How to Protect Sensitive Information in the Remote Work Era

Welcome back to CFO Weekly, where we're talking with financial leaders about how to build efficiency in their teams, create time for strategy, and ultimately get results. With your host, Megan Meese. Let's jump right in today.

Megan - 00:00:31: My guest is Ben Chrnelich, president and CFO of the markets, infrastructure, and technology platform Symphony. Ben has a passion for capital markets technology and has spent his career focused on enabling trading organizations to utilize technology that drives efficiency and productivity. Over the past two decades, he has held financial and management leadership positions at Charles Schwab, Lehman Brothers, New York Stock Exchange, and IPC, where he drove business strategy to adapt to the constantly evolving trading landscape. When not working, Ben enjoys coaching soccer for New Jersey ODP and his daughter's teams. Ben, thank you very much for being my guest on today's episode of CFO Weekly.

Ben - 00:01:15: Thanks, Megan, I appreciate you inviting me and really looking forward to our conversation.

Megan - 00:01:19: Yeah. Today we're going to be discussing cybersecurity, record management, and monitoring issues that have stemmed from remote work, particularly in financial services. And with the increasing frequency and sophistication of today's cyber threats, this is a topic that nobody can afford to ignore. I'm really looking forward to learning from you. So let's get started.

Ben - 00:01:39: Fantastic.

Megan - 00:01:40: First and as always, let's start with you and your career journey and how it is that you got to where you are today.

Ben - 00:01:47: Thank you very much. So, currently, I'm President and CFO at Symphony. Symphony is a capital markets platform that focuses on market infrastructure, collaboration, and workflows, and provides a community capability to all professionals working in financial services and capital markets. So we have a community of over 600,000 users and are a kind of 24/7 system that a lot of people rely on as they're working through their capital allocation, trading, and communication all across Wall Street investments, institutional asset management, and related technology. I've been here about a little over three years. I would say the first half of my career was really on the investment banking, capital markets, and trading side. So I spent a lot of time working on trading floors, capacities of business management, finance operations, working with a lot of our regulators, and different liquidity centers, and a lot of involvement in acquisitions and mergers. So was always in financial services, and capital markets, spent time at Robertson Stephens in San Francisco. We're kind of right in the middle of the Internet boom. And that cycle was at Lehman Brothers for a number of years in New York and the Equity Sales and Trading Group, and after 2008, moved out of the kind of core investment banking trading side to New York Stock Exchange and had an opportunity to help build the commercial technology business at NYSE, which was a really fascinating experience for me as I was able to really understand the buying cycle, the purchasing cycle, how clients and organizations that I've been part of thought about their technology roadmaps and how we as technology providers and solution providers, could help build into those roadmaps. After NYSE was acquired by Ice, I stayed on for a little bit of time to help with some of the divestitures and integration work that they needed to get done. And then was CFO at IPC, which is now a technology organization providing trader voice and electronic networking and data distribution, was there for about six years and then came over to Symphony.

Megan - 00:03:51: So I'm just curious, talk to us a little bit about the workflows that Symphony helps manage. What kind of workflows are those?

Ben - 00:04:00: So it's communication and collaboration and I would say data dissemination. So from a communication standpoint, we have one of the leading trader voice platforms or products in what we call Cloud Nine. And so that allows traders in a screen-based and mobile-ready environment to speak directly with their clients on the buy side or traders at other organizations. And that's done over high audio, high quality, recorded, compliant, and direct dial environment. If you just can imagine a trading floor where you have individuals that are talking into a speaker voice trading or communication, that's done over a very secure, encrypted, specific, purpose-built voice communication platform. That's one thing that we run. We also have a full collaboration suite of messaging, integrations with Microsoft, teams with Zoom, and our own voice and video capabilities. So people internal to their firms and then external to other firms are able to communicate in a secure and encrypted manner. On the Symphony platform, everyone is identity verified, so it's a known community of participants. So if somebody from an investment bank messages you over Symphony, you have a very high degree of confidence or almost complete confidence that you're interacting with that person, which is not always the case with other platforms. And then we do what we call a lot of compliant, enabled federated messaging, which is a lot of words to say that you can use Symphony to talk to individuals on SMS, WeChat, or WhatsApp. So if you're a regulated user, so you're regulated by the SEC or the CFTC or the different agencies that provide the regulatory framework for broker-dealers and capital markets firms. There are certain requirements that you have to meet in how you communicate with clients in the forums and mediums you use for that communication. Symphony allows you to connect to your client's messaging tools, so you're always in compliance with those rules. But at the same time, clients can speak to you on the platform that they're most interested in using. Yeah, absolutely. We have about 2000, we call them bots, but that run on the platform. About 75% of those are built by our clients. They look at manual processes in the trade workflow and they can use Symphony to automate those processes. So it can be something as routine as sending information between a depository and a custodian and a settlement agency. It can be research tags and information that's being pulled out it can be pricing info that is disseminated prices that were transacted at that's disseminated across the platform. And so people really look at it simply and say, there are so many people connected, there are 600,000 users on the platform. What daily tasks can we automate and just put into a process instead of having an individual to have to work through those specific items? And so that really drives efficiency because automated tasks are better than manual tests.

