FinCyber Today

FS-ISAC has been at the forefront of the sector’s collective security and resilience for over 25 years. But the threat environment across the financial services ecosystem is changing at an unprecedented rate – and our operating model is evolving in response. Our CEO, Valerie Abend, outlines how our core services are a necessary response to the threat landscape, details our call to collaborative engagement, and explains why FS-ISAC’s mission to advance the cybersecurity and resilience of the global financial system will never change – but the way we achieve it must.

GenAI offers outsized opportunity from faster development and broader security coverage, says Patrick Sullivan, VP and CTO at Akamai. It also introduces novel risks by breaking traditional assurance models and opening new attack surfaces. The creative, non-deterministic nature of GenAI forces tough choices between creativity, predictability, and security – but Sullivan says a bedrock of first principles reduces the risk in the sector’s increasingly non-deterministic environment.

Fraud is changing, says Romano Stasi, Managing Director, ABI Labs. More and more, fraudsters don’t break into systems – they trick customers into giving the threat actor access to their data and accounts. Italian banks are responding with investments in customer education, cybersecurity, and AI tools – even funny commercials aimed at potential victims. Still, Stasi believes collaboration within banks and across the ecosystem is necessary to fight fraud.  

MasterCard’s definition of resilience is to prepare for – and deliver despite – any local, regional, or global crisis that might arise, says Fadwa Rachi, Director, Head of MasterCard's European Cyber Resilience Centre. Mastercard can execute on that definition because leaders drive an exceptionally proactive culture and because its highly organized response teams – uniting over 30 different departments – take a situationally adaptive approach to communication, deployment, and exercising. Listen in as Fadwa describes how MasterCard’s resilience machine runs. 

As LLMs become the gateway to the internet, agentic AI grows ubiquitous, and the threat landscape evolves faster, CISOs may need to think about security modernization in a new way. Everything from endpoint access to fraud strategies to data localization will be affected, says Grant Bourzikas, Chief Security Officer, Cloudflare. Still, he believes that despite these critical shifts in the financial sector’s digital landscape, the basics will be even more important: contextualized intelligence, core security principles – and common sense.  

 In APAC, cyber defenders are likelier to share tactical threat intel rather than strategic information, often out of fear of suggesting they were breached, says Devinder Singh, Maybank’s CISO. But getting intel out fast – and across borders – is key to the sector's defense. To encourage a culture of trust and collaboration, Singh says APAC cyber teams need to share information on successful defenses, have the option of anonymity, and be sure of their leaders’ and regulators’ support. After all, sharing is a shield, and doing the right thing is often doing the smart thing.

Quantum computing’s threat to cryptography makes many cyber experts in the financial services sector nervous. But Jaime Gomez Garcia, Global Head of Santander's Quantum Threat Program and Chair of Europol's Quantum Safe Financial Forum, thinks stoking anxiety around quantum is the wrong approach. He says cyber leaders should pose quantum resilience as “basic cybersecurity hygiene” — because, in reality, it is — prioritize use cases, and invite risk managers to the conversation. But most importantly, the sector must coordinate its efforts because, as Garcia says, we have to do this together.

Cybersecurity threats to an institution are no longer limited to the organization themselves, as threat actors launch attacks across the entire supply chain in hopes of disrupting the financial services sector. Managing supply chain risk is top of mind for Ariel Weintraub, Chief Information Security Officer, Aon, who emphasizes that cybersecurity is not a competition, but an opportunity to share best practices and timely information to maintain the resilience of the global financial sector.

The quantum revolution is coming to the financial sector. Debbie Janeczek, Global Chief Information Security Officer, ING, is preparing for it and says the rest of the sector should, too. She suggests starting with building leadership’s awareness of quantum risks, inventorying algorithms, and developing the skill sets needed for post quantum cryptography. Those moves, among others, will help financial firms be ready when the quantum revolution arrives — and it’s getting closer every day.

The goal of information security is to not react to the change. It's to learn about change in advance. That’s one of the many lessons Meg Anderson, former CISO, Principal Financial Group, has learned after 40 years in cybersecurity. It’s a lesson she’s instilled in her teams, along with the power of saying no, the vital importance of developing a pipeline, and why cyber leaders need business leaders’ trust. Those lessons will help CISOs succeed, even as the cyber landscape changes. 

Fraud is one of the sector's biggest concerns, but passwords aren’t much of an obstacle to today’s innovative cybercriminals. Biometrics are the next frontier, but how do you get customers to accept the pivot?  Susan Koski, Chief Information Security Officer, PNC, has been examining the challenge and recommends managing by facts and known risks, understanding fraud prevention as a cross-sector problem, and remembering that the customer experience has to be central to the post-password cyber landscape.

Financial services cybersecurity has its challenges – but it’s also interesting, varied, and just plain fun, says Jochen Friedemann, Chief Information Security Officer at Talanx, the Hanover-based insurance/re-insurance firm. Cybersecurity is also more impactful than it’s ever been, thanks to cyber’s importance to senior management, with more educational and career opportunities than ever before. So though the responsibility is heavy, if you’re thinking about joining InfoSec, this is a great time to have a good time in cybersecurity.

