Daniel Schalla on Building Resilient Cybersecurity Protocols

How Financial Teams Automate SEC Compliance Workflows – Daniel Schalla

Episode Overview

Episode Topic:
Daniel Schalla from Mattermost joins PayPod to discuss how financial institutions can better prepare for and respond to cybersecurity incidents. With tools designed for secure collaboration and workflow management, Mattermost helps companies meet regulatory demands while ensuring that they remain in control of their data.

Lessons You’ll Learn:

  • How to respond quickly and effectively to cyber incidents
  • Why automating workflows can improve your incident response
  • The importance of regular tabletop exercises for cybersecurity preparedness
  • How to balance automation and human decision-making in security processes
  • Understanding compliance requirements like the SEC’s new 4-day rule

About Our Guest:
Daniel Schalla is a cybersecurity expert at Mattermost, a collaboration platform designed for high-security, regulated industries. He brings deep expertise in incident response, workflow automation, and the unique challenges faced by financial institutions in maintaining compliance. Mattermost’s platform is used by leading organizations in finance, defense, healthcare, and more, helping them streamline communication and response to critical security events.

Topics Covered:

  • Key vulnerabilities affecting financial institutions today
  • How Mattermost supports secure collaboration and incident management
  • The role of automation in security incident response
  • Navigating the complex regulatory environment in cybersecurity

Our Guest: Daniel Schalla

Daniel Schalla is a seasoned cybersecurity professional and an expert at Mattermost, a leading secure collaboration platform. With extensive experience in the intersection of cybersecurity, compliance, and workflow automation, Daniel plays a key role in helping organizations in highly regulated sectors such as finance, healthcare, and defense protect their data and streamline their incident response processes. At Mattermost, Daniel focuses on providing solutions that enable teams to securely collaborate, manage workflows, and respond to critical security incidents—all while adhering to the stringent regulatory standards these industries face.

Having worked on both sides of the security spectrum, Daniel understands the complex challenges businesses encounter when balancing risk management with compliance. His work with Mattermost has helped countless organizations adopt a secure collaboration environment that is not only compliant but also flexible enough to support on-premises and cloud deployments. A strong advocate for incident preparedness, Daniel emphasizes the importance of automating workflows and simulating security incidents to build resilient response strategies. His deep knowledge of security operations and regulatory frameworks has made him a trusted advisor to organizations seeking to protect their most valuable assets—data and reputation—while maintaining compliance with evolving legal requirements.


Episode Transcript

Daniel Schalla: Just simulate having a security incident, right? If you think about it, there is something called like a tabletop exercise, which essentially means you outline a scenario, right? Coming back to what I said earlier, you may have an effect like malware on an employee device, but it could also be that a third party.

Kevin Rosenquist: Hey there and welcome to PayPod, where we bring you conversations with the trailblazers shaping the future of payments and fintech. My name is Kevin Rosenquist. Thanks for being here. When a cyberattack hits a financial institution, every second counts. And with the new SEC rules demanding disclosure within four days, there is no room for improvisation. But what if the problem isn’t just the attack itself, but how your team communicates and responds when it happens? My guest today is from Mattermost, a secure collaboration platform used by some of the most tightly regulated industries in the world: think finance, defense and healthcare. In this episode, we unpack the real vulnerabilities plaguing financial institutions, why secure workflows, not just secure data, are vital, and how automation can help you meet regulatory demands without sacrificing control. So please welcome Daniel Schalla. So what are some of the most, like, the major vulnerabilities that you see today in financial institutions that perhaps traditional tools don’t solve?

Daniel Schalla: Yeah, that’s a great question. I would say financial institutions in that sense, I think, are affected by the same type of vulnerabilities that most other organizations are. Right. There’s an annually published Verizon data breach report that is taking a look at like 12,000 incidents and data breaches. And typically like the three types of breaches that we see are the same, right? It’s around phishing. It’s about exploitation of outdated systems. And it’s like stolen credentials. If we think about phishing as one of them, like there’s no great tooling solutions to that because it’s like a human problem.

Kevin Rosenquist: I was going to say it’s.

