David Cass

Expert Consultant · Head of FinTech Practice

Biography

David Cass occupies a vantage point few cybersecurity and financial-technology experts can claim: he has sat on every side of the table. He recently served as a lead regulator at the Federal Reserve Bank of New York, where he was a member of the Large Institution Supervising Coordinating Committee (LISCC) overseeing the systemically important institutions whose security and risk practices he had spent two decades building from the inside. As Head of the FinTech Practice at Law & Forensics and a member of the firm's Cyber Security and Forensics Practice, he brings that supervisory perspective to bear as a testifying expert and consultant — most recently as a cybersecurity expert witness on a significant cyber-attack against a regional credit union that compromised member data and disrupted services.

That regulatory standing rests on an unusually deep operating record. Before the Federal Reserve, David was Chief Information Security Officer and Global Partner for Cloud Security at IBM, with global responsibility for cloud security practices, processes, and policies across IBM's Security Services unit, serving as a regulatory subject-matter expert and executive steering committee member for IBM's international banking customers. He was part of the team that introduced the first financial-services blockchain initiative on public cloud, supported by ten major international banks. Earlier, as SVP and Chief Information Security Officer at Elsevier, he ran security, privacy, data protection, and the HIPAA function for a regulated FTSE 100 enterprise — accumulating more than four and a half years operating such a business in the cloud — and earlier still rebuilt the information-security risk and governance function at Freddie Mac and directed risk management for JPMorgan Chase's global technology infrastructure.

Across these roles David has handled the full range of high-stakes matters that define the firm's forensics-first practice: ransomware and breach incident response, forensic tracing of cryptocurrency and digital assets, AML and KYC program design, securities and ICO compliance under SEC and international frameworks, and cybersecurity governance counsel to corporate boards. He pairs that operational fluency with the formal credentials regulators and courts expect — among them the CISSP, CISM, CRISC, CGEIT, CIPP/E and CIPP/US, PMP, and Certified Blockchain Professional designations — and the engineering and management training behind them, including a Master of Science in Engineering from the University of Pennsylvania's Wharton School and Penn Engineering and an Executive MBA from MIT's Sloan School of Management.

David's authority extends well beyond his client engagements. He has spoken as a subject-matter expert at the Federal Judges Association's 9th Quadrennial Conference in Washington, D.C., and teaches as an adjunct professor at Harvard University — covering risk management, regulatory issues, and computer forensics — and at Rutgers Law School. He serves on the editorial boards of the Journal of Law and Cyber Warfare and the Journal of Legal Technology Risk Management, sits on the New York State Bar Association's Cybersecurity subcommittee as a subject-matter expert, and has published on cybersecurity, forensics, cryptocurrency, blockchain, cloud, and AI/ML, including co-authoring "The Dirty Truth About Crypto: Money Laundering Made Easier" with Daniel Garrie and Gail Andler. A frequent voice at conferences from RSA and DefCon to Money 20/20, the Institute of International Finance, and the Singapore Academy of Law's TechLaw Fest, he combines the credibility of a former regulator, the fluency of a hands-on operator, and the clarity of a teacher — the qualities that make a named expert persuasive in a courtroom.

Practice Areas

Blockchain

  • A fintech startup specializing in cross-border payments struggled with high fees and slow transaction times due to traditional banking channels. The engagement focused on leveraging blockchain technology to streamline operations. By developing a decentralized ledger system, the startup achieved near-instantaneous transactions at a fraction of the previous costs, enhancing its competitive advantage. This innovation attracted a more extensive customer base and opened new markets, leading to a 50% growth in transaction volume within the first six months.
  • A multinational corporation sought to integrate blockchain technology into its operations while ensuring strict compliance with data protection and privacy regulations. Our engagement involved designing and implementing a blockchain compliance solution that addressed critical regulatory concerns, including data anonymization techniques, consent mechanisms, and cross-border data transfer protocols. We provided expert guidance on leveraging blockchain's inherent transparency and security features while complying with the General Data Protection Regulation (GDPR) and other relevant laws. Our compliance solutions enabled the client to harness the benefits of blockchain technology effectively, ensuring data integrity and regulatory compliance.
  • Tasked by a multi-national corporation aiming to expand its blockchain operations into Switzerland, renowned for its "Crypto Valley" in Zug, the consultancy provides an in-depth analysis of the Swiss regulatory environment. The focus is on understanding the Federal Council's approach to blockchain and cryptocurrency, including tax implications, the legal framework for ICOs as per the Swiss Financial Market Supervisory Authority (FINMA), and navigating the cantonal differences within Switzerland. The consultancy advises on strategic partnerships with local blockchain entities and integration into the Swiss crypto ecosystem, ensuring the client's expansion is seamless, compliant, and optimized for the Swiss market.