Many financial services firms have such vast hoards of data – much of it unclassified legacy data – that owning it causes more data governance challenges than the information is worth. Olivier Nautet, Group CISO at BNP Paribas, says that firms suffering “infobesity” must approach the challenge cross-functionally, with a view to operational resilience and compliance. Here’s what he says about slimming down safely, effectively, and within regulation. Data decisions: Amassing data – especially information system and client data – forces decisions about encryption, classification, communication, usage, storage sites, environmental impact (data management takes a lot of electricity), and more. Making those decisions takes effort, but upcoming regulations will increase the pressure to make data management decisions. Classification is key: Classification dictates how encryption is managed. The key is to establish principles to determine the data that’s most important and how to classify it. Nautet says to start by determining the types of data necessary for the business (your “crown jewels”) and the credentials that must be protected.  Protecting data is a collaborative effort: Data governance is a multi-team initiative including GTOs, DPOs, IT, cybersecurity, and the business. It’s up to IT to find the best solutions for data while the business determines what’s critical and what’s secret.  Minimum Viable Systems: Think of data governance as part of operational resilience – if an incident shuts you down, it will take time to restart from scratch – in terms of minimum viable systems. Include “everything you need to ensure that you won't interrupt the business” in the system, Nautet says, such as data, systems, third parties, and compliance requirements.  Will AI fix everything?  AI will make classification easier – it can sort huge amounts of data – but you need to define the correct processes for all the different types of data you use and train your models well. Different types of data have different regulatory and governance requirements, and classification requires human judgment (especially around PII). And though AI sorts data quickly and the tooling is improving, AI may also help attackers locate encrypted data.  The challenge is scale: Data governance has to be done on a global scale, and it can be overwhelming. All the businesses, IT, and cybersecurity must work to select the data to delete while respecting all the regulations in all the jurisdictions you work in, and implement the right level of protection on the data you’re keeping. Slimming down is a data governance challenge that may require input from the whole organization. 

Data security regulation is accelerating many firms’ data protection processes, says Karl Schimmeck, Executive Vice President and CISO of Northern Trust. However, complying with multiple jurisdictions’ reporting regimes around privacy, incident disclosures, and decision process documentation can be tough. Rigorous incident management plans and structures simplify things but it’s important to remember compliance isn’t about checking boxes. It’s about reducing risk.  Regulation drives data protection: Meeting regulations is challenging when adequate data protection has different definitions in different jurisdictions – “GDR is a perfect example,” Schimmeck says. Leaders need to understand the key pieces of regulation – especially cybersecurity, data protection, and resilience –impacting financial services, because management is more involved than ever. Still, in most organizations, regulatory pressure is a tailwind that can push CISO’s modernization agenda forward in our increasingly high-expectation environment.  Regulators care about business continuity: Ultimately, regulators, security, and technology have the same concern: business continuity. Work with regulators to find the right balance between innovation and safety – but remember, regulators will want to know how operations were impacted and how problems are resolved. Schimmeck recommends knowing how your critical systems interact, your third-party dependencies, and how data flows across the businesses and systems, then plan how you’ll respond when continuity is impacted using a plan designed by specialists that produces consistent outcomes.  Leaders’ macro message:  Accomplishing the CISO’s goals requires partnership across the entire firm – even areas that didn’t prioritize cybersecurity. The message from the top is that “at the end of the day,” Schimmeck says, “we’re all risk managers.” He recommends building partnerships across the firm, including with business leaders, to address cybersecurity and operational resilience as enterprise-wide risks. Where do you set the bar? Meeting the most stringent requirements of risk management and reporting is the most efficient approach, but it adds costs and complexity. Review your incident management and disclosure processes to ensure they can provide timely and accurate information to regulators. You may need to create other technology solutions to fulfill data protection requirements, but deciding your thresholds and planning your response early on saves time and headaches when an incident occurs. The difficulty is that even if you aim high, you may not have the information you need to meet materiality requirements in the time legally allotted.  Forecasting the compliance future: New technologies – think AI – are getting regulatory scrutiny. Ideally, financial services will get the freedom to test new tech in pilot projects within their risk appetites to learn, evolve, and make mistakes. The important thing is that we remember regulation is always about risk management and that data protection decisions aren’t compliance-driven, but by the commitment to reduce risk and maintain the public’s trust.  

Identifying and managing risk is fundamental to good governance, says Claus Norup, Managing Director and Group CISO, Euroclear, but that’s only part of the job. Success in a CISO role depends on leadership’s buy-in, the ability to translate information to its audience, and the degree to which the function is embedded in overall governance, among other factors. Still, Norup says that in the end, successful governance comes down to the person in the role. Should you take the CISO job? If offered a role, judge the board and management’s commitment. You need their buy-in to succeed. If you do say yes, take some time and talk to your stakeholders, document governance policies, and get management’s sign-off. And work to embed governance in the funding processes. You can’t execute anything without money, and embedding governance makes information security part of the global governance of the institution. Governance requires timing, transparency, and translation: Governance programs should be tied into the regular program reporting and built two or three years out, but CISOs must relate technical information in a cadence and language keyed to the stakeholder. Just don’t filter information. It confuses people and fosters distrust. “What is green in the board report is green to the regulator,” Norup says. “What is red in the board report is red to the regulator.”  Finding the balance: CISOs have to strike a difficult balance between satisfying regulators, the board, management, and security, and none think they get it right every day. Commitment from senior management and the board – and their well-understood role matrix – is crucial to that balance.  Where should you focus? Try to spend a third of your time on governance, a third on communication, and a third on “what you're actually hired to do to keep the place safe,” Norup says. Team building: Leverage the second (and third and fourth) line -- they can offer input and reveal blind spots. Your team should be solid technologists and handle stakeholder management so you can concentrate on services, processes, controls, and reporting, not day-to-day operations. Governance automation: Automation, such as risk register analysis, helps you better understand groups of risks. But communication and the translation of risk to the audience can’t be automated – ultimately, information security is driven by people. “At the end of the day, whether you're a good or a bad CISO depends on who are you as a person,” Norup says. “It's still a people business, I firmly believe.” 

