Spy on Spy: Hacking into the Darknet

In the murky underground forums of the darknet, thousands of hackers trade secrets, discuss new forms of malware, and boast about recent attacks. Back when those logging in to the forums were primarily a bunch of computer geeks, it probably had the feel of a harmless secret society. Then came the bad guys.

Criminal enterprises, terrorist organizations, and nation-states with malicious aims changed the nature of these underground forums, turning the “Gotcha!” game of hacking into a serious enterprise with devastating consequences. Listening in on what is now known as the darknet’s hacker chatter is now life-or-death stuff for governments and businesses.

The problem is getting an invite. Not just anyone can log on to the darknet—an encrypted network built on top of the existing internet—and participate in hacker forums like a typical webinar. Only vetted hackers can apply to learn the latest about hacking tactics, techniques and procedures (TTPs), as well as emerging and growing threats. Yet there are white hat hackers—the good guys—who have been able to find their way into these forums.

Among these white hat hackers are cyber security experts Shawn Cozzolino and Alex Heid. Each is a cyber spy with a made-up persona that opens doors across the darknet.

Cozzolino is the surveillance and human intelligence team lead in the Counter Threat Unit™ (CTU) team of Secureworks, which protects customer networks and information assets from cybercrime. Heid is the Chief Security Officer at SecurityScorecard, a company that provides cyber security ratings.

Both spies have colorful backgrounds. Cozzolino’s resume, for instance, includes a stint as a counter-terrorism expert at U.S. Homeland Security and another assisting intelligence collection at the U.S. Special Operations Command in Tampa.

“Our team here at Secureworks is all former military and intelligence professionals,” Cozzolino said. “We’ve created personas that we’ve built up over many years to gain a reputation as legitimate black hat hackers in the underground community. This way, we can engage in discussions with threat actors in forums in Russia, Europe, and the Middle East. Over time, we build up a rapport.”

Learning the Ropes

Like Cozzolino, Heid took years to create his darknet façade. “Any time I had access to a computer in my software coding class as a high school kid in the 1990s, I hacked it to leverage information to help me do better in class,” he said. “I had no intention of doing anything malicious. Back then hacker culture wasn’t about theft or destruction. That came later on when criminal groups began using hacking methodologies to steal data and shut down networks.”

Heid attended Barbara Goleman High, a Miami Lakes, Florida-based technology-focused school that had one of the few high-speed broadband lines connected to the internet at that time. “Every other school in the area had dialup,” he recalled. “Given my tinkering, my teacher eventually made me the unofficial systems administrator in the lab. I guess you could say I’ve always been a white hat hacker.”

In 2008, Heid and a friend, James Ball, created HackMiami as a physical hacker space. Ball had become famous in hacking circles for infiltrating an online Al Qaeda forum, and Heid, who had become proficient at analyzing banking botnets while working in the financial sector, had earned significant cred for hacking the stealthy Zeus botnet in Russia.

Today, HackMiami is the premier annual conference bringing together hundreds of the sharpest minds in the digital underground and information security industry, an eclectic mix of white hat hackers, black hat hackers, spammers, law enforcement, military and threat intelligence analysts, and the security recruiting firms that want to hire them.

Both Heid and Cozzolino describe the work they do as intelligence gathering. “It’s like ‘catfishing’ on a dating app, where a person creates a fake profile using a photo of someone else who is a lot better looking,” said Cozzolino, with a laugh. “You start slowly, laying your bait by pretending you’re just another threat actor. In earning credibility with the cybercriminals, patience is key. Gradually you gain the trust of the real threat actors.”

When asked how he gets the ball rolling, Cozzolino hesitated. “All I can say is that there are a variety of trade-craft methods we use to build a reputation, which I can’t disclose,” he explained. “The best way to describe what we do is like being an undercover detective. You’re in the field acting like a low-level drug dealer, talking with real drug dealers with the ultimate goal of finding the kingpin.”

Heid also won’t divulge specifics of his persona-building approach, other than commenting that it took years to cement his credibility. He started out in the early 1990s by attending text-based hacker forums in internet relay chat (IRC) rooms, and then graduated to underground web forums on the darknet.

“I’m now circling around spaces like jabbers, which are encrypted chat rooms on the darknet,” he said. “They’re tougher to penetrate, requiring a bigger effort to hide one’s true identity.”

Wearing the Mask

Like traditional forums on the internet, each darknet forum typically has an administrator, a moderator, longstanding verified attendees, and newer unverified people signing up for a visit. Some forums have high levels of security and restrict attendance to only active members of that group. Others are a bit more relaxed, willing to allow participants with a referral from someone they trust.

And most forums have an attendance limit, just like in the real world. “Sometimes you try to register, but you’re too late,” Heid said.

Once registered in a forum, a newcomer finds the other participants are an odd lot, ranging from people cruising the scene for fun to criminal groups to hacktivists like Anonymous who are there for political and financial reasons. “Depending on the culture of the group you’re dealing with, you can sometimes be completely transparent and let them know you’re a researcher or a journalist looking to learn about emerging threats,” Heid said. “They may let you in, or they may kick you out.”

Threat actors in different countries host forums through different platforms. “In the Middle East, hackers use a messaging tool called Telegram, whereas in China they use something called QQ,” Cozzolino explained. “Very few people use IRC anymore. We have been able to routinely access hundreds of forums, burnishing our personas as we go along.”

In creating and enriching his persona, Heid said building trust is a critical process. “It all boils down to social engineering; at the end of the day you’re dealing with people,” he said. “The more forums you attend, the greater your trustworthiness. There’s a running joke among white hat hackers that for every chat room with 100 people, only ten are real hackers and the rest are spectators.”

The cyber criminals are well aware such spies exist. Hackers even have a phrase describing an online identity used for the purpose of deception—a “sock-puppet.” “They know we exist, but they don’t know who we are,” Heid said.

Hackers also expect to be hacked by fellow hackers. In fact, it’s a bit of a sport. “Rival hackers are at each other’s throats,” Heid added. “There are long-standing rivalries between certain hackers who hack each other’s websites and release data from each other’s databases. There’s no honor among thieves. This makes threat actors paranoid and wily—all the more reason to gradually build your credibility.”

Taking Stock of the Spoils

According to Cozzolino, his team’s cyber spying has paid off for Secureworks’ clients. “We’ve picked up vital intelligence about new variants of malware and ransomware early on, and found exploits well before they were published,” he said. “Last year, for instance, we discovered three exploits before they were disclosed publicly.” (An exploit is the use of software, data, or commands to take advantage of a weakness in a computer system to carry out some form of malicious intent, such as a denial-of-service attack.)

But just like a fake lead in a physical criminal investigation, cyber spies must be careful to ascertain the validity of intelligence culled from a darknet forum. “There’s a fair amount of counterintelligence going on, with the actual threat actors leaking false information to muddy the waters,” Heid said.

Cozzolino agreed. “Some threat actors have horrible reputations for leading people astray,” he explained. “Each time we find something, we label it with high confidence, medium confidence, or low confidence.”

So, has he ever blown his cover? “We take very good precautions so there is no way the threat actors can link us back to anything real,” he said. “Everything we do is on a separate system with multiple layers of security.”

Cyber risk professionals say the white hats are making a big difference in the war on cybercrime. “They’re providing a valuable resource by being preemptive, spying on potential threats before they become full-blown disasters,” said Vance Brown, CEO of the National Cybersecurity Center, a cybersecurity think tank that provides cyber risk management training to business executives. “The intelligence they provide is an extremely important piece of the overall puzzle.”

As more light is shed on hackers’ brewing inventions and attack strategies, everyone benefits, Cozzolino said. “To guide better decisions on cyber preparedness and response, you need to collect, analyze and authenticate each piece of threat data,” he explained. “The intelligence we’ve vetted and provide to our business clients helps them better manage their cyber risks. That’s of value to them, the economy, and all of us.”

Russ Banham is a Pulitzer-nominated financial journalist and author who writes frequently about the intersection of business and technology.

Think About It: Converting Brain Waves to Operate a Prosthetic Device

Following an electrical accident as a teenager, Les Baugh lost both arms to amputation. When he heard about a revolutionary surgery that would give him the ability to operate a prosthetic device using his thoughts, Baugh stepped forward as a volunteer.

Developed by The Johns Hopkins University Applied Physics Laboratory, the pioneering surgical technique is called targeted muscle reinnervation, or TMR. TMR is an innovative surgical procedure providing easier and more intuitive control of prosthetic arms.

In 2013, surgeons performed TMR on Baugh to access nerves in his upper torso. These nerves, when connected to prosthetic limbs also developed by the laboratory, would control their movement. With training, Baugh learned to control the prosthetic simply by thinking about an action he wanted to perform. His thoughts engaged the nerves in his upper torso, which activated the prosthetic. For instance, he would think about lifting an empty cup from a counter-shelf height to a higher shelf and the prosthetic arm obeyed.

“We take the brain’s customary electrical impulses to control a human arm and use those impulses to control something else, in this case a prosthetic arm,” Michael McLoughlin, chief engineer for research and exploration development at the Johns Hopkins laboratory, explained.

While the nerve-controlled technology is an extraordinary breakthrough, McLoughlin is quick to warn that the technology is still in its early stages.

“We’re the Wright Brothers right now in all of this brain-computer interface technology, flying from one end of Kitty Hawk to the other,” he said. “But, the benefits for people with paralysis are real. The missing link between brain and limb will be replaced.”

From Battlefield to Laboratory

The Johns Hopkins Revolutionizing Prosthetics team—composed of neural scientists, clinicians, technology developers, and academic and commercial partners across the U.S., Canada, and Europe—has been researching the potential in the design and natural performance of prosthetic limbs for a dozen years.

The Defense Advanced Research Projects Agency (DARPA) first funded this research because large numbers of soldiers in the wars in Iraq and Afghanistan were losing their limbs to an improvised explosive device or IED. Of the more than 50,000 U.S. troops wounded in action, approximately 2.6 percent suffered a major limb amputation, most because of an IED.

The initial research focused on making a better prosthetic. The team created a prototype that allowed for eight degrees of freedom (such as up, down, to the left or right) in its natural movements, compared to the 27 degrees of freedom in the human arm. This was a marked increase beyond the existing prosthetic arms.

Tests with patients recorded and configured artificial limb movements, as well as the electrical signals used to control them. Ultimately, the Johns Hopkins team created an artificial Modular Prosthetic Limb (MPL) with 180 sensors embedded, providing 26 degrees of freedom. The MPL also had more natural control—individual finger movements—that mirrored those of a biological human hand.

Developing Dexterity

After achieving major strides in physical dexterity, the next phase of development was to control the prosthetic limb through brain commands.

The Johns Hopkins team developed a small wireless device with 100 electrodes, each capable of measuring signals from individual neurons in the brain. The device was then implanted into the cranium of a monkey to access the animal’s cortical signals. Scientists decoded the signals to determine the corresponding action and then translated them into directions that could operate the robotic arm.

When the monkey thought about moving its own arm, the robotic arm moved in the way its mind had suggested. The tests proved the ability of the device to decode motor control signals from the brain and recreate natural sensations in external devices.

Wanting to assist the lab in the next stage of its research and development, Jan Scheuermann, a Pittsburgh mother of two, volunteered to have surgery to implant the neural transmitter into her brain. Scheuermann had a genetic disease that had paralyzed her from the neck down, disrupting the neural connection between her mind and limbs. The implanted electrodes allowed her brain’s messages to maneuver a robotic arm and even conduct a flight simulation.

Another research volunteer, Nathan Copeland, also stepped forward. Copeland was paralyzed from the chest down in a car accident.

“We wired the robotic arm to Nathan’s brain, providing him with two-way electrical feedback,” McLoughlin said. “He not only could operate the device by thinking, he also received signals coming from the robotic arm, such as the feeling that his fingers had been touched. It was a real ‘Star Wars’ moment.”

The next goal was to attach the prosthetic limb to a person to receive information directly from the brain. A single arm amputee, Johnny Matheny, volunteered to have the prosthetic connected to remaining bone in his arm. Again, the experiment was a rousing success. Matheny’s natural-like use of the prosthetic arm drew the attention of 60 Minutes, which featured him in a segment.

A Final Round of Applause

To honor the volunteers and the Revolutionizing Prosthetics team, The Johns Hopkins University board of trustees held a meeting at which they brought Baugh to the podium to award him a special coin. As the board members broke into applause, he dropped the coin.

The room became uncomfortably silent for a few seconds, until Baugh explained: “I thought about clapping myself.” Simply thinking about applauding caused his hand to open and drop the coin as it moved toward a clap.

Additional research and development is underway involving both invasive and non-invasive thought-controlled devices. The latter might be embedded into a hat that would, as one would imagine in a Hollywood sci-fi movie, receive wireless messages from the brain.

“We’re in a pilot program with Facebook at the moment exploring the idea of thought-to-text,” said McLoughlin. How “Star Wars” is that, he joked. “Use the force, Luke, to text your sister.”

Russ Banham is a Pulitzer-nominated journalist and author of the book ‘Defining Innovations: A History of The Johns Hopkins University Applied Physics Laboratory.’

How Small Businesses Can Use Televisions To Enhance The Buying Experience

By Russ Banham
Big-screen televisions are a pittance of what they cost just a few years ago, making them a potentially worthwhile investment for small businesses — not so they can catch customers up on reality television but to help with marketing.

Televisions strategically installed throughout a store can play programs that educate, interest and inform customers, spurring sales and cross-selling — a pair of shoes to go with that dress, perhaps? The challenge is to provide high-quality content that is entertaining, useful and not distracting.

“We’ve all seen great TV commercials and terrible ones,” said Anindya Ghose, Heinz Riehl chair professor at the New York University Stern School of Business, where he oversees the business analytics program. “If the music is too loud, the information doesn’t address my needs, and the program repeats every five seconds, it could be very off-putting.”

When done right, however, an implementation of television screens may allow small businesses to generate additional sales to offset the initial investment.

Inspire, Inform And Engage

While retailers have long used television screens to market in-store products, the investment value was difficult to quantify. Most programming provided basic information or simply repeated commercials seen at home. Now retailers know that content is, indeed, king.

What kind of content?

“It depends on a retailer and its customers, but generally it can be boiled down to programming that either inspires, informs or engages customers,” said Lokesh Ohri, a partner at Deloitte Consulting, where he leads the advertising, marketing and commerce practice.

Ohri provided examples of programming that inspires a consumer to buy something.

“Say you’re planning a vacation and you walk by a clothing store and see a large screen inside with a video of a man strolling on a beach in a Hawaiian shirt with relaxing ukulele music playing in the background. Or, you’re in a supermarket and there’s a video of a great-looking dish being prepared,” he said. “In both cases, the consumer wants to trade places.”

With informational content, the objective is to inform a consumer about the differentiating features of a product in an entertaining fashion. With regard to programming that engages people, the intent is to present content that matches consumers’ interests or needs, Ohri explained.

For instance, a small home renovation company can engage its customers by featuring remodeling shows next to model kitchens. And a deli or small food market can feature any of the dozens of cooking shows populating numerous networks.

A patient in a hospital likely will want more relaxing television content than patrons at a pub, whereas someone in a gym may want programming focused on exercise and nutrition.

Small and midsize businesses can provide video that benefits their customers simply by choosing cable television networks whose programs align with their marketing strategies.

As a first step, businesses should review what’s offered by local cable providers to see which package makes the most sense in terms of available content and cost.

Although the best deals on TVs happen on Black Friday, retailers offer sales throughout the year. With a wave of deals expected in the runup to the World Cup, businesses that are on the verge of investing in video may want to take advantage of May and June discounts.

Russ Banham is a Pulitzer-nominated business journalist and author of 24 books.

Leadership and Legacy: When Enough Is Enough at the Top

By Russ Banham

Carrier Management magazine

When to retire is one of the toughest decisions for any executive to make. For a CEO at the top of the pyramid, the decision is rife with complexities. Not only must the CEO relinquish day-to-day control, he or she must cope with the possibility of not having completed the strategic objectives developed at the outset of his or her tenure.

Like the song goes, “Should I stay or should I go?”

Hanging in there too long can tarnish the CEO’s legacy, while leaving too early may founder the ship. For a graceful exit, a capable successor needs to be in the wings, but this is not always the case. And captivating post-retirement activities must be considered, as it is psychologically damaging to jump off a fast-speeding train onto, well, the couch.

It’s also not easy to give up power. This may explain why many CEOs are getting older. From 2006 to 2018, the number of Fortune 500 CEOs age 65 to 69 more than doubled from 20 to 44, according to research by Korn Ferry provided to Carrier Management. The average age of a Fortune 500 CEO has gone up from 55.4 in 2007 to 57.4 in 2017, according to Spencer Stuart research. (2017 Spencer Stuart U.S. Board Index)

No CEO wants to be accused of overstaying his or her welcome. Sure, lots of people maintain their vigor and intellectual chops well into their 80s. But very few people are old and au courant at the same time, Berkshire Hathaway’s Warren Buffett excluded.

“Many CEOs have a hard time letting go,” said Cecile Alpers-Leroux, an economic anthropologist focused on workplace transformation as Ultimate Software’s vice president of human capital management innovation. “It requires deep reflection to make the leap—a verification of their values, what’s important to them and their aspirations going forward. But leap they must.”

Carrier Management reached out to four insurance company CEOs who have made their leaps, giving the decision the care and attention it deserves. Although their stories are different, they share similar values about life and work. In their reflections on retirement, they sought the counsel of spouses, friends and business colleagues.

“The most successful CEOs are the ones who put aside time to reflect on what they’ve accomplished and what they want in the future,” said New York-based executive coach Alisa Cohn, who works with C-suite leaders and board directors. “Not all CEOs fit this mold. Leadership can be intoxicating; you’re almost in a trance-like state. Your identity gets wrapped up in being the one in charge. But if you overstay your usefulness, it will come back and bite you.”

Company First

Well before he became the CEO of Penn National Mutual Insurance Company in 2010, Ken Shutts knew from personal experience that he didn’t want to work well into his 60s.

“My father, who had worked for Ohio Casualty Insurance Company for 42 years, retired when he was almost 69 years of age,” Shutts recalled. “He and my mother had great plans to do a lot of traveling. Twenty-nine days after he retired, he suffered a massive heart attack and passed away. He never got the chance to enjoy his retirement. It just stuck with me.”

Shutts did not want to encounter the same fate. A sports enthusiast, he divides life into quarters like a football game. With the average life expectancy for American males at nearly 79 years, each quarter consumes about 20 years.

“I’ve been working since I was 13, when my sister got me a job as a busboy at a restaurant where she was a waitress,” said Shutts. “That was the first quarter. Once you hit 60, whether you want to admit it or not, you are entering the fourth quarter of life. I’d been at the company for 35 years, starting out in the legal department. I’d been president of the company for seven years. The time had come to do something else, and I had made preparations here at the company to do it.”

He had a strong desire and commitment to mentoring the senior executives who would move a rung up the ladder following his retirement, including Penn National’s current CEO Christine Sears, the company’s former president and previously CFO. “You want to hand the baton over to someone who is ready to take it and help grow the company further,” he explained. “I took this responsibility very seriously and feel quite secure the organization is in great hands today.”

During his leadership tenure, Shutts guided an important affiliation with Waukesha, Wis.-based Partners Mutual Insurance Company, which is now a part of Penn National. Partners Mutual had a history, culture and mutual insurance structure that deftly aligned with Penn National’s history, culture and structure. It also relied exclusively on independent agents to sell its policies and served customers in Wisconsin and Iowa, two growth markets for Penn National.

In making the decision of when to retire, Shutts reached out to his wife, children and friends for their input. The determining factor was his response to a question he always asked his senior executives when they approached him with a difficult decision: “What’s in the best interests of the company?”

“That was my guidepost; it takes your emotions out of the equation,” he said.

Shutts is a firm believer that organizations must continually turn to new leadership to remain relevant and healthy. “A company needs new ideas, new energy and new oxygen to thrive,” he explained. “CEOs who stay on too long tend to become regimented in how they view things. We all know stories about sports figures that stay in the game past their prime. I’ve always believed it’s better to quit at the top while you still have the passion, vim and vigor to do other things.”

His “other things” include membership on Penn National’s board of directors. “My love for the company has never diminished,” Shutts said. “What I miss most about being a CEO is working with our employees and agents, interacting and seeing many of them daily. But I truthfully feel no voids in my life. When I get up in the morning, I look forward to the rest of the day.”

Purposeful Preparations

Terry Cavanaugh gave himself a 10-year tenure when he became CEO of Erie Indemnity Company in 2008, following a 33-year career with Chubb Group of Insurance Companies. Cavanaugh was 55 years old at the time and planned to work until he was 65. His projection was off by one year—he retired a few months shy of his 64th birthday. Close enough. “In my mind, there’s a half-life to being in any job, and as you go up the food chain to become the CEO, it becomes more acute,” he said.

In making the decision to retire, Cavanaugh felt good about his tenure. Under his leadership, Erie Insurance had increased its property/casualty direct written premiums by more than 45 percent and grew policyholder surplus by 60 percent. He was the first senior executive to be hired from outside the company. “The board was frustrated by not having a solid internal candidate to assume the post,” he explained.

Not surprisingly, his initial challenge was to build the organization’s operational and financial skillsets. “Human capital drives success,” he said. “I was acutely aware of the need to recruit and develop talent. Most importantly, I wanted to have a good successor in place when it was time for me to go.”

As he got closer in age to 65, the year he had established for his retirement, Cavanaugh reflected on whether or not his timing was right. “Some CEOs don’t have good self-awareness; others get to the point where the job becomes so much a part of their identity they can’t walk away comfortably,” he said. “I took inventory of how I felt intellectually, emotionally and physically about the company’s state and my own future.”

Eight and a half years had passed since he became CEO, and he realized another year and a half wouldn’t make much of a difference to the company and his legacy. “But it might extend the length of my lifespan not having to deal with all the stress and eat restaurant food on the fly anymore,” he added.

In his talks with former CEOs who had confronted the prospect of retirement, they often mentioned the pressure they felt from board directors requesting they stay on longer. “I feel the longer the CEO stays on, even if they’re successful and energetic, it adversely affects the succession management plan,” he said. “It doesn’t send a good message to the executive team and can create organizational apathy.”

A more personal reason to move on with life is the realities of aging. “When you hit 64 and look in the mirror, you realize it’s harder to be courageous—to take innovative risks,” he confided. “Fortunately, I had groomed people to take over. It was their time now.”

Cavanaugh lives half the year today in Naples, Fla., where he often runs across other former CEOs. “I met this one fellow who said, ‘Terry, you and I are PIPs.’ I asked what he meant and he replied, ‘Previously Important People.’ Made me laugh.”

Nowadays, he puts his considerable business acumen to work as a member of two boards and is an executive coach to C-suite leaders. “My advice to them is to retire while they’re still champions,” he said.

Knowing the End Game

Jim Kennedy retired as the CEO of Ohio Mutual Insurance Group when he turned 63 years old in 2015, having served in the post since 2003. Like Shutts, Kennedy had made the decision to retire in his 60s for personal reasons. When he was 57, his older brother, an executive at another insurance company, passed away at the age of 64 from a sudden heart attack.

“Coming to grips with the fragility of life made me consciously think about my own retirement,” said Kennedy. “None of us know how long we have left on this planet. And there were other things I wanted to do with my life than just work.”

His family lineage was close in mind throughout his retirement deliberations. “My father was a car salesman working on commission who never earned a dime of salary; he didn’t have the money to retire early and do the things he’d wanted to do,” he said. “Fortunately, I was in a financial position that I could retire. After I hit 60, my wife and I had these long conversations about what we wanted our future together to look like. She was supportive of whatever I wanted, she said.”

He realized that running a large insurance company had consumed much of his time and energy, entailing quite a bit of travel. “I didn’t want to die in the chair,” said Kennedy. “But I also wanted to be sure when I left that the financials and operations were solid to pass on to someone else to take the company further.”

They were. During Kennedy’s tenure, Ohio Mutual’s premium revenue increased by 78 percent, surplus nearly tripled, and assets expanded by 140 percent. The company had grown from one state market to seven. He had done his best and let go of the reins in 2015.

“I’ve got no regrets retiring when I did, although I do miss the interactions with people and the collegial effort of everyone coming together and putting their minds around a problem and solving it,” he said. “But I planned my retirement well before I saw the finish line.”

Today, he sits on the board of Harford Mutual Insurance Company in Bel Air, Md., and the board of a local college. He provides operational consulting services to insurance companies and is actively engaged at the National Association of Mutual Insurance Companies. “I’m teaching people how to become a successful board director,” he said. “There’s a need for it.”

Hanging On Because You Have To

Warren Heck was 64 years old when he became CEO of GNY Insurance Companies and 78 when he retired. In between, he twice tried to retire, but the executives in line to succeed him either didn’t stand up to further scrutiny or decided to leave the company.

“I knew at the age I was when I became CEO that I didn’t have much time to find a successor to carry on, but it was much harder than I had imagined,” said Heck, who prior to becoming GNY’s CEO had been its president and chief operating officer for a lengthy 18 years.

Heck, who retired in 2014, was hale and hearty at the time of his decision and remains physically and intellectually sharp today at 82.

“Looking back, I honestly never cared if I became CEO or not; I was interested in running the company,” he said. “All I wanted was to be in charge of some objective and couldn’t care less about the title. My predecessor was different; he held onto the job like it was his lifeline. But as long as he let me run the company, I didn’t care if he remained CEO.”

With regard to his own long tenure, Heck shares Shutts’ philosophy that the company’s interests always come ahead of the CEO’s needs. “If you’re deeply and emotionally connected to the company, you want it to succeed after you leave,” he said. “To do that, you have to find someone who will put the interests of the business ahead of their own. It took more time than I’d imagined to find that person.”

Lengthy CEO tenures are common at GNY. Heck is only the fifth CEO in the company’s 104-year history.

“I love insurance, so it wasn’t a burden to lead the company in my 70s at all,” he said. “People have always told me I don’t look my age. But I knew I was getting older and running out of time. Every now and then a board director would point out that I was getting a little long in the tooth, but nobody was aggressive about it and I appreciate the fact that they did point it out. Still, I had to find a successor.”

He finally did. Heck’s daughter Elizabeth, GNY’s former president and chief operating officer, is the company’s CEO today. “The board asked for the names of three people as my successor, and Elizabeth was one of them,” he said. “I suggested her because she’s a financial person who has a CPA and worked for one of the big accounting firms, as well as at other insurance companies. I told the board to treat her as one of the candidates. Elizabeth impressed them with her knowledge and expertise. They gave her the job and she’s doing great work today.”

Heck, who remains on GNY’s board as its non-executive chairman, left the company in terrific shape. In 2014, it tallied $315 million in direct written premium, a $430 million surplus and close to $1 billion in assets.

Does he miss the thrill of running a big insurance business? “Not at all,” said Heck. “I retired not because I didn’t have the energy to continue or the company was becoming unsuccessful—far from it. I would have retired years before if we’d had the right leadership in place to take over.”

Humility, Not Hubris

Each of the former CEOs feels a tremendous sense of accomplishment at leaving the organization in better shape than when they took the top post. None fell prey to the addictive charms of being in charge, putting the company’s best interests first. They loved the job and the small intimacies that occur in all business dealings, but they had other fish to fry and new lives to create.

Best of all, they did not want to squander the knowledge and expertise they had accumulated through decades of hard work. “The best CEOs take all the business lessons they’ve learned over a lifetime and contribute them to boards, small businesses and students,” said Cohn. “They’re used to making a positive difference.”

As for the “right age” for a CEO to retire, Cohn said it’s irrelevant. “The decision has to do with the individual’s values, not the number of years they’ve lived,” she said.

Still, every CEO has an expiration date. Appreciating this fact is crucial to ensuring the next leader will grow the business further. As the former CEOs’ stories indicate, successful succession management is not a breezy walk in the park.

“It’s vital that a CEO choose someone to succeed them who will honor their legacy and yet also take the organization in the direction it needs to go,” said Alpers-Leroux. “But if you stay on too long and don’t let that person lead, you’re doing a disservice to them and the company.”

As always, timing is everything.

Playing Favorites

By Russ Banham

Chief Executive magazine

The dismantling of so-called Net Neutrality rules regulating service providers that connect consumers to the internet may have unintended consequences for the rapidly growing telehealth industry.

Telehealth, or telemedicine as it is also called, refers to virtual healthcare provided remotely by a doctor, nurse practitioner, registered nurse or other medical specialist. Employers that provide telehealth services to employees are able to reduce absenteeism caused by the need to visit a doctor physically, enhancing employee productivity while reducing overall healthcare expenditures.

In 2017, 71% of employers with 500 or more employees offered telehealth services, up sharply from the 59% that offered it the prior year, according to a study by Mercer. These numbers may go down in the aftermath of the Net Neutrality ruling, which is perceived to have a disproportionate impact on consumers in low-income and rural areas.

Companies in these regions are a key target market of telehealth providers, given the significant distance an injured or ill employee must travel to obtain adequate healthcare. “Reliable broadband connectivity is needed for telehealth services to thrive for all patients and healthcare facilities,” says Mary Kay O’Neill, M.D., senior clinical advisor at Mercer Health and Benefits.

The repeal of the Net Neutrality law effectively allows giant internet service providers (ISPs) to slow down broadband connections for low-income customers in order to provide greater bandwidth to more financially valuable forms of content, such as streaming television. “The ISPs can play favorites among different entities that deliver content,” says O’Neill. “Large healthcare systems in primarily urban areas will have an unfair advantage over smaller, rural ones.”

This disparity can have a dire impact on telehealth services like behavioral health. “Employees receiving smoking cessation, weight management, psychological counseling and other forms of behavioral assistance need these telehealth services to be readily available, due to the coaching and frequent back-and-forth texting and FaceTime that occurs to help the person through the day,” says O’Neill. “If this is interrupted, no one benefits.”

The ruling introduces other broadband access concerns. For instance, high-speed internet connections are needed to link personal medical devices and wearable sensor technologies to remote telehealth providers. A case in point is the use of a personal glucometer for diabetes management.

“When the reading exceeds a certain threshold, the information automatically uploads to a database in a cloud, where a nurse can access it remotely,” says O’Neill. “If the data doesn’t upload in time, not only is this dangerous from a patient safety perspective, it is a wasteful use of a healthcare facility’s money.”

She adds, “This is one of the hottest things in healthcare software right now, but it depends on connectivity.”

Forced to negotiate for bandwidth, small rural hospitals may decide to curtail their telehealth programs and invest their financial resources in other areas—to the detriment of companies and people that truly benefit from the service.

What’s the solution? “Really this is a tough one to solve,” O’Neill says. “I would urge rural citizens to urge their legislators to take actions to ensure we don’t have a two-tier system in which lower-income people in rural regions get the short end of the stick.”

Revolutionary thinking: Why CFOs should account for political instability

Corporate executives are increasingly worried about geopolitical instability — and with good reason.

By Russ Banham

FM magazine

Prior to the 2011 uprising in Egypt that led to President Hosni Mubarak’s stepping down from power, multinational building materials company Cemex developed a plan to manage fallout from just such a political crisis.

That plan came in handy: Within a few weeks the Egyptian military dissolved the country’s parliament and suspended its constitution. Like many sophisticated multinational businesses, Mexico-based Cemex, which had significant operations in Egypt, had assembled an enterprise risk management (ERM) programme that included strategies for handling global political risks.

Months before the uprising, Enrique Alanis, Cemex’s global director of ERM, and his team received intelligence from within and outside the company that “something was not right”, he said. “The information was gathered from our own people in the region, as well as external people like market experts, industry trade groups, suppliers, and vendors. We also incorporated public sources of information like the internet, media reports, and public forums.”

Armed with this insight, the company quickly took action. “The advance warning gave us time to prepare for how we would address the situation,” said Alanis. “We had a strategy ready that pointed out [to the new regime] that Cemex was good for the country.”

The company successfully communicated to the new leaders that it provided significant employment, and building products that many diverse businesses relied upon in Egypt. The result: Cemex was able to continue its business operations without missing a beat.

Alanis said: “At all times, our goal is to stay ahead of potential risks [and] to be ready if they occur.”

Not all companies are as fortunate. Disastrous outcomes have included the confiscation, expropriation, and/or nationalisation of a company’s assets in a foreign country. Examples over the years are far too numerous to cite, but they provide a cautionary tale for all multinational companies operating in politically unstable regions of the world.

In recent years, emerging economies such as Thailand, Myanmar, Brazil, Turkey, and the Philippines — countries that had achieved some measure of stability for several years — have experienced their share of political turmoil. They’re not alone: According to the 2017 Government Stability Projection by consulting firm Verisk Maplecroft, more regions of the world are likely to experience a decrease in government stability in the next two years, with developing markets being the most susceptible. Among the factors behind these risks, according to Verisk Maplecroft, is anticipated volatility in US global trade and policymaking, underscored by the country’s withdrawal from the Trans-Pacific Partnership trade deal and US President Donald Trump’s threats to pull the US out of the North American Free Trade Agreement (NAFTA) with Canada and Mexico, in addition to global factors including Brexit.

The study underscores a growing concern of many C-suite executives, including CFOs. Another example: A survey by McKinsey & Co. in 2016 found that the number of corporate executives identifying geopolitical instability as a “very important business trend” had doubled over the past couple of years.

“Among the 13 trends we asked about, respondents most often expect that domestic political instability, as well as slowing growth in developed economies, will pose a threat to profits in the next five years,” the study stated. “… Yet a vast majority say their organisations are not yet taking active steps to address these issues.”

This complacency may have disastrous results for finance departments. Aside from asset expropriation, political instability also can lead to currency inconvertibility, a situation where one currency cannot be exchanged for another currency. Contracts in the foreign country may be repudiated — the duties of one party to another frustrated. Additionally, the sovereign nation may default on payments owed the company and/or wrongfully call on-demand bonds and guarantees. Banks, exporters, and investors owed money from foreign buyers may never see these receivables.

There’s also the possibility of violence and the detention of employees — something that Cemex was watching for. “As part of our ERM process, we had developed early warning systems of potential problems like political insurrection and riots across our global footprint,” said Cemex’s Alanis.

Emerging economies are not the only countries vulnerable to shifting political winds. Powerhouse economies such as the US and Britain also are susceptible. Voters’ dissatisfaction with the status quo in both nations fostered the election of a populist president in the US and approval for Britain to exit the EU. These decisions have generated serious questions about potential de-globalisation, with a corresponding impact on business prospects.

Despite these sobering concerns, many companies move forward with their global strategies, their eyes focused on growth more than on the impediments in the way. “Often the reasons to do business in an emerging economy are so enticing they appear to outweigh the risks,” said Daniel Wagner, CEO of Country Risk Solutions, an operational risk management consultancy. “But it’s folly to think a country that has been politically stable for several years will remain stable tomorrow.”

Political risks are not limited to companies that conduct business on the ground in a country. “Almost every business is global in nature today, simply because their supply chains are global and their customers are often global,” said Bodhi Ganguli, lead economist for Dun & Bradstreet’s country risk team. “Companies no longer produce and sell in one place anymore. If a coup breaks out in a country where a critical component is manufactured, it can put the brakes to the production line.”

Consequently, virtually all companies must heed global geopolitics. How can they manage a complex risk that takes on the guise of a multiheaded Hydra? “You need to weigh the strategic value of doing business in a country against the array of political risks, measuring the pros and cons,” said Charles Stevens, an assistant professor of management at Lehigh University, where his academic focus is on global strategy and political risk.

Several organisations can provide insightful intelligence on political risks, including the World Bank, the Overseas Private Investment Corporation, The Economist Intelligence Unit Viewswire, the US Export-Import Bank, private intelligence organisations like Kroll, and large insurance brokers and insurance companies like Marsh, Aon, and AIG.

“There is no absence of information that can be obtained,” Wagner said. “The problem is that as soon as it is produced, a period of time that can consume several weeks, it can become obsolete and irrelevant. It’s better to have local people on the ground who really know what’s going on to provide ongoing, real-time intelligence.”

One such source may be a local organisation that partners with the company in sharing the risks and rewards of the opportunity. “It makes sense to choose a joint venture partner, particularly one that knows the ins and outs of the region,” Wagner said. “Look for a partner that knows the local political landscape and understands the legal regime, preferably one with government contacts to get in front of a problem before it rears.”

A related tactic is to secure local equity and debt to help finance the business venture. When local firms, trade unions, financial institutions, and government agencies have a stake in the venture, it can reduce adverse consequences. To get this buy-in, some companies pledge to financially assist the host country in improving quality-of-life objectives.

But even the best plans can falter, so companies also need to consider the financial value of political risk insurance. Depending on the coverage particulars, political risk insurance generally absorbs financial losses due to the following conditions:

Political interference. The nationalisation and/or expropriation of assets by the host government.

Political violence. Strikes, riots, civil insurrections, and civil war, in addition to a hostile act like a coup.

Currency inconvertibility. Imposition of local currency controls making it difficult to receive hard currency payments.

Sovereign nonpayment. Nonpayment of financial commitments, obligations, and loans by the host government.

Supply chain disruption. Political, social, economic, or environmental instability that causes a disruption in the flow of goods and/or services into and out of a country.

When political instability threatens, the first priority for companies is the security of their employees. Stevens advocated the use of smartphone apps and hotlines that can alert local employees when trouble is brewing. “Your people can be scattered throughout a country; hence the prudence in giving them the means to instantly know what to do wherever they are,” he said. “They should also contact their local embassy and have their passport on them at all times.”

To reduce risk, many multinational companies employ local citizens. If a company needs to evacuate employees who are not citizens of the country, those remaining can continue some measure of business operations.

Even with the best due diligence, the unexpected can happen. “Sometimes you don’t know you have a problem until you have one,” said Wagner, who also is the author of the books Managing Country Risk and Virtual Terror. “That’s why we advise you proactively have a plan in place for worst-case scenarios.”

What CFOs need to know about political risk insurance

Political risk is increasingly on the radar for multinational companies, given rising concerns over geopolitical instability. One way companies try to mitigate the risks is through political risk insurance.

No two insurance policies are alike; each includes specific terms, conditions, and prices based on the perceived political risks in different nations. However, even in countries deemed to be at high risk of a political event, some measure of insurance is available.

“You can get it pretty much everywhere you need it, even in perceptibly high-risk countries,” said Stephen Kay, practice leader for structured credit and political risk at insurance broker Marsh. “We recently were asked if we could get political risk insurance for a client in West Africa, which has a very uncertain political climate. We could.”

Marsh also recently brokered a political risk insurance policy for a foreign company operating in South Korea that included full-breadth coverage, including the risk of war with North Korea. “The reason insurance markets took up the risk is that the company is located at the southern tip of the Korean peninsula, enough of a distance away from the border with North Korea to provide some semblance of comfort,” Kay explained.

Insurance carriers selling political risk insurance include large international insurers like AIG, Zurich Insurance Group, Chubb, Great American, and Lloyd’s of London, among others. The US federal government’s Overseas Private Investment Corporation also offers the insurance. “Multinational companies generally can buy ample insurance coverage to protect foreign assets in most regions of the world, albeit at a price,” Kay said.

The premium depends on the market’s assessment of a country’s political risk. Current hot spots include Venezuela, Argentina, Bolivia, and Ecuador in Latin America; Cambodia, Myanmar, and Thailand in Asia; Syria, Libya, Yemen, and Afghanistan in the Middle East; and multiple countries in sub-Saharan Africa.

Russ Banham is a freelance writer who is based in the US.

GDPR: Act now Before It’s Too Late

By Russ Banham

Chief Executive magazine

The May 25 deadline for complying with the European Commission’s General Data Protection Regulation (GDPR) is approaching fast—so fast that many small and medium-sized businesses are in a mad rush to get their houses in order.

So are many large companies, but the regulation creates intimidating challenges for SMEs, given their smaller size and resources. In recent weeks, the European Commission (EC) has dispatched a flurry of detailed advisories and even created an exclusive website to help companies prepare for compliance, with special attention accorded the demands placed upon SMEs.

We’ve gone through the advisories to distill critical steps that must be taken now, assuming they have not already been addressed. Most important of all is for CEOs to take GDPR very seriously, as its teeth are razor sharp—irrespective of company size.

Basic Background:

The EC created GDPR to heighten and unify personal data privacy laws across the European Union (EU). All companies doing business in the EU must comply with the regulation. The EC applies a new principle called extraterritoriality to ensure compliance by non-European businesses—even those without a physical presence in the EU. If they “control” or “process” personal data belonging to European consumers, they must comply with the regulation. Data controllers include both for-profit and nonprofit organizations. A data processor is a firm that performs the actual data processing on the controller’s behalf.

The new regulation broadly extends the EU’s 1995 data protection directive that held businesses accountable for the security of the consumer data they had in their possession. As opposed to the previous passive opt-out acceptance model, companies now must receive written consent from consumers to collect and use their data, and only for a legitimate business purpose. Consumers can withdraw their consent at any time, and once the business purpose for using the consumer’s personal information has been fulfilled, the data must be deleted.

These aspects of GDPR loudly resonate following recent disclosures of the harvesting of 50 million Facebook profiles in the continuing Cambridge Analytica scandal. A major objective in drafting the regulation was to give consumers more control over their personal information, insofar as which organizations can use it, when they can use it, and for what purposes. The other primary goal was to create regulatory uniformity across the EU.

Analysis and Monitoring:

Before processing a consumer’s personal information—both paper-based and digital data—companies must analyze the related data privacy and security risks. This rule also applies to consumer data the business may have provided to its vendors, suppliers and outsourcing partners. Additionally, the measures used to secure data, such as encryption in transit and in temporary storage, must be documented. A record of these various activities must be maintained by the organization for delivery to regulators upon request.

For SMEs whose core activity is the systematic monitoring of data subjects on a large scale, GDPR advises these businesses to appoint a data protection officer dedicated to data privacy. Companies not technically mandated to do this should still consider the value of hiring a privacy overseer and having this person sit on the board.

Since new products, services and technologies under development must take GDPR compliance into account from the origination of these plans, having someone in charge—either internally or on an outsourced basis—may be prudent for all SMEs.

Lastly, in the event of a data breach it is the responsibility of companies to inform EU regulators within 72 hours of the event, even though all the details may be unknown or uncertain. Regulators want to know the nature of the incident, approximately how many people were affected, the potential consequences for these individuals, and the measures taken to date or in the planning stages to respond to the breach.

GDPR’s consequences for failing to address the regulation are gulp-inducing. A penalty of 2 percent of annual worldwide revenue or 10 million euros (roughly $12.37 million), whichever is greater, may be imposed on businesses that fail to report the breach within 72 hours. For companies that fail to comply with other parts of the regulation, the penalties are double these amounts.

Had GDPR been in effect the past five years, FTSE 100 companies that experienced a data breach collectively would have been fined more than 25 billion euros (close to $30 billion), according to an October 2017 study.

What To Do Now:

Most SMEs are hopefully well into their preparations for GDPR compliance. For those still at the beginning of this process, we’ve compiled a checklist of tasks to help ensure readiness by the deadline.

  1. Know Your Data. What types of consumer data does the company collect and where does this information reside? Create an inventory of this information that includes the consumer’s name, email, bank details, etc., since the business will need to demonstrate an understanding of the personal data in its possession.
  2. Consider Consent. How does the organization currently receive consent from consumers to collect and use their data? What needs to change internally from a process and systems standpoint to reach out to consumers for their consent, and how will this consent be documented for regulatory purposes? What is the process to delete consumer information after its business use has concluded? Start writing up clear policies regarding all of the above and have legal staff or outside counsel confirm their appropriateness.
  3. Data Chief. Does the company employ a chief data protection officer? If not, who in the organization will be in charge of data privacy and data security, and what are their respective responsibilities and capacity to achieve these aims? Is there value in creating a multi-functional team to report to these individuals? How does the company currently secure consumer data; broader use of encryption might be needed. The goal is to ensure regulation-ready data privacy and security policies.
  4. Breach Notification. What are the processes to comply with the 72-hour data breach notification rule? How will each of the required responsibilities, such as demonstrating the nature of the breach and how many people were affected, be determined? Who in the organization is involved in these regards and what are their tasks? Consider testing the process to iron out any kinks.
  5. Third Party Obligations. What are the processes to review how vendors, suppliers and outsourcing partners are using the personal data provided to them? How can the organization ensure these organizations are GDPR-ready? For instance, contract terms and conditions may need to change to obligate them to immediately report the incidence of a data breach.

The bottom line for CEOs of midsize and smaller companies that conduct business in the European Union is that GDPR readiness may be difficult, but the likelihood is that similar rules will hit U.S. shores at some point. This gives them a leg up on domestic competitors currently free from compliance. Better now than later.

Mining for Gold—and Other Creative Ways Companies Are Combating E-Waste

By Russ Banham

The facts surrounding electronic waste, commonly referred to as e-waste, are staggering. Although nearly all e-waste can be recycled, 60 percent ends up in landfills, where toxic metals leach into the environment and can cause severe damage to human kidneys, blood, and central and peripheral nervous systems.

More than 50 tons of e-waste is produced each year through the discarding of used or unwanted electrical and electronic devices, many nearing the end of their useful purpose. In an effort to show the magnitude of the e-waste problem and promote recycling, artist Benjamin Von Wong worked with Dell to create photographic sculptures using two tons of old laptops, keyboards and circuit boards – all of which can be recycled.

The message? The past can power the future but time is of the essence. A 2010 report issued by the United Nations indicated that the volume of e-waste could increase by as much as 500 percent in developing countries alone by 2020. Newer statistics are hard to come by, but the overwhelming consensus is that much can be done to positively alter the status quo and combat these staggering 2020 figures. Here’s a look at just a few creative solutions for tackling the mounting problem of e-waste.

Revitalize the Manufacturing Sector

Inside the 44.7 million metric tons of e-waste produced in 2016 lies approximately $55 billion of gold, silver, copper, platinum, palladium, and other high-value recoverable materials, according to a 2017 report by Global e-Waste Monitor. That figure exceeds the gross domestic product of most countries in the world, and presents a compelling financial incentive for municipalities and businesses to consider ways to pursue more robust e-waste management.

E-waste mining is one innovative solution to recover these precious materials. With $35 million in financing, BlueOak Resources has built an urban refinery in Osceola, Arkansas to recover “technology metals” from 15 million pounds of electronic scrap each year. The first of its kind in the U.S., the refinery exemplifies a type of development that can reinvigorate the American manufacturing sector.

If there’s anything BlueOak Resources proves, it’s that finding ways to extract valuable metals from electronic scraps is not only good for the environment; it is also a healthy financial investment.

Look for Gold

In addition to mining, companies are forging creative partnerships and rethinking the treatment of the precious metals hidden in technology e-waste. “When you think about the fact that there is up to 800 times more gold in a ton of motherboards than a ton of ore from the earth,” Jeff Clarke, Dell vice chairman, explained, “you start to realize the enormous opportunity we have to put valuable materials to work.”

Recognizing that approximately $60 million in gold and silver is discarded each year by Americans through unwanted phones alone, Dell has begun to work with actress and jewelry designer Nikki Reed to recycle excess gold from old computers collected through programs like Dell Reconnect and Asset Resale and Recycling Services and turn it into earrings, bracelets, and rings.

The effort is part of Dell’s “Legacy of Good” program, which outlines social and environmental milestones to achieve by 2020 (and beyond). Altogether, Dell has pledged to recover 2 billion pounds of used electronics and reuse 100 million pounds of recycled content back into their products, all by 2020.

With the help of Dell’s environmental partner, Wistron GreenTech, these efforts have resulted in a process for extracting the precious mineral to use in Reed’s sustainable design line of jewelry, The Circular Collection, through her company Bayou with Love.

More Recycling, More Jobs

Job creation through repairing electronics is another booming creative solution, one that kills two birds with one stone. In addition to recycling old electronic material, these programs provide employment opportunities for often underserved or vulnerable communities.

Homeboy Recycling (formerly Isidore Electronics Recycling), for instance, employs former gang members and prisoners in Los Angeles to recycle much of the city’s electronics. “I felt like if I asked people in Los Angeles to give me their electronics, they would, and I could hire people with records to do the recycling,” founder Kabira Stokes told Fast Company in 2017.

The company accepts donations, sorts through the equipment, and then dispatches the ones still working into its reuse department. Those products that don’t make the grade are taken apart to recover and recycle the valuable minerals and other materials. As of early last year, Homeboy Recycling had employed 27 re-entry members and recycled upwards of 2.2 million tons of electronics. According to Stokes, the model is “the future of capitalism.”

IFIXIT.org does something similar, repairing and upgrading yesterday’s tech devices for sale at affordable prices to people unable or unwilling to pay for newer, pricier versions. Through its services, the company is making a dent in the e-waste problem, creating jobs, and giving people access to affordable products—what one might call a triple bottom line.

With millions of tons of electronics thrown to the wayside each year, there are endless opportunities to repurpose valuable materials and aid employment. Whether a tossed device becomes someone else’s next device, a pair of earrings, or the inner workings of the next new device — what is yesterday’s trash might just become tomorrow’s future.

Russ Banham is a Pulitzer-nominated business journalist and author who writes frequently about the intersection of business and technology.

Real-Time Payments Have Arrived

By Russ Banham

Treasury & Risk

Prepare for payments transformation. In November 2017, The Clearing House (TCH) and 25 partnering banks launched the first new core payments structure in the United States in more than 40 years. The new system permits real-time payment clearing, marking a major change for treasury operations that have been using the one- to two-day Automated Clearing House (ACH).

Qualifying payments are domestic, interbank electronic transactions. Their payment messages are transferred, and funds are available to the payee, in real time, literally within seconds, on a 24×7 basis. The new system, dubbed RTP for “real time payments,” was designed and built through the collaborative efforts of TCH and its partnering financial institutions. RTP meets the objectives of the Federal Reserve Faster Payments Task Force, which has been tasked by the Fed to identify and assess alternative approaches for implementing safe, ubiquitous, and faster payment capabilities in the United States.

The new system follows late on the heels of the Faster Payments Scheme Limited (FPSL) launched by the United Kingdom in 2008. FPSL moves mobile, Internet, telephone, and standing-order payments quickly and securely, in nearly real time, 24 hours a day. Seventeen banks and building societies are participants in FPSL, with more than 400 financial institutions now offering the service to over 52 million account holders.

Why has the U.S. lagged behind the U.K. by a full decade in developing RTP? “The clearing cycle prior to FPSL in the U.K. was three days, giving them significant impetus to improve the status quo,” says Steve Ledford, senior vice president of product and strategy at TCH. “In the U.S., we already had ACH and next-day payments. There was less of a gap to make up.”

Another factor slowing implementation in the United States was the sheer volume of financial institutions dotting the American landscape—more than 100,000 entities in all. TCH and its partnering banks needed extra time to design a payments model that could scale to address all these institutions’ different capabilities. As Ledford puts it, “We needed to find a model that worked for everyone.”


Worth the Wait

Similar to wire transfers and ACH, RTP is another component of the core industry payments infrastructure, with the potential to support diverse use cases. In a business-to-business context, RTP is a credit “push” system. Payments are pushed from the bank account of the business making the payment to the bank account of the company receiving it. In between, RTP supports the financial institution’s customer-facing systems for services like bill payment, cash management, peer-to-peer (P2P) payments, and emergency disbursements. Messages such as requests for payment, payment confirmations, requests for additional information, and remittance detail are used to create frictionless customer-facing interactions.

TCH is working with a wide array of industry stakeholders, including community banks, credit unions, and financial institution service providers, to drive adoption of the long-sought real-time payments system. “The reality is that we’ve been talking about payments transformation for the past 25 years,” says Alberto Casas, managing director and North American head of payments and receivables at Citi, one of TCH’s partnering institutions and one of six banks currently processing payments through RTP. The others are JPMorgan Chase, BNY Mellon, SunTrust, U.S. Bancorp, and PNC Financial Services Group.

“However, we wanted a model that didn’t just promise immediacy and faster payments,” Casas adds. “We also wanted to create ‘smarter’ payments—a standardized data set that allowed for clean interactions between parties to send and accept inbound or outbound payments. Today, payments and payment information don’t always travel together perfectly, with the receiver often misunderstanding the purpose of the payment, culminating in costly and frustrating interactions.”

An example is a wire transfer that lacks details indicating the purpose of the payment. Without the right payment guidance, the recipient company may not connect the payment to the right receivable. RTP obviates this possibility by supporting the transfer of critical information about a payment along with the transfer of funds, to efficiently deal with back-office reconciliation issues.

This unique capability was designed and developed using technology from Vocalink, the software vendor that built the U.K.’s faster payments system and which is now owned by Mastercard. TCH wrote the code for RTP and is the system operator.

Heightened payment security was another factor weighed carefully in the development of RTP. The new payments system is the first to be built and launched in the United States since the advent of the Internet. Over this period, incremental changes have occurred in payments, beginning with the gradual reduction in the use of cash and checks, and continuing forward with the digitization of payments and standardized messaging.

“Previous fast payments systems were based on older-generation technology and payments standards,” Ledford says. “An advantage for us being later to the game is that we could learn from and piggyback off of the previous systems’ upgrades. We’ve developed a system using secure, digitally capable Web-based protocols. So we’re not just fast, we’re also safe.”


Treasury Opportunities

Treasurers who leverage the RTP system may help their companies achieve competitive differentiation in their markets.

“With RTP, the payments system can actually become a customer engagement tool,” says Casas. “An insurance company, for example, can provide instant claims payments to a company devastated by a natural disaster.”

Now that the United States and several other nations have introduced independent systems for faster payments, other countries around the world are expected to follow suit, resulting in significant changes in how businesses and consumers send and receive payments globally.

“Today’s payments systems are the building blocks upon which future payments innovation will be built,” says Casas. “Nevertheless, we’re not predicting that all payments will move to a real-time payment channel overnight. RTP is an additional option for payers and receivers to support unique use cases.”

He provided the example of a consumer who has not paid his or her electricity bill on time. “RTP will allow for a request for payment to go from the utility to the consumer’s bank,” Casas says. “When the bank receives the request, it can instantly forward a detailed message through RTP to the consumer that the payment is now overdue. There are multiple benefits, including the avoidance of late fees and/or service disruptions while simultaneously helping to build trust and customer loyalty.”

The account holder sees that if the bill isn’t paid immediately, the electricity will be turned off. “If the person chooses the ‘click to pay’ option, the money is moved from the bank to the utility in real time to avert a shutdown in power—and possibly even a late payment fee,” he says.


Treasurers’ Next Steps

Treasurers interested in adopting RTP need to first determine its value in the context of their current business operations. Moving to RTP might require new payment technology, particularly if the company’s current system releases batch payments periodically to address specific deadlines.

“Business customers need to contemplate API [application programming interface] connectivity with their banks to release transactions in real time, as opposed to batch,” Casas advises.

Treasurers may also need to change the way they manage liquidity and working capital, creating models in their accounts that move money from point A to point B, he adds. Furthermore, with an RTP system, security needs to be embedded in the company’s operational processes at the item level as opposed to the batch level.
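Casas’s point about item-level security, shown as an added example that is not TCH’s or Citi’s code: every push item is judged on its own before release, because a real-time credit transfer is final once sent and there is no batch review window to catch it in. The payee list, limits, shared key and item format below are illustrative assumptions, not RTP message formats.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PaymentItem:
    """One credit-push instruction. Amounts are in cents to avoid float error."""
    end_to_end_id: str          # unique per instruction; a reused id is a replay/duplicate
    payee_account: str
    amount_cents: int
    approvals: tuple = ()       # user ids that approved this item
    remittance: str = ""        # invoice reference travelling with the payment


@dataclass
class ReleasePolicy:
    """Per-company controls; the numbers used below are illustrative assumptions."""
    approved_payees: set
    single_item_limit_cents: int
    dual_approval_above_cents: int
    released_ids: set = field(default_factory=set)


def canonical_bytes(item: PaymentItem) -> bytes:
    """Deterministic encoding so sender and bank integration sign the same bytes."""
    return json.dumps({
        "id": item.end_to_end_id,
        "payee": item.payee_account,
        "amount": item.amount_cents,
        "remittance": item.remittance,
    }, sort_keys=True, separators=(",", ":")).encode()


def sign_item(item: PaymentItem, key: bytes) -> str:
    """HMAC-SHA256 tag over the canonical item (assumed transport integrity check)."""
    return hmac.new(key, canonical_bytes(item), hashlib.sha256).hexdigest()


def verify_item(item: PaymentItem, key: bytes, tag: str) -> bool:
    """Constant-time comparison so a tag mismatch does not leak timing."""
    return hmac.compare_digest(sign_item(item, key), tag)


def check_release(item: PaymentItem, policy: ReleasePolicy) -> list:
    """Return the reasons that block this item; an empty list means release it.

    Every check is per item: in a real-time push there is no batch to pull back.
    """
    reasons = []
    if item.end_to_end_id in policy.released_ids:
        reasons.append("duplicate end_to_end_id")
    if item.payee_account not in policy.approved_payees:
        reasons.append("payee not on approved list")
    if item.amount_cents <= 0:
        reasons.append("non-positive amount")
    elif item.amount_cents > policy.single_item_limit_cents:
        reasons.append("exceeds single-item limit")
    if (item.amount_cents > policy.dual_approval_above_cents
            and len(set(item.approvals)) < 2):
        reasons.append("needs two distinct approvers")
    if not reasons:
        policy.released_ids.add(item.end_to_end_id)   # remember only what was released
    return reasons


def run_demo() -> dict:
    """Constructed items against an illustrative policy; returns the decisions."""
    policy = ReleasePolicy(approved_payees={"ACME-001"},
                           single_item_limit_cents=5_000_000,
                           dual_approval_above_cents=1_000_000)
    key = b"shared-secret-for-illustration-only"
    invoice = PaymentItem("E2E-1001", "ACME-001", 50_000, ("alice",), "INV-7781")
    large = PaymentItem("E2E-1002", "ACME-001", 2_000_000, ("alice",), "INV-7790")
    unknown = PaymentItem("E2E-1003", "EVIL-9", 100, ("alice", "bob"), "INV-0001")
    tag = sign_item(invoice, key)
    # Same id and payee as `invoice`, but the amount was altered in transit
    tampered = PaymentItem("E2E-1001", "ACME-001", 5_000_000, ("alice",), "INV-7781")
    return {
        "invoice": check_release(invoice, policy),
        "invoice_replay": check_release(invoice, policy),
        "large_single_approver": check_release(large, policy),
        "unknown_payee": check_release(unknown, policy),
        "signature_ok": verify_item(invoice, key, tag),
        "tampered_rejected": not verify_item(tampered, key, tag),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The duplicate check keys on the end-to-end identifier rather than on amount and payee, so a legitimate second invoice to the same supplier still passes while a replayed instruction does not; the dual-approval threshold is the control that replaces the human eyes a batch run used to get before the file left the building.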

Citi is working closely with its commercial accounts to prepare them for these changes. Ledford says the other five TCH member banks are also assisting their business customers with the transformations required.

Response to RTP has been highly positive thus far. “We’re already hearing from the treasurers now using RTP that the big difference for them has been immediate confirmation of a payment,” Ledford says. “They’re telling us they cannot overstate how important that has been— the certainty it gives them in simplifying processes like reconciliations.”

Treasurers are also touting the speed of the new payments system in assisting their just-in-time supply and demand obligations. An example is a midsize or smaller company buying from a supplier with which they don’t have a credit relationship. “The company needs the product to ship soon but is concerned over payment,” says Ledford. “What might have taken weeks to resolve in the past takes a couple hours and less, due to the new system’s certainty [of payment] and speed.”

Down the line, more and more financial institutions and their customers will be engaging in real-time payments. “We’ll see material adoption [of RTP] in 2019, when more banks are online with more features and functionalities, such as requests for payments and extended messaging,” says Casas. “By 2020, we’ll see a high number of banks on the system and payment volume ramping up in a significant way. Beyond that, it will eventually become the material payments method and the primary alternative to existing systems.”

These developments will be felt worldwide. In anticipation, Citi has developed a comprehensive toolkit that addresses its connectivity to all payment methods and channels globally. Casas explains, “We’re focused on building globally interoperable capabilities to provide a common experience through a central real-time payment gateway. We see this as a significant differentiator.”

Navigating The Dark Side Of The IoT Revolution

By Russ Banham

Chief Executive magazine

Wesley McGrew is a white hat hacker at HORNE Cyber, where he directs cyber operations. His job is to find security flaws in company systems by hacking into them. Lately, McGrew and his team have been exploiting the vulnerabilities of Internet-connected smart devices like, well, pretty much everything.

From thermostats and coffeemakers to security systems and garage door openers, many commonplace things are embedded with electronics connecting them to smartphones via wireless protocols like Bluetooth. These devices can be connected to the Internet to exchange data, making the work of business more efficient—except when they do dumb things like let hackers exploit them to shut down corporate networks or steal sensitive data. “Any business today has some sort of smart device on its network, either for pure business reasons, like a printer, or for ease of use, like my crockpot,” says McGrew.

His crockpot, which he relies on occasionally for in-office meals, is a demon in disguise. Inside it is a miniature general-purpose computer on a circuit board, with capabilities of the wrong kind. “The manufacturer of the crockpot has no idea about this computer, other than it switches things on and off,” McGrew explains. “But it is really quite remarkable, with the same power and capabilities as a full desktop workstation from 10 years ago.”

Suddenly, a prosaic crockpot is also a computer designed to join a company’s wireless network automatically and talk to a cloud service. However, this computer is vastly easier to hack because it was not designed with strong, configurable security in mind. “A lot of them have a hard-coded password that can’t be changed without a firmware update by the vendor,” says McGrew. “The problem is vendors rarely, if ever, update the firmware.”

A worse problem is that this password is instantly available to hackers. “Default passwords of all these devices are available on the search engine Shodan, which allows anyone to find specific devices connected to the Internet,” says Harri Hursti, the famed Finnish programmer whose studies of voting systems unearthed serious security flaws. “You simply type in the name of the device, and it’s amazing what you can find.”

Not Exactly Fort Knox

Blame economics for many smart devices’ shoddy security. “The challenge in selling many smart devices is the need to hit a price point low enough to encourage people to buy the device,” says Irfan Saif, a principal in the cyber risk practice at consultancy firm Deloitte. “To help achieve this price point, manufacturers may limit features around security.”

He is not alone in this alarmist view.

“Three seconds of thought are given to security,” says Dottie Schindlinger, vice president and governance technology evangelist at Diligent, a provider of enterprise governance management solutions. “The goal is to make the device super easy to connect to a WiFi network and other devices—to make them ‘idiot-proof’ for anyone to deploy. Yet, the moment the device connects to a network, it becomes a giant wormhole for hackers to penetrate.”

This was the case with McGrew’s crockpot.

“It was incredibly simple to exploit its security flaws,” he says. “Once in the back door, I used it as my base of operations to scan the rest of the network looking for vulnerabilities in our internal systems. Basically, I had a foothold into our network to do whatever I wanted next.”

A hacker with malicious intent can do the same thing, albeit with devastating consequences—compromise the network, steal sensitive data, hold the organization ransom and crimp the flow of business.

Midsize and smaller companies with tight resources to invest in a chief information security officer and trained IT security staff are most at risk, although even the largest enterprises are not immune.

“Our company is dependent on IT systems, data and our employees for our operations and securing these systems and data is a fiduciary responsibility of management and directors,” says Ken Asbury, CEO of CACI, a provider of information solutions and services for defense, intelligence and federal civilian government customers. “Just like we have to be sure our facilities and our people are secure, we now need to ensure our employees are informed about the importance of and necessary steps to secure smart devices like surveillance cameras, door locks and printers that are on the network….The Internet of things (IoT) is a new area for cybersecurity, one that increasingly poses the greatest amount of risk.”

Awakening the Zombies

This threat was made frighteningly clear in August 2016, when hackers created malware called Mirai that scanned the Internet continuously for smart devices vulnerable to the default password security flaw, trying to log in over telnet with a short list of factory usernames and passwords. The hackers then commandeered these smart devices into a botnet (robot network) that unleashed DDoS (distributed denial of service) attacks on hundreds of websites, shutting them down and causing extraordinary business interruption losses. In a DDoS attack, a website is besieged with so much traffic, it can no longer accommodate legitimate users.
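Both the Mirai recruitment described here and the foothold McGrew used from his crockpot a few paragraphs earlier show up in network logs the same way: one source fanning out to many destinations. The following is an added example, not code from the article or from HORNE Cyber, that flags that pattern in constructed flow records; the log format, the thresholds and every address in it are assumptions for illustration.

```python
"""Flag hosts whose connection records look like a scanner: a device probing
telnet on many Internet hosts (Mirai-style recruitment) or sweeping admin
ports on many internal hosts (a compromised device used as a foothold)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Mirai-family bots probe telnet on 23 and the alternate port 2323.
TELNET_PORTS = {23, 2323}
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flows(text: str):
    """Yield (src, dst, dport) from assumed 'ts src dst dport' lines.

    A real deployment would read NetFlow or Zeek conn.log instead.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, dport = line.split()
        yield src, dst, int(dport)


def find_scanners(flows, telnet_threshold=10, sweep_threshold=6) -> dict:
    """Return {source: [finding, ...]} for sources exceeding either fan-out threshold.

    Thresholds are illustrative; tune them against your own baseline.
    """
    telnet_targets = defaultdict(set)    # src -> distinct Internet hosts probed on telnet
    internal_targets = defaultdict(set)  # src -> distinct (internal host, port) pairs
    for src, dst, dport in flows:
        if dport in TELNET_PORTS and not is_internal(dst):
            telnet_targets[src].add(dst)
        elif is_internal(dst):
            internal_targets[src].add((dst, dport))
    findings = {}
    for src, hosts in telnet_targets.items():
        if len(hosts) >= telnet_threshold:
            findings.setdefault(src, []).append("telnet_scan")
    for src, pairs in internal_targets.items():
        if len(pairs) >= sweep_threshold:
            findings.setdefault(src, []).append("internal_sweep")
    return findings


def build_sample_log() -> str:
    """Constructed flow records, not a real capture."""
    lines = ["# ts src dst dport"]
    # 1) an IoT appliance at 192.168.1.50 probing telnet on 25 Internet hosts
    for i in range(25):
        lines.append(f"{1000 + i} 192.168.1.50 203.0.113.{i + 1} 23")
    # 2) the same device sweeping admin ports on internal hosts (foothold use)
    for host in ("192.168.1.10", "192.168.1.11"):
        for port in (22, 80, 443, 445, 3389, 8080):
            lines.append(f"2000 192.168.1.50 {host} {port}")
    # 3) a benign workstation: a few connections, including one telnet to a switch
    lines += ["3000 192.168.1.20 192.168.1.1 23",
              "3001 192.168.1.20 198.51.100.5 443",
              "3002 192.168.1.20 192.168.1.10 445"]
    return "\n".join(lines)


def analyze(text: str = None) -> dict:
    """Run the detector over `text`, or over the constructed sample when None."""
    return find_scanners(parse_flows(text if text is not None else build_sample_log()))


if __name__ == "__main__":
    for host, tags in analyze().items():
        print(host, ",".join(tags))
```

Counting distinct destinations rather than raw packets is what separates the scanner from a chatty but legitimate device, and the internal-sweep rule is the one that catches the crockpot after it has been recruited, when its outbound telnet probing may already have stopped.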

The smart devices-turned-zombies were primarily inexpensive, mass-produced CCTV video cameras designed for security purposes. Two months later, the same malware was used against Dyn, a managed domain name system provider of Internet services to Twitter, Reddit, CNN, Spotify and thousands of other websites, shutting many of its clients down. Approximately 500 companies that relied exclusively on Dyn suffered extensive downtimes.

“In the old days, hackers used powerful IT systems to carry out a DDoS attack,” says Vance Brown, CEO of the National Cybersecurity Center, a provider of cybersecurity training. “Today, it’s much easier to marshal thousands of network-connected smart devices to do the same thing.”

Another eye-opening hack of a smart device involved the hospitality industry. In 2017, a hacker infiltrated the electronic key card system at an Austrian hotel, taking down the computer system that issued and managed the room keys. “A ransom in bitcoin was demanded to turn the system back on,” says Jody Westby, CEO of Global Cyber Risk, a provider of cyber risk management services. “The hacking was publicly reported, exposing the hotel to potential reputational damage.”

Smart printers have also been hacked. In 2017, a bored teenager in the UK wrote a script that located some 150,000 printers exposed to the Internet and sent each of them a print job, churning out reams of paper. The clever hacker signed his work “Stackoverflowin.”

Schindlinger cited a more devastating hack. “A certain brand of wireless printer has been shown to have a gaping security loophole, allowing hackers to reprint anything that has ever been printed on the device,” she says. “That may include every legal contract the company has signed, new product information, payroll data, employee names and Social Security numbers—you name it.”

What’s more, once a hacker breaks into the printer, a back door to the rest of the network is opened. As Brown puts it, “As soon as you’re in the house, you have access to all the rooms.”

Even some of the best-selling technology products today may do things users are in the dark about. Brown points to smart speakers like Amazon Echo, noting, “If the device is always listening to you, it also could be spying on you.”

He’s right. A security researcher recently demonstrated how, with physical access to the device, to insert malware into a pre-2017 Echo to stream audio from it to a server, turning the device into a personal eavesdropping microphone.

While there is no software patch available to repair the problem in older units, the vulnerability has been addressed in post-2017 Echo models.

Sending in the Guards

How concerned are corporate risk managers about IoT-related attacks? The answer is extremely. An astonishing 94 percent of cyber risk professionals responding to a study by the Ponemon Institute stated that a security incident related to an unsecured smart device would be “catastrophic,” with 74 percent expressing concern over the loss or theft of valuable data.

What can CEOs do to ensure their companies’ networks and systems are protected? It’s not an easy question to answer.

As McGrew points out, “In many midsize and smaller businesses, the IT security staff is 100 percent focused on keeping the network running. They don’t have time to chase all these smart devices that are connecting to it; they’re at capacity. And most companies don’t have a team of [network] penetration testers—white hat hackers who love to break into devices and pinpoint their vulnerabilities.”

Westby from Global Cyber Risk agrees, noting that it is difficult to sell the firm’s assessments to companies with under $1 billion in revenue.

“Compared with the enormous expense of a business interruption, a forensic investigation is a pittance, yet many CEOs downplay the need,” she says. “This is ridiculous since they have a fiduciary responsibility to investors and shareholders to pay attention to these risks. A big attack can literally do them in.”

The Ponemon Institute study drew a similar conclusion. The respondents cited boards of directors not fulfilling their oversight responsibilities and making management accountable as one of the three major barriers to addressing the risks of smart devices. The other two barriers were insufficient resources and a lack of priority in their approach to cyber risks. “Because it is not a priority and leadership is not engaged, the necessary resources are not being allocated,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “While smart devices promise good things by sharing information for good purposes, there is a dark side—hackers using the information for nefarious purposes.”

Asbury from CACI says that CEOs must take the risk of connected smart devices seriously and lead the charge in their organizations to do something about it. “Companies must develop a culture of cybersecurity, and that begins with the tone from the top set by the executive team and board,” he says. “A strong culture of cybersecurity makes the security of systems, data and smart devices the responsibility of all employees, not just the IT and security teams.”

He adds, “It takes everyone to keep a company secure, at every level of the workforce, all the way up to the boardroom. But someone has to lead the way.”