Effective Date: August 27, 2025.
FS-ISAC, Inc. is a 501(c)(6) not-for-profit organization that advances cybersecurity and resilience in the global financial system.
This Privacy Notice describes FS-ISAC, Inc.’s practices regarding information we collect about you and the choices available to you regarding such information. For purposes of this Privacy Notice, unless otherwise stated, “information” or “personal information” or “personal data” means information relating to an identified or identifiable individual or “data subject,” and information that could reasonably be linked, directly or indirectly, with a particular consumer or household.
This Privacy Notice applies to information we collect where we control the purposes and means of processing, specifically information we collect:
This Privacy Notice does not apply to:
Please note that your use of the Service is subject to our Terms.
See additional disclosures if you live in the EEA, Switzerland, and the UK or Canada.
For our contact details, see the Contact Us section below.
This section describes the information we collect and how we collect it.
Information You Provide through the Service.
When you use the Service, you may be asked to provide information to us, such as when you create an account, make a purchase, sign up for our products or newsletters, respond to our surveys, or contact support. The categories of information we collect in this context include:
Please do not provide any information that we do not request.
Information from Your Browser or Device.
When you use the Service, we and third parties we work with automatically collect information from your browser or device. The categories of information we automatically collect in this context include:
This information is automatically collected through cookies and other tracking technologies incorporated into our Service, as described below:
We use these tracking technologies for a variety of purposes, including to help make our Service work, personalize your browsing experience, prevent fraud and assist with security, and perform measurement and analytics.
To exercise choice around tracking technologies, see Your Privacy Choices below.
Information from Our Business Relationships.
Through our business relationships with you, we collect your contact identifiers and other information relating to you and your business. This information is not subject to this Privacy Notice except as required by applicable law.
Information from Other Sources.
We also collect information from other sources. The categories of other sources from which we collect information include:
Information from our Events
By entering an Event or program of ours, you are entering an area where photography, audio, and video recording may occur and you consent to its/their release, publication, exhibition, or reproduction to be used for any purpose whatsoever in perpetuity in connection with our initiatives, including, by way of example only, use on websites, in social media, news and advertising. Images, photos and/or videos may be used to promote our Events in the future, highlight the Event, or for any other promotional or educational purpose.
In order to participate in our in-person Events, you may be issued a name tag that identifies the level of access that your registration grants you. You will be asked to show this name tag at the entry in the various areas of our Events, as this is in our legitimate interest to manage access to our Events. When we provide food and beverage at our Events, we may ask you about food allergies or other conditions, so that we adapt our menu accordingly. Providing this information is optional and we will only process it at your request.
The information above is stored by us in accordance with our data retention practices.
Information We Infer.
We infer new information from other information we collect, including to generate information about your likely preferences or other characteristics.
Sensitive Information.
Some of the information we collect may be considered sensitive under applicable law. See additional disclosures in your region for details.
Our purposes for collecting and using information include:
To exercise choice around our collection and use, see Your Privacy Choices below.
We disclose the information we collect for the purposes described in this Privacy Notice. The categories of persons to whom we disclose information include:
For Protected Video Information governed as “personally identifiable information” under the VPPA, your consent herein to our sharing of that “personally identifiable information” (defined as “information which identifies a person as having requested or obtained specific video materials or services….”) expires two (2) years after it is given; however, not all types of sharing require your consent. To the extent required by applicable law, you may at any time prospectively withdraw your consent regarding ongoing sharing of your Protected Video Information for purposes that the VPPA requires your consent by us by emailing us at the email address listed herein and stating that you desire to terminate your ongoing consent to the sharing of your Protected Video Information for purposes for which express consent is required. This will not affect sharing where consent is not required, and if you subsequently consent that new consent will override a prior withdrawal. The expiration or termination of your consent to Protected Video Information sharing, where required by applicable law, may result in the termination of your ability to continue to use the Services and/or suspension or termination of your account, and only limits our ability to continue to share your Protected Video Information to the extent required by applicable law. Any renewed use of the Services after termination or expiration is a new consent. If we obtain new consent from you after the expiration of the two (2) year period, your consent period may be extended for additional two (2) year periods each time we obtain new consent from you.
