Executive Interview Series: The ABA’s John Carlson


Let’s begin the latest installment of our Executive Interview Series with a hard truth:

Financial institutions are fighting an uphill battle to safeguard consumer trust and assets.

As cyber threats evolve with increasing sophistication, from ransomware to new phishing schemes, the financial sector must continuously adapt and strengthen its defenses. With trillions of dollars flowing through these organizations on a daily basis, the stakes for cybersecurity have never been higher. 

Enter John Carlson, a seasoned cybersecurity expert whose career spans over three decades across both the public and private sector. As Senior Vice President of Cybersecurity Regulation and Resilience at the American Bankers Association (ABA), he is at the forefront of shaping cybersecurity strategies and policies that enhance the security and resiliency of the financial sector.

We recently sat down with John to discuss all things cybersecurity. Expect to learn how he got into the industry, his thoughts on the most pressing cybersecurity challenges (and innovations) for financial institutions, the value of domain security through .Bank, and more. 

Let’s dive in.

Background and Professional Experience 

Q: How did you get into the world of cybersecurity?

I got into cybersecurity when I worked at the Office of the Comptroller of the Currency (OCC). This is an independent bureau of the U.S. Department of the Treasury. This was my third job out of graduate school, Harvard’s Kennedy School of Government, where I focused on public policy.

When I was at the OCC I started working on several bank technology projects focused on the rise of the Internet and how the national banking system should look at the risks associated with Internet banking. 

That then evolved into a massive effort focused on Y2K, where I helped the national banking system prepare for the century’s date change. 

While Y2K sounded ridiculous, it was actually fairly significant because it involved a lot of coordination with critical service providers, testing, business continuity planning, and thinking about what would happen if something did go wrong. 

That then evolved into working on some projects to update the FFIEC’s information technology booklet, and that’s where I started getting deeper into cybersecurity. From there I left the OCC and joined BITS, which is the technology policy division of the Bank Policy Institute, formerly the Financial Services Roundtable.

I led their cybersecurity program, and we focused a lot on how cyber was evolving, with increasing risk to the industry. I started getting much more involved in our sector’s coordinating council, the Financial Services Sector Coordinating Council (FSSCC), which included working on R&D-related issues and conducting many exercises on behalf of the sector. 

I was then recruited to Morgan Stanley to help them establish their operational risk department after the 2008 and 2009 financial crises. I then returned to BITS and got even deeper into public-private sector collaboration. 

Current Position at the ABA

Q: What role does the ABA play in financial services cybersecurity?

We’re the largest financial association. We represent and work with thousands of banks of all sizes across the country. Several working groups focus on cybersecurity and related issues, including third-party risk management. Recently, we’ve spun up some new groups to deal with artificial intelligence. 

We also have a lot of work to do to try to address the rise in fraud, which is often cyber-enabled. We also have groups that focus on business resiliency or operational resilience, thinking through how to continue critical services in response to significant events, whether they’re physical or cyber. 

We host conferences and do training for our members. For example, we did an exercise a few weeks ago at our risk and compliance conference in which we:

  • Simulated a ransomware attack and how the fictitious bank would deal with it: whether to pay the ransom and how to coordinate with its critical service provider, which was the nexus of the cyberattack.
  • Formulated ways to deal with cyber risk insurance providers.
  • Developed strategies on how to communicate with customers and the general public, through the media as well as social media.
  • Managed the incident notification requirements that regulators and non-regulators now impose in response to these events.

On a broad scale, the ABA prioritizes advocacy, education, and leadership in our sector through our leadership role at the FSSCC and supporting stakeholder organizations like .Bank, operated by fTLD Registry Services. 

Q: What does a typical day look like for you at the ABA?

I would say every day is different. I run many different working groups, so a fair amount of time is spent organizing calls and webinars on various topics. I’ll give you one example. 

A few months ago, when NIST, the National Institute of Standards and Technology, finalized its rewrite of the 10-year-old cybersecurity framework, we brought on the head of that program to discuss the update. 

We also brought on the Cyber Risk Institute, another important partner and another spinoff between BITS and ABA that does a great job of developing frameworks for assessing cyber readiness. I also write a lot of comment letters, and that fits into our advocacy. 

I support our lobbyists who work on Capitol Hill to respond to legislative proposals. 

With the FSSCC, I co-chair the R&D committee (along with Ben Flatgard at JP Morgan Chase), so we focus on both near-term and long-term research and risk priorities for the financial sector. In the fall of 2023, Ben and I partnered with other associations, BITS and FS-ISAC, to explore the intersection of artificial intelligence and cybersecurity. We convened a series of discussions with experts from dozens of financial institutions. At the end of the process we wrote a six-page summary of our findings. The US Treasury staff paid us a compliment by incorporating that summary in the appendix of their report on AI and cybersecurity, which came out in March 2024: Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector (treasury.gov)

I also serve on the planning committee and help to develop the agendas for the three meetings that the FSSCC and our public sector sister organization called the Federal Banking Information Infrastructure Committee (FBIIC) convene each year. So, there’s quite a lot of planning that goes into those meetings. 

