Standard Chartered CEO on why cybersecurity has become a 'disproportionately huge topic' at board meetings
As the chief executive of one of the largest banks in the world, Bill Winters is constantly identifying, evaluating and taking steps to mitigate risks.
And over the last decade at London-based Standard Chartered, cybersecurity has become a major focus of his in terms of investment, employee training and board discussions. "That just reflects the magnitude of the threat," according to Winters.
As CEO, Winters is less concerned about specific vulnerabilities or threat groups than he is about how cybercrime is evolving and how he can bake cybersecurity awareness into all aspects of the company. Cybersecurity "is religion here," said Winters, when discussing efforts to reduce the risk of phishing attacks.
Winters recently talked to Recorded Future News about the bank's approach to cryptocurrency and artificial intelligence, as well as how he's been able to influence cybersecurity culture at an 85,000-person company. The conversation below has been lightly edited for space and clarity.
Recorded Future News: How is artificial intelligence shifting the way that your company is handling cybersecurity?
Bill Winters: Probably the earliest applications for us have been in the compliance realm, where we're processing millions of transactions that have to be screened and we’re always looking for patterns or data points that would suggest the fund flow could be illicit. We have very substantial obligations to identify these things and report them. We obviously have the data that is coming from these transactions, but it needs to be structured properly.
Probably the single biggest investment we've made as a bank over the past 10 years has been in our whole financial crime compliance regime, because it's existential for a bank — if you get that wrong, you get your license pulled. But that’s where we started, probably going back to 2015, 2016, 2017, and we developed a lot of data skills that are useful for lots of other things — risk modeling in our trading businesses, for example. But it was basically taking our data and reconfiguring it and using it in different ways.
Where it starts to get interesting is when we start using third-party data or when our data is in any way transmitted outside the bank, opening up the channels that would expose us to primarily data privacy concerns, but also to cyber concerns. We have an absolutely excellent cybersecurity team making sure that how we're opening up those channels in or out of the bank is very secure. It's happened in an evolutionary way rather than everything's locked down, and then tomorrow we open the whole thing up. We've not had major incidents, and it's because we've been quite cautious.
When you get into some of the generative AI areas, we're very concerned about data leakage outside the bank. We don't have ChatGPT sitting on any Standard Chartered computers — we do in some sandboxes, but we're putting very, very substantial protocols in place to make sure that the private bank data can never be shared externally or go to some depository of data that could cause us to breach our obligations.
I'd say banks generally are at the cautious end of the spectrum on the adoption of generative AI. But certainly the big tech and cloud providers are very focused on the particular requirements of companies that have substantial privacy concerns and are building tools together with us to allow us to tap into the enormous productivity capabilities of these tools.
RFN: Sanctions have exploded in recent years, especially amid conflicts like Russia’s invasion of Ukraine. Has that posed a compliance challenge?
BW: Every time a new sanction rule comes out from anybody, it goes into our rules database, and we have to screen every transaction against that rules database. We don't have a business in Ukraine or Russia, so in that sense we know that we're not going to be exposed from that perspective. But we're one of the largest, if not the largest, correspondent bank in the world. We get around 1,800 banks that clear their U.S. dollars and some other currencies through us. If they're originating payment into or out of Russia or into or out of Iran or into or out of North Korea, we have to spot that, and we have to report it or stop the payment. Russia-related sanctions in Ukraine have absolutely impacted our daily life, not our operations, but just the transactions we process.
Sanctions have been around for decades, but the Iranian sanction regime was the one that took it to a whole new level, and that goes back 20 years. The proliferation of sanctions is quite substantial, and it's not just the U.S. anymore — it's the U.S., and the UK, and the EU, and China and Russia levying sanctions. We really have invested a lot to have really good sanctions compliance systems so that we can process these millions of transactions with really no disruption to the business unless there's reason to believe that the payment could be illicit, in which case your business is definitely disrupted.
RFN: Speaking of Russia, some cybersecurity experts have warned that the tightening economy there has meant that the hacking and ransomware scene is booming. Have you noticed an uptick in financially-motivated attacks originating from Russia?
BW: Yes. I only have to open up the newspaper to see the uptick in the attacks. It's not just Russia — some of the state-backed groups are particularly well resourced, but ransomware and malware-as-a-service is clearly proliferating, and it's affecting some of our clients. I'm sure that there are attempts to penetrate our defenses. I think typically banks are very well protected. We intend to be as protected as we possibly can be, but we're not naive enough to think that nobody could ever penetrate us under any circumstance, so our guard is constantly going up. But I don't think it's specific to Russia, even though Russia has taken a particular stance on a number of fronts that is not very friendly to neighbors and counterparties and friends.
