Craig Froelich

Chief Information Security Officer (CISO)
Bank of America Corporation

Last Updated: 07/29/2018

Executive Summary

Craig Froelich serves as the Chief Information Security Officer (CISO) at Bank of America Corporation, the financial services organization headquartered in Charlotte, North Carolina. He leads the team that is responsible for protecting the firm’s customers, clients and employees from cyber risks and threats. During his tenure at Bank of America, which began in 2008, Froelich has led the Company’s security technology, operations, insider threat and information protection programs. He joined Bank of America through its acquisition of troubled mortgage lender Countrywide Financial, where he rose to Senior Vice President, responsible for the Company’s cybersecurity technology, performance systems, crisis management, and security operations. Froelich began his career in September 1986 as a Consultant and in June 1990 was hired as a Product Manager at Dustin Software, a Swedish reseller of IT-products and additional services to businesses, public entities and consumers. From November 1994 to August 1995 he was Product Manager at PCM, an El Segundo, California-based provider of IT solutions and services, specializing in cloud, data center, mobility, networking, security, and software solutions. Froelich in August 1995 began a five-year run as Director at WebVision and from August 2000 to July 2001 was Consulting Manager at Netigy prior to that firm's sale to Cisco Systems Inc.

 

Personal Attributes and Interests

  • On his Twitter profile Froelich describes himself as a "SoCal dude learning how to be a southern gentleman. A nice lawyer named Keith said my opinions are my own."
  • Froelich has active security clearance from the U.S. Department of Homeland Security.
  • He has filed for eight information security patents, three of which have been issued:
    • Login Initiated Scanning of Computing Devices, United States 8,590,046, issued November 19, 2013: "Embodiments of the invention relate to systems, methods, and computer program products for login initiated remote scanning of computer devices."
    • Internet cleaning and edge delivery, United States 9,160,711, issued October 13, 2015: "Methods, systems, and computer-readable media for implementing a cleansing farm are presented. A cleansing farm may comprise of a computing device that filters customer requests directed to an organization before they are routed internal to the organization. A cleansing farm may receive customer requests and filter the requests based on a set of filtering rules."
    • Dynamic Incident Response, United States 9,165,250, issued October 20, 2015: "Methods, systems, computer-readable media, and apparatuses for providing dynamic incident response using advanced analytics are presented."
    • Dynamic Employee Security Risk Scoring, United States 20110167011, filed July 7, 2011: "Embodiments of the invention relate to systems, methods, and computer program products that provide for an employee security risk score."
    • Providing an Indication of the Validity of the Identity of an Individual, United States 20110166869, filed July 11, 2011: "Aspects of this disclosure relate to an identity level generating computer which may include a processor and memory storing computer executable instructions that, when executed, cause the computer to perform a method for generating identity levels for customers of a business."
    • Cyber Security Analytics Architecture, United States 20150033337, filed July 25, 2013: "Systems and methods are disclosed for responding to security events in real time."
    • Mobile Device Detection and Identification, United States 20150051976, filed August 13, 2013: "Systems, methods and computer-readable media for detecting a mobile device and identifying a user of the device are provided."
    • Risk Ranking Referential Links in Electronic Messages, United States 20140259158, filed September 11, 2014: "A computer system enables a business to reduce risks from phishing electronic messages. One or more original web links embedded in the electronic message may be replaced with a replacement web link. If the determined risk score for the original webpage is large enough webpage and the user clicks on the embedded web link, a user is directed to an intermediate webpage rather than to the original."
  • Froelich in November 2016 was selected as the Information Security Executive of the Year Award winner in the Financial Services Category by T.E.N., a technology and information security executive networking and relationship-marketing firm. Finalists included Steven Jensen, Executive VP and Chief Information Security Officer of Scottrade and Jason Lish, Senior Vice President of Security Technology & Operations of Charles Schwab & Company.