Where cybersecurity and operations converge – as they increasingly do -- financial services firms must view cyber risks as operational risks. That integration is a sign of cyber maturity, says Matt Harper, Aflac’s Vice President and Global Practice Lead, Product Security, and Program Strategy, but it affects the practice of risk management. He advises financial services cybersecurity leaders to learn about the business side and map security processes toward it to the benefit of the overall institution. Risks aren’t tech or operational – they’re both. Financial services firms used to categorize cybersecurity risk as a technology issue. But as cyber and business processes converge – fusion centers were an early example – business processes make cybersecurity a fundamental part of operations. As such, the risks can’t be managed independently of each other, and core processes and controls need to be mapped to business processes.  Cyber teams can accelerate the convergence. Cyber professionals need a solid understanding of the business side, from strategy to day-to-day operations. Similarly, the business side needs to understand that cybersecurity professionals are more than technologists and that security enables and enhances business. “The brakes on the car are not there to slow you down,” Harper says. “They’re there for you to go fast safely.” Learn about the business side from the business side.  To understand how security processes impact operations and customers, Harper recommends that technologists and security professionals sit in design meetings with business owners – even those they’re not directly involved in – to learn more about business processes. Listen to learn, he recommends, and repeat back what you hear.  Aflac’s integration successes. Claims processing is core to Aflac’s mission, but processing at scale with effective fraud detection controls takes time. So the operational and fraud functions worked closely together to move risk telemetry outside of the core flow, automate more detection, and build a risk engine independent of the claims process.  Explain convergence to stakeholders. Cloud, AI, and (soon) quantum computing are changing the nature of cybersecurity, and budget is always a priority. Clarify how integrating cyber and business in an evolving landscape helps the firm manage risk, improve sales, and serve customers. Leaders may not need to know how controls work but should understand how they facilitate business. 

There used to be weeks between the announcement of a zero-day vulnerability and the next exploit. Now we have days or hours to patch the vulnerability, says Carsten Fischer, Deputy Chief Security Officer at Deutsche Bank. Sometimes threat actors are in the machine even as the patch is being tested. With such a small window of reaction time, mitigation must be faster.   Prevention vs. Detection We can’t prevent every threat, but we don’t always have time to patch detected vulnerabilities before adversaries exploit them. So as zero day vulnerabilities – and exploits in the wild – increase, cybersecurity should prevent as best as possible and use detection until a patch is available and remediation can begin. It helps to share intel and ask colleagues for advice. You may find a control that should be strengthened, a technique that’s working, or that a threat has increased. Regardless, if you share, you're better off than those who don’t.  Threat intelligence vs. Threat Modeling  Threat intelligence is the sheer information that educates you on the threat landscape and guides you to the problem and its mitigation. Sharing that intel is necessary to defense: colleagues in similar straits may know a component that could speed a mitigation.  Threat modeling is mapping that problem back to you and your controls. A good threat model will indicate where the threat could materialize, the controls along the kill chain, and will connect to KPIs that show where investments should be made. Resilience is a necessary part of threat models – you have to continue operating – but the ideal outcome is reacting so quickly that you're not really impacted. No Time for a Dress Rehearsal We must be more proactive. Automate, connect platforms, and use prevention and detection controls. They can kick in while patches are being developed. But remember, people build threat models by connecting the dots in the threat landscape. The more that people connect with each other, the more dots they can connect in the threat model.  FS-ISAC Summits  The pandemic demonstrated the importance of in-person meetings. A chance to talk to security vendors and experts, discuss what’s working and what’s not, and combine the power of security thought leadership is valuable. When you exchange information you can enrich it.  

Stephen Sparkes has over 30 years of experience in leadership roles across the financial services tech spectrum and is currently Scotiabank’s EVP, Chief Information Security Officer and Enterprise Platforms, and member of the FS-ISAC Board of Directors. Over the years, he says, cyber has become the dominant operational risk, giving CISOs a more prominent leadership role. That role – and the skills CISOs need to succeed – will continue to expand as the threat and business environment evolves.Episode NotesHow the role of the CISO has evolved. The CISO’s role is more about leadership, strategic decision-making, and resource management than it is a security or infrastructure discipline. Working directly with senior leaders and boards requires communication skills to convert technological discussions into lay terms and the integrity to take a principled stand and consistently interpret risk. Still, CISOs’ calculated risk decisions empower the business, which can be tremendously satisfying.Regulatory environment: Engaging with regulators is an investment in efficiency. You can’t time a spot inspection or a rapid horizontal but planning for them – and having a deep enough bench to meet your obligations – saves CISOs effort and trouble in the long run.Fusion centers: Threat intel has cross-functional impact, so converging fraud and account takeover prevention, AML, customer-facing apps, and other teams with cybersecurity amplifies defense. Scotiabank has a virtual fusion center that rotates leadership between teams to cross-pollinate knowledge and preserve clarity during incidents.Moving to the cloud. Cybersecurity spending must increase as threats do, and cloud providers can out-spend most institutions to fend off mutual threats. Taking advantage of cloud’s scale – especially if cyber, infrastructure, IT, risk, and corporate applications are consolidated in the migration – can be both a business and security strategy. Still, moving data to the cloud can make expenses more variable, requires more control than on-prem operating models do, and is best done with a coordinated set of priorities.The next 10 years. The CISO role will become a stand-alone function as board demands increase, regulations evolve, and technology advances. Leadership skills will become more valuable and cybersecurity performance definitions will expand – system admins, for example, may need to become service managers setting policies. Prep by bringing in strong leaders, empowering and coaching your people, and explicitly explaining new corporate objectives, KPIs, and KRIs.

A financial services CISO’s job is to secure the organization of today and tomorrow. Lindsey Bateman, Chief Information Security Officer at M&G plc, a UK Savings and Investments company, recommends instituting a Security by Default culture to reduce the risks and increase the resilience of financial services institutions today, while keeping an eye on the horizon for emerging threats – and quantum computing is at the top of the list. Episode Notes Future Risks: Quantum Computing  The progress of quantum computing development is unclear, but CISOs need to think about the process of changing the cryptography in their organizations, transforming their algorithms, the standards they’ll adopt, and the impact on the business.  Generative AI Expands Your Attack Surface  GenAI is a “juggernaut” embedded in devices across enterprises. CISOs have to make it safe because they can’t stop GenAI usage. A security by design culture helps curb the threats inherent in the adoption of all AI models – such as data modeling – but CISOs need to be involved with AI deployment in business lines and identify threats to models, determine vulnerabilities, and insert the correct mitigations. Still, accurate data is clean, explainable, monitored data and presents an opportunity to incorporate or reinforce security by design in data governance.  Phishing and Deepfakes Threat actors use AI to create more sophisticated social engineering and information operations. Train employees on the behavioral cues that indicate frauds like phishing and deepfakes. Real-world exercises are effective, as are reinforcing official business communication channels (i.e., WhatsApp is not meant for work). Identity and Trust  Customers’ trust is the bedrock of the financial system, and identity security increases their confidence, but fraud detection disrupts the user experience. Solutions will take collective action, standardized approaches, and tools that enhance identity security in easy interfaces. The CISO Role is Changing What was a very technical position has become a high-profile role in executive leadership. To succeed, CISOs must speak business language and use the right risk frameworks. If aiming for the role, breadth is more important than depth in technical understanding, it helps to be a people person, and it’s good to think carefully about what you want to do – then go for it.