CONSENT FOR RESIDENTS OF MINNESOTA, NEW YORK, OR TENNESSEE. If you are a resident of Minnesota, New York, or Tennessee, the following is in addition to your general consent above. By acknowledging this Privacy Notice, you are effectively “signing” the consent in the corresponding state notices below:
Minnesota: This videotape service provider (videotape seller) from time to time provides marketers of goods and services, the names and addresses of customers and a description or subject matter of materials rented or purchased by video customers. The videotape service provider (videotape seller) may not include your name, address, or the description or subject matter of any material rented or purchased in these lists without your written consent. This election may be changed by you at any time by writing to the email address set out below, and including your name, address, or the description or subject matter of the material viewed, rented, or purchased.
New York: This video tape service provider from time to time provides marketers of goods and services, the names and addresses of customers and a description or subject matter of materials rented by video customers. You have the right to elect not to have your name, address or the description or subject matter of any material rented included in such lists. This election may be changed by you at any time by writing to the email address set out below.
Tennessee: This video tape service provider from time to time provides marketers of goods and services, the names and addresses of customers and a description or subject matter of materials rented by video customers. You have the right to elect not to have your name, address or the description or subject matter of any material rented included in such lists. This election may be changed by you at any time by writing to the email address set out below.
To exercise choice around our disclosures, see Your Privacy Choices below.
Our Service may link to, or be incorporated into, websites and online services controlled by third parties. In addition, we may integrate technologies into our Service, including those disclosed in the Collection section above, controlled by third parties. Except where third parties act as our service providers, they, and not us, control the purposes and means of processing any information they collect from you, and you should contact them directly to address any concerns you have about their processing. Third-party data practices are subject to their own policies and disclosures, including what information they collect, your choices, and whether they store information in the U.S. or elsewhere. We encourage you to familiarize yourself with and consult their privacy policies and terms of use.
In connection with providing services to our members, we collect and use information on their behalf (“member data”). For example, we may collect and process information in order to facilitate your orders, maintain and administer your accounts, respond to your questions, comply with your requests, market to you, and otherwise comply with the law. Member data has historically included contact identifiers, characteristics or demographics, commercial or transactions information, device identifiers, device information, internet activity, and non-precise location data, among other information. Our processing of member data as a processor or service provider is governed by the terms of our service agreements with our members and not this Privacy Notice. We are not responsible for how our clients treat the information we collect on their behalf, and we recommend you review their privacy policies and terms. In the event we are permitted to process client data for our own purposes, we will process the client data in accordance with the practices described in this Privacy Notice.
This section describes the choices available to you regarding your information.
Communications.
You can opt out of receiving marketing emails from us by changing your communication preferences through your FS-ISAC account settings, following the unsubscribe instructions near the bottom of such emails, or emailing us as set out in the Contact Us section below with the word UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt out of transactional emails. For marketing emails from a partner and member, please opt out through the portal or methods detailed in their privacy policies.
Accounts.
If you have an account with us, you can delete your account through your account settings. We will address your request in accordance with our data retention practices. If you have linked your Company account with certain third-party services, you may unlink your accounts at any time by visiting your Company account settings. Please note that unlinking your accounts will not affect any information previously disclosed through the linking. We are not responsible for the data practices of any third parties, and we recommend that you carefully review their privacy policies and terms of use.
Browser and Device Controls.
The Service is not directed toward or intended for individuals under 16 years old, unless permitted by local law with parental consent. We do not knowingly collect personal information (as that term is defined by the U.S. Children’s Online Privacy Protection Act, or “COPPA”) or personal data from children. If you are a parent or guardian and believe we have collected personal information from children, please contact us as set out in the Contact Us section below. We will delete the personal information in accordance with COPPA or applicable law.
We implement and maintain reasonable administrative, physical, and technical security safeguards to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Please note that transmission via the internet is not completely secure and we cannot guarantee the security of information about you.
We retain information for the length of time that is reasonably necessary for the purpose for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, prevent fraud, and enforce our agreements.