Current Focus

  • Company Snapshot: Bank of America Corporation is an American multinational financial services company headquartered in Charlotte, North Carolina. It is ranked second on the list of largest banks in the United States by assets. As of December 31, 2017, it had $1.081 trillion in assets under management (AUM). Bank of America is one of the Big Four banks in the United States, along with Citigroup, JPMorgan Chase and Wells Fargo. Bank of America operates retail branches in all 50 states of the United States, the District of Columbia and more than 40 other countries. It has a retail banking footprint that serves approximately 46 million consumer and small business relationships at 4,600 banking centers and 15,900 automated teller machines (ATMs).
  • Organization: Froelich works in Bank of America's Global Technology & Operations (GTO) organization, which is headed by Cathy Bessant, Chief Operations and Technology Officer. Nearly one-half of all employees work in the GTO, which operates with a budget of $17 billion. That’s 110,000 employees and contractors in 35 countries worldwide. 
  • Specific Duties: As CISO, Froelich is responsible for protecting Bank of America's customers, clients and employees from cyber risks and threats and has led the company’s security technology, operations, insider threat and information protection programs.
  • Cybersecurity Honors: Bank of America in April 2018 announced that its Global Information Security group has won the SC Magazine Professional Award for Best Security Team. The award was presented to Bank of America’s Global Information Security Group on April 17 during the 2018 SC Awards Gala held in San Francisco. Froelich was also named as a finalist in the “CSO of the Year” category. The 2018 Professional Award winners were chosen by a panel of judges comprised of recognized security professionals and leaders from a variety of backgrounds and vertical markets. The individuals, programs and teams chosen as winners in the Professional Award categories go through a rigorous judging process that includes testimonials, industry assessment and additional research. “Cyber threats keep growing, and clients rightly expect us to do everything we can to protect their information; getting this right is critical to our success,” said Froelich. “This award is tremendous recognition of our work in this area, and I’m proud of our team’s dedication to protecting our business’ and clients’ critical information.” Bank of America’s Global Information Security team has previously received national recognition for its cyber security and risk management efforts, as have a number of its members individually. The team also leads a variety of industry initiatives – in the U.S. and globally – to ensure the safety and resilience of the financial sector. “Bank of America is a shining example of leadership for the entire information security industry,” said Illena Armstrong, vice president, editorial, SC Media. “The Professional Award category of the SC Awards is continually evolving to recognize those who stop threats and educate the industry on best practices for protecting sensitive information.” The SC Awards, now in its 22nd year, are lauded as one of the most prestigious awards for information technology (IT) security professionals and products.
    The awards recognize the best solutions, services and professionals that work around the clock to defend against the constantly shifting threat landscape in today's marketplace.
  • Vetting Third-Party Vendors: JPMorgan Chase, Bank of America, Wells Fargo, and American Express have banded together and created a company called TruSight, SC Media reported in November 2017. This new firm's expressed mission is to provide a consistent assessment of potential third-party vendors for a company before one is hired. This will be done by designing and using a common questionnaire with all vendors and include online and on-site reviews to ensure that what the potential vendor said is true. Any such investigation would ensure that the vendor is using approved cybersecurity practices. “TruSight will establish a consistent approach to managing third-party risks associated with cyber threats and leverage best practices that will improve the industry as a whole,” said Froelich. TruSight will begin operations during the first quarter of 2018, the company said. "To say that third-party oversight is needed when it comes to cybersecurity would be a major understatement," SC Media observed. "In the last several months errors by third-party vendor errors have been blamed for numerous breaches, including Forever 21 POS breach, Maine IT office, several healthcare facilities and the takeover of Dell's domain."