Third-party providers are often crucial to financial service operations – and a serious cyber risk. For that reason, EU regulators are taking a close look at the digital supply chain. Here, BISO (Business Information Security Officer) at ICE Trading and Clearing, and Chair of FS-ISAC’s UK Strategic Subsidiary Board, Burim Bivolaku talks about the biggest challenges in third-party risk management, how to effectively address them, and why FS-ISAC’s UK Strategic Subsidiary Board helps its governance structure remain both global and local. Third-Party Risks and the Benefit of Collaboration Reliance on third-party providers varies among financial service firms and sub-sectors, and some have more critical providers than do others. But risk management considerations– especially as they pertain to cloud computing and UK and EU regulations – are gaining prominence across the sector.  For that reason, the financial community should encourage collaboration with providers, as the sector routinely does amongst itself. Proactively sharing knowledge and capabilities complements regulatory compliance requirements. And getting to know each other builds trust in a way that due diligence doesn’t – and trust can be a vital asset during an incident.  Define the Third-Party Interface Financial service firms should define their interface with and outputs from third-party suppliers – and be really specific -- from a cyber-risk perspective. Risk outcomes manifest in different ways, from outages to contagion, but the interface definition can minimize or prevent harm. This is especially important with critical service providers because they’re core to effective risk management and overall resilience, while contractual agreements can address fourth- and fifth-party risks.   Threat Goes Beyond the Cybersecurity Department  Cybersecurity is a multi-disciplinary, cross-organizational issue. All departments should be involved, because the implications of a cyber attack are wide.   Why FS-ISAC’s UK Strategic Subsidiary Board is Important FS-ISAC has a global remit because threats are cross-national, but members navigate local and jurisdictional complexities as well. FS-ISAC has enhanced its regional governance structures over the years, and the UK Strategic Subsidiary Board is a logical continuation. The Board will help FS-ISAC advance cyber risk management, sharing, and collaboration among members and authorities in the UK, provide local and global threat intelligence, and offer a forum to share best practices, knowledge, and cybersecurity frameworks.  DORA and Third-Party Risks Collaborating with regulatory bodies on third-party risks helps drive positive regulatory change. And the sector’s feedback helps actions such as the EU’s Digital Operational Resilience Act (DORA) reduce risk with appropriate proportionality. For example, DORA includes rules regarding third-party tracking. Some critical service providers will not be able to meet the additional cost of compliance, which increases the potential of concentration risk – and that impacts financial service firms’ resilience. The sector’s input will help regulators keep the sector safe. Advice for People Aspiring to Become BISOs The role links information security and business functions, so on-the-ground experience with both business and cyber issues will help you advise your board, management, and sector. By understanding the business, you can better serve it.  

It’s difficult to quantify risk – some CISOs say it can’t be done – but there is a business case to be made for cybersecurity measures and controls (information sharing helps). Beate Zwijnenberg, ING CISO and member of FS-ISAC’s Global and European Boards, explains her approach to quantifying risk and communicating metrics relevant to senior management priorities. And she explains why DORA’s pillars may increase the sector’s resiliency as it matures the supply chain’s cyber defenses.Quantifying Risk The possibility of accurately and precisely quantifying risk is a matter of some debate among CISOs. In one sense, such metrics are available, insofar as they apply to the link between cyber risks and financial services organizations’ capital reserves.  But precise quantifications of the impact of cybersecurity strategies, policies, and investments on the business are much more difficult to ascertain. Determining success on those measures requires knowing the likelihood of various attack patterns or threat actors, which is often a matter of professional judgment.  Making a Business Case CISOs can, however, quantify aspects of risk management by measuring investments and controls against business issues such as financial losses, reputational risk, and operational effectiveness or efficiency. Another potentially useful approach, Beate says, is a comparison to peers on a cybersecurity maturity index.  Moreover, information sharing and incident reporting clarifies the potential for and impact of different kinds of attacks, which helps ICT teams gauge the success of their cybersecurity measures and controls.  Communicating in a Business Context Communicating risk management within a business context helps executives and board members know what to ask, track, and expect of CIT. One effective approach communicates risk management by emphasizing capability – such as risk management practices, in-depth assessments on outstanding threats, and progress on strategic programs. Another takes a control implementation perspective, covering open front ability management, progress on strategic goals (such as improving capabilities in prevention/detection /response) or on ongoing change initiatives.  DORA Pillars:  Prescriptive, but Effective  Financial services CISOs will likely find DORA’s risk management practices familiar, if somewhat prescriptive – such as those regarding front ability scanning. Nonetheless, CISOs may need to adjust internal policies to translate requirements into their own IT risk management framework. Real-life testing is the best way to prove the efficacy of DORA’s mandatory control framework on institutions’ cyber practice and will aid the sector’s resiliency. Incident reporting may advance the cyber maturity of the supply chain as well.  Standardization A major benefit of DORA is the potential for standardizing risk management practices applying to contracts within the software supply chain. Each firm’s unique contractual clauses regarding IT risk management standards, frameworks, and/or requirements with third parties inhibit automation. Standard contractual clauses centralized within end-to-end connections will improve efficiency and effectiveness across the sector.  CISO Skills Stakeholder management skills make CISOs more effective. Because cyber incidents can be so operationally disruptive, CISOs should connect with various organizational functions – particularly finance, legal, and privacy – to streamline their approaches. However, CISOs and other executives may have very different perspectives on the business, or even how to parse problems. Beate recommends understanding other leaders’ business perspective, and finding the right moments to orchestrate initiatives and develop more productive relationships.