Kevin Rosenquist: It’s kind of up to the user on that one. And yeah, I mean, they’re getting good with those phishing attacks. A lot of times they look pretty legit.

Daniel Schalla: Yeah, exactly. And the challenge there is like, as a security organization, you can try to, of course, like train your staff on how to spot it, how to respond to it. But there’s only so much you can do in terms of putting technical controls into place. Right? Because they get more and more creative. Right? They use trusted tools that are like used for real applications so you cannot block them, but still like utilize them for phishing exercises. So I think that that is like definitely one of the biggest categories of vulnerabilities you see out there, like very often abused, but also just organizations just not keeping their systems updated. Right. Yeah. If you think about major organizations, especially financial institutions where you have high availability needs and like, your systems are mission critical, we’re saying, oh, we will take these offline and patch them on regular business days. Rather challenging. Right? So how do you keep these systems updated? Is another growing like intrusion factor. And those things didn’t change much over the previous years because they are hard issues, right?

Kevin Rosenquist: Well, I think it’s somewhat new, the four day rule: firms have to disclose material incidents within four days. Has that changed the compliance landscape?

Daniel Schalla: It’s an interesting question. Like in the sense that the four day rule is matching other regulatory standards that come out there, like GDPR, that it now mandates within a certain time frame, you have to report incidents, and there’s different aspects to it. The first interesting thing with the four day rule is that it says that material cybersecurity incidents must be reported in four days. And the interesting question there is what is material, right? There was a major discussion point when this was announced. Like who decides what is material? And from what I know, it has been described, well, if essentially your investors would consider it significant. Now that leaves a lot of room for interpretation. Yeah, sure. What is significant? Is it now when an employee loses a hard drive, is that significant? If a helpdesk agent clicked on a phishing email, but you detected it, I guess that doesn’t count, right? So there’s a lot of room for interpretation, which makes it rather challenging for organizations to decide when to report and when not to report it, and I think that is leading to a lot of uncertainty.

Daniel Schalla: At the same time, like how to report it, I think that process is very clear with the 8-K filing. And if we take a look at other jurisdictions like Europe with GDPR, they are even stricter, right. Instead of a four day rule, GDPR, essentially the privacy law of Europe, says within 72 hours. But in theory you already have to report it once a single European data record was leaked, right? That contains personal data. So I definitely think that the SEC reporting requirements are affecting more organizations. Right. That may not have been impacted before by regulations such as GDPR. But in itself, I don’t think it’s an outlier in that sense. Right? I think it’s good that we try, as we generally rely more on like IT systems and on other providers, to make clear, once there’s a data breach, that these organizations are required to notify you at the same point in time. I also think that many organizations that are affected by this have not only the SEC or GDPR to report to, but also potentially, depending if they are a service provider, their customers.

Kevin Rosenquist: Right, which could be a lot of people.

Daniel Schalla: For the SEC four day rule, you have four days for 8-K filings, or you report it in Europe, you must report it to the Data Protection Authority if personal data from a European resident was affected. Where do you need to report it? To the Data Protection Authority of the country that you are having your office in, or multiple. Right. Then for your customers, they may contractually have given you different requirements. Is it 48 hours? Is it 72? But again, how do you notify them? Can be like a phone number. It can be an email, like so many different challenges. So the question as an organization is how do you keep track of all your different reporting requirements that you may have. Right.

Kevin Rosenquist: From Mattermost, what would you call, what would you say the core use case is that you guys are solving for industries like finance?

Daniel Schalla: Mattermost’s objective is to provide you a secure collaboration and workflow platform. Right. As you mentioned, we’re definitely seeing a lot of our customers in the finance industry. But really, it’s more generally more critical infrastructure, which definitely incorporates finance, but also defense, healthcare, energy. Right. So we have a very diverse set of customers. What combines them, like a shared characteristic, is they’re usually highly regulated and they have high security requirements. Right. And for these customers we provide essentially a suite of products. Right. One aspect is we provide you a product for your classic chat collaboration, but also beyond that we provide you a platform to streamline your workflows. So think about you have an incident and you must, using the previous example, you must coordinate when to notify whom. We provide you a workflow platform, and there’s a few different pieces to that puzzle. But the goal is really to provide a purposeful collaboration platform to both incident response teams, but also other parts of the organization to streamline the workflows, and one relatively unique characteristic of Mattermost is that you have full flexibility on how to deploy it. Many of our financial services customers do have a requirement to deploy Mattermost with their own infrastructure, potentially even not exposed to the internet. So if you cannot use a software as a service offering, like Microsoft Teams or Slack or Discord or any other ones, but rather must retain full control of your data, potentially even on your own infrastructure, Mattermost gives you that flexibility to apply the controls and install it on the infrastructure as you need it.