RFN: One of the most notable banking cyberattacks happened nearly a decade ago and involved a hack of the SWIFT network. It was attributed by many to North Korea — are they still seen as a major threat among banks?
BW: We've all invested massively. I'm sure you're referring to the attack on Bangladesh — it was $81 million and it’s just money that's gone. I don't know how many resources the attacker put into that attack, but it was not $81 million. The silver lining in that case was it woke everybody up to not just vulnerabilities around SWIFT implementation, but a whole slew of vulnerabilities.
But we are constantly, constantly, constantly upgrading our own capabilities and constantly testing. We test, our regulators test, there's some very sophisticated penetration testing firms that are testing banks all the time. Of course, they find things from time to time, but I think banks have put up quite a good defense. You know as well as I do that when the commercial actors go to make money, they go where they can get the best bang for the buck, which typically means the weakest entry point with big money. I think they concluded quite a while ago that while you might penetrate a bank if you try hard enough, it's quite hard and quite expensive.
RFN: How involved is the bank in cryptocurrency? What's your outlook on the cryptocurrency ecosystem as a whole?
BW: We made some investments in that space, we have a custodian called Zodia Custody, we have a marketplace and an exchange called Zodia Markets. Those are partnerships, so we control both of them but we have outside partners. They were built in our venture lab, so they're separate from the bank, but they benefit from all the cyber knowledge that we have in the bank. We have the same, if not more rigorous, cybersecurity standards in each of these ventures as we have in the bank itself. That's the big appeal… people want separation of execution, settlement, custody. Historically in that industry, as you know, they've lumped together into single firms. They want institutional-grade custodial services, including cybersecurity. It's not to say that we're not complacent for a moment, that somehow because we're bank-aligned, that we're not subject to attack. But we've invested heavily in that, and that's a key part of the proposition we offer to our clients.
We'll continue with the business, not because Bitcoin has increased in value, but because the startup players in that space did not evidence institutional-grade controls, and we have and we intend to maintain that. More broadly, inside the bank itself, it's extremely disadvantaged from a regulatory perspective for us to hold any inventory in cryptocurrencies. But the digital asset space we think is extremely interesting.
We've got a bunch of pilots of one sort or other where we're tokenizing everything like Kenyan government bonds, which obviously is nothing like Bitcoin. In Kenya, you’ve got savers who for the first time are accumulating a few hundred dollars, but the denomination for a government bond is a thousand dollars so they can't buy one. So we buy some government bonds, we tokenize them, we sell them — that kind of thing. Our bet over time is that a broad range of assets will be tokenized. I'd love to tokenize carbon credits. I'd love to tokenize mutual funds and eventually encroach on the ETF market. And so the custodian that we built and the marketplace we built, that's the necessary infrastructure to be able to support that ecosystem. So for the time being, it's absolutely dominated by Bitcoin and Ether. But as time goes by, I think we'll see an enormous upsurge and a really wide range of digital assets and tokenized assets that will be using that same infrastructure.
RFN: What are the benefits of tokenization?
BW: It's cheap, easy and risk-reducing. Real-time settlement, settlement on blockchains, so verifiable and transparent to all parties. There’s almost zero marginal cost of execution, it eliminates lots of middlemen, all the clearinghouses go away. Once everybody's scaled up it's a much more efficient marketplace with lots of intermediaries disappearing, including banks in some cases. But if we're going to get there, we want to be contributing to the infrastructure that runs things going forward. Because if we get there, we're going to be displaced anyway, so we might as well have a stake in something where we can serve our clients.
RFN: Law enforcement has been clawing back hundreds of millions of dollars in cryptocurrency tied to money laundering or other types of crime. How do you feel about efforts to have stricter know-your-clients rules?
BW: That's what we do. Nobody's selling anything back from us because we're doing it right in the first place. But we all know that what happens in the crypto universe is very difficult for law enforcement to get their arms around. But it's still difficult to buy a house with Bitcoin. You’ve got to have somebody that gets you in and out of the crypto market. And in one way or another, it's very likely to hit a bank. So law enforcement works with us very carefully to track any in and outflows in cryptocurrencies… To get the money back out of the digital economy into the real economy and the fiat economy, you're going to have to go through a bank. That's where law enforcement trains their guns, and it’s fantastic because financial crime is bad for everybody except for criminals.
RFN: What are the biggest ways you've been able to influence cybersecurity culture in your organization?
