FS-ISAC, Inc. PRIVACY NOTICE

Effective Date: August 27, 2025.

  1. Introduction.

FS-ISAC, Inc. is a 501(c)(6) not-for-profit organization that advances cybersecurity and resilience in the global financial system.

This Privacy Notice describes FS-ISAC, Inc.’s practices regarding information we collect about you and the choices available to you regarding such information. For purposes of this Privacy Notice, unless otherwise stated, “information” or “personal information” or “personal data” means information relating to an identified or identifiable individual or “data subject,” and information that could reasonably be linked, directly or indirectly, with a particular consumer or household.

This Privacy Notice applies to information we collect where we control the purposes and means of processing, specifically information we collect:

      • Through any of our websites, emails, and all products and services offered by FS-ISAC (collectively, “FS-ISAC”, “FS-ISAC Platform”, “we”, “us” or “our”) hereinafter collectively referred to as our “Service” or “Services.”
      • Offline, including in-person at FS-ISAC, Inc.’s events, including conferences, trainings, exercises, member meetings or other activities (each, an “Event”).

This Privacy Notice does not apply to:

      • the practices of third parties we do not control, or to websites that we or Members (defined below) may link to.
      • information collected in a commercial or business-to-business context.
      • information processed by us on behalf of our members and other participants.
      • information collected in the context of your job application or employment with us.
      • information that has been anonymized or, to the extent permitted by law, deidentified such that the recipient may not reasonably reidentify the individual to whom the information may relate

Please note that your use of the Service is subject to our Terms.

See additional disclosures if you live in the EEA, Switzerland, the UK, or Canada.

For our contact details, see the Contact Us section below.

  2. Collection.

This section describes the information we collect and how we collect it.

Information You Provide through the Service.

When you use the Service, you may be asked to provide information to us, such as when you create an account, make a purchase, sign up for our products, newsletters, respond to our surveys, or contact support. The categories of information we collect in this context include:

  • Contact Identifiers, including your name, title, email address, postal address, and phone number, or country.
  • Commercial or transactions information, including records of products or services you purchased, obtained, or considered.
  • Account credentials, including your username, password, password hints, and other information for authentication or account access, including your consents to the processing of personal information, and FS-ISAC’s terms and conditions, and when it was given.
  • Payment information, including your payment instrument number (such as a credit card number), and as relevant, expiration date, and security code as necessary to process your payments. This information is processed by our payment processors.
  • Content, including content within any messages you send to us (such as feedback, questions, or survey responses) or publicly post on the Service (such as in product reviews or blog comments).
  • Speaker information, including name, title, email, company, professional biography, presentation slides, profile picture (if provided), and photos and videos of you at our Events.

Please do not provide any information that we do not request.

Information from Your Browser or Device.

When you use the Service, we and third parties we work with automatically collect information from your browser or device. The categories of information we automatically collect in this context include:

  • Device identifiers, including your device’s IP address.
  • Device information, including your device’s operating software and browser (e.g., type, version, and configuration), internet service provider, and regional and language settings.
  • Internet activity, including information about your browsing history and interactions, such as the features you use, pages you visit, content you view, time of day you browse, and referring and exiting pages.
  • Non-precise location data, such as location derived from an IP address or data that indicates a city or postal code level.

This information is automatically collected through cookies and other tracking technologies incorporated into our Service, as described below:

  • Cookies. Cookies are browser-based text files which are dropped on your browser when you visit a website, open or click on an email, or interact with an advertisement. There are various types of cookies, including session cookies (which are cookies that expire when you close your browser) and persistent cookies (which are cookies that do not expire until a set expiration date, or you manually delete them). Cookies may be first party (which are cookies served directly by us) or third party (which are cookies served by third parties we work with).
  • Pixels (also known as web beacons) are code embedded in a service. There are various types of pixels, including image pixels (which are one-pixel transparent images) and JavaScript pixels (which contain JavaScript code). Pixels are often used in conjunction with cookies. When you access a service that contains a pixel, the pixel may permit us or a third party to collect information from your browser or device, or to drop or read cookies on your browser.

We use these tracking technologies for a variety of purposes, including to help make our Service work, personalize your browsing experience, prevent fraud and assist with security, and perform measurement and analytics.