The Cyber Risk Institute has developed a cybersecurity framework for the financial sector that is based on globally recognized standards. Josh Magri, CRI President & CEO, talks about the genesis of this framework and how it can help bridge the gap between self-assessment and regulatory compliance, even for financial firms that have operations around the globe.Notes from our Discussion with JoshCRI ProfileThe profile is the Rosetta Stone between cybersecurity frameworks, standards, and regulatory provisions. The purpose is to use the profile as an assessment tool. It incorporates several different regulatory jurisdictions. Genesis of the ProfileThere was significant regulatory fragmentation in the way cybersecurity was being approached. This regulatory fragmentation wasn’t just across the globe, but even within the US. This led to firms spending a tremendous amount of time on compliance documentation, rather than on frontline cyber defense. FS-ISAC conducted a survey of how firms were dealing with compliance and found that 40% of the cyber team’s time was spent on compliance, rather than on frontline cyber defense. So, under the umbrella of the Financial Services Sector Coordinating Council, several financial institutions and trade associations got together to find a different way to do this. CRI focused on NIST CSF and the International Organization of Securities Commissions’ frameworks. Adoption of the ProfileThousands of firms are using it. It’s a free downloadable spreadsheet. It’s used in the US, UK, mainland Europe, Japan and Africa. Self-Assessment That Can Be Used for Regulatory Compliance Different regulatory requirements had a set of around 3,000 questions that firms would need to address. The framework brought this down to around 277 diagnostic statements related to a cyber program. To bring these 277 statements to a manageable amount, an “impact hearing” schema was layered on top. It’s essentially an assessment for financial services that can be used for compliance.Challenges in Regulatory Harmonization It’s probably not possible to achieve 100% regulatory harmonization. We should aim at regulatory convergence, where regulators take a common approach to cyber, without the expectation of all regulatory provisions looking the same. Geopolitical challenges are going to be the impediments. Role of the Profile in Managing Supply Chain Cyber RisksA number of firms have used the profile internally and are using it for external evaluation of third parties and even M&As. One of the key distinctions of the profile is the detailed and holistic view of third party. This is what all regulators and firms care about, and it tends to be the weakest link. Role of the Profile for Cloud Service Providers Financial services bring compliance requirements to cloud service providers. But if it’s not part of their strategic roadmap, the cloud service providers are reluctant to do it. So, 2-3 years ago, the Profile was merged with Cloud Security Alliance’s Cloud Controls Matrix to show where cloud controls intersected with cyber controls and regulatory compliance. The Profile and AIThere are a number of agencies working on AI already and the profile shouldn’t duplicate that. The profile will probably focus more on security controls around AI than on algorithmic bias or even privacy.Advantages of the ProfileUsing it saves a huge amount of time and effort. It is freely downloadable. Software suites like Axio are incorporating it. There’s another program in which consulting firms like EY and KPMG are involved. So, there will be many more support type services out there, rather than having a spreadsheet on its own.

Generative AI (GenAI) is changing the cybersecurity landscape at a phenomenal pace, creating both new challenges and opportunities. As cyber attacks become increasingly sophisticated, preventing them requires information sharing. Ann Barron-DiCamillo, Managing Director and Global Head of Cyber Operations at Citi, talks about the difference between traditional attacks and AI-powered threats. Ann, also the current Chair of FS-ISAC's Board, discusses supply chain risks, the importance of information sharing and nurturing the cybersecurity talent pool.Notes from our Discussion with Ann(0:50) - GenAI in CybersecurityGenAI has helped accelerate time to market. The use of advanced technologies, especially in the financial sector, centers around acceleration. On the cybersecurity front, the opportunities are reversed. With acceleration, there’s a growing need to ensure we are not bypassing validation or losing control. There’s also the need to differentiate between traditional malware and AI-powered threats. ChatGPT has resulted in the merger between security tool capability and business logic, allowing security teams to reverse engineer the use of AI to find vulnerabilities quicker. (4:51) - Threat Actors Using AI95% of breaches begin with a phishing email and threat actors are adopting highly sophisticated phishing techniques. The emails no longer have obvious errors, making detection harder and they are combined with more sophisticated payload links. The threat actors pivot so quickly that your controls are unable to catch up before they move on to other things.(6:18) - Threat Vectors in FocusGeopolitical factors have infiltrated cybersecurity and hacktivists have become a key attack group. (8:10) – Recommendations for Firms with Less Sophisticated Defense Join and engage in a community like FS-ISAC. Information sharing helps institutions with less investment dollars get up to speed with the latest developments. It helps to close the gap between more sophisticated organizations and ones that are still evolving. (10:13) – Supply Chain RisksThe Cyber Risk Institute (CRI) Profile incorporates the NIST Framework for considering third-party partners. It’s important to have a framework to evaluate third-party providers and elevate their security depending on their criticality to an organization’s operations. It helps if you are sharing information in a community like FS-ISAC because partners, stakeholders and vendors can have open discussions. (14:39) – Bringing Partners on Board with CybersecurityOrganizations like Citi must lead by example. There is the need for partners to provide visibility into the state of their network, security practices and control, without violating privacy or creating additional vulnerabilities. Vendors need to be part of the conversation because they have a lot of information. The partnership must be furthered to enhance awareness. (20:27) – Stress and Burnout Among Senior ExecutivesOrganizations must collectively think about how to empower delegation and build teams that can share the load. This helps senior executives have a better work-life balance. Leveraging a hybrid model can also keep senior talent in the industry longer.(22:44) – Advice to Talent Aspiring for Senior PositionsIt’s important to vocalize that you need work-life balance. This also empowers others to create space for their families while pursuing a stressful career. People can also attend events and create a network. It’s a great way to create opportunities for yourself. Embrace ambition.(25:51) – Where is The Community Heading?While communities may have a regional component, it does not mean they will not benefit from a global perspective, especially because cyber has no borders. FS-ISAC has created such communities and is well positioned to be a great source of information.

