By McDermott Will & Emery
UK Withdrawal Process
The United Kingdom will continue to be an EU member until procedures are completed for exiting the European Union, which is likely to be a long process. Under EU Treaty rules, the process will begin when the United Kingdom gives notice to the European Union of its intention to leave. It seems unlikely that the UK Government will give notice until a new Prime Minister is in place, which will be in September 2016 at the earliest.
Any notice will trigger a two year deadline for the United Kingdom and the European Union to negotiate a withdrawal agreement, although the deadline can be extended with the unanimous consent of the remaining EU Member States. During the negotiation period, EU laws and treaties will still apply to the United Kingdom, which means that all laws currently in place will remain in place for at least two years. The final withdrawal agreement will clarify which EU laws and regulations will no longer apply, and which will continue to apply.
The withdrawal agreement will need to be ratified by the United Kingdom and the European Union before it takes effect, which is likely to take some time. If the two sides cannot come to an agreement on withdrawal after two years, EU treaties, laws and regulations will cease to apply to the United Kingdom, unless the EU Member States unanimously decide to extend the negotiation period.
The approach that the UK Government will take in negotiations with the EU is unlikely to become clear for some weeks. Some prominent figures have suggested that its key priority will be ensuring that the UK remains within the European single market, to ensure that it continues to benefit from rules guaranteeing the freedom of movement of goods, services, people and capital between participating countries.
Until the Government has decided on a negotiating position (which may necessitate a General Election first), it seems unlikely that notice will be served under the EU Treaty. The EU has indicated that it is not prepared to enter into informal negotiations over the terms of a Brexit until notice has been served. It is entirely conceivable that the United Kingdom may not serve notice for some time to come.
Key Legal Implications
The impact of Brexit will depend on what approach the United Kingdom decides to pursue in its negotiations with the European Union, but the following are some of the most prominent issues for businesses to consider now.
Until the United Kingdom formally exits the European Union, all EU access rules and procedures will continue to apply to all intra-EU trade, including with the United Kingdom, and to imports entering UK ports from third countries.
Once the United Kingdom gives notice of its intention to leave, however, it will need to renegotiate a new trade relationship with the remainder of the European Union to take effect at the end of the two year period during which the existing treaties still apply. One option could be membership in the European Economic Area (EEA), an arrangement that grants Norway and certain other countries free access to the EU internal market, but doesn’t give them any vote in EU decision-making bodies. Another could be a bilaterally-negotiated agreement with the European Union similar to the arrangement Switzerland has.
The United Kingdom will also need to renegotiate on its own behalf the free trade agreements (FTAs) and other trade agreements the European Union currently has with dozens of countries around the world, and will likely also pursue trade agreements with the United States, Japan and other countries that are currently negotiating trade deals with the European Union. The United Kingdom may also have to renegotiate its World Trade Organisation (WTO) market-access commitments with WTO member countries.
To the extent that the European Union loses one of its largest members, it may also be required under trade rules to renegotiate certain of its WTO, regional and bilateral trade commitments. With the European Union’s attentions now primarily directed to managing Brexit fallout, the pace of its FTA trade negotiations with other countries (the United States, Japan, Mercosur and Mexico) may be affected.
One of the most significant potential implications relating to tax is that UK companies may lose access to the EU Parent-Subsidiary or Interest and Royalties directives, which eliminate withholding tax on payment flows between related entities, and may instead have to rely on double tax treaties, not all of which offer a complete withholding tax exemption.
It seems unlikely that the United Kingdom will be bound by the new anti-tax abuse directive that is scheduled to come into effect from 1 January 2019 and which has largely been inspired by the Organisation for Economic Co-operation and Development Base Erosion and Profit Shifting (BEPS) initiative. It is worth bearing in mind, however, that the United Kingdom is likely to remain committed to introducing BEPS reforms in any event.
VAT is likely to remain largely unchanged, although the UK Government may have greater freedom to vary the scope and rates of VAT once it is no longer constrained by the EU VAT Directive.
If the United Kingdom ultimately leaves the EU single market (which guarantees freedom of movement of goods, services, people and capital between member states), it could result in the imposition of customs duties on exports and imports to and from EU countries, with associated compliance costs.
Competition and State Aid
At present, the European Commission enforces EU competition law, and the UK regulator—the Competition and Markets Authority (CMA)—enforces both EU and UK competition law. Although both the CMA and the European Commission can enforce EU-wide competition rules, they do not engage in parallel enforcement of the same case. For instance, if a transaction fulfils the thresholds for notification to the European Commission, it will not need to be notified to the CMA, even if the UK thresholds for mergers are met. Likewise, if the European Commission investigates an alleged infringement of EU competition law, the CMA would not undertake the same investigation. This arrangement essentially provides a “one stop shop” merger review process.
There are many unknown variables at this stage, but it appears that Brexit could lead to increased competition law scrutiny, penalties and uncertainty for businesses. For instance, post-Brexit, merging companies may be obliged to notify the same transaction to both the CMA and the European Commission, no longer benefiting from the European Commission’s one stop shop merger review. Similarly, the CMA and European Commission could investigate the same antitrust infringements, leading to multiple fines for the same conduct.
EU State aid law applies across the European Union, enforced by the European Commission. In the absence of EU State aid law, the United Kingdom would, in principle, be subject only to WTO rules, but this scenario assumes no trade arrangement between the United Kingdom and the European Union, which is highly unlikely. Alternative scenarios could involve the application of EU State aid law subject to an EU-UK trade agreement, or the promulgation of a UK State aid law.
Mergers & Acquisitions
Although transaction volumes may suffer in the short term, and some transactions in the UK market may now be put on hold or simply not take place, the effect of the United Kingdom withdrawing from the European Union will have a marginal effect on the legal principles and practice of M&A transactions under English law.
In UK public M&A, transactions involving UK public companies will continue to be regulated by the UK Takeover Panel through the City Code on Takeovers and Mergers. While many of its provisions are incorporated into (rather than derive from) the EU Takeover Directive, the Code would not be affected by EU withdrawal, as it is a standalone set of rules subject to resolution ultimately at the Panel level.
As far as private company M&A is concerned, little if any EU law overrides principles of English contract law and parties are likely to continue to use English law as the basis for commercial transactions—even where there is no UK nexus—owing to the English courts’ long history of commercial case law precedent, tried and tested contractual terms for use in documentation, the impartiality and consistency of the English courts in resolving disputes, and the large body of professionals in London and elsewhere competent to execute transactions effectively under English law.
There are a few areas where EU law does impact on M&A transactions, such as the Acquired Rights Directive, which is incorporated into UK employment law and acts to automatically transfer employment contracts to a buyer on completion of a business or asset transaction, but this is unlikely to be repealed by the UK Government in the short term.
The competition implications of Brexit are dealt with above, but the effect of EU withdrawal may act to prolong competition clearance where there is a UK component in a transaction, as the UK component would no longer be aggregated within the EU market calculation and would instead be assessed separately by the domestic UK competition authority.
Brexit is unlikely to have an impact on European Patents, either with regard to existing patents and applications or with regard to future applications. This is because, despite the name, European Patents are unrelated to the European Union and are therefore not directly affected by Brexit.
The situation is different with regard to the new European Unitary Patent scheme, which was expected to come into force in early 2017. The United Kingdom will now most likely not be able to join the Unitary Patent system. As a non-EU Member State, the United Kingdom is also unlikely to be able to host a branch of the European Patent Court as previously planned. It is extremely likely that the Unitary Patent system will now be renegotiated altogether and that its entry into force will be delayed, for at least one year.
The destiny of EU trade marks and designs is less clear than that of European Patents as these are linked to the European Union. One possible scenario is that the UK element of such rights will be split off, with a grace period within which the United Kingdom portions of Community IP rights may be converted into national UK rights.
Health, Pharmaceuticals and Life Sciences
The health service sector in Europe will likely not be affected, as health services are one of the few industries that are fundamentally not harmonised on a European level at all. As a result, market entry barriers for foreign investors vary considerably among European countries.
The United Kingdom has a long history of one predominant public payer (the National Health Service (NHS)), and plans to privatise elements of the NHS in the early years of the Cameron government were largely abandoned due to severe political resistance. In view of the current political turmoil in the United Kingdom following the Brexit vote, it appears very unlikely that a new government, once appointed, will focus on opening the UK health care market to foreign investors.
The health services of EU Member States will be entirely unaffected by political issues within the United Kingdom.
The potential for change in the pharmaceutical sector is higher, given that the pharma industry is, to a large extent, harmonised on a European level. The current UK pharmaceutical legislation—from the development of a medicinal product to its approval and post-approval monitoring—derives mostly from European legislation. Only pricing and reimbursement depend on national laws, as European attempts to harmonise them have been limited.
If the United Kingdom becomes part of the EEA alongside Iceland, Liechtenstein and Norway, most of the EU pharmaceutical legislation will remain relevant, e.g., a marketing authorisation for a medicinal product approved by the European Commission is also valid in the EEA countries. If the United Kingdom adopts the Swiss approach and negotiates multiple bilateral trade deals, with no automatic recognition of EU legislation, the situation will be more complicated.
What appears very likely is that the harmonisation of the European pharmaceutical market would no longer directly apply to the United Kingdom. Consequently, the European authority in charge of granting EU market authorisations, the European Medicines Agency (EMA), which is based in London, will have to relocate to an EU Member State. Italy, Sweden and Denmark have already indicated their interest in hosting the EMA.
Wherever the EMA relocates, it is very likely that foreign, in particular US, pharmaceutical companies that still have their European headquarters in the United Kingdom will relocate those headquarters to the new location.
The proposed changes were announced in outline only; further details were expected to follow after the Referendum, with a consultation anticipated in autumn 2016 and the intention that the law would come into force from 6 April 2017. It seems unlikely that these reforms will be a priority of either the present or successor government. If the changes are not enacted as previously expected, the taxation of “non-doms” will continue as before.
Individuals currently resident in the United Kingdom who were formerly resident in certain other EU jurisdictions, and who are subject to a deferred payment of exit tax liabilities in relation to their prior residence, may find that Brexit triggers payment of the deferred liability by virtue of the individual ceasing to be resident in the European Union. We expect this would occur on the earlier of the date of entry into force of the withdrawal agreement (under Article 50(3)) or on expiry of the two-year notice period (if no withdrawal agreement is in place).
Finally, individuals resident in the United Kingdom who own assets in an EU country may eventually be subject to a less favourable tax treatment than they currently enjoy.
The European operations of many international private equity (PE) sponsors are based in London and authorised by the Financial Conduct Authority. The Alternative Investment Fund Managers’ Directive (AIFMD) currently allows these PE sponsors to market funds to investors across the European Union via a “passport” regime, which will continue to apply for the two year negotiation period.
If the United Kingdom joins the EEA, access to the single market would be maintained and the impact on financial regulation, including AIFMD, would likely be relatively minimal. A full exit would theoretically result in UK-headquartered PE sponsors losing their passport right to market to investors across the European Union, which could prompt some to set up parallel operations in EU Member States. It is, however, anticipated that the passport regime will be extended to non-EEA PE sponsors by 2018, so in practice this extension may address and allay concerns.
Access to the EU markets by third country investment firms is currently governed by the Markets in Financial Instruments Directive and the Markets in Financial Instruments Regulation (MiFIR), together known as MiFID II, which essentially grants access to countries that have “equivalent” standards of regulation. One issue to consider is that the MiFIR provisions relate only to segments of the businesses that currently benefit from passporting rights. For example, asset managers that have Undertakings for Collective Investment in Transferable Securities funds domiciled in the United Kingdom for distribution throughout the European Union are not covered. In theory, the United Kingdom should be able to take advantage of the MiFIR provisions because the country meets the guideline for equivalent standards of regulation. That could change, however, if, for example, the United Kingdom revokes the part of the EU bank capital rules that caps bankers’ bonuses, in which case the EU Commission, which must decide on MiFIR eligibility, could turn down the application.
An alternative, which is currently used by non-EU firms, and which could also be used by UK firms before the passport regime is extended, would be to take advantage of the national private placement regimes of each country where they want to do business. The national private placement regimes allow non-EEA PE sponsors to market and carry out regulated activities on a country-by-country basis. This is a temporary, short term solution if the need arises.
In respect of transactional matters, as well as the considerations highlighted in the M&A section above, the ability of PE sponsors to conclude UK and EU deals will be dependent on the response of banks and financial institutions both in the United Kingdom and elsewhere to Brexit, and their appetite to lend in the short term.
In general, PE sponsors and management teams should review the terms of their existing financing arrangements and consider short/medium term liquidity options. Although, based on standard Loan Market Association (LMA) provisions, Brexit is unlikely to constitute an event of default under material adverse changes or force majeure clauses, bespoke arrangements and financial covenants should be reviewed carefully. In the case of the latter, the impact of a devaluation of sterling should be considered in the context of exchange rates to be applied for foreign borrowings. This is of particular importance to those companies due to test covenants on 30 June.
The market volatility arising from Brexit will undoubtedly generate a number of contractual disputes. One key area that will be affected is the relevant jurisdiction of disputes. Currently, the jurisdiction of EU Member States is largely governed by Regulation No 1215/2012 of 12 December 2012, which governs all main civil and commercial matters, apart from certain, well-defined matters, including maintenance. It is likely that the United Kingdom will eventually withdraw from these provisions and return to a conventional common law approach, subject to bilateral and multi-state agreements.
This could, however, only occur once the two year negotiation period is completed, or a withdrawal agreement is reached, whichever comes earlier. In the meantime, businesses should revisit any jurisdictional advice they have received on disputes involving EU Member States and the United Kingdom to ensure that this will not be adversely affected by a return of a conventional common law approach and/or bilateral and multi-state agreements.
We have been here before; the trading and downstream world has faced seismic shifts over the last 20 years comparable to working through the implications of Brexit. We can draw upon experience of events such as Enron’s demise and the 2008 financial crash. These events had significant knock-on effects and unintended consequences, from which the industry learnt and emerged.
As far as immediate and forward-looking issues are concerned, careful consideration will have to be given as to whether or not to reopen provisions in ongoing agreements, particularly in the trading and projects space. The circumstances may be remote, but counterparties may need to consider the scope of material adverse change clauses and, potentially, force majeure provisions.
Going forward, careful attention will, as ever, have to be given to clauses anticipating future changes such as identifying the circumstances that will trigger them, the correct test for the relevant change, the mechanism to settle any differences, and the consequences of any failure to agree or fulfil contracts.
From the perspective of investment in the United Kingdom, energy policies and laws are driven by many factors, both national and international. The European Union was one dimension of the United Kingdom’s energy sector, but numerous other drivers remain in place. Security of supply, geology, skills within the workforce, local investment priorities and worldwide climate change considerations will all remain in the policy mix going forward.
It could be argued that the United Kingdom could benefit from potentially greater control over its energy generation mix. While there will be obvious questions raised as to the long term investment profile of projects such as Hinkley Point nuclear power station by companies like EdF, the future for carbon capture and storage and coal fired output may be revisited.
As far as the outlook for renewables is concerned, from an investment perspective, comfort can be taken from the United Kingdom’s long standing support of these technologies, which is enshrined within the original Electricity Act 1989 on privatisation. Many of the non-political drivers also remain in place.
In the commodities world, an already complex and evolving picture has simply become more so. Unravelling the financial services regulatory impact will require additional thought by an industry which has already been facing changes for the last eight years.
Existing EU-based legislation underpins much of the cross-border and domestic activity of banks and financial institutions based in the United Kingdom, including through the EU passporting regime. It also facilitates the activities of non-EU-based banks and financial institutions that access EU markets using the United Kingdom as a base, relying on the equivalence process.
Parties that have transacted under agreements that are governed by English law, or which are subject to the jurisdiction of the English courts, will be considering the immediate and longer term impacts of Brexit, as will parties to agreements entered into by non-UK parties (whether in the European Union or elsewhere) with parties located in the United Kingdom, and vice versa, whether they are banks or financial institutions (or UK branches of the same), borrowers or guarantors.
In the immediate term, in the vast majority of instances there should not be any immediate impact on such agreements. On 24 June 2016 the Loan Market Association (LMA) issued a statement to this effect in relation to LMA based agreements. All applicable contractual and legislative regimes continue for now. Except in transaction- or party-specific scenarios, it is unlikely that default provisions, e.g., material adverse effect clauses, will have been triggered by the Referendum or the subsequent market turmoil. Parties should, however, give some consideration to their position under their relevant existing contracts.
As the Brexit process moves forward and the shape of the post-Brexit regime becomes clearer, additional detailed due diligence will be required. In due course some amendments may be required to existing agreements. Currently these are anticipated to be relatively minor, but this will depend on what Brexit arrangements are agreed (or not agreed). Parties currently negotiating relevant agreements will also need to consider the Brexit process.
A significant proportion of UK employment laws derive from the European Union. Those laws will continue to apply unchanged during the two year period of negotiation. Notably, for corporates doing deals in the United Kingdom, this includes Transfer of Undertakings (Protection of Employment) legislation governing automatic transfers of employees in many corporate transactions.
It seems highly unlikely that there will be any substantial downgrade of UK employment protection for employees. The political consequences of doing so are all too obvious and, in any event, it seems inevitable that any trade agreement negotiated with the European Union would require adherence to the vast majority of EU employment and social protections.
Nevertheless, there may remain some scope in the longer term for the UK Government to gradually modify UK employment laws to make them more palatable to UK businesses and outside investment.
The liability of internationally mobile employees for social security contributions is governed by a European directive that would presumably cease to apply if the United Kingdom leaves the European Union. Unless suitable arrangements are put in place, such individuals could find themselves liable to double contributions.
For many organisations operating in the United Kingdom, the most immediate concern from a human resource perspective is likely to be addressing the negative impact on staff morale caused by the wide-ranging uncertainty Brexit has created. An effective internal communications strategy will be required to address this.
To take the nation’s financial pulse, we must go digital
By Pete Bulley, Director of Product, Aire
The last six months have brought the precarious financial situation of many millions across the world into sharper focus than ever before. But while the figures may be unprecedented, the underlying problem is not a new one – and it requires serious attention as well as action from lenders to solve it.
Research commissioned by Aire in February found that eight out of ten adults in the UK would be unable to cover essential monthly spending should their income drop by 20%. Since then, Covid-19 has increased the number without employment by 730,000 people between July and March, and saw 9.6 million furloughed as part of the job retention scheme.
The figures change daily but here are a few of the most significant: one in six mortgage holders had opted to take a payment holiday by June. Lenders had granted almost a million credit card payment deferrals, provided 686,500 payment holidays on personal loans, and offered 27 million interest-free overdrafts.
The pressure is growing for lenders and with no clear return to normal in sight, we are unfortunately likely to see levels of financial distress increase exponentially as we head into winter. Recent changes to the job retention scheme are signalling the start of the withdrawal of government support.
The challenge for lenders
Lenders have been embracing digital channels for years. However, we see it usually prioritised at acquisition, with customer management neglected in favour of getting new customers through the door. Once inside, even the most established of lenders are likely to fall back on manual processes when it comes to managing existing customers.
It’s different for fintechs. Unburdened by legacy systems, they’ve been able to begin with digital to offer a new generation of consumers better, more intuitive service. Most often this is digitised, mobile and seamless, and it’s spreading across sectors. While established banks and service providers are catching up — offering mobile payments and on-the-go access to accounts — this part of their service is still lagging. Nowhere is this felt harder than in customer management.
Time for a digital solution in customer management
With digital moving higher up the agenda for lenders as a result of the pandemic, many still haven’t got their customer support properly in place to meet demand. Manual outreach, which is heavy on both resources and time, is still relied upon.
Lenders are also grappling with regulation. While many recognise the moral responsibility they have for their customers, they are still blind to the new tools available to help them act effectively and at scale.
In 2015, the FCA released its Fair Treatment of Customers regulations requiring that ‘consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale’.
But when the individual financial situation of customers is changing daily, never has this sentiment been more important (or more difficult) for lenders to adhere to. The problem is simple: the traditional credit scoring methods relied upon by lenders are no longer dynamic enough to spot sudden financial change.
The answer lies in better, and more scalable, personalised support. But to do this, lenders need rich, real-time insight so that they can act effectively, as the regulator demands. It needs to be done at scale and it needs to be done with the consumer experience in mind, with convenience and trust high on the agenda.
Placing the consumer at the heart of the response
To better understand a customer, inviting them into a branch or arranging a phone call may seem the most obvious solution. However, health concerns mean few people want to see their providers face-to-face, and fewer staff are in branches, not to mention the cost and time outlay by lenders this would require.
Call centres are not the answer either. Lack of trained capacity, cost and the perceived intrusiveness of calls are all barriers. We know from our own consumer research at Aire that customers are less likely to engage directly with their lenders on the phone when they feel payment demands will be made of them.
If lenders want reliable, actionable insight that serves both their own needs and those of their customers, they need to look to digital.
Asking the person who knows best – the borrower
So if the opportunity lies in gathering information directly from the consumer, the solution rests with first-party data. The reasons we pioneer this approach at Aire are clear: firstly, it provides a truly holistic view of each customer to the lender, a richer picture that covers areas that traditional credit scoring often misses, including employment status and savings levels. Secondly, it offers consumers the opportunity to engage directly in the process, finally shifting the balance in credit scoring into the hands of the individual.
With the right product behind it, this can be achieved seamlessly and at scale by lenders. Pulse from Aire provides a link delivered by SMS or email to customers, encouraging them to engage with Aire’s Interactive Virtual Interview (IVI). The information gathered from the consumer is then validated by Aire to provide the genuinely holistic view of a consumer that lenders require, delivering insights that include risk of financial difficulty, validated disposable income and a measure of engagement.
No lengthy or intrusive phone calls. No manual outreach or large call centre requirements. And best of all, lenders can get started in just days and they save up to £60 a customer.
Too good to be true?
This still leaves questions. How can you trust data provided directly from consumers? What about AI bias – are the results fair? And can lenders and customers alike trust it?
To look at first-party misbehaviour or ‘gaming’, sophisticated machine-learning algorithms are used to validate responses for accuracy. Essentially, they measure responses against existing contextual data and check their plausibility.
Aire also looks at how the IVI process is completed. By looking at how people complete the interview, not just what they say, we can spot with a high degree of accuracy if people are trying to game the system.
AI bias – the system creating unfair outcomes – is tackled through governance and culture. In working towards our vision of a world where finance is truly free from bias or prejudice, we invest heavily in constructing the best model governance systems we can at Aire to ensure our models are analysed systematically before being put into use.
This process has undergone rigorous improvements to ensure our outputs are compliant with regulatory standards and also align with our own company principles on data and ethics.
That leaves the issue of encouraging consumers to be confident when speaking to financial institutions online. Part of the solution is developing a better customer experience. If the purpose of this digital engagement is to gather more information on a particular borrower, the route the borrower takes should be personal and reactive to the information they submit. The outcome and potential gain should be clear.
The right technology at the right time?
What is clear is that in Covid-19, and the resulting financial shockwaves, lenders face an unprecedented challenge in customer management. In first-party data, harnessed ethically, they may just have an unprecedented solution.
The Future of Software Supply Chain Security: A focus on open source management
By Emile Monette, Director of Value Chain Security at Synopsys
Software Supply Chain Security: change is needed
Attacks on the Software Supply Chain (SSC) have increased exponentially, fueled at least in part by the widespread adoption of open source software, as well as organisations’ insufficient knowledge of their software content and resultant limited ability to conduct robust risk management. As a result, the SSC remains an inviting target for would-be attackers. It has become clear that changes in how we collectively secure our supply chains are required to raise the cost, and lower the impact, of attacks on the SSC.
A report by the Atlantic Council identified “115 instances, going back a decade, of publicly reported attacks on the SSC or disclosure of high-impact vulnerabilities likely to be exploited” in cyber-attacks carried out by compromising some aspect of the SSC. The report highlights a number of alarming trends in the security of the SSC, including a rise in the hijacking of software updates, attacks by state actors, and open source compromises.
This article explores the use of open source software – a primary foundation of almost all modern software – due to its growing prominence, and more importantly, its associated security risks. Poorly managed open source software exposes the user to a number of security risks as it provides affordable vectors to potential attackers allowing them to launch attacks on a variety of entities—including governments, multinational corporations, and even the small to medium-sized companies that comprise the global technology supply chain, individual consumers, and every other user of technology.
The risks of open source software for supply chain security
The 2020 Open Source Security and Risk Analysis (OSSRA) report states that “If your organisation builds or simply uses software, you can assume that software will contain open source. Whether you are a member of an IT, development, operations, or security team, if you don’t have policies in place for identifying and patching known issues with the open source components you’re using, you’re not doing your job.”
Open source code now creates the basic infrastructure of most commercial software which supports enterprise systems and networks, thus providing the foundation of almost every software application used across all industries worldwide. Therefore, the need to identify, track and manage open source code components and libraries has risen tremendously.
License identification, patching vulnerabilities and introducing policies addressing outdated open source packages are now all crucial for responsible open source use. However, the use of open source software itself is not the issue. Because many software engineers ‘reuse’ code components when they are creating software (this is in fact a widely acknowledged best practice for software engineering), the risk of those components becoming out of date has grown. It is the use of unpatched and otherwise poorly managed open source software that is really putting organizations at risk.
The 2020 OSSRA report also reveals a variety of worrying statistics regarding SSC security. For example, according to the report, it takes organisations an unacceptably long time to mitigate known vulnerabilities, with 2020 being the first year that the Heartbleed vulnerability was not found in any commercial software analyzed for the OSSRA report. This is six years after the first public disclosure of Heartbleed – plenty of time for even the least sophisticated attackers to take advantage of the known and publicly reported vulnerability.
The report also found that 91% of the investigated codebases contained components that were over four years out of date or had no developments made in the last two years, putting these components at a higher risk of vulnerabilities. Additionally, vulnerabilities found in the audited codebases had an average age of almost 4 ½ years, with 19% of vulnerabilities being over 10 years old, and the oldest vulnerability being a whopping 22 years old. Therefore, it is clear that open source users are not adequately defending themselves against open source enabled cyberattacks. This is especially concerning as 99% of the codebases analyzed in the OSSRA report contained open source software, with 75% of these containing at least one vulnerability, and 49% containing high-risk vulnerabilities.
Mitigating open source security risks
In order to mitigate security risks when using open source components, you must know what software you’re using, which vulnerabilities it carries, and which exploits target them. One way to do this is to obtain a comprehensive bill of materials from your suppliers (also known as a “build list” or a “software bill of materials” or “SBOM”). Ideally, the SBOM should contain all the open source components, as well as the versions used, the download locations for all projects and dependencies, the libraries which the code calls to, and the libraries that those dependencies link to.
Creating and communicating policies
Modern applications contain an abundance of open source components with possible security, code quality and licensing issues. Over time, even the best of these open source components will age (and newly discovered vulnerabilities will be identified in the codebase), which will result in them at best losing intended functionality, and at worst exposing the user to cyber exploitation.
Organizations should ensure their policies address updating, licensing, vulnerability management and other risks that the use of open source can create. Clear policies outlining the introduction and documentation of new open source components can improve control over what enters the codebase and ensure that it complies with those policies.
Prioritizing open source security efforts
Organisations should prioritise open source vulnerability mitigation efforts in relation to CVSS (Common Vulnerability Scoring System) scores and CWE (Common Weakness Enumeration) information, along with information about the availability of exploits, paying careful attention to the full life cycle of the open source component, instead of only focusing on what happens on “day zero.” Patch priorities should also be in line with the business importance of the asset patched, the risk of exploitation and the criticality of the asset. Similarly, organizations should consider using sources outside of the CVSS and CWE information, many of which provide early notification of vulnerabilities, and in particular choose one that delivers technical details, upgrade and patch guidance, as well as security insights. Lastly, it is important for organisations to monitor for new threats for the entire time their applications remain in service.
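To make the SBOM contents described above and the prioritisation rule in this section concrete, here is an added example (not Synopsys’ or the OSSRA report’s code) that triages a minimal SBOM against a vulnerability feed, ranking findings by CVSS score, public exploit availability, asset criticality and component age. The SBOM, vulnerability IDs, asset tiers and weights are all constructed placeholders.

```python
"""Added example: SBOM-driven patch triage. All data below is constructed."""
from datetime import date

# Constructed SBOM with the fields the article asks for: component, pinned
# version, download location, and the libraries the component links to.
SBOM = [
    {"name": "libexample-tls", "version": "1.0.1", "source": "https://example.invalid/tls",
     "deps": ["libexample-crypto"], "released": date(2014, 3, 1)},
    {"name": "libexample-crypto", "version": "2.4.0", "source": "https://example.invalid/crypto",
     "deps": [], "released": date(2020, 1, 15)},
    {"name": "example-json", "version": "0.9", "source": "https://example.invalid/json",
     "deps": [], "released": date(2015, 6, 30)},
]
# Constructed vulnerability feed keyed by (name, version); IDs are placeholders.
VULN_FEED = {
    ("libexample-tls", "1.0.1"): [
        {"id": "VULN-PLACEHOLDER-1", "cvss": 7.5, "cwe": "CWE-119", "exploit_public": True}],
    ("example-json", "0.9"): [
        {"id": "VULN-PLACEHOLDER-2", "cvss": 5.3, "cwe": "CWE-20", "exploit_public": False}],
}
# Constructed business criticality (1 = low, 3 = high) of the asset each ships in.
ASSET_TIER = {"libexample-tls": 3, "libexample-crypto": 3, "example-json": 1}
STALE_AFTER_DAYS = 4 * 365  # OSSRA's "over four years out of date" threshold

def score(comp, vuln, today):
    """Patch priority: CVSS weighted by asset tier, doubled when a public
    exploit exists, plus a bump for components over four years old."""
    s = vuln["cvss"] * ASSET_TIER.get(comp["name"], 1)
    if vuln["exploit_public"]:
        s *= 2
    if (today - comp["released"]).days > STALE_AFTER_DAYS:
        s += 2.0
    return round(s, 1)

def triage(sbom, feed, today=date(2020, 7, 1)):
    """Return (priority, component, version, vuln_id) tuples, highest first."""
    findings = []
    for comp in sbom:
        for v in feed.get((comp["name"], comp["version"]), []):
            findings.append((score(comp, v, today), comp["name"], comp["version"], v["id"]))
    return sorted(findings, reverse=True)

def stale_components(sbom, today=date(2020, 7, 1)):
    """Components past the four-year threshold even with no known CVE yet."""
    return [c["name"] for c in sbom if (today - c["released"]).days > STALE_AFTER_DAYS]
```

The stale list matters because the article's point is lifecycle monitoring: an old component with no known CVE today is still the most likely place for tomorrow's.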
On the Frontlines of Fraud: Tactics for Merchants to Protect Their Businesses
By Nicole Jass, Senior Vice President of Small Business and Fraud Products at FIS
Fraud isn’t new, but the new realities brought by COVID-19 for merchants, and the rising tide of attacks have changed the way we need to approach the fight. Even before the pandemic broke out earlier this year, the transition to digital payments was well underway, which means fighting fraud needs a multilayered, multi-channel approach. Not only do you want to increase approval rates, you want to protect your revenue and stop fraud before it happens.
A great place to start is working with your payment partners to refresh your company’s fraud strategies with the three emerging top best practices:
- AI-based machine learning fraud solutions help your business stay ahead of fraud trends. Leveraging data profiles to model both “good” and “bad” behavior helps find and reduce fraud. AI-based machine learning will be increasingly essential to stay ahead of explosive and sophisticated eCommerce fraud.
- Increasing capabilities around device fingerprinting and behavioral data are essential to detect fraud before it happens. While many of the user-input values can be easily manipulated to look more authentic, device fingerprinting and behavioral data are captured in the background to derive unique details from the user’s device and behavior. Bringing more unique elements into decisioning can help authenticate the users and determine the validity of the transactions.
- Prioritize user authentication. User authentication is a vital linchpin in any fraud defense and should receive even greater priority today. Setting strong password requirements and implementing multi-factor authentication helps curb fraud attacks from account takeover.
As well as working with your payment partners it’s more critical than ever to protect online transactions while not jeopardizing legitimate purchases. Fortunately, there are a few things you can do right now to address these concerns:
- Monitor warning signs
Payment verification is an important part of protecting your business. There are a variety of strategies to employ including implementing technology utilizing artificial intelligence and machine learning to help catch certain patterns. In addition to technology, here are a few other tips that may serve as warning signs. These are not a guarantee fraud is occurring, but they are flags to investigate.
o The shipping address and billing address differ
o Multiple orders of the same item
o Unusually large orders
o Multiple orders to the same address with different cards
o Unexpected international orders
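The five warning signs above, applied as review flags to a constructed batch of orders, as an added example (not FIS’s or Worldpay’s code). The home country, the “large order” and “multiple of the same item” thresholds are assumptions; a flag means “investigate”, not “fraud”.

```python
"""Added example: rule-based order review flags. All orders are constructed."""
from collections import defaultdict

HOME_COUNTRY = "GB"        # assumed merchant home market
LARGE_ORDER_GBP = 1000.0   # assumed "unusually large" threshold
REPEAT_ITEM_QTY = 5        # assumed "multiple orders of the same item" threshold

# Constructed order batch; addresses, cards and amounts are invented.
ORDERS = [
    {"id": "A1", "ship": "1 High St, Leeds", "bill": "1 High St, Leeds", "country": "GB",
     "card": "card-1", "items": {"sku-tv": 1}, "total": 450.0},
    {"id": "A2", "ship": "9 Mill Rd, Bath", "bill": "4 Oak Ave, Hull", "country": "GB",
     "card": "card-2", "items": {"sku-phone": 6}, "total": 3600.0},
    {"id": "A3", "ship": "9 Mill Rd, Bath", "bill": "9 Mill Rd, Bath", "country": "GB",
     "card": "card-3", "items": {"sku-phone": 1}, "total": 600.0},
    {"id": "A4", "ship": "22 Rue X, Lyon", "bill": "22 Rue X, Lyon", "country": "FR",
     "card": "card-4", "items": {"sku-tv": 1}, "total": 450.0},
]

def flag_orders(orders):
    """Return {order_id: [flags]} for every order matching at least one sign."""
    # Pre-pass: which distinct cards have shipped to each address in the batch.
    cards_per_address = defaultdict(set)
    for o in orders:
        cards_per_address[o["ship"]].add(o["card"])
    flagged = {}
    for o in orders:
        flags = []
        if o["ship"] != o["bill"]:
            flags.append("address_mismatch")          # shipping and billing differ
        if any(q >= REPEAT_ITEM_QTY for q in o["items"].values()):
            flags.append("repeat_item")               # multiples of the same item
        if o["total"] >= LARGE_ORDER_GBP:
            flags.append("large_order")               # unusually large order
        if len(cards_per_address[o["ship"]]) > 1:
            flags.append("multi_card_address")        # same address, different cards
        if o["country"] != HOME_COUNTRY:
            flags.append("international")             # unexpected international order
        if flags:
            flagged[o["id"]] = flags
    return flagged
```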
- Require identity verification
Finding a balance between protection and ease of purchase will ultimately help you protect your customers and your business. The following tactics can make it more difficult for fraudsters to be successful:
o For customers that have a login, require a minimum of eight characters as well as the use of special characters in your customers’ passwords
o Set up Two-Factor Authentication that requires a One-time Passcode (OTP) via SMS or email
o Use biometric authentication for mobile purchases or logins
- Monitor chargebacks
Keeping good records is essential for eCommerce. If a customer initiates a dispute, your only available recourse is to provide proof that the order was fulfilled. Be prepared to provide all the supporting information about a disputed transaction. Worldpay’s Disputes solutions can connect to your CRM and provide you dual-layer protection against friendly fraud, first deflecting them before they arise and then fully managing chargeback defenses on your behalf.
- Monitor declines
Credit card issuers mitigate fraud by automatically declining payments that look suspicious, based on unusual card activity such as drastic changes in spending patterns or uncommon geolocations of spending. You can check your own declined payment history to help spot a potential problem. When volumes increase, the help of a payments fraud management partner is beneficial.
- Protect your own wallet
While you take the steps to protect your business, it’s also important to be mindful of your own protection—it’s incumbent on all responsible consumers to be vigilant about their data. Through simple awareness of how fraudsters are operating today, sticking to trusted brands when shopping online, and thinking twice about what data you share and who you share it with, you’ll soon see how often you are sharing personal information about yourself.