To exercise choice around tracking technologies, see Your Privacy Choices below.

Information from Our Business Relationships.

Through our business relationships with you, we collect your contact identifiers and other information relating to you and your business. This information is not subject to this Privacy Notice except as required by applicable law.

Information from Other Sources.

We also collect information from other sources. The categories of other sources from which we collect information include:

  • Business partners that offer co-branded services, sell or distribute our products, or engage in joint marketing or promotional activities.
  • Third-party vendors and related parties we work with in connection with receiving analytics, security, and fraud prevention services.
  • Social media platforms with which you interact. For example, when you engage with our content on social media (such as through our brand page or direct messages), we may collect information such as your contact identifiers and any comments you provide. We may also receive additional information from the social media platform that you have authorized the platform to disclose to us. If you publicly reference our Service on social media (such as by tagging us or using a hashtag associated with us in a post), we may use your reference on or in connection with our Service.
  • Data providers, such as licensors of private and public databases.
  • Public sources, such as information in the public domain.

Information from our Events

By entering an Event or program of ours, you are entering an area where photography, audio, and video recording may occur, and you consent to its/their release, publication, exhibition, or reproduction for any purpose whatsoever in perpetuity in connection with our initiatives, including, by way of example only, use on websites, in social media, news and advertising. Images, photos and/or videos may be used to promote our Events in the future, highlight the Event, or for any other promotional or educational purpose.

In order to participate in our in-person Events, you may be issued a name tag that identifies the level of access that your registration grants you. You will be asked to show this name tag at the entry to the various areas of our Events, as it is in our legitimate interest to manage access to our Events. When we provide food and beverage at our Events, we may ask you about food allergies or other conditions so that we can adapt our menu accordingly. Providing this information is optional and we will only process it at your request.

The information above is stored by us in accordance with our data retention practices.

Information We Infer.

We infer new information from other information we collect, including to generate information about your likely preferences or other characteristics.

Sensitive Information.

Some of the information we collect may be considered sensitive under applicable law. See additional disclosures in your region for details.

  3. Purposes for Collection and Use.

Our purposes for collecting and using information include:

  • Providing services. We collect and use information to provide services to you, including to operate the Service, establish and maintain your account, and provide support.
  • Personalizing your experience. We collect and use information to personalize your experience and show you content we believe you will find interesting.
  • Communications. We collect and use information to communicate with you about updates, security alerts, changes to policies, contact you with regard to events or other products you have purchased or registered for, and other transactional messages. We also collect and use information to personalize and deliver marketing communications to you, including by email.
  • Analytics. We collect and use information to understand trends, usage, and activities, for example through surveys you respond to and tracking technologies that we incorporate into the Service (such as Google Analytics).
  • Improvements. We collect and use information to develop and improve our services.
  • Security and enforcement. We collect and use information to prevent, detect, investigate, and address fraud, breach of policies or terms, or threats or harm.
  • At your direction or with your consent. We collect and use information for additional purposes where you direct us to use it in a certain way or with notice to you and your consent.
  • Non-personal information. Sometimes we anonymize or deidentify information, so it is no longer considered personal information under applicable law. Where we deidentify information, we commit to maintain and use the deidentified information in deidentified form and not attempt to reidentify it. We may use non-personal information for any purpose to the extent permitted by applicable law.

To exercise choice around our collection and use, see Your Privacy Choices below.

  4. Disclosure.

We disclose the information we collect for the purposes described in this Privacy Notice. The categories of persons to whom we disclose information include:

  • Business partners. We disclose information to our business partners in connection with offering co-branded services, selling or distributing our products, or engaging in joint marketing or promotional activities.
  • Affiliates. We disclose information to our affiliates and related entities, including where they act as our service providers subject to this Privacy Notice or use the information in accordance with their own privacy policies.
  • The public. We disclose information you make public, such as information in your profile or that you post on public boards. Please think carefully before making information public as you are solely responsible for any information you make public. Once you have posted information, you may not be able to edit or delete such information, subject to any rights you have under applicable law.
  • Recipients of viewing information. In certain circumstances, we disclose information about the videos you view on our Service along with other information we have about you, including information you have provided to us (such as your name or address) and information we have automatically collected (such as an IP address, device identifier, or precise location data) (“User Content Information”). By using the Service, you consent to our doing so, including the collection, use, and disclosure of your User Content Information to third parties in accordance with this Privacy Notice. Some of your User Content Information may be subject to requirements under the federal Video Privacy Protection Act (“VPPA”) and similar state laws that you consent to certain types of sharing of that information with third parties (“Protected Video Information”). By acknowledging this Privacy Notice, you are consenting to our sharing of your Protected Video Information, including what videos were watched and what video programming was otherwise interacted with, on the devices on which the Services have been activated or accessed.

