Avoiding Another Outage

CCG Catalyst Commentary

By: Tyler Brown

July 30, 2024

Some technology-related risks are outside a bank’s control. The global technology outage a week-and-a-half ago, the result of a faulty update pushed by a cybersecurity firm, was one of them. The outage reportedly affected operations of at least eight multibillion-dollar US banks. It would be no surprise if the same happened to others but didn’t make the news.

This incident should remind bankers to assess their technology dependencies, grasp the robustness of the systems they use and administer, and hunt for unaddressed risk in their IT systems and processes. It also speaks to the need for a framework to evaluate technology risk, particularly as bankers ponder modernization, plan for pending regulation, and evaluate new business opportunities.

A bank’s board and senior management must acknowledge three general types of technology risk when they negotiate their tolerance, set a risk management strategy, and find a balance that meets their objectives:

  • Passive risk: Management and IT staff may neglect or be unaware of risks inherent in the tech stack. This risk is common to banks with a fragile but familiar legacy tech stack or with managed services that enable complacency. Passive risk may be exacerbated by an unclear strategy or poor governance. It is self-perpetuating, not likely to be top of mind for management or the board, and becomes an acute problem only when something breaks or during a major change.

  • Managed risk: Many permanent risks are part of doing business and are addressed by an active, well-documented risk-management program. Technology risk may be higher for some banks than others. A Banking-as-a-Service (BaaS) sponsor bank, for example, will have a permanently elevated risk level compared to peers that only operate direct channels, due to its more complex vendor relationships. It will need the systems and processes in place to routinely manage the risk that comes with that choice.

  • Intermediate risk: Changes to the tech stack temporarily raise the level of risk before it settles down to a new status quo. The elevated risk can last hours or years depending on the change. In the context of technology planning, it may apply to a large-scale, all-at-once transformation project or to piece-by-piece modifications. In the context of a transformation project, bankers need to decide how much “peak risk” they are willing to accept over the life of the project.

The global IT outage was an external, virtually unknown passive risk from third-party software that cascaded to companies’ IT systems. It was difficult to avoid because of widespread dependence on a limited number of critical services that enterprises had little to no control over. But many solutions can lead to similar troubles, and bankers need to pay close attention to the risks they can mitigate.

For reasons both technological and organizational, legacy core systems are a particular challenge. Hardware for on-premises solutions may be nearing the end of its useful life, and software developed years ago may be hard to maintain. Processes may be designed around legacy technology, and IT governance may be in question. It’s important that banks have a well-developed internal IT audit function to anticipate and prevent issues and, when issues do surface, to be prepared to address them before they interrupt a bank’s day-to-day functions.