Megan - 00:06:59: So can you discuss some of the cybersecurity challenges that financial services companies have faced during the shift to remote work and also what measures Symphony has taken to address these challenges?

Ben - 00:07:10: Yeah, absolutely. I think cybersecurity is being someone that's been in the capital markets technology space for most of my career. Cybersecurity has always been a topic I've spent time on, really came to the forefront of my thinking and focus when I was at New York Stock Exchange. As one of the leading markets in the world and maybe the most well-known stock exchange brand in the world, we were a top-five institution of hacks or attempted hacks on a daily basis. So we implemented and employed some of the top cybersecurity experts in the world to ensure that the integrity of the New York Stock Exchange markets was never breached and that we had a really good sense of how to fight and impact cybersecurity threats. And they could come from anywhere, right? It could be a group of individuals that were nefarious and trying to truly do damage to the integrity of the markets. It could be probably amateur individuals who just thought it'd be fun to poke around and see if they could get into a New York Stock Exchange trading system. So to me, we think about cybersecurity. We rely so much on the integrity of the information that is given to us, whether it's messages that come across, whether it's prices and size trades that are communicated or emails that come through sensitive deal information. You think of where we operate in capital markets. Almost every message or every element of communication that people have tied into sensitive information. It could be individual private client information. It could be mergers and acquisitions, it could be IPO syndicate allocations. There are all these things that happen in the flow of capital that have privacy around them that other people would love to know, certainly for nonlegitimate purposes. But it's information that folks want to get at ostensible profit from that information. So there are really two elements. One is, can you protect the information that resides within a company's environment to ensure that external people cannot get access to it? And there are all sorts of tools for that. With Symphony, we're encrypted end to end. We do not see any of the information flow. There's probably any month, there's 175 to 200 million messages that come across the Symphony platform. We, as Symphony, never see those actual messages. So we're the platform and the distribution and the deployment and the endpoints that get the message from one person to another. But that message data, that message, the actual content sits within the clients. So we really are a very secure system and no one can break into Symphony and then see those messages on the same side. We want to make sure for clients that everything is encrypted so that there's no ability to intercept a message or understand information that is coming across. So for us, that security encryption is absolutely critical. Then there's how do you keep your information within the right community? And I think there are so many times, especially in email, everyone's made the mistake of typing the wrong email address in or missing someone's name by one letter or inadvertently adding the wrong person who may have a very similar name to a confidential email that goes out. And all of a sudden you've exposed confidential information and breached a cybersecurity policy. Within Symphony, we every day are verifying back to our clients and our customers the exact identity of the people on the platform. And for us that identity management and that identity confirmation and knowledge is absolutely critical because if you're sending information, a file, a document, a term sheet, a SIM, whatever it may be, you know, the people that are in your Symphony room or your Symphony collaboration channel are those people and are verified on a daily basis. So I think cybersecurity is a big area of spend and investment banks are always looking to ensure that fraud is mitigated, that phishing attempts are tracked and mitigated. But you think of how easy it is for people to access their financial information. Today you can log on to your brokerage account on an app and move significant amounts of money with a couple of keystrokes. You can log on to your bank account on an app and pay bills, move money, transfer money, wire money, and certainly criminal activity has figured out how they can intercept some of those flows and look to either steal actual funds or become aware of information that could lead to them doing things, potentially profit from it.

Megan - 00:11:36: And this is a bit of an aside, but I've been reading a lot lately about artificial intelligence. So can you talk to us at all about how that's changing the landscape of cyber threats?

