Craig Froelich

Craig Froelich
Chief Information Security Officer (CISO)
Bank of America Corporation

Last Updated: 12/15/2017

Executive Summary

Craig Froelich serves as Chief Information Security Officer (CISO) at Bank of America Corporation, the financial services company headquartered in Charlotte, North Carolina. He leads the team responsible for protecting the firm’s customers, clients and employees from cyber risks and threats. During his tenure at Bank of America, which began in 2008, Froelich has led the company’s security technology, operations, insider threat and information protection programs. He joined Bank of America through its acquisition of the troubled mortgage lender Countrywide Financial, where he had risen to Senior Vice President, responsible for cybersecurity technology, performance systems, crisis management and security operations. Froelich began his career in September 1986 as a consultant and in June 1990 was hired as a Product Manager at Dustin Software, a Swedish reseller of IT products and related services to businesses, public entities and consumers. From November 1994 to August 1995 he was Product Manager at PCM, an El Segundo, California-based provider of IT solutions and services specializing in cloud, data center, mobility, networking, security and software. In August 1995 Froelich began a five-year run as Director at WebVision, and from August 2000 to July 2001 he was Consulting Manager at Netigy prior to that firm's sale to Cisco Systems Inc.


Personal Attributes and Interests

  • On his Twitter profile Froelich describes himself as a "SoCal dude learning how to be a southern gentleman. A nice lawyer named Keith said my opinions are my own."
  • Froelich holds an active security clearance from the U.S. Department of Homeland Security.
  • He has filed for eight information security patents, three of which have been issued:
    • Login Initiated Scanning of Computing Devices, United States 8,590,046, issued November 19, 2013: "Embodiments of the invention relate to systems, methods, and computer program products for login initiated remote scanning of computer devices."
    • Internet cleaning and edge delivery, United States 9,160,711, issued October 13, 2015: "Methods, systems, and computer-readable media for implementing a cleansing farm are presented. A cleansing farm may comprise of a computing device that filters customer requests directed to an organization before they are routed internal to the organization. A cleansing farm may receive customer requests and filter the requests based on a set of filtering rules."
    • Dynamic Incident Response, United States 9,165,250, issued October 20, 2015: "Methods, systems, computer-readable media, and apparatuses for providing dynamic incident response using advanced analytics are presented."
    • Dynamic Employee Security Risk Scoring, United States 20110167011, filed July 7, 2011: "Embodiments of the invention relate to systems, methods, and computer program products that provide for an employee security risk score."
    • Providing an Indication of the Validity of the Identity of an Individual, United States 20110166869, filed July 11, 2011: "Aspects of this disclosure relate to an identity level generating computer which may include a processor and memory storing computer executable instructions that, when executed, cause the computer to perform a method for generating identity levels for customers of a business."
    • Cyber Security Analytics Architecture, United States 20150033337, filed July 25, 2013: "Systems and methods are disclosed for responding to security events in real time."
    • Mobile Device Detection and Identification, United States 20150051976, filed August 13, 2013: "Systems, methods and computer-readable media for detecting a mobile device and identifying a user of the device are provided."
    • Risk Ranking Referential Links in Electronic Messages, United States 20140259158, filed September 11, 2014: "A computer system enables a business to reduce risks from phishing electronic messages. One or more original web links embedded in the electronic message may be replaced with a replacement web link. If the determined risk score for the original webpage is large enough and the user clicks on the embedded web link, a user is directed to an intermediate webpage rather than to the original."
  • In November 2016 Froelich was selected as the Information Security Executive of the Year Award winner in the Financial Services category by T.E.N., a technology and information security executive networking and relationship-marketing firm. Finalists included Steven Jensen, Executive Vice President and Chief Information Security Officer of Scottrade, and Jason Lish, Senior Vice President of Security Technology & Operations at Charles Schwab & Company.
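The last patent abstract above describes a recognizable pattern: every link in an inbound message is swapped for a link to a click-time service, which scores the original destination and either redirects the user or interposes a warning page. The block below is an added illustration of that pattern written for this page; it is not Bank of America's or the patent's implementation. The rewrite host (safelinks.example.com), the HMAC key, the risk threshold, the scoring heuristics, the reputation table and the sample message are all constructed for the example.

```python
"""Phishing link rewriting with a risk-scored interstitial (added example).

Two phases, as in the patent abstract:
  1. rewrite_links():  at delivery time, replace each original href with a
     replacement link to a click service, carrying the original URL and an
     HMAC so the click service cannot be abused as an open redirector.
  2. handle_click():   at click time, verify the HMAC, score the original
     destination, and either redirect (low risk) or interpose a warning page
     (high risk).
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumed deployment parameters (not from the page or the patent).
REWRITE_HOST = "https://safelinks.example.com/click"
SIGNING_KEY = b"demo-key-not-for-production"
RISK_THRESHOLD = 50

# Constructed reputation table: lower is safer; unknown hosts get a default.
DOMAIN_REPUTATION = {"accounts.example.com": 5, "news.example.org": 10}

# Constructed sample message body as the mail gateway would see it.
SAMPLE_MESSAGE = (
    '<p>Please <a href="https://accounts.example.com/login">verify</a> '
    'or <a href="http://198.51.100.7/reset-password">reset</a>.</p>'
)

HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def sign(url: str) -> str:
    """Truncated HMAC-SHA256 over the original URL, binding it to this service."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_links(html: str) -> str:
    """Replace every original href with a signed replacement link."""
    def repl(match: re.Match) -> str:
        original = match.group(1)
        return f'href="{REWRITE_HOST}?u={quote(original, safe="")}&s={sign(original)}"'
    return HREF_RE.sub(repl, html)


def parse_click_url(url: str) -> dict:
    """Decode the query string of a replacement link into {"u": ..., "s": ...}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def risk_score(url: str, reputation: dict) -> int:
    """Toy click-time scorer (0..100) using constructed heuristics."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    score = reputation.get(host, 40)                      # unknown host: medium
    if parsed.scheme != "https":
        score += 20                                        # cleartext transport
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        score += 30                                        # raw IP literal
    if host.count(".") >= 3:
        score += 10                                        # deeply nested subdomain
    if "@" in parsed.netloc:
        score += 30                                        # userinfo lookalike trick
    if any(w in url.lower() for w in ("login", "verify", "password", "account")):
        score += 15                                        # credential-themed path
    return min(score, 100)


def handle_click(query: dict, reputation: dict) -> dict:
    """Decide what the click service does for one decoded replacement link."""
    original = query.get("u", "")
    provided_sig = query.get("s", "")
    # Constant-time comparison; a forged or edited 'u' fails here.
    if not hmac.compare_digest(provided_sig, sign(original)):
        return {"action": "block", "reason": "bad signature"}
    score = risk_score(original, reputation)
    if score >= RISK_THRESHOLD:
        return {"action": "interstitial", "score": score, "target": original}
    return {"action": "redirect", "score": score, "target": original}


if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_MESSAGE)
    print(rewritten)
    for link in HREF_RE.findall(rewritten):
        print(handle_click(parse_click_url(link), DOMAIN_REPUTATION))
```

The signature is the part practitioners most often omit: a click service that will forward to any `u=` value is itself an open redirector that phishers can launder links through, so the redirector should only honor URLs it signed at delivery time. In the sample message, the first link scores 20 and is redirected; the second (cleartext, raw IP, "password" in the path) saturates at 100 and gets the interstitial.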

Current Focus

  • Organization Snapshot: Froelich works under Chief Technology and Operations Officer Catherine Bessant in Bank of America's Global Technology & Operations (GTO) organization, which is home to about one-third of the bank's staff. That’s 100,000 employees and contractors in 35 countries - recruited from campuses worldwide, financial institutions and technology companies. Bessant told InformationWeek that she runs her 11-person tech and operations leadership team a bit like a board of directors. Every few weeks they come together for a KIP review, where they discuss and debate a short list of "key initiative programs," such as the bank’s software-defined infrastructure effort and whether to go with a proprietary or OpenStack platform (they had planned to split workloads 50-50, but they’re leaning more on proprietary as the open platform matures). Bessant officiates. "As you can imagine, that [format] can be somewhat uncomfortable, but it leads to better outcomes," said one of her direct reports, Technology Infrastructure Executive David Reilly.
  • Specific Duties: As CISO, Froelich is responsible for protecting Bank of America's customers, clients and employees from cyber risks and threats, and has led the company’s security technology, operations, insider threat and information protection programs.
  • Launching Vendor Management Firm: In November 2017, Bank of America, American Express, JPMorgan and Wells Fargo set up a new company named TruSight to carry out risk assessments of suppliers and partners, Finextra reported. TruSight aims to combine best practices and standardize the process for conducting vendor risk assessments. Financial services firms increasingly rely on third parties for a host of critical services, but the industry lacks a simple and comprehensive approach to gathering and validating risk assessment information on those firms. As a result, both the financial institutions and their vendors spend time and money requesting, providing and validating assessment information in an inefficient and duplicative manner. TruSight promises to simplify this by gathering information on service providers' information security, technology, hiring practices and governance, and verifying it through remote or on-site validation. The information is stored on a secure, shared platform available to financial institutions of all sizes, including investment banks, wealth management firms, asset managers, credit card companies, insurers and community and regional banks. The four founders of TruSight had been working together for the previous two years to craft a standardized vendor questionnaire for risk assessment. "TruSight will establish a consistent approach to managing third-party risks associated with cyber threats and leverage best practices that will improve the industry as a whole," Froelich said.
  • AI-Powered Digital Assistant: Bank of America plans to debut an AI-powered digital assistant named Erica, with which consumers can chat by voice or text through the bank’s mobile app, the Wall Street Journal reported in May 2017. Speaking at a financial technology summit, executives said the chatbot represents the bank’s measured approach to artificial intelligence, developing uses for the technology only in areas where the company thinks clients will truly benefit. “We’re trying to separate the hype from the client need,” said Aditya Bhasin, Bank of America’s chief information officer for consumer and wealth management technology. Bhasin said the chatbot can help consumers simplify and speed up transactions instead of wasting time navigating the mobile app to find the right tabs. “Many apps today, including ours, are very menu-driven,” Bhasin said. “As more and more capabilities get delivered into these apps they become harder to navigate.” With Erica, a client could say things like, “I want to send money to a friend,” or “I want to pay a bill,” and Erica can facilitate the transaction. Erica could also use advanced analytics to give consumers suggestions about how to better manage their personal finances. For example, if a consumer has a specified savings goal, Erica could alert them when there is a balance left over in their checking account at the end of the month, ask whether they would like to move the extra cash into a savings account, or help the person set up an appointment with a financial solutions advisor. Erica, which was announced in October 2016, was in testing as of May 2017; when it debuts later in the year it will join a number of other chatbots in industries ranging from finance to airlines.
  • Digital E-Commerce Solution for Merchants: Bank of America Merchant Services and Bypass are teaming up to help arenas, sporting venues, corporate and college campuses, hospital cafeterias and other contract food and beverage operators run their concessions more efficiently through a new unified, digital commerce solution, according to a May 2017 BofA news release. Bank of America Merchant Services is a global leader in payments, eCommerce and security solutions. It processed more than 15.2 billion transactions at approximately 660,000 merchant locations in 2016. Launched in 2010, Bypass is an innovator in cloud-based restaurant and multi-site food management systems. “Businesses in the food and beverage industry will enhance their operations and customer experience with our innovative point-of-sale solution,” said Bank of America Merchant Services CEO Tim Tynan. “With Bank of America Merchant Services and Bypass behind them, these businesses can network Clover point-of-sale terminals, better manage inventory and staff, and tap into valuable customer insights.” The Bank of America Merchant Services and Bypass unified solution already powers more than 10,000 point-of-sale locations across the United States, including concessions at a collegiate football stadium that seats more than 100,000 fans and the café at one of the nation’s largest credit bureaus. Clients who use Bank of America Merchant Services and Bypass’ unified solution may benefit from:
    • Cloud-based connectivity offering point-of-sale mobility
    • A fast and secure checkout experience for their customers
    • The ability to accept virtually all payment methods
    • Greater agility through real-time menu inventory management
    • Customized sales, employee and customer reporting
  • Create Data Maps to Prepare for Cyberattack: Obscurity is not a good strategy in today’s cybersecurity landscape, where every company in a given ecosystem, down to the smallest contractor, is under threat of attack, according to the Wall Street Journal's CIO Journal. Because it takes just one security weakness to expose the whole business supply chain, mapping how corporate data moves inside and outside the company is critical, said participants at a New York cyber event. Bank of America’s merchant services group, which handles transactions with Visa and MasterCard, requires detailed information, including such maps, from third-party partners, said JoAnn Carlton, general counsel for the group. Carlton is prepared to stop working with vendors, suppliers and other partners that will not assume responsibility for the bank’s data when it passes through their systems. Creating useful maps is “a very tortured and complicated exercise,” she said, but important for managing security and risk related to customer personally identifiable information, or PII. The bank determines which data a vendor would touch and then decides what to do, she said.

Biographical Highlights

  • Froelich began his career in September 1986 as a Consultant.
  • In June 1990, he joined Dustin Software as Product Manager.
  • From November 1994 to August 1995, he was Product Manager at PCM.
  • He was a Director at WebVision from August 1995 to August 2000.
  • From August 2000 to July 2001, he was Consulting Manager at Netigy.
  • From 2001 to 2008, Froelich worked at Countrywide Financial where he rose to Senior Vice President, responsible for cybersecurity technology, performance systems, crisis management, and security operations.
  • Froelich joined Bank of America Corporation in 2008, through its acquisition of Countrywide Financial, and has since held the following positions:
    • Leader, security technology, operations, insider threat and information protection programs
    • Chief Information Security Officer (Present)


Other Boards and Organizations

  • Member, Executive Board and Advisory Council, Financial Services Roundtable - BITS (February 2013 - Present)
  • Chairman, Board of Directors, FS-ISAC (January 2011 - Present)

Contact Information

100 North Tryon St.
Charlotte, NC, 28255
United States


Boardroom Insiders Executive Profiles and CEO Biographies