  • Fortifies Online Banking: Bank of America said it would incorporate Intel Corp.'s Online Connect technology, which enables fingerprint touch payments, into its online banking systems starting in 2018, Reuters reported in October 2017. Cybersecurity is getting serious attention from U.S. companies, as concerns rise among financial market participants and regulators about the risks posed by cyber attacks. The financial services industry is among the most vulnerable to cyber crime because of the massive amount of money and valuable data that banks, brokerages and investment firms process each day. Just last month, credit monitoring firm Equifax disclosed that cyber criminals had breached its systems between mid-May and late-July and stolen the sensitive information of millions of Americans. BofA itself has earmarked about $600 million this year toward information security, Chief Operations and Technology Officer Cathy Bessant told CNBC earlier this month. The bank would spend a similar amount for information security next year, and has some 1,200 employees “dedicated to that effort,” Bessant added. BofA also said that customers with an iPhone X, Apple's newest smartphone, can use the phone’s Face ID technology for secure authentication into BofA’s mobile app.
  • CEO's Perspective on Digital Banking Capabilities: On a July 2018 earnings call Chairman and CEO Brian Moynihan talked up Bank of America's consumer digital banking capabilities. "Many of you use them, and all of you should," he said. "By investing in client capabilities, we make our clients’ lives easier, more efficient for them, more effective for them, and their satisfaction goes up. Our costs then in turn go down because our processes become more automated. So how does that play out? We crossed over 25 million active mobile users this quarter. Another 10 million use other digital channels, so that brings us to 35 million customers using digital devices this quarter on an active basis, and it continues to grow ... due to the innovation we had. Those mobile users ... logged into their mobile apps nearly 1.4 billion times this quarter. What are they doing with us?... While they do transactions, they also use them for communication. They’re using their digital services to set appointments in our financial services for their convenience, rather than just drop in. This assures we have the right teammates to serve the customers well. We had a half million digital appointments this quarter, but that’s still a lot of room to grow when you think of the 50 million customers we have that walk into our great stores every day, so it’s critical to have just both the digital and physical. As you can see in the roll-out of Erica, our digital assistant, you can do some tasks hands free or text, and that increases your flexibility.... Erica has grown nicely to over 2 million Erica users from only starting a few months ago. Customers are doing more of their regular deposit transactions on their digital devices. This quarter, we saw more deposit transactions by a person taking a picture of the deposit and sending over mobile phone than we did by a person handing their check to the teller. In fact, 76% of all our deposit transactions are now through ATMs and mobile deposit. 
    This allows for more meaningful relationship management activities to take place in our centers as we invest more and add more teammates to do that. Customers just aren’t transacting and researching with these capabilities, they’re using them for sales. Digital sales now make up 24% of all our sales in our consumer business. This compares favorably with all sectors, including general retail in terms of digital sales.... The adoption rate is moving faster for these newer products. New capabilities are taken up much faster by the customer base who is completely digital enabled. On payments, you can see the early adoption of Zelle has grown. In the recent quarter, we processed 35 million Zelle transactions or more than $10 billion in principal amount - that’s twice the pace of a year ago. We believe we account for about 25% of Zelle and this activity will continue to grow as the industry continues to drive this as our standard for P2P payments. Overall, consumer digital payments have now overtaken non-digital payments, more than $368 billion in digital payments.... Over 52% of total payments have come in this quarter. This is growing 12% on average for the past four years.... 24% of sales are executed digitally and we continue to expand that through other products and services. Digital auto was launched a year ago and now more than half our retail auto volume. Digital mortgage, which is a true end-to-end digital experience just brought out recently, is growing fast; and ... the Merrill Edge platform [was] growing assets 20% in the past year to $191 billion and 2.5 million accounts. We have parlayed that and our capabilities for our automated Merrill Edge guided investment platform. These examples are just a set of examples about how the sustained investment coupled with the change in customer behavior coupled with the process improvement coupled with the operating excellence allows us to drive positive operating leverage while driving up customer delight.
    There are many other examples across our company, including Cash Pro in our commercial set of businesses, which has 475,000 commercial users. We’ll continue to make these investments and continue to drive the operating leverage of the company, and that will provide good utility for you, our shareholders."
