Operational resilience and security drive DTCC’s agenda

As capital markets firms continue their digitization drive and look to the cloud for increasingly large swaths of their technology and data needs, they also inadvertently expose themselves to a range of operational risks.

Two key technology and operational trends to have emerged over the past decade have been capital markets firms’ slow but steady move towards full digitization of their technology estates and their increased adoption of the cloud and cloud-based services. While both trends hold huge transformative potential, they also have a downside: increased digitization, adoption of new and innovative technologies and remote access to data and mission-critical platforms also mean an increase in operational vulnerability and cyber security threats. These themes feature prominently in the Depository Trust & Clearing Corporation’s (DTCC’s) June 2022 whitepaper, The power of technology resilience: A framework for the industry, which sets out a step-by-step guide to the practices market participants should follow to satisfactorily mitigate the operational risks they are exposed to through the adoption of new technologies and ancillary services.
 

Enabling technology comes to the fore

Neelesh Prabhu, managing director of architecture and enterprise services in IT at DTCC, explains that, even before the Covid-19 pandemic struck and restrictions came into force worldwide, DTCC as an organization had what he describes as a “dispersed workforce”, spread across multiple geographies and markets, mirroring the decentralized structure of large numbers of capital markets firms. “What we’ve seen is that having a distributed workforce put a spotlight on technology in the sense that it has become more critical as an enabler of collaboration,” he says.

According to Prabhu, even though most firms’ working practices continue to return to something resembling normality in the wake of the pandemic, most capital markets firms still have appreciable numbers of workers telecommuting, which in turn brings cyber resilience into play. “Making sure you have a good understanding of what your cyber considerations are and that you’ve covered yourself from that perspective [becomes critical],” he says.
 

Executive committee sign-off

Given that flexible working practices and remote access to data and systems are likely to feature indefinitely in most firms’ operating models, it becomes imperative for them to implement the technologies to support remote and collaborative practices while ensuring they have the necessary checks and balances in place to shore up their operational resilience and integrity. It is important to make recommendations to market participants about enhancing their technology and operational rigor, but DTCC understands it is no trivial task to receive sign-off from the executive committee when there are multiple high-priority technology projects chasing finite budgets that deserve equal consideration.
 

Rationale

The solution to that challenge, according to Prabhu, can be found in the business, operational and technology rationale for producing the whitepaper. He cites three key trends across the industry, upon which much of the paper is predicated. The first, he says, is the increased digitization of DTCC’s clients’ businesses, where now-critical services are being enabled, accessed and delivered by technology. The second entails a change in the technology landscape underpinning the industry through the emergence of hybrid—cloud-based and in-house—architectures and the increasingly distributed nature of applications in terms of where they reside and their development, the added complexity of which has increased the number of potential points of failure. The final driver deals with the modernization of the industry, where firms are committing significant financial resources to improving their technology, driven by cyber threats and ongoing challenges around managing legacy and often proprietary technology in-house.  “The paper sets out an approach about how to provide resilience against the backdrop of these three trends,” Prabhu explains. “At DTCC, we’ve built out a number of capabilities in order to drive resilience, such as our resilience testing, chaos engineering and failure mode analysis center of excellence, where the focus is ensuring that any applications that are being developed have the requisite levels of resilience built into them from the ground up.”

The second aspect entails DTCC changing its software development methodology by embedding design elements that have been rigorously tested through such processes as chaos engineering to ensure the attendant applications are operationally robust and fit for purpose, even during the most extreme circumstances.
 

The way forward

Prabhu explains that any new initiative needs to check a number of boxes before it can be seriously considered and budgeted for: it must have operational and cyber resilience hard-baked into it; it must be cost-effective; and it must have minimal time-to-market, along the lines of the agile DevOps methodologies. “But the question remains: can you build these applications and embed the necessary resilience within them in a cost-efficient fashion, while maintaining speed to market?” Prabhu says. “That is the real opportunity and what the industry should strive for.” 

Sponsored content