Cyber security: Insights from Bank of America’s chief information security officer

An interview with Craig Froelich, chief information security officer

The cyber security landscape continues to evolve rapidly. Over the last five years, there have been over 1.5 billion cybercrime complaints and a total of $7.45 billion in losses.[1] Since 2016, personal data breaches and phishing scams have continued to become more prevalent.[2] Last year, according to the U.S. Federal Bureau of Investigation (FBI), business email compromise topped the list of most costly cyber-attacks with losses totaling over $1.2 billion.[1] It comes as no surprise that protecting information and data from cybercrime continues to be a top priority for companies in all industries.

Workplace Insights sat down with Craig Froelich, chief information security officer at Bank of America, to share insights into ways Bank of America protects information and supports client companies’ security efforts.


Craig Froelich

Workplace Insights (WI): Given the ever-changing cyber threat landscape, how do you approach information security at Bank of America?

Craig Froelich (CF): Information security is and will continue to be a top priority for Bank of America because the trust of our clients and customers is fundamental to our business. Our approach to information security and data protection is an intentional and integral part of every system, process and business interaction at Bank of America. The power to protect our clients comes from being forward-looking, agile and innovative. We are also constantly challenging ourselves to consider how things could be even better.

A whole host of factors created the cyber security landscape we see today. Cyber attacks continue to grow in sophistication and malicious intent. As a result, they require constant attention and investment. Our threat management model provides multiple layers of security. We want our clients and customers to trust our ability to prepare for, prevent, detect, mitigate, respond to and recover from information security threats and risks. We constantly assess and evolve our program to protect our clients. In addition to making strategic, and significant, investments in our technology and people, we continuously test our response capabilities and validate the effectiveness of our controls. Through this process, we strengthen our multiple layers of protection to provide end-to-end delivery of information and data security.

Our commitment to information security extends beyond Bank of America. We proactively lead industry efforts to protect critical infrastructure and continually enhance the many layers of security we’ve built to protect the financial information of our clients, customers and employees. Information security is also a critical part of our corporate risk culture, and we leverage both internal and external assessments and partnerships with other sectors to ensure we are taking a holistic approach. We do all of this to maintain confidentiality and integrity when it comes to protecting information and resources.


WI: Can you tell us about the purpose and operations of the Global Information Security (GIS) team?

CF: We are one team committed to protecting the firm. At Bank of America nothing is built or introduced without security at the foundation. Global Information Security is a part of that foundation, providing sustained excellence in information security to protect our clients. As one of the largest information security teams in the world, we have a diverse group made up of technologists, problem-solvers and innovators. In fact, we have nearly 450 patent applications in the works to aggressively combat cyber threats. With this team, we understand the risks our clients face and we dedicate the necessary resources to protect against these risks.


WI: It sounds like preparation and prevention are critical to the operation. What is your approach to making sure your team is ready?

CF: Every part of our threat management model—from prevention to recovery—is important, but preparation and prevention are key in the face of cyber threats. We want to make sure that our technology, talent and systems combat any potential threat and anticipate what could be around the corner.

We plan extensively to define clear roles, responsibilities and levels of decision-making authority for each team member. We train our employees across a variety of divisions within the company on our plans so that they understand their role in cyber defense. We also use an internal team that operates like cyber attackers to test and identify any vulnerabilities in our defense system. Lastly, we conduct routine company-wide cyber security exercises. Through these exercises, we continue to strengthen our incident response and communications capabilities.

Preparing is a continuous process. As we train, test and exercise, we have the opportunity to update and strengthen our plans. In addition, through these exercises, we continue to embed security knowledge throughout the organization which makes us more resilient.


WI: What is the best way to build cyber resiliency in the financial industry?

CF: Without a doubt, collaborating and sharing information with our industry partners makes us all more resilient. The cyber security threat landscape is always changing and, in response, we all need to be preparing for what comes next.

Effective resiliency programs are built around the following:

Prevent significant incidents from occurring.
Continue to provide critical business services within defined impact tolerances in the event of an incident.
Recover to normal operations promptly.
Learn from scenario-testing and incidents in order to limit the impact of future, similar incidents.

We proactively engage and partner with industry organizations like the American Bankers Association, the Bank Policy Institute, and the Financial Services Information Sharing and Analysis Center to keep an open dialogue and debate on cyber security. Through these efforts, as well as partnerships with government stakeholders such as the Department of Homeland Security and U.S. Treasury Department, we are pushing the dial forward in creating new strategies and solutions to cyber threats and hazards.

Working with our industry and government partners makes us stronger, smarter and more effective when it comes to protecting financial data and information for our clients, customers and employees.


WI: What can companies do to educate and advise employees on best practices for cyber security?

CF: Bank of America provides a variety of resources to clients, including seminars with our experts on how to protect their businesses and steps to take if they encounter fraud. In addition, we provide our clients with tools and online resources that are designed with security in mind. As an employer, it is always good to provide best practices for employees to keep their information secure. For example, employees can create strong user IDs and passwords, opt to have a prompt at each login with knowledge-based challenges, and use two-factor authentication. No matter what job title you have, everyone plays a vital role in protecting important and valuable information and data.


Threat management
Bank of America uses a Five-Fold Threat Management Framework to keep information safe:

1. Prepare: We constantly analyze the threat environment to identify attacks before they happen.
2. Prevent: Understanding how our adversaries might attack us means we can take steps to reduce the number of security incidents.
3. Detect: We are continuously monitoring for potential attacks—whether they come through networks, applications or business partners.
4. Mitigate: If there is an incident, we have a well-rehearsed plan of action to ensure it’s contained.
5. Respond/Recover: By having a recovery plan in place we can quickly restore any services that were harmed.

Key takeaways

Download a new overview about how we help keep information safe to learn more about our approach.

Listen to our podcast series to gain additional insights.

Encourage your employees to practice safe online behavior by sharing our tips to keeping information safe, available on Benefits OnLine®.

[1] 2018 FBI Internet Crime Complaint Center Internet Crime Report, April 2019.

[2] 2017 FBI Internet Crime Complaint Center Internet Crime Report and 2016 FBI Internet Crime Complaint Center Internet Crime Report.