Kevin Rosenquist: I also want to talk about automation. I think automation is super interesting. Obviously, it’s one of the best use cases in my mind for AI and a lot of that technology, as far as it fitting into an incident response process, can workflows be designed to support human decision making but without introducing more risk? So if you have both the automation and then the human decision making, can you add that automation without introducing more risk?

Daniel Schalla: I think there’s different levels of automation depending on your organizational maturity, but also technical ability. The first scenario is you have an incident and you have zero preparation, right? Right. You have an incident. You don’t have an incident response plan. You do not have maybe even a security team. So at that point there’s zero automation, but not even process, right. That’s obviously the worst case. Right. Because nobody will know who to notify, what process to follow, who’s leading it. That is the worst case scenario.

Kevin Rosenquist: Yeah, that’s not ideal.

Daniel Schalla: No, that is not ideal. But many organizations may be hit with that. Like sometimes, especially if you think, I don’t think major financial institutions will ever find themselves in these shoes. But if you think about like SMB businesses, right. They may have that issue, right. With a high reliance on also services. That’s a real issue. I mean.

Kevin Rosenquist: I can tell you I’ve worked for companies that had no plan. That’s for sure.

Daniel Schalla: 0.4% family businesses, right. They still rely on IT services for the billing, invoicing, email communication. Right. But they don’t have the same resources. So if you go beyond that and say you want to prepare and you have an incident response plan, it can be a Word document, which then everyone needs to read and update manually. But you can also take that Word document, which usually outlines steps, right, to make that like an automated workflow. So instead of having everyone read this document, instead have like a checklist, right? And say, okay, I have now an incident and the first thing I need to do is like, check. Like what is the severity, right? Meaning like, how bad is it? Who’s the person responding to it? Right. How do I make sure that this may not actually be a false alert? So we can automate this in a way that if you get woken up at 4 a.m. in the middle of the night and you don’t know what to do, you can make sure that people can follow like a recipe and make sure, and even more importantly, if you think about major organizations being distributed across the world and having staff with a different level of seniority, and depending on how these organizations are structured, they may have somebody not as well versed or as experienced respond to incidents. Right. And they can still then easily follow a process that was designed by way more experienced security engineers or architects that then makes sure that you always follow the same process, right? You always make sure that certain crucial steps are being followed. What you get there is that you have clear instructions. That’s very important because like incident response is very hectic, right?

Kevin Rosenquist: Absolutely. Take the guesswork out of it. Just make it like, yeah, this is what you do if you don’t worry about anything else. Just do this.

Daniel Schalla: Exactly. Yeah. And there will be a framework. Every incident is unique, right? You cannot say this is the recipe you always follow, but certain steps are always the same. And this way you can like, provide clear instructions, but also you can document your timeline. So if you like, coming back to the earlier question, you have the four day rule for the SEC. You have the three day rule for GDPR. How can you prove like when you found out that you actually have an incident at hand, right? So if you automate that workflow, you can directly automate. Okay. When did I find it? When did we respond to it? When did we understand that it was actually material, right, to then directly document it? Because as you like, let’s say you have a major intrusion in your systems. Note taking is a rather mundane exercise, but it’s so crucial, right, that you have your evidence, your timeline. If you then later on must provide reporting, right. There may be lawsuits to provide essentially when we took which actions to protect both investors but also our customers. Right. And that can also be like just helpful overall that the team can then do lessons learned later on.