We are based in the U.S. We may transfer, access, or store personal information about you outside of the European Economic Area (“EEA”), Switzerland, or your country of residence, which may not provide the same level of data protection as your home country. If you are located outside the U.S., please be aware that your information may be transferred to and processed in the U.S. or another country where we operate.
Where required by applicable law, we will provide appropriate safeguards for data transfers.
We reserve the right to revise and reissue this Privacy Notice at any time. Any changes will be effective immediately upon posting of the revised Privacy Notice. Your continued use of our Service indicates your consent to the Privacy Notice posted. If the changes are material, we may provide additional notice to you, such as through email or prominent notice on the Service.
The controller under this Privacy Notice is:
FS-ISAC, Inc. (“Company,” “we,” “our,” or “us”)
12120 Sunset Hills Road
Reston, Virginia 20190
If you have questions about our practices regarding your information or have trouble accessing this Privacy Notice, please contact us at the postal address or email address above. To exercise choice available to you, please use the designated methods listed in this Privacy Notice.
Data Practices
FS-ISAC is a non-profit organization that advances cybersecurity and resilience in the global financial system, and as such processes personal data for the following purposes:
For individuals located in the European Economic Area, Switzerland, the United Kingdom and Canada, our practices regarding the collection, use, disclosure, and retention of your personal data are set out in the main Privacy Notice above.
Specific retention periods for various categories of personal data are determined based on the nature of the information and the purposes for which it is processed and subject to the records management policy of FS-ISAC and applicable law. Where no specific requirement is set out by law, we apply the following criteria:
Website and Browser/Device Information
When you use our Services, we and the third parties we work with automatically collect information from your browser or device as described previously. We undertake such processing with your consent. If you have provided your consent, we process personal information about you to:
You may withdraw your consent at any time by clicking the “unsubscribe” link in the email communications we send to you. If you are located in the EEA, UK, or Switzerland, we will collect and use non-essential cookies and similar technologies only with your consent, collected through a consent banner or tool available on our website. You may withdraw or change your consent preferences at any time by accessing the cookie settings on our website.
Lawful Basis for Processing
Under data protection laws applicable in the European Economic Area, United Kingdom, and Canada, we are required to identify the legal bases for our processing of your personal data. Our lawful bases include:
(a) you have given consent to the processing for one or more specific purposes (such as certain marketing, special dietary accommodations, or use of cookies), either to us or to our service providers, partners, members, or other participants, to respond to your requests and support you as a member, and to improve how we provide information and engage with our members;
(b) processing is necessary for the performance of a contract with you (such as creation and management of your account);
(c) processing is necessary for compliance with a legal obligation; or
(d) processing is necessary for the purposes of the legitimate interests pursued by us or a third party (for example, for analytics, fraud prevention, and improvement of our Services including to improve how we provide information, events, and engage specifically with you), and where your interests and fundamental rights and freedoms do not override those interests.
Whenever we collect special categories of data (e.g., information regarding food allergies), we will only do so based on your explicit consent.
We do not make any decisions based solely on automated processing, including profiling, about you that would result in legal or other similarly significant effects on you.
Where applicable, we will transfer your personal data to third countries subject to appropriate safeguards, as set out above in International Transfer.
Your Rights
In addition to the rights described here, individuals in the EEA, UK, and Canada have the following rights over their personal data:
We aim to respond to requests within one month or as otherwise required by applicable law.
To exercise any of these rights, write us at the email or postal address set out in the Contact Us section above (specifying the rights you wish to exercise). Additionally, your identity must be verified, or if this is done through a legal representative, suitable evidence of authority, with your name and address or other means to communicate the response to your request, as well as any other element or document that facilitates the location of personal data.
If you object to or limit the use or sharing of your personal data necessary to provide the Services or otherwise make the performance of an agreement or contract impossible, it may not be possible to act on such instruction and continue to provide the Services.
Complaints
If you have any issues with our compliance that cannot be addressed through the links provided for access, correction and 'do not sell' above, you may contact our Data Protection Officer at privacy@fsisac.com.
You also have the right to lodge a complaint with the data protection regulator in your jurisdiction.
© Copyright 1999 - FS-ISAC, Inc. All Rights Reserved.