Banking Frontiers

Slave power rising - what must the Master do?

Question: What has been your experience with using technology to mitigate risks arising out of technology momentum?

- ravi@glocalinfomart.com, manoj@bankingfrontiers.com

Technology is too powerful a tool to be taken for granted. It is totally unsafe to assume that technology will behave only as we want it to. Technology can and does behave in unpredictable ways. 12 experts tell us how we can protect ourselves and keep control over technology.

ABHILASH BALAN, CISO at Digit Insurance

We are a technology first company, and we are aware of risks such as misconfigured systems, access issues, data leakage, etc. We follow established governance and policy framework to ensure systems and data are protected. We have implemented multiple controls covering data protection, authentication and log review to monitor and mitigate the risks. Also, we are continuously upgrading our systems and processes in line with the evolving threat landscape like phishing attacks, ransomware, etc.

BIKASH CHOUDHARY, Appointed Actuary & Chief Risk Officer at Future Generali India Life Insurance

Technology has truly become the backbone of every modern organization. From the use of computers, smartphones, tablets and the internet, organizations now have a global exposure to cyberattacks that are difficult to understand and predict. Basis learnings, following are 6 key lessons which, if followed, will help in mitigating the risks arising out of the technology momentum.

(i) Identify key risk, measure probability and impact

– It is very important to identify in time the key areas of concerns and measure the probability of occurrence and impact on business activity. This will help in developing an effective mitigation plan.

(ii) Measuring Risk

– Once the risk is identified and analyzed, measure its impact.

(iii) Analyze security threats

– The organization must identify all security vulnerabilities. This must include external threats such as cybercrime and cyberterrorism, as well as internal threats, such as the distribution of restricted information. Review of security requirement related to following areas is very important: (a) System access and controls (b) Authentication (c) Transaction authorization (d) Data Integrity (e) Audit trail (f) Security event tracking (g) Exception handling and (h) System activity logging.

(iv) Analyze the risk of hardware and software failure -

Organizations should consider what the risk of hardware and/or software failure entails for the organization and its overall operations. Questions that must be answered: How stable is the equipment and software the organization uses or plans to use? What are the potential consequences of failure?

(v) Outsourcing risk

– It is very common for an organization to hire a third-party company to handle system development and maintenance, network administration, disaster recovery service, application hosting and cloud computing. A third-party vendor must be carefully selected and evaluated on the basis of their viability, capability, reliability, track record and financial position.

(vi) Rank potential risk and specify the desired outcome

– Threat profiling should be carried out and analyzed post identification of a risk. The analysis should consider outlining the types of risks an organization can encounter as well as the likelihood of the risk occurring. Based on the analysis, the organization must choose the appropriate risk management strategy - risk avoidance or risk transfer or risk reduction or risk retention.

BIRANCHI MISHRA, Head – Credit, Risk & Product at Netafim Agricultural Financing Agency

Given that technology plays a vital role in the risk management and financial reporting process besides improving efficiency in each function, the integrity of the technology and the outputs are critical control elements of the internal control environment. The output of technology addresses several assertions inherent to effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. IT risks are the events that depict ‘what can go wrong’ in not meeting the above fundamental assertions. Secondly, unlike natural systems, organizations are managed by intelligent participants who may find ways to defeat the purpose unless there are adequate controls. Appropriate controls, constant upgradation and regular internal and external technology audits help mitigate the technology momentum risks.

DAMODARAN C, Vice President & Chief Risk Officer at Federal Bank

Digitization of risk management functions is necessary for mitigating the rapidly digitizing business domain. Use of AI & ML on the domain of risk management is increasing. This enables banks in early effective monitoring, early detection of risk events and ensuring timely remedial action. While banks rely on a host of technology enabled models for decision making, we have put in place model risk management practices for periodic monitoring, back testing and reviewing such models. We have put in place tech-enabled models for transaction monitoring and fraud prevention. These models are constantly reviewed and upgraded to detect the emerging frauds in digital transactions.

K R MOHANACHANDRAN, Chief Risk Officer at ESAF Small Finance Bank

We use proper technology risk assessments to identify the critical risks and ways to mitigate them. We see the costs and take a call whether to go for risk mitigation using technical controls or administrative controls. In majority of the cases, only technology can help in mitigating the risks arising from digital acceleration.

We follow the concept of ensuring Confidentiality, Integrity and Availability (CIA) in our information systems and applications. The information systems of the bank are subjected to Vulnerability Assessment and Penetration Testing (VAPT) periodically, as a preventive measure against cyberattacks that could threaten the CIA of data and the systems.

