Sounds like there’s hope for the planet yet. Almost half of employees and consumers believe it’s important for companies to disclose their environmental impact and climate-related risks, PwC’s 2024 Trust Survey shows (PwC is a sponsor of this newsletter). When it comes to building trust in an age when people have so many ways to share information, Aidan Madigan-Curtis reckons such honesty is at a premium. “Being frank and being truly transparent about your business, what it is doing, what it is not doing, what it stands for, and everything in between, is more important than ever,” says the partner at venture capital firm Eclipse Ventures. “Especially in a world increasingly full of misinformation and noise.”

Eclipse walks the talk. The firm, which manages about $4 billion, sits at the intersection of digital transformation and heavy industry, think transportation, manufacturing, and logistics and supply chain. With such industries accounting for roughly 75% of global greenhouse gas emissions, it invests in companies using technology to reduce that pollution. Over the past several years, more institutional investors have been asking Eclipse about its portfolio’s carbon dioxide footprint. Madigan-Curtis and her colleagues figured the positive climate impact could be significant over time. “But when we went about trying to find a [system] to measure that, just how much carbon would be avoided or mitigated by leveraging modern technology in these industries, we couldn’t find one,” she tells me from Nevada.

So Eclipse built its own. With analytics firm Rho Impact, it developed the Eclipse Carbon Optimization (ECO) framework, which calculates a new venture’s climate impact potential. Eclipse then applied ECO to 13 portfolio companies representing a cross-section of heavy industry. The bottom line, published in a 2023 report: By 2050, those companies could shrink annual carbon dioxide emissions by 172 million metric tons, or about 4% of total U.S. C02 output today. That’s equal to the yearly emissions of 22 million homes. “We found it really impactful to have that kind of standard,” Madigan-Curtis says of ECO. Besides helping Eclipse’s companies convey their carbon impact to potential customers, it’s been well received by other VC folks interested in using such a framework. 

Madigan-Curtis also sees a way forward for any business that wants to build trust in its climate reporting. In her view, many companies could do better. “If you look at, for example, Amazon or Google’s reporting around their carbon footprints, there’s a lot to be potentially disappointed by,” says Madigan-Curtis, who previously worked at Apple and connected operations provider Samsara. Many carbon reduction goals and statements take offsets into account, she notes. “It’s fairly well-known that carbon offsets are not the most reliable.” True enough. One study found that more than 90% of rain-forest carbon offsets approved by the world’s top certifier are probably “phantom credits” that could worsen global warming.

Eclipse prefers the rigor of carbon “insets,” Madigan-Curtis explains. For businesses, that includes doing things that are carbon-reductive, such as upgrading HVAC systems and investing in new tech that cuts energy consumption. “These are the types of actions we like to measure,” Madigan-Curtis says. “This is why we’re promoting this framework, versus the more high-level ‘Set a goal, and then use carbon offsets to get there if you’re coming up short.’” To be fair, Google has changed course. As it shifts away from buying carbon offsets in bulk, the tech giant is aiming for net-zero emissions by 2030.

Madigan-Curtis sees big upside in trading offsets for insets. “Consumers, investors, and employees are smart, and a lot of people care about climate and the way that companies behave around climate,” she says. With that in mind, Madigan-Curtis thinks there’s plenty of room for businesses to lead by doing “real work” to decarbonize and measuring and reporting the impact. Those that do “will be the ones that, over time, get more investment, have happier customers, and have greater employee stickiness,” she predicts. “Because people are smart, and they really do look under the hood.” Ideally, that vehicle is electric.

Aflac is embracing generative artificial intelligence, though the insurance company isn’t using the technology externally. At least, not yet. “Aflac is taking a more conservative approach,” says Shelia Anderson, chief information officer at the insurance company that’s best known for selling supplemental policies to cover health events ranging from cancer to life insurance. “Our goal is to never be first to market.”