Daniel Schalla: Okay, we took this step at this point in time, but we failed to do this. How can we improve this? So this is a thing when you have zero automation. It’s a great place to start, right. Like make sure that you automate your process and like that you follow your checklist. In Mattermost we have a functionality called Mattermost Playbooks where you have on the left hand side your team chat. On the right hand side you have your recipe you follow. The second thing I would then encourage organizations to think about, if you have your collaboration tool for your incident, unless you have the luxury that everyone is in one room, which is nowadays really happening, think about how can you automate actions to get the data your incident response team needs? So if you think about it, you get woken up at 5 a.m. Kevin’s MacBook had a small incident, right? And you’re like a 5000 organization company. I don’t know who Kevin is or what this MacBook does. Right? And that is rather bad if you want to, like, understand hey, maybe this is normal, depending on what it is, right? Because these alerts are not always perfect.

Kevin Rosenquist: Sure.

Daniel Schalla: So the first thing you want to do is like, find out who Kevin is, what’s his MacBook. Right. But also find out what Kevin’s role is.

Kevin Rosenquist: What does he do? Does he.

Daniel Schalla: Work.

Kevin Rosenquist: Here?

Daniel Schalla: Where does he live? Right. Or work at least?

Kevin Rosenquist: Yeah.

Daniel Schalla: Because all this context helps you, like, respond to an incident more effectively. Like, if I find out, okay, we get this alert from Kevin at this location, and his job role is he’s a penetration tester, like somebody that is attacking organizations to find weaknesses, that may be part of his role. Right? Like, he may use tools that are picked up by an antivirus solution as suspicious. I would still reach out to Kevin and find out. Right? Like, hey, this actually, but then more importantly, is this device that I get this alert from Kevin on actually Kevin’s work machine? Right? If Kevin is otherwise working from a Windows machine, but now Kevin is working from a MacBook, that is rather suspicious. Right. So what you want to start with, once you get your alert from your security monitoring, is get all the context you need, right? Like you must make a decision. Is this an incident or is it an alert? Like an alert, meaning like I got notified, hey, this looks strange, by your security monitoring tools, but with an incident, you know, like, okay, this is actually something like a security risk is going on. We have confirmed the suspicion that there is something at play here that we must investigate closer. And if you say you have an incident response team responding to something like this, and all four people do this, like manually, right? Like you log into your device management solution, another person looks into your user management solution. Right? Find out in the user directory like Kevin’s title, department, etc. Then everyone takes screenshots, shares them everywhere.

Daniel Schalla: So a great thing you can do is before even a human looks at it, once you see like, oh, this incident is happening, directly look up these things automatically, right? So you provide the person responding to the incident all the context they need. The third thing is then like automating your playbook, like your process to follow. You automated, like, how to look up data and providing it to your team. Maybe you want to take an automatic response to it. And automated response is always a very tricky topic. So in my previous role, I was working in professional services helping organizations implement incident response tooling. It was always a very hot topic because if automation responding to security alerts goes wrong and everyone gets locked out of their device, or other destructive actions are being taken, it is rather challenging, right? So what some organizations opted to do is how about we make it like a partial approach, right? You say instead of fully automating this and giving it to the automation system, why don’t we let somebody click a button once they agree that this is a good thing, and then like it’s being executed. So automation is like different maturity levels. I would always recommend to start with automation. Then assist your team with data lookups, data enrichment, that they can respond more effectively. And then think about this: what can you automate to respond to an incident? I would never start the other way around, that you first want to automate response versus data enrichment, because the one use case is like, you always need the other ones. Hopefully.

Kevin Rosenquist: Raleigh, right? Yeah, yeah, that makes sense. Start at that point instead of the latter point. Yeah. Yeah. When you really do need human involvement. Yeah.

Daniel Schalla: Like you, like thinking about how you want to automate the thing that you need 1% of the time or 10% of the time, right.

Kevin Rosenquist: Yeah. Yeah, yeah. From a collaboration standpoint, I mean, obviously a lot of different financial firms, a lot of different companies love tools like Slack. It’s not necessarily built for regulated environments. What makes a secure collaboration platform fundamentally different under the hood?

