Pomegra Wiki

Technology Risk

Technology risk is the threat that a financial firm’s core operations—trading, settlement, customer access, or risk management—will be disrupted by software failures, hardware breakdowns, algorithmic errors, cyber attacks, or the obsolescence of critical systems. Unlike most financial risks, it is largely invisible until it strikes.

The hidden vulnerability of modern finance

Modern finance runs on layers of interconnected systems: trading venues, clearing houses, settlement networks, data feeds, algorithms, and internal infrastructure that process trillions of pounds in transactions daily. Nearly all of this machinery depends on technology that is opaque to most market participants. A malfunction in a trading algorithm can crater equity prices in seconds. A data-feed error can trigger cascading hedges across markets. A cyber breach can lock a custodian out of its own vaults for days.

Technology risk is insidious because it is not priced into most financial contracts and is difficult to hedge. A bond investor does not worry that the settlement system might fail; they assume it will work. When it does fail—as it has, repeatedly, on smaller scales—the surprise is total and the consequences are swift. The 2012 Knight Capital flash crash, triggered by dormant code accidentally deployed into a trading system, wiped out 75% of the firm’s equity value in minutes. The system was not hacked; it was betrayed by the firm’s own software.

Systemic vs. idiosyncratic technology failures

Not all technology failures are equal. Idiosyncratic failures—a single firm’s system going down—are disruptive but containable. A bank’s online platform crashes; customers switch to competitors temporarily; the bank loses revenue and reputation but survives. Systemic failures, where critical market infrastructure breaks, threaten the entire financial system.

In 2012, the London Stock Exchange experienced an outage that halted trading for several hours. In 2015, the NYSE closed for a morning session due to a technical glitch. These incidents were dramatic but bounded. A broader failure—say, an extended outage at NASDAQ or the London Stock Exchange, or at a central clearing house—could freeze entire markets. Counterparties would not know the net settlement amounts; liquidity would evaporate; credit risk would spike across institutions unsure whether their trades would clear.

The challenge of legacy systems

Many financial institutions run business-critical software written in COBOL in the 1970s and 1980s. These systems are ancient, poorly documented, and brittle: changing them risks breaking them. Replacing them is expensive, risky, and disruptive. Yet keeping them is equally risky; they run on obsolete hardware, are hard to secure, and cannot easily integrate with modern data pipelines or algorithmic-trading infrastructure.

During the 2020 COVID lockdown, several banks struggled to handle the surge in digital traffic because their legacy systems, designed for office-based staffing, had capacity limits no one had properly tested. Technology risk had been hidden under assumptions about normal operating conditions. When reality diverged, the infrastructure cracked.

The cost of legacy system overhauls has become so immense that many institutions are trapped in a half-modernized state: critical subsystems in new platforms, others limping along on forty-year-old code patched repeatedly. A cyber attacker or a major system change can expose these weak points rapidly.

Algorithmic risk and the problem of speed

Algorithmic trading has created a new frontier of technology risk. Algorithms make decisions in microseconds based on market data feeds that may themselves be stale, delayed, or incorrect. A glitch in a popular index futures trading algorithm can cause a cascade of unintended orders that breach circuit breakers and trigger emergency halts.

In 2010, the “Flash Crash,” a sudden intraday collapse in US equities, was attributed partly to algorithmic trading that malfunctioned under stressed market conditions. Most of the losses were later reversed, but the crash demonstrated that the speed of modern technology could outrun human oversight. Algorithms, once set loose, can amplify small market tremors into financial earthquakes before any human trader realizes something is wrong.

The challenge for risk management teams is that traditional stress testing assumes human-speed reactions. An algorithm encountering an event it has never seen before does not pause to think; it executes its logic. If that logic is flawed, or was designed for normal market conditions, the damage can be irreversible.

Cyber risk and the expanding attack surface

Financial institutions are targets for theft, fraud, extortion, and state-sponsored disruption. Cyber attacks have become routine: stolen customer data, compromised payment systems, ransomware holding critical infrastructure hostage. In 2021, Colonial Pipeline, an energy firm, was forced to shut down operations for days after a ransomware attack. Financial institutions face similar risks.

A successful cyber breach does not necessarily cause an immediate market-wide crisis; it usually results in compromised data, stolen customer credentials, or degraded systems that require costly remediation. But a targeted, coordinated attack on multiple financial institutions’ core systems, or on shared infrastructure like SWIFT (the international payments network), could be catastrophic. Counterparty risk would spike globally; settlement would be uncertain; confidence in the entire system would crack.

Financial regulators now treat cyber risk as a critical systemic threat. Institutions are required to maintain incident response plans, conduct simulations, and report breaches. Yet the threat landscape evolves faster than regulations can address.

The blind spot: interdependencies

One of the deepest dangers in modern financial technology risk is hidden interdependency. Thousands of firms use the same cloud computing platforms, the same data vendors, the same reference rate feeds. A single point of failure in a seemingly non-critical system can cascade across the entire market. In 2019, a data-feed outage at CME Group’s market data service disrupted trading across multiple asset classes before the impact was fully understood.

Most firms conduct technology risk assessments in isolation, asking: “If our system fails, what happens to us?” Few ask: “If our vendor’s system fails, what happens to us? And to them? And to the entire market?”
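
The three questions above can be asked of a dependency map mechanically. The following is an added example, not part of the original article: it walks a constructed map of firms, vendors and infrastructure (all names are hypothetical) and reports, for each shared service, how many firms an outage would reach and which of them are exposed only indirectly, through a vendor's vendor.

```python
from collections import defaultdict

# Constructed sample data: each entity -> the services it relies on directly.
DEPENDS_ON = {
    "bank_a": ["cloud_x", "feed_vendor"],
    "bank_b": ["cloud_x", "clearing_house"],
    "broker_c": ["feed_vendor", "clearing_house"],
    "fund_d": ["broker_c"],
    "clearing_house": ["cloud_x"],
    "feed_vendor": ["cloud_y"],
    "cloud_x": [],
    "cloud_y": [],
}
FIRMS = {"bank_a", "bank_b", "broker_c", "fund_d"}


def blast_radius(depends_on, failed):
    """Return every entity that directly or transitively depends on `failed`."""
    dependents = defaultdict(set)  # reverse edges: service -> who relies on it
    for entity, deps in depends_on.items():
        for dep in deps:
            dependents[dep].add(entity)
    affected, stack = set(), [failed]
    while stack:
        node = stack.pop()
        for parent in dependents[node]:
            if parent not in affected:  # visited check also terminates on cycles
                affected.add(parent)
                stack.append(parent)
    return affected


def concentration_report(depends_on, firms):
    """Rank shared services by how many firms a single outage would reach."""
    rows = []
    for service in depends_on:
        if service in firms:
            continue
        hit = blast_radius(depends_on, service) & firms
        # Firms that never listed this service themselves: the blind spot.
        indirect = sorted(f for f in hit if service not in depends_on[f])
        rows.append((service, len(hit), indirect))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for service, count, indirect in concentration_report(DEPENDS_ON, FIRMS):
        print(f"{service:15} reaches {count}/{len(FIRMS)} firms; indirect only: {indirect}")
```

In this constructed map no firm lists `cloud_y` as a dependency, yet its failure reaches three of the four firms through the data-feed vendor, which is the kind of exposure an isolated, firm-by-firm assessment does not surface.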

Governance and resilience

Large financial institutions invest heavily in business continuity planning, redundant systems, disaster recovery, and regular testing. Regulators mandate backup systems and stress-testing of technology infrastructure. Yet absolute protection is impossible. Technology risk is inherent to financial systems that aim for speed, scale, and efficiency.

The industry standard is defense-in-depth: multiple layers of safeguards, monitoring, circuit breakers, and manual overrides. When one layer fails, others catch the problem. But this approach works only if all layers are properly maintained and tested. In practice, budget cuts, staff turnover, and complacency mean that some backup systems are neglected until they are needed—and then they fail.

The financial system has become vastly more technologically complex and interconnected since the 1980s. Technology risk has not necessarily increased in absolute terms—modern systems are more robust than legacy ones. But the potential for systemic impact has grown, because the entire market depends on flawless execution of invisible, rapid, interdependent systems. One catastrophic error, whether in code or infrastructure, could unravel assumptions about how markets work.
