Derek Szeto is a serial entrepreneur who previously founded Red Flag Deals. While working on another app, he and his co-founder Adrian Niblock identified an opportunity to facilitate insurance based on needs, leveraging customer insights and data. “We’re a bit like a matchmaker,” Szeto explains in a recent conversation. “Walnut Insurance is a licensed insurance broker and a technology provider, ultimately trying to match the needs of a customer with the needs of an insurer.”
As an example, Walnut partners with a mortgage broker. Part of the requirements of funding a mortgage is for the home buyer to prove they have home insurance. When the mortgage provider has approved the buyer for a mortgage, they engage Walnut (with the buyer’s permission) to provide an insurance quote to the home buyer directly — without the buyer having to retell all their personal and financial information. If the buyer accepts the quote, Walnut can facilitate fulfilling the insurance need.
“Customers predominantly don’t love insurance,” he adds. “If we can provide it to them in a more modern, more delightful, more digital and more time efficient way, they’re happy. At the same time, we help insurance providers reach customers without having to spend direct-to-customer marketing dollars, which is interesting for them. If we can make insurance a little bit more loveable, it’s a big win for everyone.”
The foundational importance of cyber security
Insurance is very personal. When you consider life insurance, providers ask for birthdate, health questions, family history, smoking history and more. It is highly sensitive information that no one wants others to know. Even auto insurance requires information such as driver’s license history, address, and household information — essentially all the information needed to run a credit score. “We need to make sure this sensitive data is secure and used in an appropriate way,” says Szeto.
Considering the ever-evolving cyber threat landscape, Walnut requires a robust cyber security infrastructure that can adapt quickly.
“We started two and a half years ago — and as we bring on larger clients, cyber security requirements have grown. We need more robust processes on audit logging, backups and SOC compliance as we work with larger and larger organizations,” says Szeto, who explains that every client has different requirements. “Vendor onboarding processes may involve hundreds of questions around IT security, certain certifications and proof of secure protocols. Some also require cyber insurance coverage,” he adds.
Part of their security infrastructure involves the built-in features of the systems they run. “We run basically everything in the cloud, so we use a lot of the security features that are built within AWS, an Amazon business,” explains Szeto, who adds that partners are familiar with AWS and comfortable with its built-in security. “We also use Google Docs, which enables us to share materials with certain clients based on sharing settings we can set ourselves.”
Partnering with Kobalt.io for enhanced cyber security protection
To meet the full scale of their cyber security requirements, Walnut works with Kobalt.io, a cyber security firm specializing in helping businesses defend their business and data. “With Kobalt.io we conduct an annual penetration test, which helps us identify vulnerabilities in our systems,” explains Szeto. The penetration test (or pentest) involves the team at Kobalt.io being given access to a staging environment at Walnut and conducting a set of tests to try to break through their systems. They then share a report and provide recommendations to address any vulnerabilities — a report that Walnut can share with their partners and vendors.
“Kobalt.io has a strong reputation in the market, and they’re known to be a reputable firm – working with them shows that our security measures are up to standard,” says Szeto.
“Cybersecurity is a critical element for the Fintech industry and really financial organizations of any size. Incorporating cybersecurity into your business strategy discussion will help alleviate core security risks and support business success. We are so glad to have the security conversation with Walnut Insurance early and often to maintain a strong level of awareness and posture,” says Michael Argast, Co-founder and CEO of Kobalt.io
Cyber security requires a 365 mindset
Although the pentest is a standard and annual exercise that Walnut undertakes, Szeto quickly explains that cyber security is not a once-a-year endeavour for him and his team. “Security is constantly evolving and is always top of mind,” he says.
While this security mindset is a requirement for Szeto’s business, it’s also a point of differentiation for Walnut among other businesses of his size and tenure. “My co-founder and I worked at a financial institution; we have engineers who came from Symcor, which services financial services, and others who came from Symantec, which deals with a great deal of personal data. As such, we probably have more of a security mindset than most start-ups,” he says. “Between our experience and Kobalt.io’s expertise, we have been able to take the security infrastructure and processes of larger firms and adapt them to a smaller, more nimble, early-stage start-up to protect data and work with partners for whom security is top of mind.”
Walnut has enhanced cyber security protocols in place partly because of the experience of its founders and the nature of its business. But just about every business needs to think about its technology, people and processes — and how they might be a target for cyber security attacks.
“When it comes to security, a cyber secure culture is key in driving growth through digital trust. We work alongside the Walnut Insurance team. They have a security-savvy mindset, which paves a long way for building business resilience,” Michael adds.
Protecting customer and partner data is paramount in a world where cyber security threats are evolving and persistent. Working with a cyber security partner can help business owners identify vulnerabilities, set a relevant plan and implement policies and processes that keep their businesses and information secure.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.