Gautier Garin, Penneo: “an electronic signature doesn’t necessarily bring any guarantees when it comes to signer authentication”
Having to control some of the most basic business processes, such as document transactions and digital signing, often comes with cybersecurity challenges.
Because of the sensitive nature of these processes, organizations tend to outsource some of these tasks or search for automated solutions to implement. This helps ensure that tools like digital signatures are deployed in a secure and effective manner.
To discuss why such automation is a useful and convenient practice, we have reached out to Gautier Garin, the Marketing Director of Penneo – a company that digitizes and automates the process of e-signing.
Tell us about the journey since your start in 2014. How did Penneo go from an idea to what it is today?
Penneo started back in 2014 when six entrepreneurs came up with the idea of digitizing the manual signing flow of a wide range of documents. Shortly after, the company discovered an attractive niche in the audit and accounting industry and started developing its software solution to digitize and automate the process of signing and filing financial reports, as well as onboarding and verifying the identity of clients in full compliance with regulatory requirements.
Penneo’s product offering quickly gained traction within the audit and accounting vertical, and after signing its first major accounting firm as a customer already in 2014, the company reached a milestone of 500 customers in 2016. In 2017, Penneo expanded across national borders when it entered Sweden and Norway, and the following year, all top ten largest accounting companies in Denmark were using Penneo, including the Big Four. In 2019, Penneo gained a strong foothold in the Nordics with the addition of several key accounting firms in Sweden and Norway. Today, Penneo is a listed company and a very strong actor in Scandinavia with more than 2000 customers. Penneo continues to develop in new markets such as Belgium, Finland, and Germany.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
Penneo offers two solutions – Penneo Sign and Penneo KYC – which help companies get rid of pen and paper by digitizing cumbersome manual document and signing processes while ensuring compliance with legal requirements. Penneo Sign and Penneo KYC are offered in separate plans or as a combined package.
Penneo’s solutions are standardized and run on cloud infrastructure, which allows customers to access the platform from any web browser. This enables Penneo to deliver software updates, new features, and integrations to all customers simultaneously, which makes its offering highly scalable and cheaper for clients, as they do not need to allocate any internal IT resources to the process. The platform also integrates with the relevant partner software systems that customers use in their daily work, such as Silverfin, Wolters Kluwer, or CaseWare.
Have you noticed any new cyber threats arise as a result of the pandemic?
We haven’t seen new cyber threats arising as a result of the pandemic directly, but rather more awareness around existing cyber threats such as fraud on signatures and document modification or potential risks of document leaks. Companies became more aware of different needs by not being able to meet in person and therefore more aware of current problematics such as:
- Who has access to my documents?
- What policies do I need to follow?
- How do I securely make document transactions?
Before the pandemic, a lot of companies were still signing documents physically or sending them by email with a very low level of compliance and security. Those cyber threats became more predominant and companies started to realize that they needed to improve some processes.
Even though cybercrime rates are constantly on the rise, certain companies still fail to recognize the importance of compliance and other security standards. Why do you think that is the case?
At Penneo, we believe that the reason certain companies still fail to recognize the importance of compliance and other security standards is simple: they don’t realize the risks they are exposed to.
Many companies are quite passive when it comes to compliance and security because they tend to have the state of mind of “this happens only rarely and only to others” or they perceive regulatory compliance as a difficult field to navigate in. Our role at Penneo is also to make companies aware of the reality when it comes to cybersecurity and the risks they might encounter by not taking it seriously, as well as making regulatory compliance much simpler.
An example is the trust many companies have in the fact that any document they send by email wouldn’t be modified by the recipient before signature. It is a quite common threat that happens more than companies believe. It’s so much better to be able to track any activity made on a document until it is signed and sealed to make sure the document hasn’t been modified in a way that could threaten the company.
What are some of the worst cybersecurity habits that can put an organization’s workforce or their customer data at risk?
We can see numerous bad cybersecurity habits that can put organizations and their customers at risk. The main ones in our area of work are:
- Document transactions via insecure channels such as email. Organizations don’t have control over potential changes in the documents or to whom the document can be transferred.
- Data deletion policies are not being respected. Most companies are subject to data deletion policies but don’t respect them or are not even aware of them, which results in documents being stored for a long time and often without a high security level.
- Access control of the documents. Companies cannot be 100% sure who has access to which documents, which creates risk.
While the digital signature is becoming a widespread practice, there are still some myths and confusion around it. What misconceptions do you often notice?
There are a lot of misconceptions around the digital signature concept. Today, different terms are used to sign documents electronically, and a lot of people don’t know the differences between, for example, electronic signature and digital signature.
An electronic signature (just drawing or typing a signature on a document online) doesn’t necessarily bring any guarantees when it comes to signer authentication, content integrity, or legal validity, while a digital signature (made with an electronic ID) is much more secure and compliant.
In short, here is a table to visualize the misconceptions between electronic and digital signatures:
Furthermore, we also have misconceptions around topics such as digital certificates or KYC (Know Your Customer) processes.
What security issues do you think will arise in the near future as digital identity becomes a significant part of our lives?
Overall, when it comes to digital signing, data collection, and KYC processes, the security level is constantly increasing, and cyberattacks are more and more difficult to take place. However, when it comes to automating processes and signing workflows, it can also create some security vulnerabilities and we will need to make sure digital identity remains at the highest level of security at all times to keep credibility and authority on the market.
Talking about the future, which security measures will become crucial to combat emerging threats?
In the future, a lot of security measures will become or remain crucial to combat emerging threats and will need the greatest attention and support. Among them, we can mention the following:
- Personal identification numbers (PINs), electronic IDs, and passwords used to authenticate and verify users and signers as well as to approve signatures.
- Asymmetric cryptography systems to reinforce security with private and public-key encryption and authentication
- Certificate authority (CA) validation is used to issue digital signatures and act as trusted third parties by accepting, authenticating, issuing, and maintaining digital certificates.
- Trust Service Provider (TSP) validation. Those legal entities need to remain highly performant and secure.
Share with us, what’s next for Penneo?
Today, Penneo is the leader in the Audit & Accounting market in Denmark, with more than 66% of all annual reports signed with Penneo in 2020. We want to continue to make life easier, more secure, and more compliant for Audit & Accounting firms in the first place but also all AML (Anti-Money Laundering) related industries. Penneo is quickly reinforcing its leadership in Scandinavia and is starting to develop in new markets such as Belgium, Finland, and Germany.
In short, Penneo aims to become the European standard when it comes to regulatory compliance and security for all companies, as every company will be subject to regulations sooner or later. We can see the future of Penneo as a network where companies could communicate and perform document transactions, data collection, and signing in the most compliant and secure way possible.