Summary Leaders in Finance Cyber Security Event 2025


On 22 May 2025 more than 100 cybersecurity leaders, risk‑management and policy professionals from more than 50 organisations gathered at the Leaders in Finance Cyber Security Event to tackle one overriding question: how can Dutch financial institutions stay digitally resilient in an era of geopolitical turmoil, exponential AI‑driven threats and shrinking budgets?

This document summarizes the interviews, panels and speeches at the event. It is not a transcript of what was said but provides a paraphrased synopsis of the key points made. It has been prepared and published by Leaders in Finance. Please note that this summary was created with the help of AI tools. While care has been taken to ensure accuracy, the content may contain errors or omissions. For full clarity or specific details, please feel free to contact us at [email protected].

Key takeaways

  • Resilience is not optional—it must be rehearsed – Throughout the event, speakers emphasized that resilience requires more than plans and policies—it demands regular, realistic testing. Moderator Irene Rompa challenged the audience to consider whether their institutions could function during a 72-hour outage. Martijn de Laat (Achmea) underscored this by sharing how his organization practices recovery under extreme conditions, such as power outages and cyber incidents.
  • Shared responsibility is the only viable defense – Cybersecurity leaders repeatedly called for cooperation across sectors. Chantal Vergouw (KPN) highlighted the need to move beyond competitive silos: “Cybersecurity is definitely not the area to compete.” Expanding trusted networks, sharing threat intelligence, and conducting joint crisis simulations were recurring themes. As Bas Dunnebier (AIVD) stated: “Have competition on all other things, but not on security. Share everything on security.”
  • Cloud and technology concentration creates systemic risk – The growing dependence on a few hyperscalers emerged as a critical concern. Arjan Minten (PGGM) questioned whether simplification via single-cloud strategies was worth the lock-in: “We want to have a single cloud, because we want to reduce complexity, but that leaves us with not much wiggle-room.” Rob Havermans (ABN AMRO) added that threat modeling must go beyond compliance checklists: “Really see, where do we think we will get hacked? And just replay it.” Real preparation starts with honest, technical risk mapping.
  • Identity and behavior remain the weakest links – Despite advances in technology, human behavior continues to pose the greatest risk. Ex-fraudster Alex Wood made this painfully clear: “Since the very beginning, cyber criminals trying to steal money from people’s accounts were targeting the weakest link.” He explained how social engineering and psychological manipulation bypass even strong technical controls. The message was clear: culture, awareness, and human-centered training must be prioritized as core elements of any cyber strategy.
  • AI is redefining both attack and defense—experimentation is urgent – AI is transforming the threat landscape, amplifying both risk and opportunity. Speakers stressed the need to actively explore how AI can strengthen defense mechanisms—through automation, detection, and response—before attackers fully weaponize it. Alexander Zwart (Rabobank) summarized that we need to make it more painful for attackers and easier for the business to recover. Waiting for regulation or best practices is not an option.

 

Welcome – Irene Rompa (moderator)

Rompa opened with an unvarnished scan of the landscape: “The world is on fire geopolitically speaking,” she said, citing Ukraine, the Middle East and a newly volatile White House as proof that cyber‐risk now rides on the back of every geopolitical shock. She reminded the room that trust between nations—and therefore between supply-chain partners—“is decreasing while no single organization can defend itself against today’s complex cyber threats by itself.”

The keynote set the tone by linking fast-moving tech to fast-moving threats. Agentic AI models, Rompa warned, can “make attackers 100 times faster,” compressing the window defenders once enjoyed. Yet she also pulled the discussion down to earth with examples such as “pig-butchering” romance scams and the debate over whether CISOs should own operational-technology risk. Her message was blunt: budgets are flat, the attack surface is widening, and the community must cooperate or fail.

Finally, Rompa polled the audience on a three-day ATM outage; most attendees agreed it was a credible scenario. The exercise drove home her closing note: “We now understand that cybersecurity does not only have to do with mail or passwords, but also with clean drinking water, with our energy systems, with our traffic lights, and of course with our ability to withdraw money and to pay electronically.” The stakes, she made clear, are existential.

Video message - Anouk van Brug (Member of the European Parliament)

Anouk van Brug, a former government CISO, delivered a clear message via video from Brussels. Advocating strongly for cross-border cybersecurity collaboration, she highlighted the necessity for a unified EU response, stating that cybersecurity must be seen as a shared responsibility: “If Europe legislates at different speeds, the slowest bank gets hacked first.”

Van Brug emphasized the criticality of acting preemptively, particularly regarding quantum-safe encryption. “We need to be quantum-safe before we are quantum-ready,” she warned, urging institutions to prepare now for future threats. Stressing that cybersecurity must remain high on political and economic agendas, she concluded by challenging financial leaders to prioritize resilience proactively: “Act as if the attack has already happened.”