Crypto Consulting

  • Recognizing the surge in cyber threats targeting cryptocurrency exchanges, a leading digital asset exchange engaged my consultancy services to conduct a thorough security assessment. The engagement focused on evaluating the exchange's infrastructure for vulnerabilities, assessing the robustness of its cryptographic protocols, and implementing advanced security measures. We identified potential security gaps by leveraging state-of-the-art penetration testing techniques and blockchain security analytics. We proposed a strategic plan to bolster the exchange's defenses against sophisticated cyberattacks, ensuring the protection of digital assets and maintaining trust with its users.
  • Engaged by a burgeoning startup looking to launch a new cryptocurrency exchange in the United States, the consultancy delves into a comprehensive review of the U.S. regulatory landscape. This includes navigating the intricacies of the Securities and Exchange Commission (SEC) guidelines for initial coin offerings (ICOs) and tokens, understanding the requirements set forth by the Commodity Futures Trading Commission (CFTC) for cryptocurrencies as commodities, and ensuring compliance with the Financial Crimes Enforcement Network (FinCEN) for anti-money laundering (AML) and Know Your Customer (KYC) policies. The engagement focuses on developing a regulatory strategy that aligns with the startup's business model, identifying potential regulatory hurdles early on, and establishing best practices for ongoing compliance.
  • Developed a comprehensive AML program tailored to the unique risks associated with cryptocurrency transactions. This included the creation of AML policies, implementing a transaction monitoring system capable of detecting suspicious activities, and developing a customer identification program. We also conducted AML training sessions for the client's staff, emphasizing the importance of vigilance and compliance in the crypto space. Our efforts significantly enhanced the client's ability to detect and report suspicious activities, ensuring compliance with AML regulations and safeguarding the platform's integrity.

Cybersecurity Governance & Strategy

  • Worked closely with boards to establish a comprehensive cybersecurity governance framework that aligns with the company's strategic objectives. This involves crafting a cybersecurity strategy that addresses current security challenges and anticipates future threats. By integrating cybersecurity into the broader corporate strategy, I ensure that security considerations are at the forefront of decision-making processes, enabling the board to make informed decisions that enhance resilience against cyber threats.
  • Counseled boards on cybersecurity investments, ensuring that resources are allocated efficiently to areas of highest risk and potential impact. This includes recommendations on adopting advanced security technologies, outsourcing security functions where appropriate, and investment in cybersecurity talent development. By aligning cybersecurity investments with the organization's strategic priorities and risk profile, I help boards optimize their security spending, achieving the best possible security outcomes within budgetary constraints.
  • Engaged by a national retail chain facing repeated cyber threats, my consultancy entailed a complete overhaul of its cybersecurity strategy. This included conducting a vulnerability assessment, redesigning their network architecture for enhanced security, and implementing advanced threat detection and response technologies. Furthermore, I developed a cybersecurity awareness program for their employees, reducing the risk of human error. This comprehensive approach fortified their defenses against cyber-attacks, ensured business continuity, and protected customer data, illustrating my expertise in crafting and executing strategic cybersecurity solutions.

