Cybersecurity Financial Services Summit: New York

November 6, 2025 | 8:30 AM ET - 5:00 PM ET

Hosted by BankInfoSecurity

Event Overview

ISMG’s 2025 Financial Services Cybersecurity Summit will tackle the sector’s most urgent cyber challenges. A keynote panel of leading CISOs will discuss how InfoSec leaders’ responsibilities now span IT, data, communications and operations, underscoring cybersecurity’s strategic role. Sessions will deliver insights on advanced threat intelligence, payment fraud prevention, AI’s impact on attackers and defenders, and leveraging cyber insurance in risk management.

The event concludes with the interactive Solution Room, a hands-on incident response workshop where participants face a high-stakes deepfake scenario to strengthen crisis planning and response.

View our ISMG Event Experience video to see what your peers are saying about their participation.

Venue

Conrad New York Downtown

102 N End Avenue

New York, NY 10282

NOTE: All requests to attend will be reviewed by event staff and approved based on professional qualifications and event capacity.

Speakers

Thought Leaders on Stage Leading Deep-Dive Discussions

ISMG Summits bring the foremost thought leaders and educators in the security space to the stage, interactive workshops and networking events. Learn from the “who’s who” in cybersecurity, passionate about the latest tools and technology to defend against threats.

Scott Tenenbaum

Head of Claims, North America, Resilience

Seth Rose

Supervisory Special Agent Group 06, U.S. Department of the Treasury/Cyber Investigation Unit

David Anderson

Vice President, Cyber, Woodruff Sawyer

Vlad Brodsky

SVP, Chief Information Officer, OTC Markets Group

Agenda

Given the ever-evolving nature of cybersecurity, the agenda will be continually updated to feature the most timely and relevant sessions.

7:30 AM - 8:30 AM ET

Registration & Breakfast

8:30 AM - 8:35 AM ET

Opening Comments

9:00 AM - 9:30 AM ET

The CISO's Dilemma: Balancing Accountability, Regulatory Reporting and Security in 2026

This session will review the last year and explore where CISOs have made progress in defining and strategizing about their mandates, communicating with management and company boards, quantifying and visualizing risk, building new security frameworks and influencing company culture, all while protecting their companies’ critical assets.

Panelists will discuss real-world scenarios and use cases that can help define the role of the CISO in 2026 while reducing both burnout risk and weak security posture.

Session Highlights:

  • How CISOs’ responsibilities have changed regarding risk management, data governance and business operations;
  • Approaches that can align company stakeholders around cybersecurity objectives, fraud reduction, compliance and other risk domains;
  • Strategies for engaging with company boards and executive leadership on cybersecurity risks and solutions;
  • Measuring security programs’ value in financial terms to support informed decision-making.

Erika Dean

CSO, Robinhood Markets

Eric Boateng

CISO, MassMutual

1:20 PM - 2:30 PM ET

Trust Undermined: An Immersive Simulation of AI-Augmented Insider Threats

This expertly designed session challenges participants to respond to cascading disruptions across IT and operational systems, unraveling the role of AI-augmented tactics in exploiting insider vulnerabilities. With a multi-phase simulation highlighting the cross-industry impact of AI-augmented insider threats on IT and operational systems, attendees will collaborate to develop actionable strategies for containment, detection, and long-term defense.

What You Will Gain From This Experience: 

  • Precision Threat Response: Master techniques for isolating compromised systems, analyzing hybrid network activity, and mitigating cascading disruptions caused by insider-enabled AI attacks.
  • Real-World Scenario Insights: Understand how AI-driven insider threats exploit IT-OT vulnerabilities, with lessons applicable to sectors reliant on interconnected systems.
  • Actionable Defense Playbook: Design advanced countermeasures, including micro-segmentation, AI-based anomaly detection, and evidence preservation for incident response and regulatory requirements.

Ed Thomas

SVP, ProcessUnity

2:55 PM - 3:25 PM ET

Generative AI Arms Race - Cyber Offense and Defense

This session confronts the double-edged sword of AI in cybersecurity. On one side, we see cybercriminals leveraging generative AI to supercharge phishing campaigns, create polymorphic malware, and even produce convincing deepfake voices or videos to facilitate fraud. On the other side, forward-leaning security teams are deploying AI for threat detection, automated incident response, and code review at unprecedented speed. We will explore real examples of AI-powered attacks – as well as how financial firms are harnessing AI in defense. Experts will emphasize the need for governance and caution amid the hype, including strategies to prevent AI model abuse and ensure AI outputs can be trusted.
 