I also speak to the boards of our member companies at different conferences, and provide risk management courses that our members use to train their staff. I focus on the ones dealing with cyber, third-party risk management, and business continuity. 

The ABA also does some applied research. In 2022, we did a deep dive into digital identities, the complex ecosystem, and the challenges we face in the policy area to enhance digital identities, which are important for enrolling and authenticating customers. 

The last thing I’ll mention is that I serve on the board of Sheltered Harbor and am very active in the Cyber Risk Institute, serving on several of its committees. 

Q: How has all your experience in the private and public sectors shaped your approach to your work at the ABA?

I would say it really boils down to two words: trust and collaboration.

You cannot collaborate unless you have trust, and I think the financial sector has done a very good job of identifying challenges and issues that need to be addressed, and then the industry works together to mitigate some of those risks. 

A good example would be voluntary information sharing. The concept was implemented during the Clinton administration, when a presidential directive encouraged critical infrastructure sectors like financial services to create information-sharing organizations. The first one was the Financial Services Information Sharing and Analysis Center (FS-ISAC), which is celebrating its 25th anniversary later this year. Other sectors such as health care, electric, telecommunications, and retail have also set up information-sharing organizations. To this day, the FS-ISAC is the largest and most active in terms of information sharing.

Another example would be the exercises we’ve been doing in partnership with the U.S. Treasury Department. It’s called the Hamilton Series. I’ve probably been involved in at least 30 of them over the past eight years. They’re very helpful in terms of having an experience that everyone can participate in, to discover where there may be weaknesses or inadequacies in policies, procedures and capabilities and then, most importantly, to fix it.

It’s amazing what the sector has done. There’s a potentially significant risk to the industry, and then the industry comes together, comes up with the proposal, and creates an organization to run it to help individual banks. 

Current Cybersecurity Threat Landscape and Trends

Q: What are the current threat trends in cybersecurity that you find most impactful for bankers?

As you know, there are many adversaries out there who target financial institutions. Obviously, as Willie Sutton said, “that’s where the money is”, and that’s where the data is that criminals want to use to steal money, defraud people, or interrupt the ecosystem. We also have seen nation-state adversaries target financial institutions to disrupt commerce or steal intellectual property.

Criminals and nation-state adversaries have gotten better in terms of their capabilities.

Criminal enterprises often share information amongst themselves. They’re highly organized with people who are really good at breaking into systems and then others who are good at creating fake identities, launching phishing attacks, and conducting ransomware extortions. So they’ve become very compartmentalized and sophisticated. 

The other side is nation-state actors including China, Russia, Iran, and North Korea. Those tend to be the big four, and they have different tactics in terms of how they steal information or disrupt systems. 

In the case of disruption, a good example is the Distributed Denial of Service (DDoS) attack. There was a major attack that was a front-page news issue back in 2012-13, when over 30 major U.S. banks were targeted by an Iranian-backed group. This type of attack has led to an increase in regulatory requirements and scrutiny of cybersecurity programs.

We have also seen Russian actors who are very active in fraud, carding, and other similar activities. And then we’ve been seeing many warnings from U.S. government officials about the wholesale theft of intellectual property by Chinese government-backed actors.

Also, North Koreans are using ransomware attacks and crypto to fund many of their government’s operations. So, it boils down to what tactics they’re involved in. 

Financial services is really a technology business because a lot comes through third parties. Banks and others rely on a plethora of third-party providers, and attacks often occur through those third-party providers. 

One very recent example, even though it wasn’t a cyber attack, was a software update that didn’t go as planned. The CrowdStrike outage had huge implications for multiple industries, not just financial services.

I think the financial services industry weathered that quite well. There were some disruptions, but organizations could restore, reboot, and return to operations. However, other industries, like airlines, had huge disruptions and very large losses that we now see playing out in the legal system. 

Ransomware attacks have also been going on for some time now. Adversaries break in, encrypt sensitive data, then demand a ransom, and it’s a very challenging predicament that a bank, or any organization, faces.

There are issues such as whether you pay the ransom and whether you have good backups so that if you don’t pay, you can continue to service your customers. 

This is connected mainly to third-party attacks but not zero-day attacks. This is where there’s a vulnerability, and there is not a patch yet. That can be very destabilizing to the industry. 

We also see a lot of social engineering, very sophisticated phishing, and what’s called business email compromise. This is when a criminal targets a Chief Financial Officer at a commercial business, or someone in a position to execute a payment, by sending an email saying this is something the CEO wants and that it must be done quickly. In some cases, the losses for those who fall prey can be significant.

So, in summary, there’s no shortage of challenges when it comes to cyber and attempts to defraud financial institutions and their customers. 

Q: What role does artificial intelligence (AI) play in cybersecurity?