Ben - 00:11:48: Yeah, absolutely. And interestingly enough, about three or four weeks before Chat GPT called hit the market and gained so much awareness, we purchased a company called Amenity Analytics which was an AI and NLP so natural language processing programming firm focused on capital markets. So they have models and artificial intelligence that can read through earnings reports, research reports, and other content that is relative to or related to capital markets firms and then pull out or tag the elements in that report that are most pertinent to a trader or research analyst. They can do sentiment analysis, they can understand things that are said, how those things correlate to other activities that may happen. So AI and NLP have become a really important part of the trading ecosystem in the trading environment. Now, the risk is that you just believe everything that you hear from Chat GPT. And I heard something on CNBC the other day. One of the anchors was talking about putting information and asking questions into some of these AI models. And the information that came back was inaccurate. And they said I knew it was inaccurate because I had read something different and I had read the actual source document. But for whatever reason, the model wasn't trained appropriately to pull the most accurate information back. So the models are only as good as the information that's there. And it's amazing, the work, and it's truly kind of mind-blowing, some of the work that can come out, but from integrity of information and validation of information, you can't just rely on an AI model to tell you exactly what you need to know in the current context. So we're working with a number of our partners on helping develop AI models that are specific to capital markets that we are comfortable with the integrity of the information, the reliance of that information, and the validity of that information. Because if you're purporting to give somebody stock prices or earnings release trends or performance of a company, you need to make sure that those numbers are verifiable audible, and reliable. Otherwise, you just have a bad model and you're not going to have people interested in looking at your information.

Megan - 00:14:00: And how has Symphony adapted its record management policies and practices to accommodate the increase in remote work and the use of personal devices for work purposes?

Ben - 00:14:11: Great question. We're a global company, around 600 people. We have individuals in our New York office, London office, Paris office, and Sophia Antipolis, which is in the southern area of France. We have a team kind of covering the APAC region. And then we have individuals that work in other locations that are not tied into a specific Symphony office. We're definitely a hybrid work culture. We have days where we have a lot of people that are in one of our offices, and there are other days where people are working remotely, either at client sites or bouncing around visiting clients, or at home or in a different environment. And we really had to adjust how we think about arguing. Now, one, we do a lot of our internal work over Symphony. So wherever you are, as long as you're operating within the Symphony platform and the Symphony framework, we're very comfortable with us being able to ensure that information is not leaving the organization in a manner that we wouldn't want to. We also do a lot of training with employees. Right? I mean, the world is so intertwined between personal and work applications that you really need to be cognizant of what work are you doing in an environment that's not secure. So if you're on a personal laptop and you're in a Google Doc, does that inadvertently expose that Google Doc to a different environment than you would want it to? We're fortunate that the technology company, we have very technologically adept professionals working here, so they really understand what they need to do and how they need to operate as it relates to confidentiality, security, and accessibility of information. And so we really try and give out all the tools for individuals to ensure that whether it's on their PC, on their iPhone, on their Android, on their iPad, on their Surface, whatever technology platform they're using, they can operate their Symphony professional work responsibilities and in a secure environment.

Megan - 00:15:58: And what steps have you guys taken to monitor employee behavior and prevent data breaches while employees work remotely?

Ben - 00:16:06: We don't really monitor employee behavior. We've all read some of this, seems a little crazy. How many keyboard clicks does somebody have or how many times is their mouse moving around? You see kind of some funny things on Instagram micromanage. Yeah. What we really look at is the effectiveness of employees and kind of goal attainment, the engagement both in person and virtually throughout the day, throughout the week, and also activity on Symphony and some of our other platforms. So we invest a lot of time in analytics platforms. We use Domo. We use adaptive. We use Salesforce. We do look just inherently at who is most active in those environments, right? Like, what's happening from a client standpoint? What are the client updates that we're talking about? What are client sales pipelines looking like in our Domo analytics? Where are the regions and the teams that are seeing a certain amount of activity? I think we have the normal compliance tools in place to help remind people about the sanctity of information and the non-distribution and dissemination of information. But we don't have tools in place that I would say monitor behavior. But we do have policies that we really make sure everyone understands the criticality of the professional technology environment that we need to stay in and the risks of getting information outside of that technology environment.

Megan - 00:17:26: And I'm not sure if you can or not, but can you discuss a specific incident or threat that Symphony faced within the realm of cybersecurity during the shift to remote work and how the company responded to that?