To kick off its generative AI journey, Aflac developed guardrails and policies to ensure all applications of the technology would follow specific rules. The company also set up a steering committee to assess potential use cases and match them to business objectives. Anderson says Aflac also spent a considerable amount of time educating the C-suite, board, and the broader employee base on what generative AI is and how it can be used to support the company’s business goals. That work is still ongoing, with Aflac currently in the process of developing a curriculum that covers technologies ranging from AI to cloud computing.

With the right structure now in place, Aflac anticipates that it will have external use cases of generative AI ready in 2025. It’s exploring a number of those concepts today in the company’s Hatch Innovation Lab, which is based at Aflac’s corporate office in Georgia, and consists of researchers, user experience designers, and tech specialists from different fields that explore emerging technologies. Some areas of focus include agent recommendations, fraud detection, and churn predictions, the latter would help Aflac identify the customers that have the highest propensity to seek an insurance policy elsewhere. Armed with that insight, Aflac’s sales team could take steps proactively to retain those clients.

The largest and most impactful AI model in place today at Aflac helps auto adjudicate simpler claims, giving customer service agents more time to focus on complex cases. A human will always remain in the loop and approve final submissions for “any type of denial or anything that would be kind of an adverse reaction,” says Anderson. Aflac is exploring AI copilots and generative AI tools from existing partners like Amazon Web Services and Salesforce, as well as working with specialized, insurance-focused AI startups. The company is also exploring more niche products in the innovation lab, though Anderson says she’s wary of how much she’ll invest in customized solutions. She also keeps tight controls on Aflac’s data. “Most of the AI models that we have, we will be leveraging data safely inside the walls of Aflac,” says Anderson.

Anderson has worked in the insurance industry for over a decade, serving as a CIO at Liberty Mutual and USAA prior to joining Aflac in 2022. Beyond generative AI, what’s kept her busy is the integration of acquisitions and making customer-facing processes more consistent as it relates to information about policies, claims, and billing. Anderson also slowed down Aflac’s “rapid” cloud migration. She has led an effort to upskill the company’s workforce so that Aflac could be more knowledgeable about when to lean on cloud and exactly where and how it can save money. “It can actually end up costing you more if not well managed,” warns Anderson.

We all think about cybersecurity for different reasons. In the indictment unsealed yesterday in the criminal case against Eric Adams, investigators said the New York City mayor “increased the complexity of his password from four digits to six”, or 10,000 possible combinations to 1 million, two days before the FBI seized his cellphone, and then told investigators that he forgot the new code. Meanwhile, the city council of Santee, Calif., revealed this week that it paid a ransomware consultant more than $600,000 to address an attack on its servers last month. In Washington, the personal information of more than 3,000 congressional staffers was leaked to the dark web. And China-backed hackers are now breaching different U.S. internet providers in what’s being called the Salt Typhoon attacks. 

So it was fascinating to interview J. Michael Daniel, president and CEO of the Cyber Threat Alliance, last night at a Fortune CFO dinner in Washington sponsored by Workday and Deloitte (which also sponsors this newsletter). Daniel was the nation’s cybersecurity coordinator in the Obama Administration and an advisor to Bush and Clinton during his years in the Office of Management and Budget. He talked about how ransomware gangs are now using stolen data to physically threaten C-suite executives and their families and squeeze many millions from corporate coffers. He also noted the depressingly low odds of being caught, with a 0.05% rate of detection and prosecution in the U.S.  

Senior reporter Sheryl Estrada, who cohosted the dinner and writes Fortune‘s CFO Daily newsletter, did strike a vein of optimism when turning the conversation to AI. Daniel believes AI gives a slight advantage to defenders of corporate realm as it’s allowing them to detect the signal more easily in the noise of constant attacks.  