Daniel Schalla: I think like with many financial institutions, they are heavily regulated. You have a lot of different compliance requirements, but also sometimes there is a risk aversion that stems from this. What we see with our customers very often is that they first of all want to keep complete control of their data, right? Very often they’re running their own data center, although we see slowly an increase of, like, financial institutions adopting cloud. So the most important thing is keeping control of your data. Because if you keep control of your data on your own infrastructure, you can also protect it most efficiently, right? You will most likely already have internal standards, how very confidential information must be protected. And if you adopt a SaaS solution, you may make compromises, right? You may say, well, the SaaS vendor says they can do this, but not that. And you either can accept the risk or not accept the risk, right? And then you go to the next solution. Survey in collaboration platform, you essentially deploy it similar to other applications you already are operating internally and can make it meet your requirements. Do you need everyone to be located in the office? They’re connected. You could do that, right? Do you need everyone to be on a trusted device? You could do that, right? So it gives you the most control. I think there’s otherwise, if you basic needs, if you think about key compliance, export.

Daniel Schalla: Right. That you must make sure who’s communicating with whom at what point in time. Depending on your use case, you may be required to track that or track these messages to prevent insider trading. Right? All the scenarios, that combination I think very often is leading to that. So the flexibility to deploy where you need it with the requirements that you outlined, but also meeting all the other functional requirements that you have, specifically thinking about security, I think it should empower your team, right? It should provide you the tools and the functionalities that you need for your security operations team to make them the most productive. Right? Does it allow you to integrate your tools that are running on premises? So as an example, you may have a security monitoring solution that runs on your own infrastructure. And if you have a cloud solution, you must open up your barrier, your firewall, to allow it to connect to that. Right. So going back to the automation topic, you most likely will not want to do that, right. Your security monitoring houses, like, all the confidential data and all the activity within your entire environment. And you don’t want to expose that necessarily to third party operated servers on the internet. So by having this operated on your own infrastructure, you facilitate these automations and these integrations. That again makes your team more effective while automating many of these workflows.

Kevin Rosenquist: You know, looking at, like, thinking about all the different size businesses, you know, big and small, mom and pops, you know, you made the comment about how so many, so many people are not prepared. And I mean, like I said, I worked for, I remember one of my bosses saying, we’re like a four person company. And he said, yeah, we’re too small for anything like that to happen, because I was like, we should probably have something in place. And that’s like the biggest, obviously, one of the biggest mistakes you can make is assuming you’re too small for something like that. But, you know, looking ahead, what can every business do, whether you’re small or big, to kind of get ahead of the curve and, you know, maybe something that’s simpler, something small, something that’s not overhauling your whole system or putting in some robust big thing. What’s one thing you see that you’re just like, if people would just do this, we’d have a lot less problems.

Daniel Schalla: That’s a great question. One thing that comes to mind, and I think is so powerful because it touches on so many things, is just simulate having a security incident, right. So if you think about it, there’s something called a tabletop exercise, which essentially means you outline a scenario, right? Coming back to what I said earlier, you may have an effect like malware on an employee device, but it could also be that a third party.

Kevin Rosenquist: I’m always downloading weird stuff. That’s the problem.

Daniel Schalla: Like none. Like, it’s so frequent that we’re, like, even simulating incidents with you. But it could also be like a third party. Right? Like somebody that you do business with, right? Like. Yeah. And you simulate. Okay. Imagine this incident is happening. Where’s our incident response plan? Walk through it. So how this usually works is you have somebody moderating the tabletop exercise. So that person is preparing the scenario and they know things that the other people that are like responding to the incident do not. So you say this is our scenario, okay. We know of this, right? So we got alerted that Kevin once again had a malware alert, the 10th time this quarter. This is the information. And then you ask your security team, okay, so what do you do? And you may then find out that nobody knows where the incident response plan is. Right. So that’s not good. So maybe you should train your staff on where the incident response plan is. Then you may need to look at how you document the incidents or how you find out who Kevin is. Right. Like walking through this as a dry run helps your organization to prepare on how to do these things once they are happening for real. Because the challenge is, ideally you don’t have incidents so frequently that you are so well versed on how to respond to them. But once it’s happening, you really want to make sure that everyone knows what to do.