Attendees will learn:
  • How adversaries are weaponizing generative AI, and where these tactics have been observed in the wild.
  • Ways financial institutions can deploy AI and machine learning for defense.
  • The importance of AI governance and security for AI systems to prevent new attack vectors.
  • Emerging best practices and frameworks to responsibly integrate AI into cybersecurity programs.
 

Darryl Jones

VP of Product and Strategy, Ping Identity

3:25 PM - 3:55 PM ET

Payment Fraud 2.0 - Stopping Cybercriminals in Real Time

In this session, we explore the “New Age” of payment fraud and the tools and tactics needed to combat it. From synthetic identity fraud to sophisticated social engineering that bypasses controls on real-time payment networks, fraudsters are innovating quickly. We will examine recent cases of large-scale payment and wire fraud that leveraged data breaches, account takeovers, and increasingly convincing use of deepfakes. This discussion will focus on how cyber teams and fraud units can partner more closely, sharing data and insights to detect anomalies in digital transactions. We’ll also highlight defensive innovations such as machine learning models for transaction monitoring and customer behavior analytics to spot illicit patterns.
 
We will discuss:
  • The rise of synthetic identities and account takeovers targeting banks and payment platforms.
  • Techniques to detect and block fraudulent transfers before money is lost.
  • Organizational approaches for converging fraud prevention and cybersecurity.
  • Emerging tools that help identify subtle fraud indicators without adding excessive friction.
 

Bill Sovak

VP of Data Protection Sales, Fortra

3:55 PM - 4:05 PM ET

Embedding Security at the Speed of Finance

A well-executed DevSecOps strategy can turn security into a business enabler, integrating controls directly into the software lifecycle without stalling delivery. This session focuses on what DevSecOps means for CISOs in financial services: not just shifting left, but embedding governance, risk, and compliance directly into development workflows.

We’ll explore how leading financial firms are implementing security guardrails in CI/CD pipelines, using policy-as-code to enforce controls, and ensuring that software shipped to production meets regulatory and resilience standards.

We’ll also discuss how to drive alignment across AppSec, DevOps, and GRC functions, especially in environments where infrastructure is increasingly ephemeral and APIs serve as critical product infrastructure.

We will cover:
  • How to establish DevSecOps as a governance model, aligned to compliance and operational resilience.
  • Real-world practices for embedding security guardrails into CI/CD pipelines.
  • Strategies to integrate SBOM validation, third-party component monitoring, and change control into Dev workflows.
  • Cultural and structural changes needed to align AppSec, DevOps, and GRC teams.

Vincent Stoffer,

Field CTO, Corelight, Inc

8:55 AM - 9:00 AM ET

CISO 360° – Expanding the Cybersecurity Mandate in Financial Services

Our Keynote will examine how cybersecurity leadership is expanding into a business-wide mandate – from compliance and privacy to fraud prevention and operational resilience. We will discuss the growing strategic importance of cybersecurity at all organizational levels and how CISOs must collaborate across risk, compliance, and business units to embed security into the company’s DNA. Attendees will hear how new regulations and rising board expectations are elevating the CISO’s accountability. Through real-world examples, we’ll explore strategies for breaking down silos, communicating cyber risk in financial terms, and aligning security initiatives with core business objectives to drive resilience and trust.

Key Takeaways:
  • How and why the CISO’s responsibilities now span enterprise risk management, data governance, and business operations;
  • Approaches to bridge communication gaps between cybersecurity, fraud, compliance, and other risk domains;
  • Effective methods to engage the Board and executive leadership on cybersecurity as a strategic business issue;
  • Strategies for measuring and conveying security program value in financial terms to support informed decision-making.

Vincent Stoffer,

Field CTO, Corelight, Inc

9:00 AM - 9:30 AM ET

Zero Trust: Cutting Cyber Risks, Lowering Claims, and Unlocking Better Cyber Insurance!

Discover how Zero Trust Architecture can transform your cybersecurity strategy while unlocking better insurance outcomes. Marsh & McLennan’s recent report reveals that nearly $500 billion in annual cyber losses could be prevented with Zero Trust and robust cyber hygiene. This session will empower you to:

  • Minimize the impact of CVEs and prevent breaches by leveraging Zero Trust;
  • Reduce cyber insurance claims and losses with proactive defense;
  • Perform deductive analysis to secure more favorable cyber insurance policies.