For Protected Video Information governed as “personally identifiable information” under the VPPA, your consent herein to our sharing of that “personally identifiable information” (defined as “information which identifies a person as having requested or obtained specific video materials or services….”) expires two (2) years after it is given; however, not all types of sharing require your consent. To the extent required by applicable law, you may at any time prospectively withdraw your consent regarding ongoing sharing of your Protected Video Information for purposes that the VPPA requires your consent by us by emailing us at the email address listed herein and stating that you desire to terminate your ongoing consent to the sharing of your Protected Video Information for purposes for which express consent is required. This will not affect sharing where consent is not required, and if you subsequently consent that new consent will override a prior withdrawal. The expiration or termination of your consent to Protected Video Information sharing, where required by applicable law, may result in the termination of your ability to continue to use the Services and/or suspension or termination of your account, and only limits our ability to continue to share your Protected Video Information to the extent required by applicable law. Any renewed use of the Services after termination or expiration is a new consent. If we obtain new consent from you after the expiration of the two (2) year period, your consent period may be extended for additional two (2) year periods each time we obtain new consent from you.

CONSENT FOR RESIDENTS OF MINNESOTA, NEW YORK, OR TENNESSEE. If you are a resident of Minnesota, New York, or Tennessee, the following is in addition to your general consent above. By acknowledging this Privacy Notice, you are effectively “signing” the consent in the corresponding state notices below:

Minnesota: This videotape service provider (videotape seller) from time to time provides marketers of goods and services the names and addresses of customers and a description or subject matter of materials rented or purchased by video customers. The videotape service provider (videotape seller) may not include your name, address, or the description or subject matter of any material rented or purchased in these lists without your written consent. This election may be changed by you at any time by writing to the email address set out below, and including your name, address, or the description or subject matter of the material viewed, rented, or purchased.

New York: This video tape service provider from time to time provides marketers of goods and services, the names and addresses of customers and a description or subject matter of materials rented by video customers. You have the right to elect not to have your name, address or the description or subject matter of any material rented included in such lists. This election may be changed by you at any time by writing to the email address set out below.

Tennessee: This video tape service provider from time to time provides marketers of goods and services the names and addresses of customers and a description or subject matter of materials rented by video customers. You have the right to elect not to have your name, address or the description or subject matter of any material rented included in such lists. This election may be changed by you at any time by writing to the email address set out below.

  • Recipients for security and enforcement. We disclose information to comply with the law or other legal process, and where required, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We also disclose information to protect the rights, property, life, health, security and safety of us, the Service or anyone else.
  • Recipients at your direction or with your consent. We disclose information where you direct us to or with notice to you and your consent.
  • Non-personal information. We may disclose non-personal information for any purpose to the extent permitted by applicable law.

To exercise choice around our disclosures, see Your Privacy Choices below.

  5. Third Parties.

Our Service may link to, or be incorporated into, websites and online services controlled by third parties. In addition, we may integrate technologies into our Service, including those disclosed in the Collection section above, controlled by third parties. Except where third parties act as our service providers, they, and not us, control the purposes and means of processing any information they collect from you, and you should contact them directly to address any concerns you have about their processing. Third-party data practices are subject to their own policies and disclosures, including what information they collect, your choices, and whether they store information in the U.S. or elsewhere. We encourage you to familiarize yourself with and consult their privacy policies and terms of use.