Ben - 00:17:39: Yeah, we've been fortunate that we haven't had any breaches or security hacks that would impact the integrity of the system. That said, like any platform, Symphony is subject to hacks and cybercriminals quite frequently. So a couple of things that we've done at one point we had something that was called Public Symphony, where anyone could sign up for Symphony and have some degree of limited access into the Symphony community. Now, we had a verification process that we would go through and we had an identity process that we went through to make sure that we had some knowledge of those individuals. As Symphony became more popular as a platform and more people were working in a remote fashion, we just decided to take that public capability away. We knew it could impact business a little bit, but we thought there was just too much risk. And we saw unfortunately, we were able to catch them, but we saw instances of people trying to gain access to the system and not really having a logical reason to do it or coming in from locations that were known for high degrees of cybercriminal activity. We deal with all the normal email phishing and other areas where people are trying to gain access through links and we get texts from people on, can you wire money here, can you wire money there? So we do spend a lot of time with our employees, helping them understand. What are the instances that people would ever ask you for certain types of information? What are the steps that you go through if you get these? And our CISO spends a lot of time looking at incoming threats, hacks, and attempts to make sure that we have security around those. We do work with some of the top hosting providers and data center providers in the world and are constantly partnering with them on how to think about their protection and alleviating the number of opportunities that people can try and break into our ecosystem.

Megan - 00:19:29: Why do you think it is that cyber threats seem to have just exploded in the last, I would say maybe three to five years? I often wish people would spend half the time doing good that they're spending trying to do something evil. So why do you think it is that this has really become such a problem in the last five years?

Ben - 00:19:54: Because it's profitable. Yeah, that's my personal view that people are engaging in cyber warfare and cyber criminality because ultimately they can make money off of it. And at what used to be the kind of funny emails you get about if you send me $1,000, I'm going to release $5 million into your bank account. And someone's like, oh, that sounds like a good idea, let me go do that, to where it's much more sophisticated can we figure out how to put spying software on someone's personal phone and see what their login codes are to their brokerage account and then can we move money out? Think about the amount of money that moves across the world on an hourly basis. Trillions of dollars are moving around all day long, right? And if somebody can say, hey, I figured out how to step in and take a little bit of that out of the system and you see it through credit card fraud, through phishing, through access to accounts, to just outright scams of deposits, automated debits into accounts. You just think of all the things that happen on a fraudulent basis and people are still making money off of it. And it's this ongoing balance between it is easier to trade off your phone, your iPad, or your computer than it is to pick up the phone, call a broker, place an order, and then wait to hear what that order was filled at. And trading volumes have increased exponentially through this. The liquidity, transparency, pricing, and end consumer engagement in their financial affairs and financial decisions have really increased quite a bit due to technology. But it's also opened up these pathways where people can just get into your information and try and take your money.

Megan - 00:21:45: So as these threats become more and more sophisticated, how do you educate your employees to avoid them or not click on this or that?

Ben - 00:21:56: I think it's really people understanding the seriousness of the impacts that can happen if you inadvertently allow a hacker into an environment. And if you think on any given day how many apps you open, how many emails you answer, how many texts are coming in, how many links are sent to you, it's just you can get in that routine of, I'm opening this, I'm checking this, I'm looking at this, I'm asking for this, I'm typing this password here. So we really spend a lot of time on what are the best practices for security. So we have dual authentication for all of our applications. We have ways. We have obviously, passwords, login checks, identity verification, and just ongoing awareness of the threats that are out there. To me, it's the balance between things just becoming routine and people can pick up on a pattern versus understanding what just seems out of the ordinary and unlikely that that would happen. And I was cleaning up some of my text this morning, and I think it was a bit ironic that I was having this conversation with you today, but I had a text last week, purportedly from our CEO, saying, hey, I'm in a conference call. I'm in a conference meeting right now. I can't get out, but I need you to send to wire some money. You just text back to me so I know you got this, and I'll let you know exactly what needs to be done. Now, our CEO would never actually do that with me over text, but it was just such a casual type of text that an average person could be like, oh, maybe someone needs something and they're texting me, they have my number, and it's coming across to this person, sure, let me respond back. And as soon as you respond back now, all of a sudden you're engaged in a step that gets it closer to doing it. If you imagine that an individual is sending out thousands and thousands of texts like that all day long, all they need is one or two to fall for it, and they've probably taken tens of thousands of dollars illegally.

Megan - 00:23:46: And how does Symphony stay current with the evolving landscape of cybersecurity threats?

