Technology is the most powerful business tool but also the biggest source of risk. Anis Pathan, CRO at Chaitanya India Fin Credit, delves deep into the various risks associated with technologies, vendors and in-house development:
Smriti Pandey: What do you feel are the most critical technology risk mitigation solutions for the MFI segment in the financial sector?
Anis Pathan: In today’s interconnected world, with the pervasive use of cloud and open-source technologies, the risk of cyber-attacks is ever-present. It is not a matter of if you will be attacked, but when. The inherent risk of a cyber-attack is always very high. The best way to handle this risk is through thorough preparation, including continuous monitoring of the threat landscape and strengthening cyber risk controls.
However, the most effective risk treatment for cyber risk is to transfer this risk through insurance and contractual liability transfer. Cyber insurance with sufficient limits and well-drafted policy wording is essential in today’s cyber security landscape. Organizations must have a cyber policy with reputable and experienced general insurance firms that have a history of handling and settling cyber insurance claims. It is also critical that these firms provide additional services such as legal support, forensic investigation, and negotiation assistance to manage the incident effectively.
Furthermore, it is vital to review all vendor contracts for liability transfer and mandate that vendors have adequate coverage. This ensures that in the event of a cyber incident on vendor premises that impacts the organization, the vendors are financially capable of covering the liabilities. This proactive approach to cyber risk management ensures comprehensive protection against potential cyber threats.
Smriti Pandey: Please compare and contrast the risks among internally developed technologies and externally sourced technologies.
Anis Pathan: In most organizations, a hybrid structure of internally developed and externally sourced technology is practiced. Each approach has its own benefits and challenges. Internally developed technologies offer control and flexibility, allowing for custom solutions tailored to the organization’s needs. Externally sourced technologies, on the other hand, provide advantages in speed and advanced features such as AI capabilities and industry best practices.
A significant risk associated with externally sourced applications is vendor risk, which can introduce supplier risk exposure through third, fourth, and even fifth parties. Given the various regulatory guidelines associated with data security, cyber security, and third-party management, managing vendor risk is paramount for any organization operating in the BFSI sector. The recent Crowdstrike issue with Microsoft is a classic example of this risk.
Internally developed applications also come with their own set of risks, such as delays in delivering business-critical solutions, which can impact organizational strategy and objectives. Additionally, maintaining skilled resources in cyber security and technology is becoming increasingly challenging. If not managed adequately, internally developed applications can expose the organization to similar risks as externally sourced applications, including cyber-attacks and data leaks.
Therefore, it is crucial to balance both approaches, ensuring robust risk management practices are in place to mitigate these challenges.
Smriti Pandey: What are the key risks associated with small IT companies and with large IT companies?
Anis Pathan: In the current landscape, organizations often collaborate with both large and small IT companies to access a wide range of services and expertise. Smaller organizations are nimble, able to deliver solutions quickly and accommodate changes effectively. In contrast, larger organizations adhere to best practices in project and change management, ensuring reliable solutions at scale.
However, key risks associated with smaller IT organizations include management changes, takeovers, or winding up due to insufficient funding, dependency on a few clients, or highly leveraged balance sheets. Such risks heighten the threat to business continuity. Additionally, if vendors are not profitable, they may not invest adequately in quality resources or adhere to industry best practices in change and project management, exposing the organization to operational risks. It is imperative to have well-guarded agreements with such vendors, covering major liabilities arising from errors, omissions, or potential cyber-attacks. Moreover, ensuring that vendors have adequate insurance to cover these liabilities is critical.
For larger IT organizations, risks include project overruns and budget overshoots due to heavy process dependency. While operational and cyber-attack risks also exist in larger organizations, they are generally better managed. It is crucial to include well-thought-out service level agreements in contracts, along with penalty mechanisms for any breaches of commitments.
Balancing these approaches with robust risk management practices ensures that organizations can effectively leverage the strengths of both large and small IT companies while mitigating associated risks.
Smriti Pandey: Give examples of how the company has, in recent times, improved its comprehension of technology risk and the ability to deal with such risks.
Anis Pathan: The comprehension of technology risk has changed dramatically over the last decade. Senior management, including the board and director level, now has a much deeper understanding of technological risks and their impact on strategy.
For example, the understanding of cloud technology and dependence on the SaaS model has improved significantly, recognizing the benefits and agility it offers. Management now comprehends the risks associated with these models and is prepared to take calculated risks while maintaining strong risk management in SaaS and cloud deployment.
Large cloud service providers have made the space more reliable and scalable, offering adequate controls through various consoles and dashboards that enable users to deploy robust security measures while benefiting from the technology.
While the benefits of cloud and SaaS models are widely acknowledged, it is crucial to remain vigilant and aware of the associated supplier and systemic risks. Over-reliance on one or two vendors can expose the industry to systemic risk. Implementing multi-cloud disaster recovery (DR) strategies, along with strong business continuity planning (BCP) and preparedness, can help manage these risks. Recent incidents involving Crowdstrike and Microsoft Azure highlight the importance of such precautions.
By balancing the advantages of cloud technology with robust risk management practices, organizations can effectively mitigate potential vulnerabilities and ensure operational resilience.