The bank has implemented a 24x7 Security Operations Centre (SOC) to detect and analyze all potential incidents and notify the application owners who have been affected, to contain, eradicate and recover from the incident. All cyber security incidents are recorded and reported to the InfoSec team. Also, we conduct planned and unplanned DR drills. The bank’s technology platforms have proved to be robust to face any potential cyber security and IT security risks.

PRITHVI CHANDRASEKHAR, President Risk & Analytics at InCred

I see complexity as the main risk emerging from the accelerated use of technology. In the balance, these emerging technologies are immensely powerful. They clearly make our customers and our industry better off. However, dealing with the complexity (and the unintended consequences) of these technologies, is something we are still grappling with.

ROOPAM ASTHANA, CEO & WTD, Liberty General Insurance

Technology momentum in any industry would affect 3 major pillars of any organization - Processes, Systems and People. While risk of obsolescence and lack of continued tech support can be an outcome of not keeping pace with technology, risk relating to introduction of new technology can likely lead to a major failure. Hence, it is crucial to identify possible risks and create a plan to mitigate these risks. Post identification of these risks, we must have a strategic plan in place like business continuity plans and back-up plans. Constant identification of technology risk should be an ongoing process.

SADAF SAYEED, CEO at Muthoot Microfin

Various risks are arising out of the technology momentum. The most important is the data accuracy, availability of the data and security of the system and data. These IT/ data security risks can be mitigated through various technological and logical tools. We are implementing the basic security tools effectively. Yes, with complexity of the data, process and IT systems, we will be implementing more sophisticated security tools.

SUJAY DAS, Chief Risk Officer at MoneyTap

Technology enhancement has helped in mitigating risk in several ways for financial organizations. There are many things that can be done instantaneously using machine learning algorithms and through API integrations. In our case specifically, checking the validity of self-taken images that customers send us, validating of PAN card details, verifying geo-location, eKYC and video KYC, income verification, etc, are a few examples where technology has helped the credit underwriting and verification processes become faster and more accurate. These go a long way in mitigating credit and fraud risk for financial organizations.

However, there should be proper checks and balances built in the processes to see that there are no failures in the technology. We should build in robust monitoring processes that get triggered if any technological failure happens, so that it can be immediately fixed so as to reduce operational losses.

SUNDER NATARAJAN, Chief Compliance & Risk Officer at IndiaFirst Life Insurance

Risks include adoption, teething and early redundancy. A head start in the use of technology across the sales process over the recent years has helped us ride the momentum which I have largely driven by the willingness of the end customer and our distributors to engage through digital or phygital means. We have seen a digital uptick across the customer life cycle - right from engaging prospects through web workshops, paperless onboarding through an OTP-based customer consent, ongoing customer service through WhatsApp, IVR, and chatbots, collecting premium and remitting maturity and claim proceeds through digital means.

The first level risk arising from the above is adoption, especially if it involves a large set of users. The immediate next challenge is the ability to overcome teething troubles and course-correction alongside changes. The biggest risk, however, is maintaining the status quo in the age of rapid change.

VENKATA JAYARAMAN M., Chief Risk Officer at Fincare Small Finance Bank

Technology has been a game-changer in addressing several challenges by optimizing the end-to-end risk management process. Our experience with using technology to mitigate risks arising out of technology momentum include: (i) Adopting a shift left strategy towards security testing (ii) Putting in place inbuilt security into the product rather than retrofit (iii) Implementing DevSecOps (iv) Automating continuous vulnerability assessment and (v) Automating CI/CD pipeline.

VIJAYALAKSHMI NATARAJAN, Chief Compliance and Risk Officer at Aviva India

With the increase in digital adoption in sales and servicing, the fact remains that the risk of information and cybersecurity threats do multiply. However, it is technology in itself that helps address the risks created by technology. The key to this is right investment in information and technology architecture and infrastructure at the right time supported by an IT strategy roadmap.

This should essentially address obsolete technology, timely upgrade and patching, robust DLP tool, firewall protocols, underlying security protocols and annual real time BCP (Business Continuity Plan) drills. Add to that, information and security risk assessment both at pre-go live stage and at defined intervals for critical applications.

Information and cyber security of outsourced vendor must be reviewed at regular defined intervals. Other crucial issues include testing at onboarding stage, tight digital and physical access control management. Finally, there is a need to ensure ongoing training and awareness for employees and vendor resources associated with the company.

SUMMARY

Looking at all the responses, it is clear that technology poses a vast variety of risks, thereby presenting a rich scope for dealing with them. One interesting perspective is that thanks to technology, there is now a dual intelligence within every organization – the human intelligence and the cyber intelligence. When they work with synergy, magical results happen. But when the synergy breaks down – accidentally or wilfully – the outcome is usually disastrous. Net net, the human intelligence must keep moving ahead to remain the master.