Incident Response

  • Assisted boards in developing and refining incident response plans. This entails efficiently preparing the organization to detect, respond to, and recover from cybersecurity incidents.
  • Conducted tabletop exercises and simulations to test the effectiveness of incident response plans, ensuring that the board and the organization are well-prepared to manage and mitigate the impact of cyber incidents, minimizing operational disruptions and financial losses.
  • Engaged as a cybersecurity expert witness and consultant for a significant cyber-attack on a regional credit union that compromised member data and disrupted services.
  • When a multinational corporation fell victim to a sophisticated crypto-ransomware attack, resulting in the encryption of critical data and demand for a hefty ransom in cryptocurrency, they turned to my consultancy for urgent assistance. This engagement involved a swift incident response to contain the breach, forensic analysis to trace the attack vector, and negotiations with the attackers leveraging cryptocurrency tracing techniques to identify and possibly recover the funds. We also developed a long-term cybersecurity strategy, emphasizing ransomware prevention, employee training, and backup solutions to mitigate future risks.

Risk Management

  • A fintech startup venturing into cryptocurrency services engaged my consultancy to navigate the complex regulatory landscape and implement a robust risk management framework. This comprehensive engagement covered an analysis of applicable regulations, Anti-Money Laundering (AML) and Know Your Customer (KYC) compliance, and the development of a risk assessment model tailored to cryptocurrency transactions. By establishing clear compliance protocols and a risk mitigation strategy, the startup was positioned to operate legally and securely within the dynamic cryptocurrency market, minimizing potential legal and financial exposures.
  • Advised boards on developing and implementing a robust risk management program that identifies, assesses, and mitigates cybersecurity risks. This includes guidance on compliance with regulatory requirements and industry standards, helping companies navigate the complex regulatory landscape and avoid potential fines and reputational damage. I ensure that boards know their risk posture and compliance status through regular risk assessments and audits, facilitating proactive measures to address vulnerabilities and compliance gaps.
  • Engaged by a multinational bank, I led a project to develop and implement a comprehensive business resilience and continuity plan focused on cybersecurity threats. This involved conducting a thorough risk assessment to identify critical assets and vulnerabilities within their digital infrastructure. I then designed a tailored resilience strategy, incorporating advanced cybersecurity measures, employee training programs, and an incident response framework. The successful execution of this plan significantly enhanced the bank's ability to withstand cyber-attacks, minimizing potential disruptions to their operations and protecting client data. This engagement showcased my ability to fortify business resilience through strategic cybersecurity planning.

Securities Consulting

  • Engaged by a leading global investment bank, our objective was to navigate complex securities regulations across multiple jurisdictions. This comprehensive advisory role included developing and implementing a robust regulatory compliance framework to ensure adherence to the evolving securities laws and regulations, including the Dodd-Frank Act and MiFID II. We conducted a thorough risk assessment of the bank's trading and investment activities, providing strategic recommendations to mitigate compliance risks. Our guidance enabled the bank to refine its compliance policies, enhance internal controls, and establish a continuous monitoring system, ensuring its operations remained compliant while pursuing aggressive growth strategies in volatile financial markets.
  • Tasked by an innovative fintech startup, our mandate was to design a legally compliant Initial Coin Offering (ICO) framework. This engagement required a deep dive into the intersection of securities law and emerging cryptocurrency regulations. We conducted a detailed analysis of SEC guidelines, the Howey Test implications for digital assets, and applicable international regulations. Our deliverables included a comprehensive legal and regulatory assessment, the development of a white paper outlining the ICO process, and strategies for token classification to navigate regulatory complexities. Our advisory ensured the client's ICO launch was successful, attracting significant investment while adhering to stringent securities regulations.
  • Advised a financial services conglomerate on strategic mergers and acquisitions, which required a nuanced understanding of securities laws as they apply to M&A activities. The engagement involved conducting due diligence to identify potential regulatory hurdles, advising on structuring transactions to ensure compliance with the Securities Exchange Act of 1934, and facilitating communications with regulatory bodies. We provided strategic counsel on negotiating terms, representations and warranties, and developing integration plans that complied with applicable securities laws. Our advisory supported the client through successful acquisitions, enhancing its market position while ensuring regulatory compliance and minimizing risks associated with securities laws.