  6. Processing on behalf of Our Members.

In connection with providing services to our members, we collect and use information on their behalf (“member data”). For example, we may collect and process information in order to facilitate your orders, maintain and administer your accounts, respond to your questions, comply with your requests, market to you, and otherwise comply with the law. Member data has historically included contact identifiers, characteristics or demographics, commercial or transactions information, device identifiers, device information, internet activity, and non-precise location data, among other information. Our processing of member data as a processor or service provider is governed by the terms of our service agreements with our members and not this Privacy Notice. We are not responsible for how our clients treat the information we collect on their behalf, and we recommend you review their privacy policies and terms. In the event we are permitted to process client data for our own purposes, we will process the client data in accordance with the practices described in this Privacy Notice.

  7. Your Privacy Choices.

This section describes the choices available to you regarding your information.

Communications.

You can opt out of receiving marketing emails from us by changing your communication preferences through your FS-ISAC account settings, following the unsubscribe instructions near the bottom of such emails, or emailing us as set out in the Contact Us section below with the word UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt out of transactional emails. For marketing emails from a partner or member, please opt out through the portal or methods detailed in their privacy policies.

Accounts.

If you have an account with us, you can delete your account through your account settings. We will address your request in accordance with our data retention practices. If you have linked your Company account with certain third-party services, you may unlink your accounts at any time by visiting your Company account settings. Please note that unlinking your accounts will not affect any information previously disclosed through the linking. We are not responsible for the data practices of any third parties, and we recommend that you carefully review their privacy policies and terms of use.

Browser and Device Controls.

  • Cookies and Pixels. You may be able to manage cookies through your browser settings. When you manage cookies, pixels associated with such cookies may also be impacted. Please note that cookie management only applies to our website. If you use multiple browsers, you will need to instruct each browser separately. If you delete or reset your cookies, you will need to reconfigure your settings. Your ability to limit cookies is subject to your browser settings and limitations.
  • Preference signals. Your browser or extension may allow you to automatically transmit Do Not Track and other preference signals. Except as required by law, we do not respond to preference signals.
  • Third-party opt-out tools. Some third parties we work with offer their own opt-out tools related to information collected through cookies and pixels. To opt out of your information being used by Google Analytics, please visit https://tools.google.com/dlpage/gaoptout. We are not responsible for the effectiveness of their tools.

  8. Children.

The Service is not directed toward or intended for individuals under 16 years old, unless permitted by local law with parental consent. We do not knowingly collect personal information (as that term is defined by the U.S. Children’s Online Privacy Protection Act, or “COPPA”) or personal data from children. If you are a parent or guardian and believe we have collected personal information from children, please contact us as set out in the Contact Us section below. We will delete the personal information in accordance with COPPA or applicable law.

  9. Security.

We implement and maintain reasonable administrative, physical, and technical security safeguards to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Please note that transmission via the internet is not completely secure and we cannot guarantee the security of information about you.

  10. Retention.

We retain information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.

  11. International Transfer.

We are based in the U.S. We may transfer, access, or store personal information about you outside of the European Economic Area (“EEA”), Switzerland, or your country of residence, which may not provide the same level of data protection as your home country. If you are located outside the U.S., please be aware that your information may be transferred to and processed in the U.S. or another country where we operate.

  • We may transfer personal information to countries with privacy laws recognized by the country from which the data are transferred as providing similar protections for the data.
  • We may enter into written agreements with recipients that require them, through specific international data transfer sections, to provide the same level of protection for the data. For individuals in the EEA, UK and Switzerland, we implement appropriate safeguards for international data transfer, such as Standard Contractual Clauses, or other mechanisms as required by law.
  • We may rely on other transfer mechanisms approved by authorities in the country from which the data are transferred.

Where required by applicable law, we will provide appropriate safeguards for data transfers.

  12. Changes to this Privacy Notice.

We reserve the right to revise and reissue this Privacy Notice at any time. Any changes will be effective immediately upon posting of the revised Privacy Notice. Your continued use of our Service indicates your consent to the Privacy Notice posted. If the changes are material, we may provide additional notice to you, such as through email or prominent notice on the Service.

  13. Contact Us.

The controller under this Privacy Notice is:

FS-ISAC, Inc. (“Company,” “we,” “our,” or “us”)

12120 Sunset Hills Road

Reston, Virginia 20190

privacy@fsisac.com

If you have questions about our practices regarding your information or have trouble accessing this Privacy Notice, please contact us at the postal address or email address above. To exercise choice available to you, please use the designated methods listed in this Privacy Notice.

