Phoenix, AZ: The Cyber Risk Institute (CRI) is pleased to announce the appointment of three new Directors to its Board: Shaun Khalfan, Chief Information Security Officer at PayPal; Karl Schimmeck, Chief Information Security Officer at Synchrony Financial; and Howard Whyte, Chief Information Security Officer at CRC Group.
Shaun Khalfan serves as Senior Vice Presidesnt and Chief Information Security Officer at PayPal, where he leads the company’s information security strategy, engineering, and efforts to protect customer data, digital assets, and payments. With more than 20 years of experience in information security and risk management, Mr. Khalfan has held senior leadership roles at major financial institutions and U.S. government agencies. Prior to joining PayPal, he served as SVP and CISO at Discover Financial Services, overseeing enterprise-wide cybersecurity risk management, cloud security, and modernization initiatives. Mr. Khalfan serves on the board of the Kohl Children’s Museum and teaches as an adjunct professor at Carnegie Mellon University.
Karl Schimmeck is Senior Vice President and Chief Information Security Officer at Synchrony Financial, where he oversees Information Security, Cybersecurity, and Data Protection programs and engages with leadership, regulators, and law enforcement on complex security issues. He previously served as EVP and CISO at Northern Trust and held senior cybersecurity roles at Morgan Stanley, including CISO for U.S. Banks and head of Global Security Assurance. Prior to those roles, he led cybersecurity and operational risk initiatives at the Securities Industry and Financial Markets Association (SIFMA), where he helped develop the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and began his financial services career at Goldman Sachs. A former U.S. Marine Corps officer, Mr. Schimmeck has also been a key industry leader, helping to found the Financial Services Analysis and Resiliency Center (FS-ARC) and Sheltered Harbor, and currently serves on the boards of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and CRI.
Howard Whyte serves as Chief Information Security Officer at CRC Group, bringing more than 20 years of cybersecurity leadership across the financial sector, private industry, and government. Most recently, he served as Customer Security Officer at Microsoft, advising global clients on cybersecurity strategy and risk management. Previously, he was CISO at Truist Financial Corporation, Boeing, and the Federal Deposit Insurance Corporation (FDIC), where he also served as Chief Information Officer and Chief Privacy Officer. Mr. Whyte has also served on the boards of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Financial Data Exchange (FDX), helping to advance industry collaboration on cybersecurity and data protection. He holds a Bachelor of Science in Management Studies from the University of Maryland and an MBA from the University of Phoenix.
Josh Magri, President and Founder of CRI, expressed his enthusiasm for the new appointments:
“I am honored to welcome Shaun Khalfan and Howard Whyte as new members to the CRI Board. They bring a wealth of experience and insight that will be invaluable as we continue to grow and scale the organization. I am also pleased to welcome back Karl Schimmeck whose deep industry expertise and steady guidance have long benefited CRI.” The CRI Board of Directors is composed of leaders who reflect the complexity and diversity of the financial services industry. The Board plays a critical role in guiding the strategic direction of CRI and its suite of products, including the CRI Profile, the Profile Guidebook, the Maturity Model, and the Cloud Profile.
###
The Cyber Risk Institute mission is to advance the development and harmonization of cybersecurity, technology, and AI risk management standards for the financial services industry. As a not-for-profit (501[c][6]), standards development organization, CRI connects threats to mitigating controls and associated compliance to provide institutions with a comprehensive view of risk—from the server room to the boardroom. CRI does this through our products—CRI Profile, Cloud Profile, and FS AI RMF—member engagement, and an ecosystem of globally known tool providers and consulting firms.
Media Contact:
Emily Beam
Emily.Beam@cyberriskinstitute.org
November 06, 2025
BACK TO TOP