Speech I and Q&A – Chantal Vergouw (Chief Business Market & Member of the Board of Management, KPN)

Chantal Vergouw of KPN shared compelling data and a call for shared responsibility. “The number of events we monitor only at KPN alone is really shocking. It’s 40 billion events a day. It’s almost impossible to comprehend how big it is,” she said. She described today’s threat landscape as exponential and stressed that 24% of Dutch mid-sized companies feel unprepared. “We are only as strong as the weakest link,” she warned.

Her main message was one of radical openness: “Cybersecurity is definitely not the area to compete. Information and knowledge is power, but shared information is strength.” Vergouw described a “circle of trust” formed by KPN, several banks, and other multinationals—calling for more sectors and government actors to join.

Vergouw also connected digital resilience to national defense: “Today’s war always starts as a cyber war.” She urged institutions to run joint crisis simulations and prepare for operational outages. “Resilience is a question of mindset. And a change in that area requires leaders and courageous people,” she concluded. “You don’t want any democracy or discussion when you’re sinking, right? Or when there’s a super storm coming over you, then you need leaders.”

Speech II and Q&A – Alexander Zwart (Chief Information & Technology Officer & Member of the Managing Board, Rabobank)

Zwart began with a candid insight: “If our CEO talks to the ECB and they ask him, what is your biggest worry? Then cyber security is always on the first place.” He explained that boards are finally prioritizing cyber risk, yet they face serious complexity—especially due to reliance on a handful of hyperscalers. “So you have to find a way to create some big European companies instead of a lot of small ones, but you still have to work together with the global partners you’re working with today.”

Zwart advocated for a hybrid IT model and strong cloud portability standards. He explained Rabobank’s “hacker journey” approach, designed to build friction into the attacker’s path. “So we analyse the kill chain, and then we take measures on each step of the chain.” He ended with a clear mandate: collaborate where the risk is shared, but don’t wait for universal consensus. Speed matters.

CISO Panel I – Floor van Eijk (CISO - Head of Enterprise Security Services, NN Group), Arjan Minten (CISO & Head of Security and Quality Office, PGGM), and Martijn de Laat (Group Information Security Officer, Achmea), moderated by Rudrani Djwalapersad (Partner - Cyber Security Financial Services, EY)

The first panel discussion at the Leaders in Finance Cyber Security Event brought together Floor van Eijk (CISO – Head of Enterprise Security Services, NN Group), Arjan Minten (CISO & Head of Security and Quality Office, PGGM), and Martijn de Laat (Group Information Security Officer, Achmea), moderated by Rudrani Djwalapersad (Partner – Cyber Security Financial Services, EY). The panel opened with reflections on how dramatically the threat landscape has shifted in recent years. “Three years ago we weren’t talking about IT and how to keep it secure or how to make sure that developers also work in a secure way,” said van Eijk, noting that NN Group now works through a multidisciplinary taskforce that includes IT, finance, and security experts to jointly assess risk.

Minten acknowledged the sector’s growing discomfort with tech dependency: “Can we still trust the collaborators and how does this match with European sovereignty? Are there alternatives at the moment and how do we evaluate this risk?”

Ransomware emerged as the central concern for all panelists. “We already have a ransomware resilience program within Achmea to be prepared for a heavy attack and being operatable within a couple of days,” said de Laat. Van Eijk added: “When you are crippled because you can’t operate your systems and you can’t access your data, I think that’s the scarier scenario.” The speakers emphasized that recovery is as vital as protection. Minten explained how PGGM tested its ability to issue essential pension payments even without IT systems and confirmed: “We figured it out so even without IT we can run a business. That’s the conclusion and that’s also a good realization.”

Exercises and simulations were also a major theme. De Laat shared how his team recently conducted a nationwide power outage simulation involving their executive board. All three panelists agreed: real resilience isn’t about avoiding disruption at all costs but about recovering quickly and maintaining core services when—not if—things go wrong.

Speech III – Bas Dunnebier (Chief Science & Technology Officer, Algemene Inlichtingen- en Veiligheidsdienst (AIVD))

Dunnebier brought an intelligence services perspective to the event. He began with a rallying cry borrowed from the UK’s GCHQ: “Let’s make the Netherlands a great place to do business and a secure place to do business.” He urged financial institutions to treat national resilience as a shared mission, not a competitive arena: “We need to work together and not have competition on security. Have competition on all other things, not on security. Share everything on security.”

Dunnebier revealed the growing collaboration between the AIVD, NCSC, and the private sector, pointing to intelligence-sharing cells that help detect and respond to threats more quickly. He described the Netherlands as an extraordinary organisation, highlighting the unique openness of the Dutch system.

His biggest concern? “I’m the most afraid of insider threats, because you can invest as much as you want in protection, but then you still have a huge problem, irrespective of all the investments you have done to secure yourself”. He advocated for rigorous onboarding, continuous monitoring, and cultural awareness. Cybersecurity, he argued, is no longer a back-office function—it’s a board-level issue tied directly to national safety.

