
Cyber resilience under pressure: what actually holds when it matters

At TSAM London 2026, the conversation focused on the reality of cyber resilience under pressure. We compared the theoretical policy version with the reality of what happens when a firm has to keep operating during an incident. The gap between those two is often wider than organisations expect.

I moderated the session alongside three experienced leaders from across the asset management industry, each bringing a different perspective on cyber resilience and operational continuity.

Nicolai Lassesen, Managing Director and Head of Risk & IT at Capital Four Management A/S, shared insights from the risk and governance side, including what it takes to manage resilience and IT oversight when firms are under pressure. Mario De Bergolis, COO at Asset Management One International, focused on the operational realities of keeping the business running during disruption. Sagar Mandal, Head of Marketing Technology for EMEA & APAC at Columbia Threadneedle, explored the role technology, client communications and internal coordination play during a cyber incident.


From left: Sunil Odedra (CTO at Kurtosys), Mario De Bergolis (COO at Asset Management One International), Nicolai Lassesen (Managing Director and Head of Risk & IT at Capital Four Management A/S) and Sagar Mandal (Head of Marketing Technology for EMEA & APAC at Columbia Threadneedle).

The operational reality of cyber incidents

Cyber resilience is still too often treated as a purely technological issue when, in practice, it is an organisational one. Tools matter, of course, but they are rarely decisive in the early stages of an incident. What matters is whether people know what to do, whether decisions can be made quickly, and whether teams can coordinate while the business continues to serve clients.

This is where testing comes in. On paper, most firms appear prepared. During an actual incident, however, carefully mapped-out plans often cannot be executed because of missing information, broken communication and competing priorities. Practical exercises bring those gaps into view, and they frequently expose small but critical dependencies. Something as simple as access to contact information becomes a point of failure if it sits only inside systems that are no longer available, for example a contact list that lives behind the same identity provider that has just gone down. These are the details that determine whether a response is controlled or fragmented.

The same applies to third-party risk. Few organisations operate entirely within their own boundaries. At least some, and often all, core services depend on external providers, and when a supplier fails, the impact moves quickly across the business. At that point it is no longer a third-party issue. It is your incident. The first hour is critical: establish control, understand the real business impact, engage the vendor directly, and keep communication clear. All of that depends on knowing your dependencies in advance, including which client-facing services sit behind which providers. Without that, the response slows before it has properly begun.
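The two points above, that dependencies must be mapped before an incident and that the contact list itself can be a hidden dependency, can be made concrete with a small dependency model. The following is an added example written for this page; it is not code from the panel, Kurtosys or any of the firms mentioned. All service and provider names are constructed placeholders, and the graph is a hypothetical asset-manager estate. It answers, ahead of time, which client-facing services fail when a given external provider fails, which providers are single points of failure for client service, and whether the incident contact list would be lost in the same outage.

```python
"""Third-party dependency map and blast-radius analysis (added example).

Models business services, internal systems and external providers as a
directed graph and answers, before an incident, what breaks when a supplier
fails. Names prefixed 'ext:' are external providers. Every name here is a
constructed placeholder, not a real system or vendor.
"""
from collections import deque

# Constructed dependency graph: each node lists what it directly depends on.
DEPENDENCIES = {
    "client-reporting": ["reporting-app", "ext:market-data-vendor"],
    "reporting-app": ["portfolio-db", "ext:cloud-host"],
    "portfolio-db": ["ext:cloud-host"],
    "order-management": ["oms-app"],
    "oms-app": ["ext:cloud-host", "ext:fix-gateway"],
    "client-portal": ["reporting-app", "ext:identity-provider"],
    # The trap described in the text: the contact list sits behind the
    # same identity provider that the client portal depends on.
    "incident-contact-list": ["ext:identity-provider"],
    "ext:market-data-vendor": [],
    "ext:cloud-host": [],
    "ext:fix-gateway": [],
    "ext:identity-provider": [],
}

# Services whose loss is visible to clients (constructed classification).
CLIENT_FACING = {"client-reporting", "order-management", "client-portal"}


def reverse_graph(deps):
    """Map each node to the set of nodes that directly depend on it."""
    rev = {node: set() for node in deps}
    for node, uses in deps.items():
        for dep in uses:
            rev.setdefault(dep, set()).add(node)
    return rev


def blast_radius(deps, failed):
    """Every node that becomes unavailable, transitively, when `failed` is down."""
    rev = reverse_graph(deps)
    seen = {failed}
    queue = deque([failed])
    while queue:
        current = queue.popleft()
        for dependent in rev.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    seen.discard(failed)
    return seen


def impacted_client_services(deps, failed, client_facing=CLIENT_FACING):
    """Sorted list of client-facing services lost when `failed` is down."""
    return sorted(blast_radius(deps, failed) & client_facing)


def single_points_of_failure(deps, client_facing=CLIENT_FACING):
    """External providers whose outage takes out at least one client-facing service."""
    spofs = {}
    for node in deps:
        if node.startswith("ext:"):
            hit = impacted_client_services(deps, node, client_facing)
            if hit:
                spofs[node] = hit
    return spofs


def providers_by_impact(deps, client_facing=CLIENT_FACING):
    """Providers ordered by how many client-facing services they can take down.

    This is the order in which vendor escalation contacts should already be
    to hand before the first hour of an incident starts.
    """
    spofs = single_points_of_failure(deps, client_facing)
    return sorted(spofs, key=lambda p: (-len(spofs[p]), p))


def contact_list_lost(deps, failed, node="incident-contact-list"):
    """True if the incident contact list is unavailable in the same outage."""
    return node in blast_radius(deps, failed)


if __name__ == "__main__":
    for provider in providers_by_impact(DEPENDENCIES):
        lost = impacted_client_services(DEPENDENCIES, provider)
        warn = " (contact list also lost)" if contact_list_lost(DEPENDENCIES, provider) else ""
        print(f"{provider}: {', '.join(lost)}{warn}")
```

Run as a script, it lists each provider with the client-facing services its outage would take down, most impactful first, and flags the identity provider as the one outage that also removes the contact list, which is exactly the dependency a tabletop exercise is meant to surface before it happens for real.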

Alongside this, the threat itself is changing. Generative AI has made social engineering more effective and more scalable. Phishing emails are now difficult to distinguish from legitimate communication. Deepfake audio and video can convincingly imitate individuals. Identity has become the primary route of entry, and the methods used to exploit it are advancing faster than most organisations can adapt.

This creates a structural imbalance. Attackers adopt new tools quickly, while defenders operate within governance and control frameworks that change slowly. The result is a persistent gap between the pace of attack and defence.


Resilience is about limiting impact

In that context, the objective cannot be to prevent every attack. A more realistic aim is to limit impact. That means stronger identity controls, clearer separation between systems and data, and faster detection and response. It also means recognising that exposure now extends beyond the network. AI allows organisations themselves to be imitated, extending risk into client communications and market interactions. Protecting systems remains essential, but trust has become part of the attack surface.

Regulatory frameworks such as the Digital Operational Resilience Act reinforce this shift. Expectations are clearer. Firms are required to understand third-party exposure in more detail, assess impact more rigorously, and demonstrate that resilience extends beyond internal controls. This has improved discipline in some areas, but it has also highlighted how difficult it is to achieve consistency across a global supplier base. Resilience has to be built into contracts, processes and working relationships, not assumed.

Leadership matters most during disruption

What stood out from the panel was its focus on execution. There was no suggestion that risk can be completely eliminated. Firms that perform well are not those that assume they can prevent everything, but those that design their operating model around the expectation that something will eventually go wrong.

That has implications for leadership. The focus shifts away from documentation and towards whether teams can act with confidence when conditions are unclear. Can decisions be made quickly? Do teams understand their role beyond their function? Can communication be maintained if usual channels fail? These are the practical foundations of resilience.

Resilience is not a one-off programme. It has to be maintained as an ongoing discipline. Risks change, supplier relationships evolve, and operating models become more complex. A playbook that was credible a year ago may no longer reflect how the organisation actually works. The strongest firms revisit assumptions, test their response and adjust when weaknesses are found.

Resilience is defined less by what a firm sets out in advance and more by how it responds when conditions are no longer stable. That is where governance, communication and operational clarity come together in practice. Firms that understand this are better prepared, not because they expect to avoid disruption, but because they accept that pressure will test every assumption.

In the end, the question is not whether a firm has a plan, but whether that plan reflects reality closely enough to support sound decisions under pressure. That is where resilience becomes an operational capability rather than a policy exercise.


FAQs

  1. What is cyber resilience in practical terms? Cyber resilience is the ability to keep operating when something goes wrong. It is not just about preventing incidents, but about responding effectively, containing the impact, and recovering in a controlled way while continuing to serve clients.
  2. Why is cyber resilience often misunderstood? It is often treated as a technology problem. In reality, it is an organisational one. The outcome of an incident depends less on tools and more on how people make decisions, communicate and coordinate under pressure.
  3. Why is testing so important? Plans tend to look complete on paper, but testing exposes what they miss. It highlights hidden dependencies, gaps in communication and practical issues that only appear under pressure. Without testing, organisations are relying on assumptions.
  4. What typically fails first during an incident? Communication often breaks down before systems are fully understood. Teams struggle with incomplete information, unclear ownership and conflicting priorities. Once coordination slips, recovery becomes more difficult.
  5. How should firms approach third-party risk? Third-party risk is no longer separate from internal risk. If a supplier fails and it affects your service, it becomes your incident. Firms need clear visibility of dependencies, ownership and response expectations before something goes wrong.
  6. What matters most in the first hour of an incident? Establish control, protect critical services and understand the real business impact. At the same time, engage the right stakeholders, communicate clearly and maintain focus on continuity rather than diagnosis alone.
  7. How is AI changing the threat landscape? AI is making attacks more convincing and easier to scale. Phishing, impersonation and fraud are more credible, particularly where identity is involved. This increases the likelihood of compromise and reduces the effectiveness of traditional detection cues.
  8. Why is there a growing gap between attackers and defenders? Attackers can adopt new tools quickly and without constraint. Defenders operate within governance, risk frameworks and operational processes that slow change. This creates a persistent imbalance.
  9. What does a realistic resilience strategy look like? It accepts that some incidents are inevitable. The focus is on limiting impact through strong identity controls, clear system separation, effective detection and a response that can be executed quickly and confidently.
  10. How should leaders think about resilience going forward? Resilience is not a one-off programme or a set of documents. It is an ongoing discipline. Leaders need to ensure teams can act under pressure, revisit assumptions regularly, and build operating models that hold when conditions are no longer stable.

Bio of author

Sunil Odedra has been with Kurtosys for over 16 years and has worked with investment management software and services for more than 20 years. Sunil has a background in software engineering and, since moving into a leadership role, has led engineering, infrastructure and QA teams before moving into the Chief of Technology role in 2022. He has overseen the modernisation of the Kurtosys technology stack, including the adoption of AWS and Cloudflare and the architecture of the Kurtosys App platform.