  14. EEA, Switzerland, the UK, and Canada

Data Practices

FS-ISAC is a non-profit organization that advances cybersecurity and resilience in the global financial system, and as such processes personal data for the following purposes:

  • Member engagement and support.
  • Research, education, information and knowledge-sharing.
  • Events and conferences.
  • Provision of a marketplace for services and products as benefits to members.

For individuals located in the European Economic Area, Switzerland, the United Kingdom and Canada, our practices regarding the collection, use, disclosure, and retention of your personal data are set out in the main Privacy Notice above.

Specific retention periods for various categories of personal data are determined based on the nature of the information and the purposes for which it is processed and subject to the records management policy of FS-ISAC and applicable law. Where no specific requirement is set out by law, we apply the following criteria:

  • Account data: retained as long as the account is active plus seven years.
  • Event registration data: retained for seven years after the event.

Website and Browser/Device Information

When you use our Services, we and the third parties we work with automatically collect information from your browser or device as described previously. We undertake such processing with your consent. If you have provided your consent, we process personal information about you to:

  • Send direct email marketing communications about our Services, Events and related resources that may interest you.
  • Use non-necessary cookies and other data collection technologies to help you navigate our website or technical solutions, personalize and provide a more convenient experience to you, analyze which pages you visit, provide features such as social sharing widgets and videos, measure advertising and promotional effectiveness, assess which areas of our site you visit, and to provide content to you from our third-party content partners.

You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you. If you are located in the EEA, UK, or Switzerland, we will collect and use non-essential cookies and similar technologies only with your consent, collected through a consent banner or tool available on our website. You may withdraw or change your consent preferences at any time by accessing the cookie settings on our website.

Lawful Basis for Processing

Under data protection laws applicable in the European Economic Area, United Kingdom, and Canada, we are required to identify the legal bases for our processing of your personal data. Our lawful bases include:

(a) you have given consent to the processing for one or more specific purposes (such as certain marketing, special dietary accommodations, or use of cookies), either to us or to our service providers, partners, members, or other participants, to respond to your requests and support you as a member, and to improve how we provide information and engage with our members;

(b) processing is necessary for the performance of a contract with you (such as creation and management of your account);

(c) processing is necessary for compliance with a legal obligation; or

(d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party (for example, for analytics, fraud prevention, and improvement of our Services including to improve how we provide information, events, and engage specifically with you), and where your interests and fundamental rights and freedoms do not override those interests.

Whenever we collect special categories of data (e.g., information regarding food allergies), we will only do so based on your explicit consent.

We do not make any decisions based solely on automated processing, including profiling, about you that would result in legal or other similarly significant effects on you.

Where applicable, we will transfer your personal data to third countries subject to appropriate safeguards, as set out above in International Transfer.

Your Rights

In addition to the rights described here, individuals in the EEA, UK, and Canada have the following rights over their personal data:

  • The right to access and obtain a copy of their personal data.
  • The right to request rectification or correction of inaccurate data.
  • The right to erasure of personal data ('right to be forgotten').
  • The right to restrict or object to specific types of processing (including direct marketing or automated decision-making, and the right to ask us not to process your personal data for marketing purposes or purposes materially different than for which it was originally collected or subsequently authorized by you).
  • The right to data portability (as set out by applicable legislation).
  • The right to withdraw consent at any time (for any data processing we do based on consent you have provided to us).
  • The right to lodge a complaint with the appropriate supervisory authority or data protection regulator.

We aim to respond to requests within one month or as otherwise required by applicable law.

To exercise any of these rights, write to us at the email or postal address set out in the Contact Us section above, specifying the rights you wish to exercise. Additionally, your identity must be verified (or, if the request is made through a legal representative, suitable evidence of authority must be provided), together with your name and address or other means for us to communicate the response to your request, as well as any other element or document that facilitates the location of your personal data.

If you object to or limit the use or sharing of your personal data necessary to provide the Services or otherwise make the performance of an agreement or contract impossible, it may not be possible to act on such instruction and continue to provide the Services.

Complaints

If you have any issues with our compliance that cannot be addressed through the links provided for access, correction and 'do not sell' above, you may contact our Data Protection Officer at privacy@fsisac.com.

You also have the right to lodge a complaint with the data protection regulator in your jurisdiction.