Nikesh Arora, chairman and CEO of Palo Alto Networks, believes we need a paradigm shift in how we approach cybersecurity. As he recently told me: “People are getting to infrastructure much faster and they have economic reasons now with ransomware to get there, so you have to be able to detect and stop bad guys as quickly as you can.” For him, perhaps unsurprisingly, the answer is better integrated platforms. (Click here to listen to our podcast.) 

For Lane Bess, CEO of Deep Instinct, the answer comes through deep learning and “edge-chipped” technology that doesn’t require a big data center. Says Bass: “We have to get at prevention.” 

European shipping companies are still lagging in ESG reporting despite pending regulations set to come into force in two years. The European corporate social reporting directive is already kicking in for larger stock-listed companies that need to meet its requirements from next year. It has been created to offer greater levels of transparency regarding company sustainability efforts. Smaller listed companies get pulled into the requirements in 2026, with many already beginning to adapt their sustainability reporting to be compliant. This will include most listed European shipowners.

A new report from Oslo-based Position Green reveals that there are no shipowners with an A- grade when it comes to meeting the standards in transparency and detail in their sustainability reporting. The report lists companies on the Oslo, Copenhagen and Stockholm exchanges as well as the top 100 European companies.

Position Green founder and executive chairman Joachim Nahem said listed shipping companies still have a lot to do to have sustainability reports that meet the European Sustainability Reporting Standards. The ESRS are the standards that companies need to use to meet the corporate social reporting directive. He told TradeWinds that shipowners’ reports have been graded from B to F in Position Green’s ESG100 scorecard, but none have achieved top grades. In last year’s ESG100 report only three owners achieved an A grade.

“This stuff is complex and shipping is behind the curve,” he said. “This is not an exercise that you do in two seconds. This requires diligent work getting this data and because it needs to be assured and disclosed, you cannot just make it up.” The European directive mandates the disclosure of detailed environmental, social and governance data and introduces stringent assurance requirements.

The standards which shipowners will be expected to align their ESG reporting which cover a wide range of topics, including climate change, biodiversity, human rights, and governance practices. Nahem pointed to the volume of information required to be disclosed by the ESRS, which can in itself pose a transparency challenge in itself.

The Position Green report has been published annually since 2018, but this is the first time the company has graded sustainability reports directly against the new directive. Some companies which achieved a good grade last year have found they have a lower grade this time round as they struggle to apply the standards, Nahem said.

When a vendor’s tech glitch takes down a business, whether for just a few hours or several days, who should pay? It’s a question many are asking after a faulty software update from cybersecurity company CrowdStrike last month crashed millions of Windows-based devices, leading to corporate chaos, lost sales, and millions of dollars spent trying to fix the problem.

The answer, it turns out, is complicated, hinging on the fine print in the contracts that businesses sign with their software vendors. Companies also frequently buy insurance to cover any disruptions, although the policies vary in paying out when third-party tech providers are responsible for the disaster. What is clear is that many employers, burned by the CrowdStrike outage, are suddenly paying a lot closer attention to their software vendor contracts to better understand who’s liable when tech fails.

Michael Mainiero, the chief digital, and information officer at Catholic Health Long Island, says he’s now performing quarterly status checks on vendor contracts after a big part of the New York-based hospital system was taken down by the CrowdStrike outage. He’s also ensuring Catholic Health has an updated point of contact for all the company’s vendors to know who to call if things go south. But Mainiero has no plans to require vendors to agree to larger legal liability in the event of a system breakdown. He fears it would create a disincentive for vendors to remotely update their software for fear that it, like CrowdStrike’s, could end in a tech disaster. “If you’re making it onerous for a vendor to update something, you could weaken your cybersecurity posture and increase your risk exposure,” Mainiero says, adding, “My focus is to build strong collaborative relationships with the vendors, and during the crisis, have the ability to work together seamlessly and bring the system online quickly.”