Episode NotesJayaraj Puthanveedu - MD, Global Head of Resilience, Cyber, and Digital Fraud of BNP Paribas - dives into fraud, what the landscape looks like for financial firms, its impact on customer trust, tips on customer awareness, and much more.Notes from Our Discussion with JayarajFraud Landscape for the CustomerFraud is of utmost importance for the financial sector. It is increasing in both complexity and magnitude. Only about 20% of fraud is reported, making it more difficult to measure it.Rising Agility of Fraudsters Fraudsters respond very quickly to changing situations. Now they can leverage AI, which makes it even more difficult for customers to recognize suspicious sites or activities. Neither individuals nor the largest organizations are immune to fraud.Which Customers are Most Susceptible to FraudFraudsters are enterprise businesses now, which operate across countries. It’s easier to target the older, less tech-savvy generation. Fraudsters have data analytics to profile customers and evolve their targeting strategies. They also adapt to different themes, like the cost-of-living crisis.Impact of Fraud on Trust in the Financial SectorFinancial institutions focus on securing their own infrastructure, their websites, applications, assets and information. There’s a need to be external looking and protect customers. It’s challenging to keep customer’s data and money safe, while ensuring they have access to banking services when they need it. Building trust is about creating communication protocols to raise awareness and train customers.Considerations When a Customer Becomes a Victim of FraudEven if a bank does everything right, a customer who is defrauded may lose trust. Banks need to think beyond the regulatory aspects and encourage customers to report fraud and train them to know when, what and how to report it. This helps financial institutions to understand the latest modus operandi of perpetrators in cross-jurisdiction fraud. Also, the fund recall process has become far more complex because the money moves quickly between countries.Fraud Proof by DesignFinancial firms need to follow a holistic approach to building machines, processes and products to detect non-standard behaviors and patterns. Fraud prevention must be a consideration in application development, product design and delivery. Intelligence gathering is also important, like identifying websites that look like your own to reduce phishing. Getting Customer Attention to Increase Fraud AwarenessDespite the rapid evolution of fraudulent activities, banks cannot communicate too frequently, as customers will just tune out. Awareness needs to be part of the customer journey, from onboarding to the transaction process and account maintenance. Sometimes personal data is stolen on other websites, but customers don’t get to know till their bank account is impacted. Customer awareness of different ways in which data may be compromised is key. Customer education is better driven by contextualizing the message. Collaboration to Get Ahead of FraudstersThere’s a need to share actionable intelligence and information on trends and patterns. There is currently no central or global data source to understand the real loss from digital fraud because it is hugely underreported. There needs to be regional and international coordination to tackle fraud.Privacy Issue with Sharing Fraud DataFraud reporting may not require sharing customer specifics but will definitely include customer profiling. There are privacy issues with this as well. Conversely, there are things that can be shared that are not yet being shared. 

Episode NotesWith over 20 years of experience as a CISO, Phil Venables, Chief Information Security Officer at Google Cloud, talks about creating an AI framework, key use cases for AI in cyber, Google Cloud joining FS-ISAC's Critical Providers Program, how he approaches operational resilience, and gives advice on how CISOs can maintain work-life balance.Notes from our Discussion with PhilGoogle Cloud’s Security AI FrameworkAI has presented new risks and very specific types of threats. The objective is to create a foundational framework on a basic set of control principles that can be replicated in other processes. It’s important to extend detection and response capabilities to include AI systems. This is particularly important when deploying large language models (LLMs). AI is the best defense against AI. There’s a need to embed AI in tooling, so that everyone doesn’t need to be an AI expert.Expectations from the FrameworkGoogle Cloud is looking to partner with organizations to develop the framework. This may not become “the” framework, as there are others like the NIST AI Risk Management Framework. The aim is to build on the framework to include other, more detailed recommendations and tooling. It should have a broader use, beyond Google and the customer’s use of Google’s AI. Key Use Cases of AI in Cybersecurity There are 3 areas – Threats, Toil and Talent.Threats: Google is using LLMs, AI and GenAI to analyze, monitor and manage threats, like analyzing new malware discovered via Google’s VirusTotal service and using Sec-PaLM 2 LLM to decode and provide threat advice. LLMs need to be trained using a large corpus of security and threat data.Toil: Security operational jobs have a lot of overhead and ineffective tools. Google Cloud is focusing on using Sec-PaLM 2 to help organizations automate security operations.Talent: AI will be the great democratizer of talent. Giving people AI assistance to develop, expand and extend their skills can increase security talent.AI Risks for Financial Services OrganizationsAI as a democratizer of talent and a tool for enhancing people’s skills can also extend the capabilities of threat actors. Organizations will need to bolster their current defenses. For example, deepfakes across voice video and images are being used to confound authentication systems and organizations are strengthening their traditional authentication systems, like using hardware tokens.Impact of AI and Strategies to Secure the Cloud EnvironmentAI is driving an accelerated cloud adoption. Even the largest companies will need to migrate to the cloud for the processing capability to deploy the new LLMs. There will not only be a drive to the cloud to get access to AI, but also the use of AI tools to securely manage cloud configurations.Google Cloud Joins FS-ISAC's Critical Providers ProgramAs a cloud provider, Google provides support for many critical infrastructures and the financial services sector is among the most critical infrastructures in the world. With more banks moving to the cloud, it makes sense for Google to stay in touch with the community and make sure we’re meeting customers where they are. By joining FS-ISAC, Google Cloud wanted to be part of an organization that is promulgating best practices and sharing information and intelligence.Maintaining Work-Life BalanceTwo big lessons. Work-life balance is not about achieving the balance every day. You can think of it on a weekly or monthly basis. If you’re aiming for a balance every day, it may add to your stress during weeks when there’s a crazy amount of work. Secondly, maintaining work-life balance requires discipline. The answer is to talk to your future self. Often you say yes to meetings that don’t add much value. Talk to your future self to judge your decision about attending the meeting.

