has been growing in popularity—there are now more than 150 socially responsible mutual funds with $200 billion in assets under management. Still, concerns remain about what kinds of businesses these investment funds hold and their role in helping companies change their behavior to better protect employees and the environment.

Want to save time and automate your ESG processes? Use best-practices? Findings ESG is at your service.



The Insider Guide To Coordinated Vulnerability Disclosure Programs

Findings - Vulnerability Disclosure Program

When you coordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and five steps to creating one.

 

What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities with various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring not just that information about a known vulnerability is available, but also that response operations are as efficient as possible. But remember: not all vulnerabilities should or must be disclosed. Deciding how to react, including whether to block or avoid the affected component, is also an important decision.

 

The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster and rolled out to affected applications or systems before attackers target them. This translates to a lower risk that the vulnerability will be exploited.

Think of a CVDP as a “neighborhood watch” for your IT assets: it encourages everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.

 

Learn more about Vulnerability Disclosure Programs – Click here

 

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as resources like “security.txt” files that identify where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.
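The “security.txt” file mentioned above is a small, well-defined format (RFC 9116, served at /.well-known/security.txt), so it is a good place for a worked example. The parser and checker below are an added example, not code from Findings or from the RFC; the sample file is constructed, and the checks cover only a subset of the RFC’s rules (required Contact and Expires fields, single-valued fields not repeated, Expires parseable and still in the future, and web URIs using https). A defender can run something like this in CI so the reporting channel never silently goes stale.

```python
"""Parse and sanity-check a security.txt file (subset of RFC 9116 rules).

Added example; not code from Findings. The sample file below is constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample, roughly what a site would serve at /.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Where to report security issues (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2031-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
"""

# Constructed counter-example: plain http, duplicate Expires, already expired
STALE_SECURITY_TXT = """\
Contact: http://example.com/report
Expires: 2020-01-01T00:00:00Z
Expires: 2020-01-02T00:00:00Z
"""

REQUIRED = ("contact", "expires")
SINGLE_VALUED = ("expires", "preferred-languages")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return a mapping of lower-cased field name -> list of values.

    Blank lines and '#' comments are skipped. Field names are case-insensitive
    in RFC 9116, so they are normalised to lower case. Lines without a colon
    are collected under the key "_malformed" for the validator to report.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime:
    # RFC 9116 uses an ISO 8601 date-time. datetime.fromisoformat() rejects a
    # trailing "Z" on older Python versions, so normalise it to "+00:00".
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def validate_security_txt(text: str, now: Optional[datetime] = None) -> Tuple[bool, List[str]]:
    """Check a security.txt body against a subset of RFC 9116 rules.

    Returns (ok, problems). An empty problem list means the file passed.
    """
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line!r}")
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    if "expires" in fields:
        try:
            if _parse_expires(fields["expires"][0]) <= now:
                problems.append("file has expired; reporters cannot trust it")
        except ValueError:
            problems.append("Expires is not a valid ISO 8601 date-time")

    # RFC 9116 requires web URIs in the file to use https.
    for name, values in fields.items():
        for value in values:
            if value.lower().startswith("http://"):
                problems.append(f"{name}: web URIs must use https ({value})")

    return (not problems, problems)


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_SECURITY_TXT), ("stale", STALE_SECURITY_TXT)):
        ok, problems = validate_security_txt(body)
        print(label, "OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

Running the script checks both constructed files: the first passes, the second is reported for the plain-http contact URI, the duplicated Expires field and the past expiry date. Wiring the same check into a scheduled job against the live file catches the most common failure in practice, an Expires date that quietly passed.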

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provides end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.

 

Schedule a call to learn more

Crisis Management: The Missing Link In Supply Chain Security

Findings - Supply chain security

It’s easy to treat crisis management as an afterthought within the context of supply chain security. Businesses may assume that attacks are unlikely to happen, especially if they’ve invested in risk assessment and mitigation. Just ask some of the major vendors that have been at the root of cybersecurity crises in the recent past, despite having taken breach prevention quite seriously.

What is a cybersecurity crisis management strategy?

A crisis management strategy provides a protocol for organizations to identify, eliminate and recover from cybersecurity attacks as swiftly as possible; its purpose is to position the organization for minimal impact from a cybersecurity incident. The protocol will unquestionably reduce the stress on your executive and IT teams, and on everyone else involved in mitigating an attack, in a crisis situation.

The protocol typically includes who does what in the event of a cyber incident and who is in charge of managing the crisis, aka the Cybersecurity Crisis Response Team (“Response Team” or “CCRT”). It also covers which systems need to be checked for impact and where the backups are located; which partners, vendors and customers need to be notified; and at what stage the Board of Directors and the media need to be addressed, and how.

For many organizations, this strategy is not only the responsible thing to do, but may also be a compliance mandate.

 

Information: The following policies can also be mandated:

Your Vulnerability Disclosure Policy Can be Easier Than You Think

Meeting The CMMC Compliance Challenge Head On

 

But where do you start? In contrast to many other security protocols – like privacy disclosure requirements, which are usually straightforward enough – there is no predefined playbook you can follow or set of boxes you can check off to plan for crisis management.

It is therefore up to each organization to research and create their own set of protocols. We’ve highlighted what should be in yours below.

Supply chain security: Your crisis management plan

Step 1: Risk assessment

The first step is to identify your supply chain security risks.

Do this by assessing which regulations and legal requirements your business is bound to when it comes to cybersecurity. You should also evaluate your contractual obligations. Next, identify vulnerabilities that exist within your supply chain security and risk management report. Do these vulnerabilities need to be reported to other vendors within your supply chain? Or can they be easily patched? Finally, examine how a breach may impact your business’s operations.

The easiest way to test your mettle here is to take risk assessment surveys and run a gap analysis – doing so will give you a complete score on where your current efforts stand compared to where you should be according to industry standards.

If you find any “show-stoppers,” you must stop your process and fix them before moving forward, to avoid failure at a later stage.

With this insight, you can develop a plan for managing the impact.

Step 2: Formalize your security and risk management plan

Once you’ve identified the risks, document them and put them in writing, along with a plan that spells out which steps various stakeholders need to take during an incident to mitigate the risks.

Specifically, your plan should detail:

  • Whom – such as vendors, partners, customers, regulatory authorities – you need to notify about a supply chain breach. The role of your head of cybersecurity should also be formalized.
  • Which processes various stakeholders – such as executive, IT and public relations teams – will follow to do their part in handling the incident.
  • How you’ll maintain the necessary level of transparency (which should be defined within your Vulnerability Disclosure Program).
  • What information to disclose to the media, and how to disclose it. Not every part of every incident needs to be publicized, but you should think strategically ahead of time about how to engage with the media.

Step 3: Practice cyber drills

In order to ensure your crisis management plan actually works as you intend it to, you should run through cyber drills, which means engaging stakeholders in responding to simulated incidents.

If you have the resources, you can hire a professional penetration testing team to create a mock incident, then test your business’s response. Alternatively, you may use your own teams to create a simulated supply chain attack, using a red team/green team model.

The more drills you practice, the better, but you should perform one drill annually at a minimum.

Step 4: Make crisis management a collective business responsibility

Next, work to ensure that everyone in the business – not just the IT team and security experts, but everyone from PR and customer relations to sales and marketing, to the C-suite and beyond – understands your supply chain crisis management plan and knows how to play their role within it.

Do this by publishing the process in a place where all stakeholders can view it. You can also ask stakeholders to explain their role in crisis management, based on the published plan.

Be sure, too, that the plan nominates someone to take the lead in crisis management unless your business already has an obvious person (such as a CISO) to take on this role.

Step 5: Leverage crisis management

Finally, to get even more buy-in for the plan and generate business value from it, educate your sales and marketing teams in particular about the investments you’ve made in crisis management.

This is important because sales and marketing teams can tout your crisis management investments when selling your products to other companies that require a high level of supply chain security and risk management. The more commitment you can demonstrate to managing supply chain risks effectively, the better positioned you’ll be to win customers who need strong supply chain security guarantees.

Winning such business is certainly not the only reason to invest in crisis management planning, but landing more customers this way can’t hurt.

 

Request a demo

4 Reasons Why Your CISO Wants To Implement A CMMC Framework


“Let’s pursue a new compliance framework just because we feel like it!” is not a phrase that you tend to hear business leaders utter excitedly. After all, making the changes necessary to comply with new compliance rules is a significant undertaking. Unless a specific legal requirement is at stake, businesses tend to embrace them slowly.

However, the Cybersecurity Maturity Model Certification (CMMC) is an exception. Although CMMC is not strictly required for most businesses, implementing it should be a priority for many CISOs today.

Indeed, a CISO’s main job is to harden cybersecurity wherever possible. Doing so requires identifying security risks, developing practices and policies to mitigate those risks, and creating regular reports that track the effectiveness of cybersecurity investments. Because the CMMC encourages these practices, pursuing CMMC compliance is an excellent way for CISOs to achieve their primary goals.

“All DoD contractors will eventually be required to obtain a CMMC certification,” as CSO Online notes, which may be another reason CISOs implement CMMC compliance. But it shouldn’t be the only one: Whether or not you need to do business with the U.S. Department of Defense, pursuing CMMC compliance is a great idea.

Four reasons to implement CMMC

You achieve several critical benefits when you invest the time and effort required to implement CMMC compliance.

1. Independent cybersecurity validation

Among the recent changes to CMMC is a new independent validation requirement for businesses with CMMC level 3 compliance. Independent validation provides a more thorough security check and vulnerability reporting than you can get from following other security guidelines, like those from NIST (which closely resembled the original version of CMMC).

Thus, CMMC is a more rigorous cybersecurity framework in many respects than anything else you can find.

2. Holistic cybersecurity best practices

CMMC is designed to encourage solid cyber hygiene for businesses of all types and industries.

It encourages a proactive cybersecurity culture (with ESG benefits, because it demonstrates a commitment to privacy). It facilitates education for all employees – including non-technical stakeholders – about security best practices. And it underlines the importance of managing supply chain security risks, one of the most severe categories of threats that businesses face today.

3. Increased revenue

From a purely business perspective, the additional sales opportunities that CMMC compliance opens up can lead to revenue growth.

When you achieve CMMC compliance, you can do business with U.S. government agencies that might otherwise be off-limits. This means not only more clients but often larger client contracts, because government agencies tend to be high-value, long-term accounts.

4. Enhanced security maturity

Even in cases where clients aren’t government agencies and don’t require CMMC compliance, being CMMC compliant can nonetheless be a significant boon to business. It helps you demonstrate a commitment to cybersecurity and serves as a stamp of quality on the security front, which can help you close more deals and retain more clients.

The enhanced security maturity that comes with CMMC compliance can help you stay ahead of the competition, which may comply with less rigorous mandates but not with CMMC.

Here are the CMMC Compliance Requirements: Everything You Need To Know

Granted, CMMC implementation is not a simple task: It’s essential for CISOs to understand the challenges before undertaking a CMMC compliance initiative:

  • Process: You have to apply for CMMC compliance. That’s another task for CISOs to manage on their already full plates.
  • Buy-in: CISOs need to get buy-in from shareholders and management for the CMMC process. That’s important not just culturally but also because business leaders will need to play a valuable role in the CMMC application process by filing forms, tracking progress and reporting, etc.
  • Multiple steps: Applying for CMMC compliance is not a one-and-done affair. It usually involves multiple steps, with changes or additional information required as you progress through the process.
  • Maintenance: You need to keep your compliance strategy continuously updated to meet CMMC compliance requirements. That increases your time and effort even further.
  • Cost: For most businesses, CMMC compliance will require new tools and processes, which come at a cost. And depending on what level of CMMC compliance you need, an outside advisor may also be required.

None of these challenges should prevent businesses from pursuing CMMC compliance as a comprehensive framework to protect against cyberattacks. But it’s essential to be aware of the potential objections and barriers before starting the process.

Even if CMMC compliance is technically optional for your business, there’s a good reason not to treat it as an option. Instead, CISOs should embrace CMMC implementation as an intelligent way to strengthen their business’s cybersecurity – and, in turn, open up new business opportunities.

Learn more by scheduling a demo.

ESG Investing – What Green Bonds are, and why do they matter?


Sustainability has become an integral part of how we do business and live our lives, and the concept of ESG investing has taken hold with investors and financiers alike. What are green bonds, and why do they matter? Read on to find out!

3 key ways green bonds improve corporate sustainability

Green bonds increase access to capital for sustainable projects; green bonds help decrease reliance on fossil fuels; and green bonds help finance critical social programs. We’ll examine each of these ways in detail below.

An introduction to green bonds

Undertaking a green business venture or project is by no means cheap. The costs of starting up an alternative energy project could run into millions of dollars. And even if you secure funding for such projects through loans or grants, those payments will add to your operating costs over time. However, governments worldwide have been easing financing concerns through what’s known as green bonds — debt securities that raise funds to support environmentally friendly endeavors. More recently, private organizations have been taking up their own initiatives to make it easier for entities engaged in green initiatives to raise funds from investors. These so-called green bonds have several advantages over conventional debt offerings. Here is what you need to know about them: 1) What are green bonds? 2) How do they work? 3) Where can you buy them?

The history of green bonds

The idea of a bond linked to environmental, social, or governance criteria – known as ‘green bonds’ – originated in 2003 when HSBC issued its first ecological bond in response to investor demand. This was followed by BNP Paribas with its first Corporate Sustainability Bond in 2005. Today there is greater recognition of ESG issues from governments, investors, and issuers than ever before. Green bonds have increased over recent years. In 2010, only three green bonds were issued globally; today, it is not uncommon for international financial centers like London to see two or three different green issuance rounds each week.

How is a green bond different from any other bond?

A green bond is no different from any other bond in that it is a debt security – a loan – issued by an organization to raise money. However, green bonds typically have specific criteria which make them eligible to be classified as green or environmentally friendly. They tend to be used exclusively for projects with positive environmental or social impacts, whether that means energy efficiency retrofits or renewable energy generation. These bonds are commonly referred to as ESG bonds (Environmental, Social, Governance). An investor who wants to include more green investments in their portfolio can purchase ESG bonds because these securities contain safeguards against non-environmentally friendly use of proceeds. In short, if your company has borrowed money through a green bond, you must use that money only on activities with positive effects on people and the planet. This way, investors can feel good about making such investments while knowing they’re getting solid returns.

Challenges in the market for Green Bonds

The market for green bonds remains relatively small, but both public and private sector actors recognize a need to increase access to capital for climate-friendly projects. In October 2017, Sustainable Finance Lab, in conjunction with The Rockefeller Foundation, released its second Climate Finance Survey. The survey results reveal that limited capital and coordination are among the most significant barriers to scaling up investments in clean energy. One of those critical challenges has been high transaction costs, or what is often referred to as the pipeline problem. Green bond issuance data from Bloomberg New Energy Finance (BNEF) shows that transaction costs for green bonds have been more than double those of comparably rated corporate bonds since 2008. This means that investors looking to invest in low-carbon infrastructure through green bonds were paying too much due to inefficient issuance processes. As a result, some financiers have said that there was limited interest among potential institutional investors in investing in them.

 

Eager to learn more about ESG? Start your ESG journey with Findings ESG today.

Your Vulnerability Disclosure Policy Can Be Easier Than You Think

Findings | vulnerability disclosure

It’s easy to recognize the importance of creating a vulnerability disclosure policy. Vulnerability disclosure policies, or VDPs, are important because they help you track vulnerabilities within your supply chain and determine how to disclose security risks that arise within the supply chain. That’s a best practice for any business, not to mention a formal requirement for companies wishing to do business with the DoD and U.S. government agencies.

It can be pretty hard, however, to figure out how to define and enforce such a policy. If you’re like many businesses, you may struggle to determine which types of vulnerabilities to disclose, how to report them, and how to integrate these rules into a policy document that your business uses as a systematic guide whenever supply chain vulnerabilities arise.

Fortunately, it’s easy enough to work past these challenges. By taking a step-by-step approach to creating a vulnerability disclosure policy, you can define and enforce disclosure rules tailored to your business’s needs with much less effort than you may imagine.

The main purpose of vulnerability disclosure

Establishing an effective vulnerability disclosure policy starts with understanding what such a policy is supposed to do.

Vulnerability disclosure policies have two main benefits:

Streamlined vulnerability reporting: A VDP defines who in your organization handles vulnerability reporting. This is important because many companies don’t know who the right person is to generate and distribute reports. Without a predefined reporting policy, you’re likely to end up with delays, or reports that never happen at all because no one knew who was supposed to create them.

Real-time reporting: Just as important, VDPs make it possible to react in real time to vulnerabilities and breaches. As soon as you detect a security issue, you can report it to stakeholders or to CISA, as required based on factors like which systems the incident impacts and how severe it is. The ability to disclose issues immediately and be fully transparent demonstrates a strong commitment to security on the part of your organization, which in turn helps your brand weather security events. Rapid disclosure may also be a compliance requirement for some businesses, as we’ve noted. But rapid disclosure means you need a complete view over your whole supply chain, which is not an easy task unless you have an automation tool to help with checking and reporting vulnerabilities.

Every VDP should be designed with these benefits in mind.

The six components of a vulnerability disclosure policy

To enable efficient, real-time vulnerability reporting, you should create a VDP in the form of a document that details six key facets of vulnerability disclosure.

1. Compliance policies

Your VDP should specify which compliance rules your business needs to meet, and which vulnerability disclosures those rules require.

The details in this section of the VDP will vary depending on your business and its compliance context. Not only do compliance requirements vary between geographies and industries, but businesses may also be exposed to different mandatory disclosure rules based on factors like the size of the business and the nature of a given breach. A few of the important frameworks and regulations you may come across are ISO 27001, NIST, ENISA, CMMC, GDPR, HIPAA and CPPA (to name a few), and this section needs to be kept up to date, because compliance rules change every so often.

Whatever your specific requirements are, the goal of this section of your VDP should be to spell out the business’s disclosure responsibilities relative to its compliance mandates.

2. Contractual obligations

In addition to compliance mandates, your business may be required by the contracts it signs with vendors, customers or partners to disclose vulnerabilities. Thus, one section of your VDP should address contractual vulnerability disclosure obligations.

Be sure to detail in this section not just when and to whom you have to disclose security issues, but also how the disclosures should be communicated. Typically, your agreements with other businesses will specify how communication is to be maintained in this context. By including this detail in your VDP, you ensure that you can find it easily, without having to pick through contracts.

3. Supply chain obligations

If vulnerabilities arise somewhere in your supply chain as opposed to your own systems, you may need to disclose those, too. Your VDP should include a section that spells out your obligations in this regard. It should also include information about how you maintain visibility into your supply chain and determine that a vulnerability has affected it.

4. Risk management and assessment

Every vulnerability is unique, and the ability to contextualize it based on its seriousness is critical for effective disclosure. Toward this end, define within your VDP how to calculate the overall security severity of each vulnerability, as well as how this security score impacts your disclosure procedures.

If you use risk assessment tools to automate the scoring process (as you should if you want it to take place in real-time and with minimal effort on the part of your team), include that information in the VDP, too.

5. Insurance coverage

In many cases, insurance can cover at least some losses incurred due to a security issue within your supply chain. For this reason, be sure that your VDP details which security insurance you have and how it applies to disclosures.

6. Incident response plans

Disclosing vulnerabilities is one thing; mitigating them is another. Your VDP should include an overview of how your business responds to security incidents in order to ensure that they are remediated. In addition, if you’re required to keep stakeholders aware of progress toward remediation while an incident response is underway, spell out how you’ll do that within your VDP.

How vulnerability disclosure statements optimize security

With a comprehensive VDP statement, you ensure that you are prepared to react in a way that minimizes the incident’s impact on your business, your vendors, your partners, your customers, and your supply chain in general.

In turn, you can make informed decisions about the following:

  • When to keep doing business with vendors who introduced a vulnerability into your supply chain
  • How to work with vendors to keep their risk levels low – and, by extension, keep your supply chain secure
  • When to switch to different vendors to lower your risk
  • How to communicate effectively both “upstream” (meaning with your vendors and suppliers) and “downstream” (with customers and partners) when a vulnerability arises, as the image below from FIRST.org, a global organization focused on security improvements, illustrates

You can’t prevent every vulnerability or security incident. But you can prepare ahead of time to react quickly and effectively in meeting your obligations to disclose security issues when they happen – whether they stem from a vulnerability within your own IT estate or a problem that originated with another business in your supply chain.

You can make the vulnerability disclosure process even more efficient with a platform like Findings, which automates supply chain security detection and reporting.

Russia sanctions made trade Compliance a Burning Issue – Here’s Everything You MUST Know


You may have heard about trade compliance before, but do you know its meaning? It’s an essential part of international trade, and it’s amongst the few things that will put your company at risk if you don’t abide by it.

Here is everything you must know about trade compliance and why it matters so much these days with everything going on with Russia.

What Does Trade Compliance Cover?

In short, trade compliance requirements can impact your ability to import or export into foreign markets and effectively operate within your territory. Trade compliance applies to any company operating across borders; even if you plan on staying stateside and selling in only one jurisdiction, there is still a good chance that a local regulator will make contact at some point in your company’s life cycle. It isn’t always apparent whether a law requires you to comply with its provisions.

Trade compliance is defined as “an aspect of corporate compliance which ensures that all import and export transactions are in conformance with the laws and regulations of the countries involved,” according to the Dow Jones Risk and Compliance glossary.

What Are the U.S. Department of Commerce Rules Regarding Export Control?

The U.S. Department of Commerce maintains a set of rules regarding export control that every business should know about—even if you don’t think your company is doing any business abroad. These rules include what products can be shipped outside of our borders and how they can be traded (and sometimes not traded).

These guidelines ensure we’re not selling or sending anything to countries we have sanctions against—like Iran or North Korea—or, most recently, Russia.

What might surprise you is that there are particular nuances to how trade compliance works.

Russia made trade compliance a priority.

In response to Russia’s aggression and invasion of Ukraine, the U.S. has issued sanctions against Russia’s banks, business people, and other financial services to disrupt these funding sources.

U.S. sanctions don’t apply to U.S. companies or people, but they impose restrictions on non-US persons’ dealings. The broad range of U.S. sanctions programs and rules means that almost any non-US citizen or entity doing business with a person on a sanctioned list violates U.S. law. This includes foreign subsidiaries of U.S. companies.

U.S. trade sanctions can have serious consequences, including fines and imprisonment. For that reason, it’s essential for firms operating internationally to make sure they have systems in place to comply with trade compliance laws. It’s also important to understand that these penalties are not just reserved for trade sanctions; sentences can be imposed against those who fail to take reasonable steps to ensure their trade partners are not violating trade compliance laws.

Businesses must understand trade compliance regulations so that they don’t run afoul of them, and so that they understand their risks well enough to manage them appropriately.

There are four ways that trade compliance applies to you:

1) You might import goods into or export goods out of a sanctioned country

2) You might do business with someone who does

3) Your customer may purchase goods from someone who does

4) Your customer may sell goods to someone who does

Suppose you import goods into or export goods out of a sanctioned country. In that case, The Office of Foreign Assets Control (OFAC), which falls under the Treasury Department, administers and enforces trade sanctions against targeted countries.

OFAC tracks all U.S.-based financial transactions and shipments leaving and entering U.S. ports via air freight or sea freight transport services. If you import goods into or export goods out of a sanctioned country, those goods will fall under trade compliance rules administered by OFAC.

You must file a report with OFAC before importing or exporting those goods to ensure that neither you nor your customers violate trade sanctions.

For example, suppose one of your suppliers purchases steel from Russia and ships it to China, where it is assembled into final products. In that case, Chinese importers have to comply with trade sanctions if they want to re-export those products back into the United States. This could also apply if you have manufacturing facilities in China, since any imported raw materials would still fall under trade compliance rules administered by OFAC.

Risk Management – Effective Trade Compliance And Supply Chain Management

CAATSA, or The Countering America’s Adversaries Through Sanctions Act, will profoundly impact global trade compliance. CAATSA was signed into law by President Trump in August 2017 and mandates sanctions against Iran, North Korea, Russia, and Venezuela. It also prohibits foreign entities from doing business with U.S. companies unless they are compliant with CAATSA.

Many organizations also want to do business with sanctioned countries like Russia, Iran, and North Korea because they offer lower prices than other suppliers. However, before engaging in any trade activity involving these countries or individuals under U.S. sanctions laws, you must ensure that your organization has effective trade compliance programs. Otherwise, you risk facing severe penalties under CAATSA if you engage in transactions involving blocked persons without first obtaining authorization from OFAC (Office of Foreign Assets Control).

Effortless Trade Compliance

Cut the processing time in half and skip the “expert advisors” – when you use the Findings platform, you can automate your entire trade compliance process.

Automate your assessments, enable best practices, and give your supply chain the advantage.

Want to learn more about what Findings can help you with? Start your free trial today.

A retired asset owner reveals – These 3 things will attract investors like flies


3 things you should be doing to attract ESG investors

ESG (environmental, social, and governance) investors are becoming more popular as millennials enter the workforce. Around 60% of ESG-focused funds show growth in assets under management over the past year. But what can companies do to attract more ESG money? This article will look at three things to consider when working with ESG investors to attract sustainable investment dollars.

1) Allocation matters

An ESG-friendly portfolio is an integral part of a sustainable investment strategy, but it’s just as crucial for investors that manage other people’s money (OPM). These days, many clients expect their financial advisors to invest sustainably and request environmental, social, and governance (ESG) information when reviewing or choosing an advisor. Advisers need to demonstrate how they manage sustainability in their portfolios to earn new business from clients seeking out these investments. And for those who don’t offer such solutions today, it will likely become increasingly necessary in order to compete and keep up with shifting investor preferences over time. In either case, OPM advisers need to do two things: identify relevant ESG factors within their clients’ portfolios and then make informed investment decisions in line with client expectations.

2) Education is important

When searching for potential investments, Environmental, Social, and Governance (ESG) investors perform a thorough due diligence process. While your business might not be eligible for an allocation from a fund, these types of investors can still help by providing feedback and advice. Remember, there is no shame in being honest about how much work your business needs. The more willing you are to self-critique, the easier it will be for others to trust that you’re working towards those changes. It’s important to remain honest about yourself and realistic about your goals. Remember that potential investors want to see transparency and honesty.

3) Be transparent

A growing number of institutional investors are pressuring organizations they invest in to disclose more about their environmental, social, and governance (ESG) performance. They’re asking companies many questions – some that might even seem uncomfortable at first. The purpose of these questions is transparency and improving performance, though it can feel like an interrogation at times. Transparency doesn’t come easily, but there are three things organizations can do to make sure they’re ready for such conversations with ESG-minded investors.

First, have all your numbers together. This means having clear information on everything from greenhouse gas emissions levels to community involvement efforts available when you sit down with ESG investors. It takes work to get those numbers put together, but it’s worth it.

Second, build relationships. One of the most important parts of successfully navigating any conversation is knowing your partners inside and out. Take time to research each ESG investor beforehand to know what kinds of topics they want to be addressed and how they usually approach them. Also, take care not to assume things based on past experiences with other investors or one-off interactions. Every organization and every investor will be different.

Third, keep records of your progress. Keeping track of your progress sends a clear message to ESG investors that you’re committed to being transparent in both action and communication with them going forward. Although it may sound tedious, documented progress shows that you’re serious about maintaining transparency in your ESG practices and gives your investors peace of mind.

Did you know Findings ESG offers the first-ever comprehensive supply-chain platform for all of your ESG reporting / best practices needs?

Don’t settle for less – Try it now.

Why Cyber Insurance Won’t Save You When You’re In Need


Cyber Insurance Is Great – Except When It’s Not

It would be great if cybersecurity insurance provided an affordable, reliable means of protecting your business from the innumerable cyber threats it faces today.

Unfortunately, it doesn’t. While cyber insurance has its purposes and can be a good investment, it’s hardly a panacea when defending against cybersecurity risks. It’s a type of product that has hit a “plateau,” as Harvard Business Review puts it, because cyber insurance has not evolved quickly enough to meet modern security threats.

That’s why, for example, cyber insurance won’t reliably protect you against supply chain security attacks. Even if you find a policy that does address supply chain threats, actually claiming your insurance benefit may take so long that the insurance doesn’t end up doing your business much good following a significant breach.

Please keep reading for an overview of the advantages and drawbacks of cyber insurance and tips on when it does and doesn’t make sense to rely on cyber insurance alone.

What does cyber insurance cover?

Cyber insurance was introduced in the 1990s and was hailed as protection against IT-related risks that are typically not covered by other types of business insurance. The original intent was to give companies a means of protecting against the financial fallout resulting from data breaches and disruptions to critical IT systems.

Several insurance companies offer cyber insurance today, including Hiscox, The Hartford, CNA, and Nationwide.

5 potential disadvantages of cyber insurance

On the surface, cyber insurance probably sounds like a simple way to make sure a cyber attack doesn’t render your business bankrupt. In reality, though, cyber insurance isn’t necessarily so rosy. There are a number of potential pitfalls or drawbacks to purchasing cyber insurance.

  1. High costs

The first is the simple cost of cyber insurance. Although cyber insurance premiums were relatively affordable in the past, they have surged in cost in recent years, as this graph of policy costs shows:

[Graph: cyber premiums]

Source: https://blog.alta.org/2021/09/cyber-coverage-premiums-increase-25-survey-shows.html

Thus, the cost of cyber insurance may be too high for many businesses today.

  2. Management challenges

Cyber insurance is not a set-it-and-forget-it affair. You have to manage your coverage actively by ensuring that your policy is kept up to date as your risks change – which they typically will. If you roll out new systems or start collecting new types of data, for example, your original policy may not cover them.

Most cyber insurance policies also place strict requirements on the insured to keep detailed records, secure their systems, and manage risks. If you fail to demonstrate that you took the steps required to protect your business against a breach, an insurer may deny your claim.

This isn’t to say that managing cyber insurance is infeasible. But it is to say that businesses shouldn’t underestimate how much effort goes into it.

  3. Coverage limitations

It’s easy to fall into the trap of assuming that as long as you’ve purchased cyber insurance, you’re covered against any and all cyber-related risks.

The truth, unfortunately, is that cyber insurance policies will always have exclusions or limitations regarding what they cover. “Insurers are demanding great security and are cutting back the amounts of cover they are willing to offer,” ZDNet reports. If you don’t read your policy disclosures very carefully, you may find that a breach you thought was covered is not.

Also, remember that merely interpreting coverage rules can be complicated – so complex that you may need to go to court to prove you are entitled to coverage. That’s what Merck had to do in a recent claim involving $1.4 billion in losses following a cyberattack. Merck, whose insurer said the claim was excluded from its cyber insurance policy because it was an act of war instead of a standard cyberattack, prevailed in that case.

But for smaller companies, in particular, this should be a warning: Going to court to defend your cyber insurance entitlements can be costly and time-consuming. Even if you have a legitimate claim, you may never get a payout if your insurer contests it and you lack the resources to defend it.

  4. Claiming insurance takes time

Even if you don’t have to go to court to get your insurer to pay out, there’s no guarantee that cyber insurance will result in immediate financial assistance following a breach. The claims process could take months or even years, especially if it requires collecting detailed information about the source of a breach to determine whether the breach is covered.

If a cyber event causes significant financial disruption, then your business may not be able to survive it if the insurance claim process takes too long.

  5. The supply chain is not insured

In general, cyber insurance covers risks that affect your IT resources directly. Software supply chain threats originate in third-party systems and are not usually covered.

This is especially bad news given that advanced supply chain attacks are projected to increase by about 650 percent in the coming years. It means that cyber insurance is not a reliable way of protecting against supply chain risks. For that, you need different tools – like a software supply chain risk assessment and disclosure platform.

The future of cyber insurance

Cyber insurance may well evolve to close the gaps described above in the future. We may see a reduction in costs, for example, or the creation of new policies that specifically address supply chain risks. Indeed, the U.S. Government Accountability Office has found that more insurers are creating dedicated cyber insurance policies, which could lead to more comprehensive coverage down the line.

Even if that happens, though, it’s impossible to guarantee that any cyber insurance product will fully protect your business against all threats. That’s why it’s critical to invest in other tools that help you detect and respond to risks. The security blanket of a cyber insurance policy doesn’t suffice to keep your business safe.

By all means, invest in cyber insurance if it makes sense for your business. But don’t blindly entrust your company’s financial health to insurance alone.

Instead, invest as well in solutions like Findings, which automates cyber risk assessment and management – not just within your business’s environment but across your supply chain as well.


Request a demo