  • Roll Out Erica to Mobile Customers: Bank of America is rolling out its virtual financial assistant Erica to all of its 25 million mobile customers, according to a May 2018 Charlotte Business Journal article. Erica is artificial intelligence-driven, and helps Bank of America app users access balance information, transfer money between accounts, send money with Zelle and schedule meetings at financial centers. Customers can interact with Erica via voice commands, texting or touch. “Everything we do is based on what we hear from our clients: how they want to interact with us and how we can make their financial lives better,” Michelle Moore, Head of Digital Banking, said. The bank said it will continue to improve Erica's capabilities. In the coming months, Erica will be able to notify customers about upcoming bills and subscription charges, display spending and budget information, manage credit and debit cards and identify possible ways for users to save money. Aditya Bhasin, head of consumer and wealth management technology, said Erica's AI-powered knowledge increases as its interactions with clients increase. “In time, Erica will have the insights to not only help pay a friend or list your transactions at a specific merchant, but also help you make better financial decisions by analyzing your habits and providing guidance," Bhasin said. Erica is part of the bank's continued emphasis on technological investments, many of which include AI-powered advancements. BofA budgeted about $2.7 billion for technology spending in 2018 — on par with its spending in 2017. During the first quarter of 2018, BofA reported its mobile app users logged into their accounts 1.4 billion times and completed more than 140 million bill payments through the app. The bank has increased its mobile user base by roughly 5% in just six months, according to data provided by BofA.
  • Using AI to Improve Fraud Detection: Bank of America is in the early stages of experimenting with how artificial intelligence could help improve fraud detection, but first, executives said they need to understand how the algorithms actually work. The bank joins several organizations, ranging from the research arm of the U.S. Department of Defense to Uber Technologies and Capital One Financial that are grappling with the opaque nature of advanced AI algorithms, reported the WSJ in May 2018. The bank recently announced they’re working with Harvard University to address topics such as bias in algorithms. “We’re not fans of lack of transparency and black boxes, where the answer is just ‘yes’ or ‘no,’” said Hari Gopalkrishnan, client-facing platforms technology executive at Bank of America. Gopalkrishnan spoke about the bank’s interest in artificial intelligence at Bank of America’s Tech Summit. The bank currently uses analytic models to help employees detect fraud and, for the past few months, has been studying how artificial intelligence could further improve the detection rate, he said. If a customer reports a fraudulent charge, an advanced AI system could one day analyze large datasets and provide an employee with a specific judgment about whether the charge was indeed fraudulent, based on the customer’s past purchase behaviors and other data. Artificial intelligence could also be used to detect money laundering, Gopalkrishnan said. But the problem with advanced artificial intelligence systems, such as deep learning, is that they are not well understood. Deep learning tools include neural networks, software whose structure roughly tries to mimic the human brain’s operations, and while these systems can draw conclusions with unprecedented accuracy and speed, it’s not always clear how the dense web of computations reaches a specific decision. 
    An AI system that makes a judgment about a customer needs to be able to explain itself, Gopalkrishnan and other executives said. “We want to understand how the decision is made, so that we can stand behind it and say that we’re not disfavoring someone,” he said. There’s no timeframe for when an AI system could be deployed to help detect fraud, in part because solving the explainability problem is so important, he added.
  • Cryptocurrencies as a Payment System are 'Troubling': Cryptocurrencies are standing in the way of authorities catching "bad guys" who are using payment systems for nefarious purposes, Cathy Bessant, Chief Operations and Technology Officer, told CNBC in May 2018. Addressing a key criticism of bitcoin and its growing list of competitors, Bessant said it's important to differentiate the two major uses of digital currencies. "As a payment system, I think it's troubling, because the foundation of the banking system is on the transparency between the sender and the receiver, and cryptocurrency is designed to be nothing of the sort. In fact [it's] designed to be not transparent," Bessant said. That makes it more difficult to police business transactions in cyberspace. "The way we sort of quote-unquote catch bad guys is by being transparent in the financial moment of money," she said. "Cryptos is the antithesis of that." On the other hand, BofA's customers are free to choose to invest in bitcoin if they so wish. One