Observability today is far more than an operational tool; it has become a critical security signal. Most major breaches begin with small anomalies, such as an unusual API call or subtle authentication deviation at the application layer, says Swati Bhardwaj, CISO, UGRO Capital.

In March 2026, Google will move to OpenTelemetry ingestion, a uniform, vendor-neutral observability data standard and ingestion layer, departing from proprietary, product-specific telemetry agents and formats. UGRO Capital has prepared for this change in advance: in addition to integrating infrastructure and endpoint systems into its threat detection, the company has also added API telemetry and application-related logs at the SOC level.
For CISOs, this transition materially strengthens the security posture by enabling threat visibility across heterogeneous environments, reducing blind spots from fragmented logging, and strengthening governance through consistent data controls and auditability. FE FUTECH speaks to Swati Bhardwaj, Chief Information Security Officer, UGRO Capital.
Excerpts:
With Google’s move to unified OpenTelemetry ingestion, observability data now effectively becomes a security signal — has your SOC integrated application traces and API telemetry into threat detection, or is monitoring still limited to infrastructure and endpoint logs?
Observability today is far more than an operational tool; it has become a critical security signal. Most major breaches begin with small anomalies, such as an unusual API call or subtle authentication deviation at the application layer.
At UGRO, our SOC does not operate in silos. While infrastructure and endpoint monitoring remain foundational, we are progressively integrating application traces and API telemetry into our threat detection framework. The objective is contextual visibility rather than isolated log monitoring.
AI-driven behavioural analytics enables us to detect subtle deviations, intelligently correlate distributed telemetry signals, reduce alert fatigue, and accelerate incident response. We are continuously strengthening this capability to move from reactive detection toward proactive prevention.
UGRO’s biggest cyber exposure is the ecosystem risk (API partners, fintech distributors, marketplaces, co-lenders). How do you technically validate and continuously monitor partner-side controls beyond contractual audits?
At UGRO Capital, we believe trust may be contractual, but assurance has to be technical and continuous. In a digital lending ecosystem, audits alone are not sufficient. Every partner integration operates through tightly governed API gateway layers with strong authentication, authorization controls, payload validation, and strict access management. No partner has direct connectivity into our underwriting engines.
We apply integrity validation on critical data fields, embed maker-checker controls, and run automated rule validations before any data is consumed. Bureau information is sourced through lender-controlled integrations and KYC data is independently verified against authoritative systems.
Our Security Operations Center continuously monitors API telemetry, behavioural patterns, and anomaly signals. Even in a hypothetical compromise scenario, system segmentation and zero-trust controls ensure that underwriting decisions and fund flows cannot be manipulated from external environments.
RBI has made the regulated lender fully responsible for customer data, disclosures and direct fund flows even when loans originate through fintech partners. To what extent has UGRO operationally implemented these requirements across all its LSP and embedded-lending integrations, and what were the most difficult controls to enforce?
We approached RBI’s digital lending guidelines not merely as a compliance requirement but as an architectural mandate. Across all loan service providers (LSP) and embedded lending integrations, we have implemented strict data minimisation principles, secure API governance, centralized logging, periodic security assessments, and enhanced partner due diligence.
Disbursements and repayments are executed strictly between the borrower and UGRO-governed systems. Partners facilitate customer journeys but do not control fund flows. Transparent disclosures, audit trails for consent capture, and centralized grievance mechanisms are embedded across digital journeys.
The most complex area has been ensuring uniform data governance across interconnected API ecosystems. As multiple third-party platforms interact in real time, enforcing data minimisation, purpose limitation, and retention boundaries consistently across environments requires continuous oversight. It is a dynamic challenge, but central to maintaining regulatory compliance and customer trust.