Delta Air Lines, which had to cancel thousands of fights following CrowdStrike’s outage, has taken a far more aggressive stand. It has said that it would seek $500 million from CrowdStrike for lost revenue and extra costs. In response, CrowdStrike said its contract with Delta limits its liability to less than $10 million. Sean Scranton, a cyber risk expert at insurance provider WTW, says a broad group of stakeholders, including the chief information security officer, legal department, risk managers, and internal auditors, should work together to agree on liability language in contracts.

After an initial risk assessment, companies should consider ways to reduce the potential trouble spots they identify, including requiring extra approvals for software updates from vendors like CrowdStrike. That human oversight would be an extra expense for the customer. Companies using third-party software could also reduce their financial risk of a meltdown by taking out insurance or by accepting the risk and planning a detailed response for when things go wrong. “Everyone is responsible for managing risks and making sure that if incidents do occur, we keep the severity low,” says Scranton. 

The CrowdStrike fiasco shows that business customers may have been too trusting of software vendors and that healthier skepticism may be needed, says Asha Palmer, senior vice president of compliance at software maker Skillsoft. Vendors should tell customers about any upcoming tweaks to their products, including software updates and any hiccups they encountered in the development process, she says, but customers must also create systems that protect themselves against faulty software. “There is a mutual accountability between the vendors that service you and you being the person who is being serviced,” says Palmer.

Steven Weisman, a partner at law firm McCarter & English, says traditional business disruption insurance wouldn’t cover a CrowdStrike-type event. But some policies that specifically cover cyber failures may reimburse customers for some of the lost revenue and extra expenses caused by a third-party software provider’s mistake.

Corrie Hurm, head of claims at insurance broker Embroker, says most insurance that covers business interruptions requires certain triggers for payouts: Was it a system outage? Or a cyber-attack? Each event can come with varying degrees of insurance coverage. But often, those insurance policies require companies like Delta to implement their own checks and balances for when things go awry. Businesses should also use a diversity of software and hardware vendors, Hurm says, advice that’s contrary to the push by many IT leaders to reduce the number of vendors they work with. “If you’re putting all your eggs in one basket and there’s an outage like this one, you have a major problem,” says Hurm.

There is a generation of shipping executives wishing desperately they had concentrated more in chemistry and mathematics. The immediate future of the industry effectively rides on them understanding a complex series of equations that have crucial variables missing, and they are struggling. In the absence of any better ideas, they are guessing.

The good news is that the first test question has been revised down from an essay to a multiple-choice option. Having grappled with several semesters, and studied the vagaries of shipping’s multi-fuel future, it seems that the end of year finals has narrowed the question down to a choice of three distinct molecules: ammonia, methanol, or methane. But turn the page and, inevitably, there are difficult follow-up questions requiring you to show your working on which variant of bio, or E-methane you are basing your answers on.

Examiners are liable to find variable quality in the work that gets submitted. Some papers arguably may do well in a theology exam, but fare less well when it comes to the rigors of immutable numbers. The Höegh team are serious students and have been working hard on their ammonia answer, but like everyone else their answer is conditional. They may not ‘believe in methanol’, but faith in ammonia is equally difficult to rationalize when you factor in the 150%-200% cost differential that will need to be bridged by, yet undefined and unguaranteed, carbon pricing mechanisms.

Maersk did, and presumably still does not ‘believe’ in LNG. But when they are inevitably called on during their results presentation on Wednesday to show their working on the hotly anticipated (and sizable LNG dual-fueled) addition to the orderbook they are expected to unveil, they are going to need to be clear on the detail of how their new dual-fueled strategy stacks up. Examiners will be looking closely at the detail of their answers to understand the subtle difference between market pragmatism and U-turn.