Episode NotesDaniel Barriuso, Global Chief Transformation Officer at Santander and Chairman of the FS-ISAC Europe Board of Directors, talks about the importance of addressing cybersecurity globally and holistically, while also taking regional differences into account. He draws on his experience as Global Chief Information Security Officer (CISO) at Santander and his current role to discuss how bigger organizations can collaborate with startups to fight cybercrime.Notes from Our Discussion with DanielChairing the FS-ISAC Europe Board of DirectorsCollaboration, information sharing, and collective response to address cyber problems can create a much stronger cybersecurity ecosystem. The cyber community is keen on this approach, which makes it a pleasure to Chair the FS-ISAC board.State of Sharing and Collaboration in EuropeEurope certainly understands the importance of collaboration, but FS-ISAC brings the platforms, protocols, and trusted community to enable that to happen in real time.Key Focus of FS-ISAC Europe BoardCyber challenges are consistent around the world. But there are regional differences. For example, in Europe, the focus is on resilience, with DORA (Digital Operatonal Resilience Act) coming into effect.Convergence of Fraud & CybercrimeStakeholders often cannot distinguish between cyber and fraud. A cyber attack can lead to fraud or a fraud scam may have a cyber component. For these stakeholders, cybercrime and fraud are a single disciple.Merging Cyber and Fraud Prevention DepartmentsThis has been a very natural integration at Santander. Also, the diversity of skills and backgrounds makes cybersecurity more effective.GenAI Impacting the Fraud LandscapeCriminals leverage the latest tools and employees need to be aware of them. At Santander, every transaction is monitored using AI and other advanced tools. These also help to continuously identify new patterns to enhance response.Santander Working with Innovative StartupsIn order to remain agile, Santander keeps in touch with innovation and new developments across the ecosystem through its work with startups. Santander has partnered with Forgepoint Capital to advance cybersecurity investment and innovation, and also launched the X Global Challenge to identify startups with the highest potential.Addressing Cybersecurity Talent Shortage with PartnershipsThere is a range of things Santander does to overcome the global shortage of cybersecurity professionals. Diversity is very important to look at cyber holistically. Being aware of cybercrime should also be part of the education system.Spreading Cyber AwarenessSantander is passionate about spreading awareness to everyone, employees, customers, and society. The foundation of cybersecurity is the people behind the computers. Santander conducts cybersecurity training called Cyber Heroes in a game format, which is available to everyone. It also launched a thriller podcast series called Titania.Strengthen your cybersecurity capabilities with information sharing and collaboration - Join the FS-ISAC community.

While the Board sets up broad policies and priorities for companies, there’s a whole cyber universe that Board members may not fully understand. Jerry Perullo draws on more than two decades of experience, including as CISO at Intercontinental Exchange/New York Stock Exchange (ICE/NYSE), and recently as interim CISO at Silicon Valley Bank, to explain his framework for presenting cybersecurity risks and solutions to the Board.Notes from Our Discussion with Jerry(3:03) - CISOs as Board membersCISOs want a seat at the Board table and want to be part of the discussions. To do this, they need to be cross functional, with knowledge outside cybersecurity. (6:05) - Board TrainingDoing board training (such as with the NACD) as early in your career as possible will help you understand how board directors think about risk holistically – an important tool for CISOs briefing boards. (7:53) - Addressing Cyber Risk Management and Regulations with the BoardRisk management isn’t new for Boards. It’s been critical for years and meant different things. Yet, cybersecurity isn’t on the list. On the other hand, regulators have requirements, which brings cybersecurity into Board discussions. Tactical intelligence sharing should be digestible and actionable by the Board.(10:52) – TRIC – The Cybersecurity Framework for the BoardTRIC (Threats, Risks, Incidents, and Compliance) is a framework for presenting cybersecurity programs and progress to the Board. (11:26) – Understanding ThreatsBriefing on threats is about setting the mission. Threats can be identified by understanding the organization’s risk appetite for focusing the cybersecurity program.  (13:46) - Risks are Standalone VulnerabilitiesRisks are very specific vulnerabilities. An organization may face thousands of them and there should be a constant discovery and identification process. CISOs should also identify which of these risks to take to the Board.(15:45) – “Incidents” Defines When to Approach the Board  The Incidents piece is about defining the severity levels and getting agreement with the Board. A lot of governance is focused on when the Board is alerted and when they should get involved. These should be included in the incident response plan.(17:32) – Compliance Data Presenting data in the form of a Gantt chart can make it easier for the Board to understand the progress in cybersecurity and compliance.(19:13) –Adding a narrative executive summary and an appendix to the presentation. (20:18) –Advice for CISOs who aspire to be on the Board and discusses the possibility of cybersecurity being deprioritized by the Board.   Fight cyber threats with the intelligence and knowledge of the whole industry at your fingertips – join the FS-ISAC community.