Kevin Rosenquist: Right? Yeah.

Daniel Schalla: And then even, like.

Kevin Rosenquist: It won’t be the first time, even though it’s a simulation, it’s like, at least you kind of understand it. You’re not just reading a sheet. You’ve actually kind of, you know, sort of role played it and understand, like how the process unfolds. Yeah, yeah.

Daniel Schalla: And that’s exactly it. Like you’re role playing having an incident, like one person has the complete picture, right? They would know. So once they, as an example, the team may say, okay, we took a look at these things, they like essentially share another piece of information. Right. So you don’t have to start like, okay, everyone knows what the incident response plan is. They know how to document the incident. But you can then dive way deeper, right? Like say, okay, we took a look. We got Kevin’s information about his device and user from these systems. Okay. How do we look this up? Where do we look it up? And then okay, we want to collect forensic evidence from this device. How do we do this? Right. So you can go very granular and assuming like you run this through, and then I was saying, okay, this was an actual incident. It was deemed material based on the criteria that we outlined, and it also affected personal data of European citizens, or California or other states have similar laws. By this point, how do you actually work together with your legal and communications team to notify regulators and your investors, and who’s doing it and who must approve communications, right? Because at this point, once you confirm it’s an actual security incident with real impact, it’s not just security responding to this anymore, right? But you have legal, you have marketing, you have communications, you have finance, right? You might work with outside counsel or with external incident response teams like Mandiant or many others that help you there.

Daniel Schalla: So at this point, you can also think about how can we streamline our communication? How do we keep stakeholders informed? Right. And how do we organize this? And the beauty of this is like role playing having an incident. It’s rather simple to start with, right? Everyone in theory, like even the small organizations, can say, okay, this happens. What do we do? And at least be somewhat prepared. Okay, here’s our plan. This is our external security partner, like an MSP that is providing services for us for this to happen. What I see many organizations do is like repeat this, like you can do it quarterly, once per year, and then you can mix it up, right, and work together with different parts of your organization depending on the type of incident you have. You could even like have a tabletop exercise for financial fraud or for anything else really. Like it’s not unique to security incident response, but a quite versatile tool, I would say.

Kevin Rosenquist: Yeah, I would agree. That’s an easy thing anybody can do, even if it’s in that mom and pop scenario, even if it’s just sitting around going, so what would we do? You know what I mean? Like even just sort of like workshopping it and talking about it will at least put you ahead of not doing anything or not talking about it at all, just putting your head in the sand and hoping nothing happens.

Daniel Schalla: This is very critical and we have nobody internally that can support us there. So you may say, actually, we should bring in an external vendor, an external consultant to support us in these scenarios, right. You may get a retainer with an incident response consultancy. You may realize that you actually have grown too fast, but you don’t have anyone internally to manage it. So you may want to outsource your entire IT operations, right? I think it’s a powerful tool to self reflect a bit on where we are, like what is missing. I also know that there’s external consultancies that help organizations to run these tabletop exercises, but you can also run them internally.

Kevin Rosenquist: Working both ways. I could see it being nice for certain organizations to have someone from the outside sort of running those exercises too, so that, I don’t know, so that it almost feels real, more real in that sense, you know.

Daniel Schalla: But like, nobody knows, like especially if you’re like a small team. Let’s say your security team, like, you’re a fintech startup and you have a security team of three, let’s say, and one of them is moderating this exercise. It’s like one third of your security organization is missing, right?

Kevin Rosenquist: Yeah. That’s true. Yeah.

Daniel Schalla: I think having somebody outside of security run it, it is rather hard to keep it realistic. Right. Keep it engaging.

Kevin Rosenquist: Yeah. To pretend to be that person. Yeah.

Daniel Schalla: Yeah. They may not be able to moderate the group and like, say, I don’t know about this one, or when to give the next hint. Right. So it’s a trade off.

Kevin Rosenquist: Yeah. Yeah, for sure. All right. Well, Daniel Schalla, the company is Mattermost. Thank you so much for the conversation and I really appreciate all the tips. I’m sure everybody out there is very appreciative as well. Thanks for your time. Absolutely. It’s great having you.