Prakash Kota, chief information officer at business software firm Autodesk, was fortunate enough to experience an uneventful flight home on Thursday evening to the San Francisco Bay Area after attending a leadership meeting in Montreal. By Friday morning, Kota and others awoke to the largest IT outage in history. A software update pushed out by cybersecurity company CrowdStrike caused millions of Windows-based computer systems to crash, upending air travel, banking, retail transactions, hospitals, and railways across the globe. Many CIOs are still dealing with the aftermath. And while nearly all of Autodesk’s employees were back online by Friday morning, Kota says the episode shows that IT leaders must create more protections in an era when software on corporate devices is often updated by external partners. “I would say it almost gives a wakeup call to some of these vendors that want to be agile, but certain things have to be tested,” Kota said.

One change Kota is strongly considering at Autodesk is more oversight of automatic software updates from vendors before they’re accepted. “Is there a way where we can restrict some of the changes before they get deployed broadly?” Kota asks. At cloud company Akamai Technologies, the CrowdStrike outage had no direct impact on operations due to a prior decision to prevent vendors from pushing through automatic updates. Instead, the company’s IT department must approve them before they’re downloaded. “That’s a lesson: Have faith in your providers, but you can’t trust them wholesale,” says Akamai CIO Kate Prouty. “You need to do your own testing.” 

While unscathed this time around, Akamai learned a few lessons from the CrowdStrike debacle. It realized that the existing encryption on the company’s devices adds an extra layer of complexity if staff needs to decrypt those machines remotely to resolve a problem. Akamai is now considering automating the process to get those devices back online quickly following a mass outage rather than having to unlock them one at a time. Prouty said she’s also thinking through how to ensure employee communications if the company’s internal messaging system became inaccessible due to a tech disruption.

Peter Mattis, chief technology officer at database startup Cockroach Labs, says CrowdStrike isn’t solely responsible for the outages that impacted so many businesses. Its customers, he argues, also deserve some blame. “Why weren’t they mandating that they had more control over what’s being deployed to their critical infrastructure? They are essentially turning it over into the hands of this vendor,” Mattis says.

When companies sign deals with new vendors, they often require those companies to complete a questionnaire to attest to the security of their systems. Some of these questions focus on “system resiliency,” details that would reveal how CrowdStrike and other vendors think through data protection, disaster recovery, business continuity planning, and how they stage software updates. “I’m already asking our procurement people to do a little scrutiny to [determine] should we be asking more incisive questions about their resiliency,” says Mattis. 

Tom Parker, CTO of security company NetSPI, says the outage exposed significant industrywide “gaps in our ability to react and respond” to CrowdStrike-like threats. But he remains a fan of CrowdStrike and the security industry. “There’s definitely a tendency to have a knee-jerk reaction,” says Parker. CrowdStrike customers should perform a deep analysis of what happened inside their companies during the crisis, he adds, and perform tabletop scenarios, or simulated IT emergencies that help train employees and expose weaknesses.

At CNH, a manufacturer of agriculture and construction equipment, 8,500 employees were confronted with the “blue screen of death” on Friday that made their devices unusable. By mid-day Saturday, 100 IT professionals were able to get some operations up and running, and after 72 hours, the company was fully operational. Marc Kermisch, CNH’s chief digital and information officer, says his optimistic view of the outage is that it gave many companies an opportunity to put their disaster recovery plans to work. “We really got a chance to exercise that, and it was a great learning moment,” he says. And while relieved CNH had a plan to execute against, he adds, “I hope to never have to do that one again.”

Security experts said CrowdStrike’s (CRWD.O) routine update of its widely used cybersecurity software, which caused clients’ computer systems to crash globally on Friday, apparently did not undergo adequate quality checks before it was deployed. The latest version of its Falcon sensor software was meant to make CrowdStrike clients’ systems more secure against hacking by updating the threats it defends against. But faulty code in the update files resulted in one of the most widespread tech outages in recent years for companies using Microsoft’s (MSFT.O) Windows operating system.

Global banks, airlines, hospitals, and government offices were disrupted. CrowdStrike released information to fix affected systems, but experts said getting them back online would take time as it required manually weeding out the flawed code. “What it looks like is, potentially, the vetting or the sandboxing they do when they look at code, maybe somehow this file was not included in that or slipped through,” said Steve Cobb, chief security officer at Security Scorecard, which also had some systems impacted by the issue.