Attendees will learn how adopting Zero Trust network access enhances security posture and results in more favorable cyber insurance policies, including:

  • Preventing one third of cyber incidents;
  • Cutting breach costs by over 20%;
  • Reducing insured loss by up to 31%.

Vincent Stoffer,

Field CTO, Corelight, Inc

9:30 AM - 10:00 AM ET

The Path to a Password-Less Future

Going password-less has been a shared goal across the financial industry for several years. What will it take to achieve it? This session will explore advances in biometrics, hard tokens and passkeys, consider how these advances can improve or impede customer UX, and examine where more friction could be a requirement. Panelists will also discuss the implications of password-free security within financial organizations.

Session highlights:

  • Implications for the future of identity;
  • Potential attacks on password-less authentication;
  • The role of data analytics and AI in supporting password-less security frameworks;
  • Impact on insider threat detection and internal system management.

Vlad Brodsky,

Chief Information Officer & Chief Information Security Officer, OTC Markets Group Inc.

10:00 AM - 10:30 AM ET

Top Recommendations from the Financial Services State of Software Security Report

The report analyzed 1.3 million applications to find the most significant risks that this sector faces.

Highlights include:

  • 57% of financial services apps have at least one security flaw, and progress on reducing flaws has stagnated since 2021;
  • Fixing issues takes 276 days on average, nearly a month longer than in other industries;
  • 77% of organizations carry unresolved flaws over a year old, 63% of which are critical;
  • Most of the critical security debt (82%) comes from open-source code;
  • 45% of AI-assisted code completion tasks generate a flaw that must be remediated.


Join us to learn more about the key findings, best practices to fix them, and a discussion on where the industry will go next.

Chris Wysopal,

Chief Security Evangelist, Veracode

10:30 AM - 10:40 AM ET

Sponsor Showcase: Corelight

Vincent Stoffer,

Field CTO, Corelight, Inc

10:40 AM - 11:05 AM ET

Networking Break

11:05 AM - 11:35 AM ET

Combating Insider Threats with Data Resilience and Endpoint Control

This session explores how to detect, respond to, and recover from internal attacks. Learn how to strengthen your security posture with proactive monitoring, unified endpoint management, and resilient backup strategies that protect data, ensure compliance, and minimize damage from insider-driven incidents.

Chris Young,

Cybersecurity Enterprise Account Executive, OpenText

11:35 AM - 11:45 AM ET

Sponsor Showcase: Thales

Vincent Stoffer,

Cybersecurity Enterprise Account Executive

11:45 AM - 12:15 PM ET

Get Off the Assessment Treadmill. Take a Data-First, Questionnaire-Second Approach

More resources? Not likely. Sound familiar? You’re not alone. We’ve been at this for years, yet the process continues to become more burdensome for your team and for the people in your company who rely on your third parties. It doesn’t have to be that way.

The newest risk exchange models are eliminating up to 80% of questionnaire requests by leveraging validated data. In this session, we’ll show you how to transform your third-party risk management program by incorporating smarter workflows and better data access.

What you’ll learn:

  • How to instantly perform inherent risk analysis across your entire vendor portfolio;
  • Ways to incorporate real-time risk data to reduce the number of questionnaires;
  • How to map your questionnaires to industry-standard frameworks or threat profiles to ask fewer, more targeted questions;
  • How to access assessment data on large, hard-to-assess third parties that don’t respond;
  • How to monitor 100% of your third-party portfolio not just your critical vendors.

Sandeep Bhide

VP Product Management, ProcessUnity

12:15 PM - 12:45 PM ET

Navigating 23 NYCRR 500 Compliance in Financial Services

Join this session to address the unique challenges of critical system security within the framework of 23 NYCRR 500, including the latest November 1 deadline. We’ll break down each regulatory requirement, highlight why critical systems must be a central focus, and explore the tangible costs of non-compliance. From vulnerability management and penetration testing to MFA and surgical data recovery, we’ll provide actionable insights and a readiness checklist to help you take immediate steps toward compliance. 

You will learn: 

  • How to align critical system security, like mainframe and IBM i, with 23 NYCRR 500 requirements;
  • Phased approaches to minimize disruption and meet regulatory needs;
  • Practical steps for vulnerability management, MFA, and more.

Don’t miss this opportunity to gain clarity, reduce noise, and take control of your critical system security strategy.

