Navigating Threats in Fintech

Below is a reprint of the interview I gave to CIO-World, which featured me on the cover of its "Europe's Most Influential CISOs of the Year 2024" issue. The original can be found here.

TLDR - I talk about essential skills for a CISO, how regulation can bolster resiliency and security, essential skills for effective CISO leadership, advice on navigating the C-suite, and how to navigate the evolving intersection of technology and compliance.

This represents multiple blog posts in one - enjoy.

As financial technology (FinTech) evolves rapidly, it faces an increasing number of cyber threats. Cybercriminals are constantly finding new ways to exploit weaknesses in payment systems, putting billions of dollars and countless identities at risk. A staggering statistic reveals that up to 75% of customers worldwide now use at least one FinTech service, a number projected to grow as more people embrace digital payments and online banking.

Source: CIO World 

Meet Thierry Zoller, the Chief Information Security Officer at J.P. Morgan Mobility Payments Solutions S.A. (Ed.: now Julius Baer), whose mission is to stay one step ahead of these digital predators. With nearly three decades of experience in cybersecurity, Zoller brings a unique blend of technical expertise and strategic vision to one of the world’s largest financial institutions. His journey from a curious teenager in Luxembourg to a leading figure in global information security is an example of the power of passion and perseverance.

Thierry’s fascination with technology began early, driving him to explore the inner workings of systems and networks. This curiosity led him to dive deep into reverse engineering and system vulnerability analysis, skills that would become invaluable in his future roles.

His career has been marked by a series of high-profile positions, including Head of Security Risk and Compliance Europe for Amazon and CISO for Amazon Payments. These experiences have honed his ability to navigate the complex intersection of technology, finance, and security.

At J.P. Morgan, he faces his most challenging task yet: securing the future of mobile payments in an increasingly cashless world. His approach combines futuristic technology with a deep understanding of human behavior, recognizing that the weakest link in any security system is often the user.

Thierry’s impact extends far beyond his corporate role. As a prolific blogger and researcher, he has coordinated the disclosure of over 100 vulnerabilities and released numerous free security tools. His work has been cited in books and peer-reviewed papers, cementing his status as a thought leader in the field.

The 45-year-old security expert’s commitment to knowledge sharing has been a cornerstone of his career. This philosophy drives his continued efforts to educate and empower the next generation of cybersecurity professionals, contributing significantly to the global information security community.

Let us learn more about his journey:


N-Th Party Risk (Thierry ZOLLER)

The responsibilities of vendors, suppliers, and service providers have grown increasingly important in the dynamic digital economy. Growing digitalisation and reliance on third-party entities significantly enhance business operations while concurrently introducing a spectrum of security risks.

Recognising these challenges, regulatory supervisors have been actively creating frameworks over the years to make sure that financial entities in particular appropriately handle and mitigate the risks of security incidents that could directly affect their operations.

The adoption of specific guidelines by the European Banking Authority (EBA) marked a substantial acceleration of the shift towards a more security-conscious approach when interacting with third parties. These guidelines were a significant advancement in highlighting the important security aspects to take into account while working with third parties.

However, with the final Regulatory Standards recently published, the Digital Operational Resilience Act (DORA) is further evolving the requirements and expectations in light of multiple high-profile breaches involving third parties and the supply chain. The entry into force of this European Regulation, which takes effect in January 2025, marks the beginning of a new era in third-party security management.

It signals a time when strict compliance and proactive risk management are more important than ever in third-party contacts, and it also emphasises the significance of operational resilience and indicates a heightened response to the changing threat landscape.

While researching the state of the art in "third party" risk management, I came across a report recently published by Wade Baker, Ph.D. and the Cyentia Institute titled "Risk to the Nth-Party Degree: Parsing the Tangled Web".

In true Cyentia Institute fashion, the report is data-driven and provides plenty of opportunity for the data science geeks amongst us to rejoice; for the others, it is one of the first publicly available reports providing data analysis on the matter.

The Report highlights a crucial aspect that is often overlooked in risk management: vendor risk extends beyond direct third parties.

What really is "third party" risk?

I recently completed my studies at the Luxembourg School of Business and began exploring how to incorporate my newfound knowledge into my field of work. Specifically, I have been considering the application of Psychological Safety principles in the realm of Cyber/Information Security.

What is Psychological Safety?

Psychological safety is a concept that refers to an individual's perception of the consequences of taking an interpersonal risk in a work environment. It involves feeling safe to express oneself without fear of negative consequences to self-image, status, or career. In a psychologically safe team, members feel accepted and respected. This environment allows for open communication, creativity, and innovation, as individuals feel comfortable sharing their ideas, questions, concerns, and mistakes without fear of ridicule or retribution.

Amy Edmondson - TED Talk (Building a psychologically safe workplace)
https://www.youtube.com/watch?v=LhoLuui9gX8
Cybersecurity in M&A

A Growing Priority for Decision Makers

In the dynamic landscape of mergers and acquisitions (M&A), decision-makers are increasingly prioritizing cybersecurity risks.

A detailed survey by Forescout provides key insights into the current state of cybersecurity in mergers and acquisitions. The survey, which involved nearly 3,000 IT and business decision makers, reveals a growing emphasis on cybersecurity in M&As.

The study found that 81% of respondents now prioritize a target's cybersecurity posture more than in the past, with 62% agreeing that cyber risk is their biggest concern post-acquisition.

This trend highlights the recognition of cyber risks as potential deal-breakers, capable of causing significant financial and reputational damage.

"Take the Verizon acquisition of Yahoo in 2017 as an example. Following Yahoo’s security breach disclosures, there was a $350 million acquisition price cut."

The study highlights this shift, noting the importance of continuous cyber assessment throughout the M&A process. It's no longer a one-time check but a critical, ongoing evaluation.

Key Findings

Transparency 🚫 - An undisclosed data breach is a deal breaker for most companies: 73% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.

Plan for continuous assessments 🔄 - Decision makers sometimes feel they do not get enough time to perform a cyber evaluation. Only 36% of respondents strongly agree that their IT team is given time to review the target company’s cybersecurity standards, processes and protocols before their company acquires it. The results emphasize the importance of proper evaluation and adequate time in ensuring successful M&A outcomes.

Acquisition Regrets 🤦 - 65% of respondents regret their M&A decisions due to cybersecurity concerns. Failure to address cyber risk can lead to major acquisition regrets: nearly two-thirds of respondents (65%) said their companies experienced regrets in making an M&A deal due to cybersecurity concerns.

Integration Delays ⏲️ - 49% encountered unknown or undisclosed cybersecurity issues, causing M&A timeline delays. 54% reported minor delays and losses under $1 million; 50% faced major delays with a similar financial impact.

Significant Losses 💸 - 22% experienced losses over $1 million due to cybersecurity incidents.

Introduction
As many of you know, the Schengen Agreement (named after the Luxembourg village of Schengen, where the initial agreement was signed) introduced the free flow of goods and people across the European Union. Many consider it one of the core backbone agreements of the European Union.

Synopsis
Germany decided to introduce border controls during the SARS-CoV-2 epidemic in March-May 2020. Luxembourg is in a particular situation that is best displayed via this illustration: every day, over a third of the entire working population enters the country from Germany, France, and Belgium and drives home in the evening, thus passing these very borders every day.