 

CISO Panel II – Ricardo Ferreira (Moderator & Field CISO, EMEA, Fortinet), Rob Havermans (Head of CISO Technology & Engineering, ABN AMRO) & Sam van Rooij (CISO, IG&H)

The second panel, moderated by Ricardo Ferreira (Moderator & Field CISO, EMEA, Fortinet), brought together Rob Havermans (Head of CISO Technology & Engineering, ABN AMRO) and Sam van Rooij (CISO, IG&H) to explore how regulatory frameworks, digital interconnectedness, and emerging technologies are reshaping cybersecurity in financial services. Rob emphasized how compliance has become a license to operate: “We also really build out our threat practice. That basically means: where do we think we will get hacked? And we just replay it”. He described ABN AMRO’s practice of simulating top threat scenarios, calling it a painful but essential process: “it takes a lot of time. You need good people.”

Third-party risk and API oversight were major concerns. Havermans shared how a vendor-related data breach revealed gaps in API tracking: “We had a registry, but it wasn’t up to date. People had built APIs we didn’t even know about.” This led ABN AMRO to expand its focus from general compliance toward specific technical risks, especially involving API flows and dependencies. Sam added that while they don’t heavily rely on open source, for many firms it poses a dilemma—disallow it and lose developers, or allow it and inherit complexity. “It’s a balancing act,” he concluded.

On emerging threats, the panel discussed GenAI and quantum. Havermans stressed the importance of experimentation: “Whether you build your own machine models or whether you buy something off the shelf. Test it out, see what happens.” Both agreed that organizational resilience, not just technical tools, will be the defining factor. When asked to summarize the future in one word, Havermans answered: “Organization,” and van Rooij chose “Explicit risk management.” The message was clear: clarity, readiness, and internal alignment are essential for what’s coming next.

CISO Panel III – Tom-Martijn Roelofs (Global Head of Security Strategy & Data, ING), Filip Verloy (Field CTO EMEA & APJ Rx, Rubrik) & Alex Kuznetsov (Head of Product Marketing Security Business Unit, OneSpan)

In the third panel, Tom-Martijn Roelofs (Global Head of Security Strategy & Data, ING), Filip Verloy (Field CTO EMEA & APJ Rx, Rubrik), and Alex Kuznetsov (Head of Product Marketing Security Business Unit, OneSpan) explored the intersection of user behavior, identity, and organizational resilience. Roelofs warned against excessive security layers that frustrate users: “So it gets quite complex. We try to reduce that. But it’s all about customers understanding just the right bit of it to also do their part.” The panel agreed that a resilience mindset is still lacking at executive level, with Verloy citing data: “UK banks were offline for 33 days over two years—still people don’t have this mindset yet at financial institutions. At least not on the CEO level.”

Internally, the panel emphasized the role of culture and onboarding. “We are an interesting target for an APT or a hacking group. We would lose all our customers potentially,” said Verloy, explaining why Rubrik embeds cybersecurity from Day One. Kuznetsov added: “I still think that I’m not educated enough. You cannot have this feeling of complacency, right? You need to continuously be educating yourself and the people around you so you keep that.” Roelofs argued that behavioral change comes from visibility and accountability: “Over the last couple of years we’ve really improved our insights, metrics and reports on things not going well and really put let’s say the names and numbers on that in terms of responsible CIOs and we actually see numbers improving when the accountability is there.”

The discussion ended with warnings on complacency around mobile and identity. “There’s a false sense of security on mobile. In Asia, millions were hit in days,” Kuznetsov said. Verloy underscored the foundational role of identity: “If your identity system is not operational then sort of everything stops and identity therefore is in our world it’s part of the tier zero.” The panel called for tighter integration across fraud and cyber teams, more deliberate data management, and a push to unify tooling to reduce blind spots.

Speech IV and Q&A – Alex Wood (Reformed Fraudster, Motivational Speaker & Government / Banking Advisor)

Wood took the stage to share the inside story of APP fraud. “My role today is really to give you a very rich understanding into what I call the criminal mind,” he said. Wood detailed how he once convinced a victim to transfer £1.3 million in a single 40-minute call, with tragic consequences: the victim suffered a stroke.

Wood explained that upcoming reimbursement legislation won’t deter fraudsters. “It shows you how light-footed fraudsters are, how quickly they can pivot.” He described social engineering as a psychological game, not a technical one—and warned that real-time voice and video deepfakes will soon become mainstream.

His advice to CISOs? Study psychopathy, understand the human mind, and assume attackers will adapt within hours of any new control.

Networking Drinks & Closing Remarks

The final session returned to the theme of collective resilience. Vergouw called on attendees to help expand the “circle of trust” while Dunnebier challenged organizations to map which critical tasks they could take over for each other in the event of a crisis.

Participants emphasized that cooperation should not be limited to information-sharing; it must extend to action. The sentiment was clear: resilience is not a document or a dashboard—it is a rehearsed capability.

The organizers closed by announcing that the next edition will be held on 21 May 2026. Until then, the Dutch financial sector has one job: turn intent into tested capability.
