When the System Blinks: Understanding and Managing Technology Risk in Financial Services

One late afternoon, in a well-known financial services firm, a routine end-of-day batch job failed to kick off. A simple scheduling error, it seemed. But that single misfire led to an overnight reconciliation backlog, delayed settlements, and an early morning call with a regulator who’d noticed the delayed reporting. That was the moment we learned: in today’s digitized financial landscape, technology risk isn’t just a back-office concern—it’s front-page news waiting to happen.

Technology risk refers to the potential for losses stemming from the failure of systems, software, networks, or third-party tech services. It may be triggered by outdated infrastructure, coding errors, cyberattacks, third-party failures, or even well-meaning automation that no one quite tested properly. The consequences? Reputational damage, financial loss, and regulatory scrutiny.

The Chain Reaction Nobody Wants

Several years ago, I worked with a global asset manager undergoing a cloud migration. It sounded exciting. The cost savings and scalability benefits were all there. But what wasn’t on the slide deck was how many business-critical applications still depended on legacy architecture that wasn’t cloud-compatible. In one instance, a reporting tool that pulled position data for risk oversight failed to retrieve accurate feeds after the cloud switchover. The result? Inaccurate risk reports sent to internal committees and a scramble to recall and correct them before external eyes got involved.

What did we learn? The importance of technology change governance. Before any major tech overhaul, every upstream and downstream dependency needs to be mapped, tested, and retested. Simple rule: if it can break, it probably will—unless you’ve planned for it not to.

Cyber Risk: The Ever-Present Shadow

No article on tech risk is complete without mentioning cybersecurity. And it isn’t just about firewalls and encryption. A breach can come from an innocuous email attachment. At another institution I advised, a phishing email compromised an employee’s credentials. No big deal, right? Wrong. The compromised ID had access to a dormant third-party file transfer protocol (FTP) server still linked to live customer data. That one oversight turned into a multi-month breach investigation.

We took action quickly: reviewed all privileged access, killed off dormant accounts, revamped endpoint monitoring, and launched mandatory cyber-awareness training. But we also rewrote our third-party risk policy to emphasize identity lifecycle management and data minimization.

Regulations and Frameworks: A Compass, Not a Crutch

Regulators have taken note. The NYDFS Cybersecurity Regulation (23 NYCRR 500), GDPR, and FFIEC guidance all outline expectations for managing tech risk. Yet compliance with these laws shouldn’t be the ceiling—it should be the floor.

One client of mine adopted the NIST Cybersecurity Framework as a strategic blueprint. By pairing it with FAIR (Factor Analysis of Information Risk) modeling, we quantified risk exposure in dollar terms. This helped the board better understand why we needed a budget increase for endpoint detection and response. Dollars and metrics speak louder than fear.
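The FAIR approach described above works by decomposing a loss scenario into a loss event frequency (threat event frequency times vulnerability) and a loss magnitude, then simulating many years to express exposure in dollars. The following is an added illustration, not the client's model or any FAIR tool's code. The three-point estimates (credential-phishing scenario, before and after an endpoint detection and response control) are constructed for the example, and a triangular distribution stands in for the PERT distribution that FAIR practitioners typically use.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Estimate:
    """Three-point (minimum, most likely, maximum) estimate gathered from subject-matter experts."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution (stand-in for PERT; an assumption of this example).
        return (self.low + self.likely + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass
class Scenario:
    name: str
    threat_event_frequency: Estimate  # threat events per year
    vulnerability: Estimate           # probability a threat event becomes a loss event (0..1)
    loss_magnitude: Estimate          # dollars per loss event (primary plus secondary loss)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year, drawn from Poisson(lam) (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form annualized loss expectancy: E[TEF] * E[Vuln] * E[Loss], assuming independence."""
    return s.threat_event_frequency.mean() * s.vulnerability.mean() * s.loss_magnitude.mean()


def simulate(s: Scenario, years: int = 20_000, seed: int = 1) -> list[float]:
    """Monte Carlo: total loss per simulated year."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        lef = s.threat_event_frequency.sample(rng) * s.vulnerability.sample(rng)
        events = poisson(rng, lef)
        annual_losses.append(sum(s.loss_magnitude.sample(rng) for _ in range(events)))
    return annual_losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean and tail percentiles, the numbers a board can weigh against a control's budget."""
    ordered = sorted(losses)
    pct = lambda q: ordered[int(q * (len(ordered) - 1))]
    return {"mean": sum(losses) / len(losses), "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}


def control_value(before: Scenario, after: Scenario) -> float:
    """Annual loss avoided by the control, i.e. the figure to compare with its annual cost."""
    return expected_annual_loss(before) - expected_annual_loss(after)


# Constructed estimates for a phishing-to-credential-compromise scenario (not real client data).
BEFORE_EDR = Scenario(
    "credential phishing, current controls",
    threat_event_frequency=Estimate(2, 6, 12),
    vulnerability=Estimate(0.20, 0.40, 0.70),
    loss_magnitude=Estimate(50_000, 250_000, 2_000_000),
)
# Same scenario with endpoint detection and response assumed to cut vulnerability (constructed).
AFTER_EDR = Scenario(
    "credential phishing, with EDR",
    threat_event_frequency=Estimate(2, 6, 12),
    vulnerability=Estimate(0.05, 0.15, 0.30),
    loss_magnitude=Estimate(50_000, 250_000, 2_000_000),
)

if __name__ == "__main__":
    for scenario in (BEFORE_EDR, AFTER_EDR):
        print(scenario.name, {k: round(v) for k, v in summarize(simulate(scenario)).items()})
    print("annual loss avoided by EDR:", round(control_value(BEFORE_EDR, AFTER_EDR)))
```

The percentiles matter as much as the mean: a board deciding on an endpoint detection budget usually wants to know the 90th or 95th percentile year, not just the average, and the simulation makes that visible without overstating precision the input estimates never had.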

The People Side of Technology Risk

Technology risk is never just about the tech. People build, maintain, and use systems. And people are fallible.

At a mid-sized bank, a developer wrote a script that bypassed a manual review step to speed up processing. It worked. Until one day, it didn’t. The script ingested corrupted data, which went unchecked, leading to a cascade of reconciliation issues across six business lines. It took days to untangle.

This incident led to our “Human Factors in Technology Risk” initiative. We didn’t just audit the code. We started asking: Why did the developer feel the need to create a workaround? Was it a culture that celebrated speed over controls? Were teams empowered to report fragilities? These are cultural questions as much as operational ones.

What Financial Institutions Must Do

  1. Map Dependencies – Understand how your systems connect, where the single points of failure lie, and who is accountable for each.
  2. Simulate Failure – Run tabletop exercises. Pull the plug (figuratively) on a major system and see what happens. Be surprised in a safe setting.
  3. Invest in Culture – Tech awareness, ownership of controls, and a psychologically safe environment to report issues are just as vital as tools and policies.
  4. Benchmark to Frameworks – Use NIST, COBIT, ISO 27001, or FFIEC not just for compliance but to drive maturity.
  5. Vendor Vigilance – Third-party risk is first-party risk in disguise. Have your vendors been tested? Audited? What’s their incident response time?
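Items 1 and 2 above, mapping dependencies and simulating failure, can be rehearsed on a dependency inventory before any plug is pulled. The following is an added example, not from the article's author or any of the firms described. The component names, ownership records, and dependency groups are constructed for illustration and loosely mirror the batch-job and position-feed incidents told earlier; a dependency group is a set of alternatives of which at least one must be up, so redundant market-data vendors do not register as a single point of failure.

```python
from typing import Optional

# Constructed inventory: component -> accountable owner (None means nobody is on record).
OWNERS: dict[str, Optional[str]] = {
    "scheduler": None,
    "eod-batch": "Operations",
    "reconciliation": "Finance Ops",
    "settlement": "Treasury",
    "regulatory-reporting": "Compliance",
    "market-data-a": "Vendor Mgmt",
    "market-data-b": "Vendor Mgmt",
    "position-feed": "Data Platform",
    "risk-reporting": "Risk",
}

# Constructed dependency map: component -> list of groups; each group is a set of alternatives,
# and the component stays up only while every group still has at least one member up.
REQUIRES: dict[str, list[set[str]]] = {
    "eod-batch": [{"scheduler"}],
    "reconciliation": [{"eod-batch"}],
    "settlement": [{"reconciliation"}],
    "regulatory-reporting": [{"reconciliation"}],
    "position-feed": [{"market-data-a", "market-data-b"}],  # either vendor suffices
    "risk-reporting": [{"position-feed"}],
}

# Business services whose outage is visible to customers or regulators (constructed).
SERVICES = {"settlement", "regulatory-reporting", "risk-reporting"}


def all_components(requires: dict[str, list[set[str]]]) -> set[str]:
    names = set(requires)
    for groups in requires.values():
        for group in groups:
            names |= group
    return names


def propagate_failure(initially_failed: set[str], requires: dict[str, list[set[str]]]) -> set[str]:
    """Tabletop 'pull the plug': iterate to a fixed point of everything that fails as a result."""
    failed = set(initially_failed)
    changed = True
    while changed:
        changed = False
        for component, groups in requires.items():
            if component in failed:
                continue
            # A component fails once any one of its dependency groups is entirely down.
            if any(group <= failed for group in groups):
                failed.add(component)
                changed = True
    return failed


def blast_radius(component: str, requires: dict[str, list[set[str]]]) -> set[str]:
    """Everything downstream that goes down with this component (excluding itself)."""
    return propagate_failure({component}, requires) - {component}


def single_points_of_failure(requires: dict[str, list[set[str]]], services: set[str]) -> dict[str, set[str]]:
    """Components whose lone failure takes out at least one business service."""
    result = {}
    for component in sorted(all_components(requires)):
        hit = blast_radius(component, requires) & services
        if hit:
            result[component] = hit
    return result


def unowned_critical(requires: dict[str, list[set[str]]], services: set[str],
                     owners: dict[str, Optional[str]]) -> list[str]:
    """Single points of failure with no accountable owner: the first gap to close."""
    return [c for c in single_points_of_failure(requires, services) if not owners.get(c)]


if __name__ == "__main__":
    for component, hit in single_points_of_failure(REQUIRES, SERVICES).items():
        print(f"{component:22s} owner={OWNERS.get(component)!s:14s} impacts={sorted(hit)}")
    print("single points of failure with no owner:", unowned_critical(REQUIRES, SERVICES, OWNERS))
    print("both market-data vendors down ->", sorted(propagate_failure({"market-data-a", "market-data-b"}, REQUIRES)))
```

Running this on a real inventory is the cheap half of a tabletop exercise: the output lists what would fail, who should be on the call, and which critical components nobody owns. The expensive half, actually exercising the recovery, is still worth doing, because the map only knows the dependencies someone remembered to record.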

About the Author

Laksh Vaswani is a senior financial services executive and technology risk advisor with over 20 years of experience guiding institutions through digital transformation, regulatory compliance, and operational resilience. A best-selling author and International Achievers Award recipient, he is passionate about building governance frameworks that don’t just satisfy regulators, but make institutions stronger, safer, and smarter.