Background & Career

  • Senior Partner – Law & Forensics LLC, 2022 to Present
  • Managing Director, Chief Information Security Officer – GSR, 2022 to Present
  • Vice President, Cyber & IT Risk LISCC – Federal Reserve Bank of New York, 2019 to 2022
  • Chief Information Security Officer, Cloud & SaaS Operations Global Partner Cloud Security – IBM, 2015 to 2019
  • Senior Vice President & Chief Information Security Officer – Elsevier, 2011 to 2015
  • Senior Executive Director – Information Security Risk & Governance – Freddie Mac, 2009 to 2011
  • Vice President – Director of Risk Management, Global Technology Infrastructure – JP Morgan Chase, 2005 to 2009
  • Senior Manager / Area Leader U.S. Information Technology – PricewaterhouseCoopers, 2001 to 2005
  • Director of Information Technology & IT Security – Max Blau & Sons, Inc., 1993 to 2001

Professional Credentials

Certifications

  • Certified Information Systems Security Professional (CISSP)
  • Certified Governance Enterprise Information Technology (CGEIT)
  • Certified Information Security Manager (CISM)
  • Certified Risk and Information Systems Control (CRISC)
  • Certified Information Privacy Professional Europe & US (CIPP/E & CIPP/US)
  • National Security Agency – InfoSec Assessment Methodology
  • Project Management Professional (PMP)
  • Microsoft Certified Systems Engineer (MCSE, retired)
  • AWS Cloud Practitioner
  • Certified Blockchain Professional (IIB Council)

Memberships

  • Speaker & Contributor – World Economic Forum Information Systems Security Association
  • International Information Systems Security Certification Consortium (ISC2)
  • MIT Media Lab – Cryptocurrency and Blockchain
  • Project Management Institute
  • Wharton Club of New York
  • Adjunct Faculty – Harvard
  • Served as Chairman for the ISSA to develop international Generally Accepted Information Security principles
  • SME on IT Security and Project Management for CompTIA in the development of related certifications
  • New York State Bar Association – Cybersecurity Subcommittee Member
  • Volunteer Mentor for Techstars Female Founders First program
  • Frequent speaker at high profile industry conferences; list of presentations available on request
  • Volunteer Firefighter & Rescue Swimmer – New Hope Eagle Fire Department

Areas of Focus

  • US and International Financial Services Regulation
  • Cryptocurrency and Digital Assets
  • Digital Banking & Transformation
  • Cybersecurity
  • Privacy
  • Cloud
  • Blockchain
  • Artificial Intelligence and Machine Learning
  • Incident Response
  • Expert Witness
  • Forensics

Achievements

  • Speaker and subject matter expert at the Federal Judges Association 9th Quadrennial Conference in Washington, D.C.
  • Adjunct Professor at Harvard University, teaching Risk Management, Regulatory Issues, and Computer Forensics.
  • Adjunct Professor, Rutgers Law School.
  • New York Bar Association Cybersecurity Committee Member, serving as a subject matter expert on Cybersecurity and IT Risk.
  • Speaker at high profile conferences: Cloud Security Alliance, DefCon, RSA, Money 20/20, ISACA, Institute of International Finance, FinTech Americas, Financial Times Security Summit, InfoSec Europe, and the Singapore Academy of Law Tech Law Fest.
  • Published articles on cybersecurity, forensics, cryptocurrency, blockchain, cloud and AI/ML.
  • Contributor to On-Demand, Live Web Conferences and Podcasts available through the WestEdLegal Center.
  • Contributor to the Certified Blockchain Professional for the EC-Council.
  • Instruct executives, lawyers, and technology professionals on Blockchain fundamentals, Distributed Ledger Technology, Scalable Blockchain, Blockchain mining, Ethereum Technology, and Decentralized Applications (DApps).

Selected Publications

  • Managing Editor, the Journal of Legal Technology Risk Management.
  • Editorial Board Member Journal of Law and Cyber Warfare.
  • Key Contributor and Advisory Board Member for SecurityCurrent.
  • Contributor to recent regulatory guidance.
  • Daniel Garrie, Gail Andler, and David Cass, The Dirty Truth About Crypto: Money Laundering Made Easier (September 14, 2021)