Tim Hill

VP, Software Engineering, Rocket Software

12:45 PM - 12:55 PM ET

Sponsor Showcase: Replica Cyber

Vincent Stoffer,

Field CTO, Corelight, Inc

12:55 PM - 1:40 PM ET

Lunch

1:40 PM - 2:10 PM ET

Security by the Numbers: Cyber Risk Quantification & Insurance Strategy

This session examines how leading institutions are adopting outcome-driven metrics and cyber risk quantification to translate technical risk into business risk. We’ll explore methodologies for financially measuring cyber exposure and discuss the evolving role of cyber insurance in risk management.

We will examine:

  • Frameworks and tools for cyber risk quantification;
  • The state of the cyber insurance market for financial institutions;
  • How to integrate cyber insurance into your broader risk strategy;
  • Approaches to reporting cybersecurity to the board with outcome-focused metrics.

Scott Tenenbaum

Head of Claims, North America, Resilience

David Anderson

CIPP/US, Vice President, Cyber, Woodruff Sawyer - A Gallagher Company

Kimberly Pack

Counsel, Thompson Hine LLP

2:10 PM - 2:40 PM ET

EHLO World: Spear-Phishing at Scale using Generative AI

Vincent Stoffer,

Field CTO, Corelight, Inc

2:40 PM - 3:40 PM ET

Solution Room - Trust Undermined: An Immersive Simulation of AI-Augmented Insider Threats

This expertly designed session challenges participants to respond to cascading disruptions across IT and operational systems, unraveling the role of AI-augmented tactics in exploiting insider vulnerabilities. With a multi-phase simulation highlighting the cross-industry impact of AI-augmented insider threats on IT and operational systems, attendees will collaborate to develop actionable strategies for containment, detection, and long-term defense.

What You Will Gain From This Experience:

  • Precision Threat Response: Master techniques for isolating compromised systems, analyzing hybrid network activity, and mitigating cascading disruptions caused by insider-enabled AI attacks;
  • Real-World Scenario Insights: Understand how AI-driven insider threats exploit IT-OT vulnerabilities, with lessons applicable to sectors reliant on interconnected systems;
  • Actionable Defense Playbook: Design advanced countermeasures, including micro-segmentation, AI-based anomaly detection, and evidence preservation for incident response and regulatory requirements.

Vincent Stoffer,

Field CTO, Corelight, Inc

3:40 PM - 4:00 PM ET

Networking Break

4:00 PM - 4:10 PM ET

Sponsor Showcase: Anvilogic

Vincent Stoffer,

Field CTO, Corelight, Inc

4:10 PM - 4:40 PM ET

Insider Threats – from Negligent Actors to Deepfaked Job Candidates

Session participants will cover various types of employee behavior that could be evidence of compromise or malicious intent, as well as methods enterprises can deploy to legally and ethically monitor their employees’ activities, especially those with contact with customer accounts and sensitive company data.

Session Highlights:

  • Common risk areas, including privileged third parties;
  • How Zero Trust and other frameworks apply to specific financial-company assets;
  • Proactive monitoring and incident response techniques;
  • Use cases enabling agentic AI and other automated processes.

Vincent Stoffer,

Field CTO, Corelight, Inc

4:40 PM - 5:05 PM ET

Third-Party Domino Effect – Lessons in Supply Chain Risk

In this session, we address the critical challenge of third-party and supply chain risk management in the financial sector. We’ll explore real-world case studies and cover best practices for due diligence, continuous monitoring, and incident response planning.

Key Takeaways:

  • Real-world impacts of supply chain breaches in finance;
  • Methods to perform rigorous vendor due diligence and monitoring;
  • Tactics for managing fourth-party risk and systemic concentration;
  • Incident response considerations for third-party incidents.

Imran Khan

VP Cyber Security Transformation Lead, BNP Paribas

Vlad Brodsky

Chief Information Officer & Chief Information Security Officer, OTC Markets Group Inc. 

5:05 PM ET

Closing Comments

Don’t miss your chance to attend this dynamic, impactful event.

@ISMG_News #ISMGSummits

CPE Credits

ISMG Summits offer Continuing Professional Education Credits. Learn from informative and engaging content created specifically for security professionals.

Upcoming ISMG Events

September 24, 2025

Future-Proofing ERP Transformation With AI and Low-Code

October 1, 2025

CNAPP: Secure Gen AI and Cloud Innovation Without Slowing the Business

October 9, 2025

Retail at the Edge: The Infrastructure To Deliver AI, Prevent Cyber Threats

November 5, 2025

Fraud Prevention Security Summit: New York

November 6, 2025

Cybersecurity Summit: New York Financial Services