Problems came to light quickly after the update was rolled out on Friday, and users posted pictures on social media of computers with blue screens displaying error messages. These are known in the industry as “blue screens of death.” Patrick Wardle, a security researcher who specializes in studying threats against operating systems, said his analysis identified the code responsible for the outage. The update’s problem was “in a file that contains either configuration information or signatures,” he said. Such signatures are code that detects specific types of malicious code or malware.

“It’s very common that security products update their signatures, like once a day… because they’re continually monitoring for new malware and because they want to make sure that their customers are protected from the latest threats,” he said. The frequency of updates “is probably the reason why (CrowdStrike) didn’t test it as much,” he said. It’s unclear how that faulty code got into the update and why it wasn’t detected before being released to customers. “Ideally, this would have been rolled out to a limited pool first,” said John Hammond, principal security researcher at Huntress Labs. “That is a safer approach to avoid a big mess like this.”

Other security companies have had similar episodes in the past. McAfee’s buggy antivirus update in 2010 stalled hundreds of thousands of computers. But the global impact of this outage reflects CrowdStrike’s dominance. Over half of Fortune 500 companies and many government bodies such as the top U.S. cybersecurity agency itself, the Cybersecurity, and Infrastructure Security Agency, use the company’s software.

Deglobalization, decarbonization, and managing the higher costs of capital. These are three of the major trends global business must grapple with, Bain’s new global managing partner Christophe De Vusser told me a few days ago. But another trumps them all, he said: generative AI.

Generative AI is, of course, the buzziest term in business these days. But a few things still stood out to me as De Vusser, the first European to lead Bain (and a former colleague of mine in the Brussels office), discussed how artificial intelligence is changing Bain’s operations and its relationships with clients.

“Generative AI has not yet reached its tipping point. It’s not at full deployment where it impacts everything we do, and how workflows will be organized,” he said.

But the revolution is on the horizon. In Bain’s internal operations, AI has already altered between 20% and 25% of Bain’s work, and that will soon be up to 50%, De Vusser predicted. Gone are the days where junior consultants manually make charts. Bain now hires data scientists and engineers and has automated much of that grunt work.

De Vusser said the real impact will come when AI alters how the company works across all divisions and roles, the market in which it plays, and the profits it makes. That will all occur when gen AI becomes “multimodal,” includes video and audio alongside language, and can change entire work processes, or even replace humans with robots. (He didn’t indicate a timeline.)

Consultants like Bain don’t make money by merely looking in their crystal ball; they work hand in glove with companies to make their prophecies become self-fulfilling. Bain was one of the first consulting firms to strike a partnership with OpenAI, when it announced a “services alliance” with the ChatGPT developer in February of last year. Only a few months later, the giant French retailer Carrefour announced its own OpenAI deployment, calling it the result of a “collaboration with Bain & Company and Microsoft, partners of OpenAI.”

Since then, several more of Bain’s clients, including American Express, State Farm, Coca-Cola, Ahold Delhaize, CVC, and Citizens also displayed a “huge demand for gen AI innovation and future proofing,” the company said. “30% of our business is driven by advising people on AI and the supporting technologies,” De Vusser said. Thirty percent? That sounds like a tipping point to me.

HMM, South Korea’s flagship line, is installing Deep Eyes, an artificial intelligence video analysis solution on one of its biggest ships as a pilot with a view to further installations. Deep Eyes is a safety monitoring system that automatically recognizes and warns crewmembers of abnormal situations such as fire, smoke, workers not wearing safety equipment, or falls. An HMM official said, “We plan to actively use it to identify worker behavior patterns and standardize work safety through video analysis in the future.”

Deep Eyes was created by professors at Chung-Ang University in Seoul.