Slave power rising - what must the Master do?
Question: What has been your experience with using technology to mitigate risks arising out of technology momentum?
Technology is too powerful a tool to be taken for granted. It is totally unsafe to assume that technology will behave only as we want it to. Technology can and does behave in unpredictable ways. 12 experts tell us how we can protect ourselves and keep control over technology.
ABHILASH BALAN, CISO at Digit Insurance
We are a technology first company, and we are aware of risks such as misconfigured systems, access issues, data leakage, etc. We follow established governance and policy framework to ensure systems and data are protected. We have implemented multiple controls covering data protection, authentication and log review to monitor and mitigate the risks. Also, we are continuously upgrading our systems and processes in line with the evolving threat landscape like phishing attacks, ransomware, etc.
BIKASH CHOUDHARY, Appointed Actuary & Chief Risk Officer at Future Generali India Life Insurance
Technology has truly become the backbone of every modern organization. From the use of computers, smartphones, tablets and the internet, organizations now have a global exposure to cyberattacks that are difficult to understand and predict. Basis learnings, following are 6 key lessons which, if followed, will help in mitigating the risks arising out of the technology momentum.
(i) Identify key risk, measure probability and impact
– It is very important to identify in time the key areas of concerns and measure the probability of occurrence and impact on business activity. This will help in developing an effective mitigation plan.
(ii) Measuring Risk
– Once the risk is identified and analyzed, measure its impact.
(iii) Analyze security threats
– The organization must identify all security vulnerabilities. This must include external threats such as cybercrime and cyberterrorism, as well as internal threats, such as the distribution of restricted information. Review of security requirement related to following areas is very important: (a) System access and controls (b) Authentication (c) Transaction authorization (d) Data Integrity (e) Audit trail (f) Security event tracking (g) Exception handling and (h) System activity logging.
(iv) Analyze the risk of hardware and software failure -
Organizations should consider what the risk of hardware and/or software failure entails for the organization and its overall operations. Questions that must be answered: How stable is the equipment and software the organization uses or plans to use? What are the potential consequences of failure?
(v) Outsourcing risk
– It is very common for an organization to hire a third-party company to handle system development and maintenance, network administration, disaster recovery service, application hosting and cloud computing. A third-party vendor must be carefully selected and evaluated on the basis of their viability, capability, reliability, track record and financial position.
(vi) Rank potential risk and specify the desired outcome
– Threat profiling should be carried out and analyzed post identification of a risk. The analysis should consider outlining the types of risks an organization can encounter as well as the likelihood of the risk occurring. Based on the analysis, the organization must choose the appropriate risk management strategy - risk avoidance or risk transfer or risk reduction or risk retention.
BIRANCHI MISHRA, Head – Credit, Risk & Product at Netafim Agricultural Financing Agency
Given that technology plays a vital role in the risk management and financial reporting process besides improving efficiency in each function, the integrity of the technology and the outputs are critical control elements of the internal control environment. The output of technology addresses several assertions inherent to effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability. IT risks are the events that depict ‘what can go wrong’ in not meeting the above fundamental assertions. Secondly, unlike natural systems, organizations are managed by intelligent participants who may find ways to defeat the purpose unless there are adequate controls. Appropriate controls, constant upgradation and regular internal and external technology audits help mitigate the technology momentum risks.
DAMODARAN C, Vice President & Chief Risk Officer at Federal Bank
Digitization of risk management functions is necessary for mitigating the rapidly digitizing business domain. Use of AI & ML on the domain of risk management is increasing. This enables banks in early effective monitoring, early detection of risk events and ensuring timely remedial action. While banks rely on a host of technology enabled models for decision making, we have put in place model risk management practices for periodic monitoring, back testing and reviewing such models. We have put in place tech-enabled models for transaction monitoring and fraud prevention. These models are constantly reviewed and upgraded to detect the emerging frauds in digital transactions.
K R MOHANACHANDRAN, Chief Risk Officer at ESAF Small Finance Bank
We use proper technology risk assessments to identify the critical risks and ways to mitigate them. We see the costs and take a call whether to go for risk mitigation using technical controls or administrative controls. In majority of the cases, only technology can help in mitigating the risks arising from digital acceleration.
We follow the concept of ensuring Confidentiality, Integrity and Availability (CIA) in our information systems and applications. The information systems of the bank are subjected to Vulnerability Assessment and Penetration Testing (VAPT) periodically, as a preventive measure against cyberattacks that could threaten the CIA of data and the systems.