BW: It's an ongoing challenge. We've had some really, really excellent CISOs in the bank, and we've had some really excellent outside advice. One of our board advisors is a man named Sir Iain Lobban, who ran GCHQ not that long ago. And he's been a really good prompt for us. So working together with the CISO team and the risk cyber team as well — of course, they're technical experts themselves, and I think they’ve done an excellent job of putting the technical program around our own defense mechanisms. But probably the most challenging thing was to get the broad business — the people who weren't technical experts — to understand what role they have to play in our cybersecurity defenses.
Going back many years, it started with working with each business head to help them understand or declare what are the key assets that we must protect at all costs. It was really interesting to go through that exercise early on and see how unfamiliar some of the business heads were with what their own crown jewels were. Once you identify and are clear on what the crown jewel is, then you have to be part of the defense mechanism around those. Each one of these things costs money or reduces flexibility or, if done incorrectly, impacts the customer experience. Really working through that and getting them involved in structuring their business around the cyber risk, it's an ongoing process, I don't think we'll ever be done with that. We've made huge progress in the past six, seven years, I'd say, as cyber risks have increased. I think there's a culture of cyber awareness that is dramatically higher today and interaction between the cyber team, the technical specialists, and the business leaders all the way down the line, that's dramatically improved.
I think the much more mundane, but in some ways equally effective, regular penetration testing and regular phishing tests have been very impactful. I tell you, when you get the message that you just clicked on a [simulated] phishing link, it's a horrible moment. When we first started doing proper phishing simulations, we were getting like a 20% to 25% click-through. Now we get like a 2% click-through, 1% click-through. It's good. It's dramatically better. But it's not zero. And we know that with AI and generative AI, that the attack can become much more sophisticated. Dramatic cultural awareness, huge training efforts, huge testing, huge communication of the testing, ongoing newsletters, seminars, off-sites, compliance training, e-learning. Cumulatively, it's made a big difference.
I'll say it is religion here.
RFN: Cybersecurity is religion?
BW: Cybersecurity, generally. Certainly phishing because we have 85,000 employees here and every single one of them is vulnerable to a phishing attack. Every single one of them is probably being attacked every day. I certainly get 10 or 12 a day despite our great screening defenses.
RFN: How often does cybersecurity come up in board meetings?
BW: I would say it's arguably a disproportionately huge topic at board meetings, which reflects not just the seriousness with which we take cybersecurity, but the seriousness with which our regulator takes cybersecurity. Regulator's access point to companies is as frequently through the board as it is through management. Here, Hong Kong, Singapore, the U.S.… they really want the board to be involved in overseeing the cyber risk process. Of course, they want to know the management is on top of it, and they want to know that the cyber team is properly resourced and specialized, has access to the right tools to enforce their trade. It's a very, very serious topic at the board level.
RFN: Where does ransomware fall on your list of cyber concerns?
BW: The biggest risk is that somebody who, for whatever reason, sees the UK or Europe or for some reason, Standard Chartered bank, to be an enemy, tries to destroy us. And that's very unlikely to be a commercial player. It's more likely to be a state actor or a terrorist group. So obviously, we're very concerned about anybody that's just seeking to do damage.
On the other hand, ransomware threat actors are typically seeking to extort victims rather than permanently destroy data. But they're threatening to destroy you if you don't do certain things. We run simulations with some frequency to make sure that we're prepared, should anything like that happen to us, but also to our clients. I think given the state of our own defenses, we're probably more concerned about our clients, some of our clients, than we are about ourselves. But nobody thinks that we're impenetrable.
RFN: When it comes to spending on cybersecurity, do you think Standard Chartered will be increasing or lowering its investments? And what areas do you think you’ll put more attention on?
BW: We've dramatically increased our spend on cybersecurity pretty consistently over the past 10 years or so, and that just reflects the magnitude of the threat. Some decent chunk of that investment is infrastructure, so basic remediation. And then there's ongoing spend around evolving threats. The infrastructure and remediation layers are in very good shape.
The evolving threats are becoming a lot more sophisticated. So we'll be rotating out an infrastructure type investment into evolving threats. I think AI will definitely pose a number of new threats — obviously it increases the level of sophistication of attackers and ability to penetrate defenses. The modularization of finance is increasing, and the fragmentation globally of finance is increasing. Regulators are increasingly liking to have whatever they consider to be critical kept in their own country. That means replicating infrastructure and then sharing data or sharing information across countries where allowed to a greater extent. Every one of those connections is a vulnerability… We'll be looking at a huge increase in focus on third-party risk assessments.
Banks are probably well ahead of the curve on that, but many of our clients are not. You've seen this from your reporting that many of the vulnerabilities that have been exploited are coming in through third-party suppliers to the companies that are affected rather than the companies themselves. I think as supply teams reconfigure, and they are, I think that's going to be one of the key areas of focus.
Adam Janofsky is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.