thing they can't do, though, is use a Bank of America credit card to speculate in the crypto world. "Just like we don't allow stocks to be purchased on our credit cards, we're not going to allow cryptos or other currencies to be purchased on our credit cards," Bessant said. Broadly speaking, Bessant said bank security is improving. "I do actually think we're in a better position every day," she said. "Awareness is higher, the sophistication of our defense and detection efforts are growing every day. There are more players in the mix with a lot of expertise, and the threat environment is beginning to show patterns that make prediction and even automated prediction something we can do every day. So I do believe we're in a better place." However, she said the perception of some data thieves as modern-day Robin Hoods poses a problem.
    Using the good guy-bad guy analogy again, she said that the relationship is clear with someone robbing a bank, but less so with someone stealing data. "Often times the hacker or the person who causes the leak and steals the data are considered heroic," Bessant said. "We put Julian Assange on the cover of a magazine and call him person of the year, and yet WikiLeaks is in the business of stealing data."
  • Art of Cyber: Recent advances in technology have revolutionized the business of banking, according to an October 2017 WSJ article. Mobile and online banking have allowed financial institutions to cut down on paper costs and branches, saving banks billions. But at the same time, the growing threat of cyberattacks means lenders are constantly trying to prevent themselves from becoming the next Equifax Inc. At Bank of America that responsibility rests with Bessant. In an interview with WSJ, speaking of the dynamic between business needs and technology decisions, Bessant said, “There is only one way to be fully protected, and that is to shut the place down. The constant balance every day is between doing business and continuing to move forward and protecting the firm. Here’s an example: My team at one point a few years ago brought me an idea of creating speed bumps for incoming and outgoing email. I asked them, how long will the speed bump be? How long will it slow things down? They said it depended, but it could be as long as 20 to 30 seconds, depending on the traffic. OK, we run lots of businesses where 20 or 30 seconds shuts the place down. Think about sales and trading in the equity space, where we are managing milliseconds and nanoseconds. I decided that we needed to find a different way to protect ourselves because 20 seconds might not matter one day, but the day that it does, it’s too late. I couldn’t let the company become dependent on things that impeded our ability to be agile for clients and customers. The art of cyber is to keep the firm in business and continue to grow and serve the needs of the customer every day. That is judgment. That is creative problem-solving.” She also spoke about how she responded when she learned of the Equifax breach. She said, “The first thing as it relates to third parties, including Equifax, is that we structure state-of-the-art contracts with regular rights of inspection. 
    Many of our vendors tell us we’re onerous to do business with because of it. Thank goodness we have scale and we’re attractive to them because we write big contracts. We require certification of capabilities and defenses and require reporting. Where the most sensitive work is going on, we require our third parties to use our devices and our network. We can control the security of our own network. We engage with the third party immediately. We offer, and in some cases insist, that we help them figure out the solution. At the moment of a breach at a third party of ours, our destinies are aligned.”

Biographical Highlights

  • Froelich began his career in September 1986 as a Consultant.
  • In June 1990, he joined Dustin Software as Product Manager.
  • From November 1994 to August 1995, he was Product Manager at PCM.
  • He was a Director at WebVision from August 1995 to August 2000.
  • From August 2000 to July 2001, he was Consulting Manager at Netigy.
  • From 2001 to 2008, Froelich worked at Countrywide Financial where he rose to Senior Vice President, responsible for cybersecurity technology, performance systems, crisis management, and security operations.
  • Froelich joined Bank of America Corporation in 2008, through its acquisition of Countrywide Financial, and has since held the following positions:
    • Leader, security technology, operations, insider threat and information protection programs
    • Chief Information Security Officer (Present)

 

Other Boards and Organizations

  • Member, Executive Board and Advisory Council, Financial Services Roundtable - BITS (February 2013 - Present)
  • Chairman, Board of Directors, FS-ISAC (January 2011 - Present)



Contact Information

100 North Tryon St.
Charlotte, NC, 28255
United States

704-386-5681

craig.froelich@bankofamerica.com


Boardroom Insiders Executive Profiles and CEO Biographies

Other News and Interviews

Listen: Froelich Discusses the 2018 CISO Report, January 2018