The bank has implemented a 24x7 Security Operations Centre (SOC) to detect and analyze all potential incidents and notify the application owners who have been affected, to contain, eradicate and recover from the incident. All cyber security incidents are recorded and reported to the InfoSec team. Also, we conduct planned and unplanned DR drills. The bank’s technology platforms have proved to be robust to face any potential cyber security and IT security risks.
PRITHVI CHANDRASEKHAR, President Risk & Analytics at InCred
I see complexity as the main risk emerging from the accelerated use of technology. In the balance, these emerging technologies are immensely powerful. They clearly make our customers and our industry better off. However, dealing with the complexity (and the unintended consequences) of these technologies, is something we are still grappling with.
ROOPAM ASTHANA, CEO & WTD, Liberty General Insurance
Technology momentum in any industry would affect 3 major pillars of any organization - Processes, Systems and People. While risk of obsolescence and lack of continued tech support can be an outcome of not keeping pace with technology, risk relating to introduction of new technology can likely lead to a major failure. Hence, it is crucial to identify possible risks and create a plan to mitigate these risks. Post identification of these risks, we must have a strategic plan in place like business continuity plans and back-up plans. Constant identification of technology risk should be an ongoing process.
SADAF SAYEED, CEO at Muthoot Microfin
Various risks are arising out of the technology momentum. The most important is the data accuracy, availability of the data and security of the system and data. These IT/ data security risks can be mitigated through various technological and logical tools. We are implementing the basic security tools effectively. Yes, with complexity of the data, process and IT systems, we will be implementing more sophisticated security tools.
SUJAY DAS, Chief Risk Officer at MoneyTap
Technology enhancement has helped in mitigating risk in several ways for financial organizations. There are many things that can be done instantaneously using machine learning algorithms and through API integrations. In our case specifically, checking the validity of self-taken images that customers send us, validating of PAN card details, verifying geo-location, eKYC and video KYC, income verification, etc, are a few examples where technology has helped the credit underwriting and verification processes become faster and more accurate. These go a long way in mitigating credit and fraud risk for financial organizations.
However, there should be proper checks and balances built in the processes to see that there are no failures in the technology. We should build in robust monitoring processes that get triggered if any technological failure happens, so that it can be immediately fixed so as to reduce operational losses.
SUNDER NATARAJAN, Chief Compliance & Risk Officer at IndiaFirst Life Insurance
Risks include adoption, teething and early redundancy. A head start in the use of technology across the sales process over the recent years has helped us ride the momentum which I have largely driven by the willingness of the end customer and our distributors to engage through digital or phygital means. We have seen a digital uptick across the customer life cycle - right from engaging prospects through web workshops, paperless onboarding through an OTP-based customer consent, ongoing customer service through WhatsApp, IVR, and chatbots, collecting premium and remitting maturity and claim proceeds through digital means.
The first-level risk arising from the above is adoption, especially if it involves a large set of users. The immediate next challenge is the ability to overcome teething troubles and course-correction alongside changes. The biggest risk, however, is maintaining the status quo in the age of rapid change.
VENKATA JAYARAMAN M., Chief Risk Officer at Fincare Small Finance Bank
Technology has been a game-changer in addressing several challenges by optimizing the end-to-end risk management process. Our experience with using technology to mitigate risks arising out of technology momentum include: (i) Adopting a shift left strategy towards security testing (ii) Putting in place inbuilt security into the product rather than retrofit (iii) Implementing DevSecOps (iv) Automating continuous vulnerability assessment and (v) Automating CI/CD pipeline.
VIJAYALAKSHMI NATARAJAN, Chief Compliance and Risk Officer at Aviva India
With the increase in digital adoption in sales and servicing, the fact remains that the risk of information and cybersecurity threats do multiply. However, it is technology in itself that helps address the risks created by technology. The key to this is right investment in information and technology architecture and infrastructure at the right time supported by an IT strategy roadmap.
This should essentially address obsolete technology, timely upgrade and patching, robust DLP tool, firewall protocols, underlying security protocols and annual real time BCP (Business Continuity Plan) drills. Add to that, information and security risk assessment both at pre-go live stage and at defined intervals for critical applications.
Information and cyber security of outsourced vendor must be reviewed at regular defined intervals. Other crucial issues include testing at onboarding stage, tight digital and physical access control management. Finally, there is a need to ensure ongoing training and awareness for employees and vendor resources associated with the company.
SUMMARY
Looking at all the responses, it is clear that technology poses a vast variety of risks, thereby presenting a rich scope for dealing with them. One interesting perspective is that thanks to technology, there is now a dual intelligence within every organization – the human intelligence and the cyber intelligence. When they work in synergy, magical results happen. But when the synergy breaks down – accidentally or wilfully – the outcome is usually disastrous. Net net, the human intelligence must keep moving ahead to remain the master.