We are seeing this as both a promise and a peril. The promise is that AI can be used in financial institutions to detect suspicious activity. The peril is that it can unwittingly lead people and customers to believe in something that’s not true. It could have malware embedded in software. AI could expose private information. AI could be used in ways that introduce bias and lead to discriminatory lending. AI could be used in ways that disrupt markets through misinformation and disinformation. These are among some of the concerns that regulators are paying attention to.

A lot of the energy right now is being focused on the potential impact of AI and what sort of controls financial institutions need to have in place. 

And there’s a huge executive order—hundreds of pages long—that came out in October of last year that demands numerous government agencies take a long list of actions to address some of the AI challenges. The US Treasury report on AI and cybersecurity was one of the many actions outlined in the executive order. That’s why we worked closely with the Treasury Department through the FSSCC to provide input to their report on AI and cybersecurity. 

Q: What are your thoughts on the recent rise of supply chain attacks?

Financial institutions must rely on third parties. It’s a fact of life, and it becomes a challenge to adequately assess whether those third parties have the right controls, understand the risks, and know how they can potentially mitigate them.

It ties into operational resilience and business continuity planning as a component of that. As a financial institution, how will you continue to provide essential services to your customers if one critical system or multiple systems are down due to your reliance on critical service providers? 

And that’s where having a very strong risk management culture within the bank is crucial. Risk management covers everything from your supplier risk management program to your incident response plan in terms of how you would actually activate it and respond to the situation and how you’re managing your technology stack, so to speak. 

Cybersecurity obviously fits in all those areas of the process in terms of helping financial institutions manage risk and make investments that will protect them. 

You also impact the economy in terms of the ability to execute payments and transactions that are critical for all kinds of operations. That’s why it is so important for financial institutions to have plans to respond to incidents and proactively manage risk as it’s not just a matter of inconveniencing your customers. Your relationship with your customers goes deeper than that. 

.Bank and the Importance of Domain Security

Q: What role does a verified top-level domain (TLD) play in cybersecurity defense?

Having a verified top-level domain like .Bank really locks in robust cybersecurity controls for banks from the start. 

The .Bank TLD helps customers know who they’re dealing with. This is crucial given all of the various types of phishing attacks we see, attacks which create challenges for banks to protect customer data and their own systems. We’ve seen over 860 banks that have made the decision to move their web domain to a .Bank domain. These domains can only be obtained by banks, so bad actors are unable to register one of these domains, making it very difficult to impersonate a legitimate bank. This provides an added level of assurance for bank customers, as when they see a .Bank domain, they know that they are on the website of a real bank. They also have additional security related to email authentication to reduce spoofing. 

Wrapping Up

Q: How important are awareness and education in cybersecurity?

It’s just critical. I mean, it is a cultural issue. It is constant training. 

When I was at BITS years ago, we used to run a group that came together to be responsible for their security awareness and training programs. Banks have taken many creative approaches to draw attention to the significance of this. 

And to this day, I think every bank offers its employees an annual security awareness training. 

I know we have a lot of controls in place at the ABA. One of the things that the ABA has done that I think is very creative is running a program called #BanksNeverAskThat. It’s designed as a consumer education program that alerts people to the fact that banks won’t ask them to do certain things that fraudsters typically do to extort or defraud them.

We’re trying to expand it to also look at some of the fraud we’re seeing in checks to alert people to how traditional technologies can also be a vector for significant losses and how banks and their customers can protect against that. 

So, training is key. It’s also a regulatory expectation and mentioned in supervisory guidance. 

Q: What is shaping the future of cybersecurity? What challenges and innovations can we expect?

The threats I highlighted today are not going away, so we’ll have to continue to deal with them. 

The conversation right now, particularly in the public and private sector collaboration space, revolves around the oversight of cloud providers. This is also a connection point into the AI equation since the cloud providers are key players in AI. Cloud computing and AI are transformative technologies. However, there are also some challenges that banks face in terms of the contracting process, visibility, and understanding of the risks associated with it. In July 2024, the FSSCC published several documents to arm financial institutions of all sizes with effective practices for secure cloud adoption and operations, and to establish a continuing effort and partnership to begin to address the gaps identified in Treasury’s report: https://fsscc.org/published-documents.

Private sector collaboration is important, and it’s also another reason why initiatives such as .Bank are so important. Years ago, financial institutions came together to identify a challenge and then develop a solution that individual banks can deploy and use to take advantage of the benefits of these types of enhanced security controls.

So, there’s more work to do, but financial institutions have a very strong foundation of working together, partnering with US Government agencies with the goal of protecting customers and our economy. 

Q: What advice would you give young professionals aspiring to work in cybersecurity?

One piece of advice is to think of cybersecurity as having multiple opportunities. It’s not just a technical field. There are other roles that people can play in cybersecurity, such as risk managers, innovators, and regulators.

Whether or not you’re a technical person at heart, there are some interesting risk management challenges and great collaboration opportunities. There are also ways for regulators to start thinking about this more innovatively and inventively.
