
With APIs at the Heart of Insurance, Why Their End-to-End Security is Vital




By Olaf van Gorp, Perforce Software

The explosion of application programming interfaces (APIs) to enable digital transformation and open finance continues to escalate. APIs are the connectors, the ‘glue’ that connects services of all kinds. They are a fundamental part of the digital revolution that is changing the world right now. Many financial sectors can benefit from this revolution, including insurance.

In its excellent document: “Digital disruption in insurance: cutting through the noise”, McKinsey talks about the triple prize for the insurance industry: satisfied customers, lower costs, higher growth, and how automation can reduce the cost of a claims journey by as much as 30 percent. Those are pretty powerful messages.

APIs are one of the foundations of digitalization. In the insurance sector, that means ecosystems connected by APIs so that insurers and third parties can share data such as customer claim information (with the consent of the customer, of course). Previously time-consuming steps can be simplified and sped up, with the customer accepting changes to a policy digitally following an accident, for instance. Welcome to the new era of open insurance.

Introducing Risk

The insurance sector also has the opportunity to learn what other markets have, sometimes to their cost: API security is everything. APIs have huge potential, but they also bring in risk. One of the reasons that companies use APIs is because they provide a controlled route through which critical data can be shared, including with third parties. However, that makes the assumption that the API is robust and not vulnerable to attack. If that API is published, and then discovered to have a problem — a weakness that can be exploited — there is little or no time to take remedial action, thereby leaving that API open to attack, unauthorized access to data, or data shared externally without permission. Suddenly, that controlled route is compromised.

While that may sound like scaremongering, here is some perspective. Once a new website is published, it is likely to be attacked within hours. That is the nature of today’s highly sophisticated cyber-attack community. The result of vulnerable APIs? Insurance companies risk putting their data into the public domain. As we have seen across other industries, vulnerable APIs can lead to some high-profile data breaches and cyberattacks.

So, protecting both internal and external APIs has to be a priority, and not something that is dealt with as an afterthought down the line. If APIs are the means to ensure a seamless experience across all channels, pulling together all touchpoints to secure data transfer between all parties in the ecosystem, then they need to be trusted. And that means end-to-end security of APIs across their entire lifecycle, starting with their creation.

Software Development Can Be a Source of Risk

An API is just another piece of software. It is a very clever and useful piece of software, but it is basically still software code. In the software industry, it has long been acknowledged that development of software is the top culprit for introducing future software vulnerabilities. That is changing — partly with a shift towards DevOps to create better collaboration across teams — but it is an ingrained mindset with many software developers that sorting out security is not their problem. That has traditionally been exacerbated by the fact that software developers tend to work in a very individual way, siloed from the rest of the organization. Again, movements like DevOps are changing that, but there are still some other hurdles to overcome.

First, the nature of APIs means that the whole project team is probably going to be focused on creating great performance and functionality, possibly also a great user experience too. Security is often not top-of-mind for anyone.

Anyone Can Be an API Author

Second, the simplicity of APIs means that their creation is within the reach of anyone, so a reduced level of expertise is needed, and in many cases, those individuals may work at external consultancies or design agencies. That is great in terms of increasing the range of people who can write APIs, but again, the risk landscape is increased. Even if the in-house team have had the security message drummed into them, it is harder to control the experience of external teams, who may also have less experience in software development. Furthermore, everyone is probably under pressure to deliver that API fast.

API Drivers in Insurance and Other Finance Markets

In banking, open banking standards have been a driver towards better API management and security, and for good reason: the volume of APIs is growing fast, and the more vulnerable APIs there are, the greater the number of ingress points for attack. This is why in Europe, the PSD2 mandates security measures that should be implemented at the API level (and by the way, some of those measures are pretty complex).

In the insurance sector, an increasing maturity around API management and security is being propelled by, for instance in the USA, the NAIC Registry, which allows automated filing of standard reporting documentation required of insurance providers for compliance with state regulations.

The Right Culture

Given that API security is both a priority and a challenge, how can it be improved? The first step is getting everyone involved to understand why API security is important in the first place, why that needs to start with the development stage, and their roles in mitigating any risks. This needs to apply to external contributors as much as to internal ones. Think about investing in training developers on API security.

Think Wider Than Mandatory Measures

Open finance standards have some great guidance on better API security, and it is often mandated. However, these may have a very specific scope, so consider looking at the wider picture, and look at other security measures that can be applied. A handy reference is the OWASP API Security Top 10, which covers the ten most common API vulnerabilities and ways to mitigate them.

Get the Processes Right

Processes that support a more secure API development environment should be comprehensive across all deployment policies, approval workflows, users and groups. In addition, they should encompass: authentication, authorization, malicious pattern detection, message content security, rate limiting, and other security policies. Nominate people who must review an API before it is published, with time-stamped approval. That review is typically carried out manually, but combined with automation through the Continuous Integration/Continuous Delivery (CI/CD) pipeline of the software development process. Ensure that there is a clear audit trail, so that if something does go wrong, then the original cause can be traced and action taken so that the problem is not repeated in the future.


Given the kind of scale that is usually involved, consistency and repeatability are important, so security policies need to be applied and enforced automatically across all current and future APIs, without needing any extra coding. Additional manual intervention should be avoided, and people should not be able to switch off these policies at will. Introducing an API gateway with in-built security features will help with that. That should include policing of contributions from external contributors, but make sure to choose a gateway that can support the different types of API (REST, SOAP, etc.), and that automation can take place at scale, particularly since the growth of APIs and the traffic that goes through them will only increase.
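The publishing process described in this section, sketched as a CI gate that fails closed. This is an added example, not code from the article or from any gateway product; the descriptor layout, policy key names, reviewer address and the digest field that ties an approval to one exact revision are assumptions made for illustration.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Policies the article says every API must carry. The key names and the
# descriptor layout are assumptions of this example, not a gateway's format.
REQUIRED_POLICIES = (
    "authentication", "authorization", "malicious_pattern_detection",
    "message_content_security", "rate_limiting",
)

def content_digest(descriptor):
    """SHA-256 over everything except the approval, so a sign-off covers one exact revision."""
    body = {k: v for k, v in descriptor.items() if k != "approval"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def check_api(descriptor, nominated_reviewers, now):
    """Return findings; an empty list means the API may be published."""
    findings = []
    policies = descriptor.get("policies") or {}
    for name in REQUIRED_POLICIES:
        policy = policies.get(name)
        # Fail closed: a missing policy and a switched-off policy are the same finding.
        if not isinstance(policy, dict) or policy.get("enabled") is not True:
            findings.append(f"policy {name} missing or disabled")
    approval = descriptor.get("approval") or {}
    if approval.get("reviewer") not in nominated_reviewers:
        findings.append("not approved by a nominated reviewer")
    if approval.get("digest") != content_digest(descriptor):
        findings.append("approval does not cover this revision")
    try:
        approved_at = datetime.fromisoformat(approval.get("approved_at"))
    except (TypeError, ValueError):
        approved_at = None
    if approved_at is None or approved_at.tzinfo is None or approved_at > now:
        findings.append("approval time stamp missing or invalid")
    return findings

def gate(descriptor, nominated_reviewers, now=None):
    """Decide publish/block and return the audit record a pipeline would append to its log."""
    now = now or datetime.now(timezone.utc)
    findings = check_api(descriptor, nominated_reviewers, now)
    return {
        "api": descriptor.get("name"),
        "digest": content_digest(descriptor),
        "checked_at": now.isoformat(),
        "decision": "block" if findings else "publish",
        "findings": findings,
    }

# Constructed sample data: a claims API approved by a nominated reviewer.
REVIEWERS = {"security.architect@example.com"}
APPROVED = {
    "name": "claims-status",
    "policies": {name: {"enabled": True} for name in REQUIRED_POLICIES},
}
APPROVED["approval"] = {
    "reviewer": "security.architect@example.com",
    "approved_at": "2021-01-20T10:15:00+00:00",
    "digest": content_digest(APPROVED),
}
# The same API after someone switches rate limiting off post-approval.
TAMPERED = copy.deepcopy(APPROVED)
TAMPERED["policies"]["rate_limiting"]["enabled"] = False

if __name__ == "__main__":
    for api in (APPROVED, TAMPERED):
        print(json.dumps(gate(api, REVIEWERS), indent=2))
```

Because the digest excludes only the approval itself, any change to the policies after sign-off invalidates the approval as well as tripping the policy check, and both findings land in the audit record.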

Don’t Let API Security Get in the Way

API security should not fall to developers to sort out, because they are busy people who do not need another task. Instead, this should fall to API product managers, security architects, and other individuals more focused on the need for security. Even so, humans should be making the decision, with automated workflows doing the work. Use tools that continually inspect code to detect issues early on and delegate tasks wherever possible to an API management tool for consistent and simplified enforcement of security policies. The more manual intervention can be reduced, across every stage of the API’s lifecycle from creation to deployment, the greater the likelihood that robust APIs will go into production.

Insurance is at a pivotal stage in its adoption of digital technologies, and APIs are a critical part of that journey. Getting the right steps in place now will help insurance companies make the most of the changing landscape, be more efficient, compliant, and competitive, while maintaining (even enhancing!) customer satisfaction. Making sure that APIs are secure right from their early inception through to publishing is an integral part of making all that happen.


U.S. inauguration turns poet Amanda Gorman into best seller




WASHINGTON (Thomson Reuters Foundation) – The president’s poet woke up a superstar on Thursday, after a powerful reading at the U.S. inauguration catapulted 22-year-old Amanda Gorman to the top of Amazon’s best-seller list.

Hours after Gorman’s electric performance at the swearing-in of President Joe Biden and Vice President Kamala Harris, her two books – neither out yet – topped Amazon’s sales list.

“I AM ON THE FLOOR MY BOOKS ARE #1 & #2 ON AMAZON AFTER 1 DAY!” Gorman, a Los Angeles resident, wrote on Twitter.

Gorman’s debut poetry collection ‘The Hill We Climb’ won top spot in the online retail giant’s sale charts, closely followed by her upcoming ‘Change Sings: A Children’s Anthem’.

While poetry’s popularity is on the up, it remains a niche market and the overnight adulation clearly caught Gorman short.

“Thank you so much to everyone for supporting me and my words. As Yeats put it: ‘For words alone are certain good: Sing, then’.”

Gorman, the youngest poet in U.S. history to mark the transition of presidential power, offered a hopeful vision for a deeply divided country in Wednesday’s rendition.

“Being American is more than a pride we inherit. It’s the past we step into and how we repair it,” Gorman said on the steps of the U.S. Capitol two weeks after a mob laid siege and following a year of global protests for racial justice.

“We will not march back to what was. We move to what shall be, a country that is bruised, but whole. Benevolent, but bold. Fierce and free.”

The performance stirred instant acclaim, with praise from across the country and political spectrum, from the Republican-backing Lincoln Project to former President Barack Obama.

“Wasn’t @TheAmandaGorman’s poem just stunning? She’s promised to run for president in 2036 and I for one can’t wait,” tweeted former presidential candidate Hillary Clinton.

A graduate of Harvard University, Gorman says she overcame a speech impediment in her youth and became the first U.S. National Youth Poet Laureate in 2017.

She has now joined the ranks of august inaugural poets such as Robert Frost and Maya Angelou.

Her social media reach boomed, with her tens of thousands of followers ballooning into a Twitter fan base of a million-plus.

“I have never been prouder to see another young woman rise! Brava Brava, @TheAmandaGorman! Maya Angelou is cheering—and so am I,” tweeted TV host Oprah Winfrey.

Gorman’s books are both due out in September.

Third on Amazon’s best selling list was another picture book linked to politics and projecting hope: ‘Ambitious Girl’ by Vice-President Kamala Harris’ niece, Meena Harris.

(Reporting by Umberto Bacchi @UmbertoBacchi, Editing by Lyndsay Griffiths. Please credit the Thomson Reuters Foundation, the charitable arm of Thomson Reuters, that covers the lives of people around the world who struggle to live freely or fairly. Visit


Why brands harnessing the power of digital are winning in this evolving business landscape




By Justin Pike, Founder and Chairman, MYPINPAD

Delivery of intuitive, secure, personalised, and frictionless user experiences has long been table stakes in digital commerce, well before the era of COVID-19. As businesses harness the revolutionary power of digital technologies, they have pursued large-scale change to adapt to evolving consumer preferences (some more successfully than others, but that’s a blog for another day). Digital transformation is a term we hear repeatedly, and it looks different for each organisation, but essentially, it’s about utilising technology and data to digitise, automate, innovate and improve processes and the customer experience across the entire business.

As I said, this was already well underway, but then came 2020 and no industry escaped the disruption of the coronavirus outbreak, which has had an indelible impact on business performance, operations, and revenue. Regardless of whether the impact of COVID has been very positive or very challenging, it has forced organisations globally to re-evaluate and re-orient strategies to adapt.

As lockdowns and pandemic-related restrictions continue to change daily life, this raises the question of how we can balance a dramatic shift to digital and the benefits it brings, while ensuring business continuity and innovation both during and post-COVID, and protecting everyone against fraud?

Digital is an essential survival tool, and even more so in a COVID world

No one could have predicted the dramatic digital pivot that has taken place over this year. Indeed, within weeks of the COVID outbreak cash usage in the UK dropped by around 50%. Digital solutions including delivery applications, contactless payments, mobile commerce, online and mobile banking have become essential components of a touchless customer experience in the era of social distancing. It’s no longer just about an enhanced and superior customer experience, it’s also about health, safety and survival.

In store, businesses have benefited from contactless payments enabling faster throughput and reduced need for consumers to touch payment terminals (therefore requiring greater cleaning, which degrades the hardware much faster). Mastercard reported a 40% increase in contactless payments – including tap-to-pay and mobile pay – during the first quarter of the year as the global pandemic worsened. Digital has also become an essential sales channel for many B2C brands. Where brick and mortar stores have been required to close, digital commerce enables continuity of customer relationships and revenue. This channel also provides brands with rich customer data, which can be used to enhance and personalise the customer experience and typically results in greater levels of engagement and uplifts in revenue.

Industry forecasts estimate that worldwide spending on the technologies and services enabling digital transformation will reach GBP 1.8 trillion in 2023 – a clear indication that the process represents a long-term investment and a global commitment to digital-first strategy. The key point here is that digital brings significant benefits, and regardless of COVID, is here to stay.

The challenges that rapid digital transformation brings to businesses


Regardless of whether businesses are operating in developed or less-developed economies, these times of crisis have levelled the playing field in the sense that all businesses are facing similar issues. Access to products and supplies, maintaining customer relationships, accelerating sales for some and declining sales for others, health and hygiene are just a few of the unique challenges brought about by COVID.

Many businesses in physical environments have had to swiftly implement changes to significantly reduce safety risks for staff and customers, such as contactless payments, mobile ordering and delivery options. But with these changes come a host of other benefits of digitisation, such as faster transactions, and reduced human error at the point-of-sale.

The reliance on technology, however, can also expose organisations and consumers to certain vulnerabilities. In particular, the risks of fraud and cybercrime have dramatically increased since the onset of the pandemic as scammers have taken advantage of digital technologies to target both businesses and individuals.

As a McKinsey report illustrates, new levels of sophistication in the activities of fraudsters have placed more pressure on companies that have been previously slow to go digital, bringing “into sharp relief how vulnerable companies really are”, and damaging the financial health of small and large businesses. In fact, the Bottomline 2020 Business Payments Barometer reveals that only one in 10 small businesses across the UK report recovering more than 50% of losses due to fraud.

But take these stats with a grain of salt. While it is important to be aware of the risks and challenges this new business landscape brings, it’s equally as important to have a lens firmly across your own business, industry and audience, and to identify the changes you can make internally to mitigate risk as well as improve your customer experience. Where can you make some quick wins? Do you have the right skillsets internally to achieve what you need to achieve? What technology is out there that will enable your business goals? There are tech companies like MYPINPAD that are making huge strides in software development, which will transform businesses globally.

A digital world post-COVID

Almost a year in, the line between business success and failure remains fragile. However, an ongoing transition towards greater digitisation will be the difference between survival and the alternative.

There is a wide range of initiatives businesses can implement to weather this storm. If we look at the space MYPINPAD operates within, secure digital consumer authentication is crucial to the ongoing success and security of not only financial products but also identification and verification across a range of different industry verticals. Shifting the authentication of consumers securely onto mobile devices enables businesses to completely reshape their customer experiences. By bringing together a more seamless, frictionless customer experience, accessibility, privacy, security and access to consumer data, businesses are able to drive digital transformation across day-to-day activities.

Against this backdrop, software with stronger security standards continues to play an ever more vital role in supporting society, protecting consumers and businesses from the increase in risks that rapid digitisation brings. Already, merchants can deploy PIN on Mobile technology from companies like MYPINPAD onto their smart devices to speed up the digitisation process many are now tackling.

Essentially, opening up universal payments and authentication methods that feel familiar, for both online and face-to-face transactions, will be key to opening up a world of possibilities when it comes to redefining how businesses engage with consumers.


Brexit responsible for food supply problems in Northern Ireland, Ireland says




LONDON (Reuters) – Food supply problems in Northern Ireland are due to Brexit because there are now a certain amount of checks on goods going between Britain and Northern Ireland, Irish Foreign Minister Simon Coveney said.

British ministers have sought to play down the disruption of Brexit in recent days.

“The supermarket shelves were full before Christmas and there are some issues now in terms of supply chains and so that’s clearly a Brexit issue,” Coveney told ITV.

The Northern Irish protocol means there are “a certain amount of checks on goods coming from GB into Northern Ireland and that involves some disruption,” he said.

(Reporting by Guy Faulconbridge; Editing by Tom Hogue)