With a barrage of upcoming cyber regulations, financial firms will need to integrate some of the new requirements into their cyber and resilience programs. Erez Liebermann, Partner at law firm Debevoise & Plimpton, clarifies the key points of relevant cyber regulations that financial firm CISOs should know about. Highlights(1:11) Key trends of the recent cyber regulations(4:26) Pertinent details on the main upcoming cyber regulations for financial firms(12:27) If the four day incident reporting rule is pushed through, do cyber teams need to make changes to their response process to comply?(21:13) Who makes up the council of people in an organization to determine if a cyber incident is "material"?(25:04) The million dollar question: What does cyber expertise on the Board actually mean?(32:45) On the different regulatory approaches across the globe, and how that can put organizations in difficult spots to comply

The scope of the great cybersecurity talent shortage is real. Kristopher Fador, CISO at Bank of America details where the greatest concentration of the shortage is, how to build a good cybersecurity talent pipeline for financial firms of all sizes, and how he views retention and attrition. Highlights(3:44) – The dangers of a lack of mid to senior level talent(7:09) – How Bank of America builds a good cyber talent pipeline(10:10) – Suggestions for smaller firms on building a pipeline of cyber talent(11:16) – How Bank of America focuses on neurodiversity (12:58) – A different perspective on retention and attrition(16:41) – Advice to CISOs and other leaders struggling with talent shortage amid operational changes and economic challenges

With the help of Chat GPT and other AI tools, financial institutions can make decisions more quickly and with greater precision, but how crucial will human oversight be in the future of financial sector cybersecurity? Bashar Abouseido, MD, Chief Information Security Officer at Charles Schwab talks about the benefits and risks of using ChatGPT and other artificial intelligence in cybersecurity.Highlights(3:11) - How Chat GPT and other AI helps financial institutions leverage data to stay ahead of cyber criminals. (10:28) – The risks of incorporating Chat GPT into business operations.(15:11) - How AI enables and accelerates the evolution of cyber threats and the defense against them.(30:22) - How AI will change cybersecurity in the future.(31:37) - Advice to fellow CISOs on their journey to start integrating these AI technologies into their programs.

Tabletop exercises are a crucial component for enhancing threat and vulnerability management plans in fintech. Paige Johnson, Executive Director and Head of Americas Firmwide Simulation Utility at JP Morgan Bank, discusses the origin and development of these exercises. HighlightsHow exercise scenarios are chosen (7:46)Have exercises turned into reality (10:20)The range of tabletop exercises in use today (12:42)The best ways to engage senior leadership in exercises (17:57)How to start an exercise program (20:27)The differences between internal and external exercises (33:45)

As the global financial sector prepares for the advent of quantum computing, security professionals are at the forefront of developing protocols for post-quantum computing (PQC). George Webster, Chief Security Architect at HSBC, and Peter Bordow, Distinguished Engineer and Chief Architect of Post Quantum Cryptography and Quantum Systems, and Emerging Technology for Information and Cybersecurity at Wells Fargo, discuss the impact quantum computing will have on the financial services industry and the reasons why we should prepare now. Highlights 2:25 – Why quantum computing is a paradigm shift for cybersecurity in financial services  11:14 – The importance of preparing for quantum computing now 15:31 – The types of data targeted by "harvest now, decrypt later" attacks. 17:32 – The benefits of quantum computing for the financial services industry 25:51 – How to initiate post-quantum computing planning 

Laura Deaner, CISO at Northwestern Mutual, shares her advice for mid-senior professionals who want to become a CISO, the best practices for incorporating artificial intelligence like ChatGPT into the corporate ecosystem,  the business case for more diversity in cybersecurity, and more including:(00:52) - The advantages of having the CISO manage both cybersecurity and IT risk management. (04:21) - The importance of being able to translate technical information into the non-technical for an organization and its clients.  (06:18) - What she’s learned from being in a real crisis situation. (14:09) - The importance of maintaining a practical posture when assessing the impact of AI on cybersecurity. (32:03) - The importance of diversity in cybersecurity.

Dr Boaz Gelbord, Senior Vice President and Chief Security Officer of Akamai, discusses the changing role of the CISO in the advent of new tools that are changing the cybersecurity landscape, why security is becoming a big data problem, and more including: The CISO role is now more integrated with business operations (03:30) How the evolving Internet ecosystem is impacting cyber security (13:20)On the security threats being posed by ChatGPT (15:36)The impact of fraud’s convergence with cyber on the financial services industry (25:06)How organizations should assess the risk quantum computers pose to data security: (33:58) 

Meg Anderson, the Chief Information Security Officer (CISO) at Principal Financial Group, talks about the CISO's role in helping a large, multi-national company stay flexible by making sure security controls are in place and managing risks. She also covers:Centralization versus decentralization of cybersecurity controls in a large corporation:  (2:10)How to keep a large number of employees up to date on cyber hygiene and awareness: (3:29)Thoughts on whether a security team should be remote: (10:48)The best ways to formulate questions that will extract the best data: (26:15)

Ariel Weintraub, CISO & Head of Enterprise Security at MassMutual, discusses the spectrum of her cybersecurity responsibilities, including employee diversity and retention, managing an evolving threat landscape, and incentivizing staff to be more aware of their role in attack prevention.  How to address new initiatives and evolving priorities while managing ongoing cyber threats. (25:38 – 26:21) Why an increase in incident knowledge and contingency plans can help business resiliency. (29:04 – 29:39) Her advice for CISOs with technical backgrounds who want to better align with business priorities. (34:39 – 35:38) Determining a framework to quantify an organization’s cyber risk. (37:01 – 38:02) How incentives help employees understand their role in preventing cyber attacks. (47:57 – 48:49) 

Jenny Menna, Vice President, Threat Management and Response at Humana, and Member of the FS-IAC Board of Directors discusses the active threats to the insurance and healthcare sectors, including:  Which two ongoing threats the insurance and healthcare sectors are monitoring, and how those threats continue to evolve (7:35 – 8:30).The importance of forming a strategy around employee education (11:04 – 12:18).The key to forming relationships that help stakeholders come together when a unified defense is necessary (19:05 – 19:41).How public and private sector companies deal with ongoing cyber threats differently (29:21 – 32:43).

Teresa Walsh, FS-ISAC’s Global Head of Intelligence joins the show to talk about a wide range of topics in cybersecurity, including:The difference in how the public and private sectors handle threat intelligence (00:58-03:04)What the role of the CISO is today (07:52-11:27)The current threat landscape for financial firms and how to go about understanding all of an organization’s dependencies (19:35-27:22)The cybersecurity talent shortage, promising career paths for young people interested in cyber, especially for women (32:42-48:19)Why we need to think and worry about new challenges in digital currencies and post-quantum computing (54:57-58:06).