Ben - 00:23:52: Yeah, that's a great question. So, two things. One, our ownership group contains upwards of 20 of global commercial investment banks. So we really do get access to and we're the privilege to work with some of the top minds across financial services and capital markets in cybersecurity. We as a software platform, are right alongside the technology teams at all the banks. So our technologists do have the opportunity to work across 20 to 30 different global banks, understanding what they're doing around fraud prevention, and cybersecurity protection, and gaining that knowledge. And then as a company, we also invest millions of millions of dollars a year in cybersecurity. We have a Chief Information security officer. He spends a lot of time looking at the threats that are out there educating people on things that are coming in, things that are as simple as updating your browser version because there's a new hack or a new threat. The exposure that came out to our sock. Two audits to constantly looking at the infrastructure of what's coming in and making sure that we have the right software in place, the right monitoring tools, and the right alerting tools that when things happen that are not part of our normal pattern that those are quickly escalated because we are the foundation of our company is based on encrypted and secure communication between market participants. And we can just never be in a situation where the integrity of that communication is breached. So for us, it's critical that we're current with both our investors, and our customers, and then also internally as to how we ensure the sanctity of all that information.

Megan - 00:25:33: And what advice do you have for CFOs out there listening today on how they can protect themselves from these threats? Yeah, their companies. Sorry.

Ben - 00:25:45: Yeah, I mean, you have to have a great partnership with your CIO, with your CSO, with your product team. I think the job and the role of the CFO have evolved so much in the past ten or 15 years. It's so beyond just numbers and reports and metrics. It's really someone effective CFOs to understand their technology environment. They understand the technology tools that are in place. They understand the different companies that provide security and software to the organization. And they understand and appreciate the criticality that a CIO has in protecting that infrastructure. And it's not cheap. If you want to have a secure and protected technology infrastructure, you do have to invest money in that. And it's not always money that you can see that direct return from, because it may not lead to a sale or it may not lead to product expansion or deployment. But if every day you know that those investments are protecting your environment from intrusion, hackers, downtime, from people prohibiting you from deploying your software, that is a pretty important investment. So knowing the technology infrastructure, being really strong business partners with the technology executives, and being aware, like, constantly looking at what's going on in the company and where are areas that we have risk-taking. The SoC two audits. Very seriously talk with consultants that come in that see threats from other areas and have that extra antenna up of what can go wrong, how we're protecting against it, and ultimately, what is the customer impact if something does go wrong and having those plans in place that you can quickly remediate if a problem does arise.

Megan - 00:27:25: Great advice. So, last question. As a finance leader, what is it that keeps you motivated?

Ben - 00:27:31: Yeah, I think for me it's really two things. One, I love the pace that I always have of technology innovation and capital markets. And at the heart of capital markets, it's about the flow and allocation of capital to businesses, to companies, to organizations that need that capital to grow and operate whatever product or service they're delivering. And then investors are able to find organizations that they want to put their money into and help grow. It sounds very simple, right? But it's a trillion dollars market that happens all day long. And for me, just the technological innovation that's happened over the past 20 years is inspirational. 20 years ago, we were mostly voice trading. Volumes are very low. The sophistication of products was minimal. Customer transparency, end-user price transparency, liquidity, and products, all were like still very early stages. And you look at how the markets evolved over the past 20 years, it's been technology applications that have created more price transparency, more liquidity, better capital options, and different types of structures that meet the needs of corporates and individuals as they're thinking about their own capital profiles. And for me, being a small part of that industry for a long period of time is really motivating. And then second, I've been fortunate in my career and certainly at Symphony, to work with a great team. Whether it's the corporate team across finance, HR, corporate development, or our broader commercial and product, and engineering teams, this industry attracts some really smart people, very motivated people, very thoughtful individuals. And for us folks that really want to help drive technological efficiency and software efficiency into our clients, we're always solving problems. This is an industry where you're asked to solve problems all the time. And for me, it's motivating to be given a problem and work with a really good team on figuring out how we give solutions to those problems.

Megan - 00:29:25: Great answer. Ben, thank you so much for being my guest today.

Ben - 00:29:28: Thank you for the invitation. It's a really important topic. I'm sure it's something that we will continue to talk about for years as there's the ongoing battle between those that want to use technology for really good purposes and then those that are trying to penetrate that for not-so-good purposes.

Megan - 00:29:45: Yeah. Well, I appreciate you taking the time to be here with us today and I wish you and Symphony all the best. And to all of our listeners, please tune in next week, and until then, take care.

If you're ready to boost efficiency and streamline your accounting processes at significant cost savings, it's time to talk with Personiv. Their people-powered solutions have transformed the delivery of back-office tasks and general accounting functions for decades, partnering with clients to provide everything from accounts payable to payroll services. See what Personiv can do for you by visiting Personiv.com.

You've been listening to CFO weekly presented by Personiv. Please subscribe wherever you get your podcast to hear all of our episodes. Want to learn more? Check out Personiv.com. Thanks for listening.