How to assess risk for emerging technologies – before you use them


Artificial intelligence (AI), machine learning (ML), robotic process automation (RPA), the Internet of Things (IoT), blockchain, and “connected” buildings have become the darlings of the emerging technology world. Eager to work smarter, faster, and more efficiently in their competitive business segments, organizations are adopting these technologies at an increasingly rapid pace. 

Credit the global coronavirus pandemic with driving some of this momentum. Forced to send their workforces home to keep them safe, organizations quickly transitioned to more cloud-based technology and, with it, more advanced technologies like AI, ML, and IoT. 

Other organizations are deploying more connected technology within their four walls. Examples include automating tasks and processes, such as assistance with fulfillment picking on a warehouse floor, accounts payable processing, or security incident response, and deploying AI-enabled chatbots that can manage customer service inquiries without human intervention.

What many organizations don’t realize is that each addition of an emerging technology to their environment can put their organization at greater risk of a cyberattack. Or, when the emerging technology is implemented too hastily – or without a sound acquisition or development process – it can open the organization up to increased operational, financial, and financial reporting risk. 

To help manage the risks that come with using these emerging technologies, develop an emerging technology risk strategy that keeps these three points in mind: 

1) Address emerging technology risks up front. Companies need an understanding of, and a strategy to address, the risks before they implement emerging technologies. This strategy should include governance of the design and implementation methodology as well as operations across the full life cycle of the new technology. RPA is a good example of the need for governance since prior to design it can be considered a blank slate. Organizations should be sure the strategy around how solutions such as RPA are being implemented across the enterprise supports enterprise-wide business objectives related to the completeness and accuracy of processing and data, information security, financial goals, and compliance with privacy laws and other regulations.

2) Data collection is the Achilles’ heel. The more valuable information that is stored in any one system, the more likely it will become a target for cyberattack. For instance, building owners are increasing investments in connected building systems to help improve the tenant experience, but many of them are not fully aware of the degree to which those systems use technologies like artificial intelligence and machine learning to collect volumes of personal data about renters, lessees, service providers, and even visitors. The first step to protecting against an attack is knowing exactly what data your new systems will be collecting and where that data will be stored. From there, you can implement a cybersecurity strategy that prioritizes resources for its protection. You may not want to protect all the information equally, but you can implement stronger protections for more critical systems and data and then cascade downward for the less critical.

3) Don’t forget about your third-party partners. With more organizations using emerging technology in their operations, it’s not just your own hardware, software, and networks that you need to be worried about; it’s your providers’ and vendors’, too. You should be sure that your agreements, processes, and policies detail how you assess the risks of new technologies across the board. Make sure your vendor risk management program includes thorough vetting of third-party providers’ use of emerging technology, their practices associated with the implementation of the technology, and how they will be using the technology. For instance, companies should understand if their vendor’s new platform will be processing protected or sensitive information or storing this information. Establish periodic checkpoints (don’t just set it and forget it) so you can stay in front of risks and address any potential issues quickly and effectively. The measures taken should be commensurate with your risk appetite, not the third party’s standards. 

Assessing emerging technologies’ risks before incorporating the technology into your environment and business operations will help keep your organization from ending up on the wrong side of a multi-million-dollar breach. It will also help you avoid financial reporting issues and disclosures, as well as operational disruption and inefficiencies. The more technology evolves and disrupts, and the more organizations adopt it for its benefits, the more risks will emerge. If you have implemented emerging technology but have not yet taken appropriate measures to mitigate and govern risk, the time to make your move is now.


Bhavesh Vadhani, Principal, National Director, Cybersecurity, Technology Risk, and Privacy


Thomas McDermott, Director, Cybersecurity, Technology Risk, and Privacy


Subject matter expertise

  • Bhavesh Vadhani

    CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

  • Thomas McDermott

    CISA, CRISC, CGEIT, Principal, CohnReznick Advisory

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. Neither CohnReznick LLP nor its personnel provide legal advice to third parties. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees, and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.