Six years ago, I wrote a piece on this site about why financial crime and cybersecurity need to team up. The core argument was that cyber-enabled financial crime — attacks that combine technical intrusion with financial exploitation — was outpacing both disciplines because neither was equipped to address the combined threat alone. Cybersecurity teams could detect the intrusion but not the financial manipulation. Financial crime teams could detect the money movement but not the technical compromise that preceded it.
That argument has held up. The problem has gotten worse.
What changed since 2017
The most significant development since I wrote that piece is the industrialisation of crypto-enabled state-sponsored theft. North Korea’s Lazarus Group — a military hacking unit — has stolen an estimated $3 billion in cryptocurrency since 2017, including $625 million from the Ronin Bridge alone. The stolen funds are laundered through mixers like ChipMixer and Tornado Cash, converted to fiat through exchanges like Garantex, and used to fund North Korea’s nuclear weapons programme.
This is not a cybersecurity problem. It is not a financial crime problem. It is both, simultaneously, and any response that treats it as one or the other will fail.
The same convergence is visible in ransomware. A ransomware attack is a cyberattack. The ransom payment is a financial transaction. The laundering of that payment through mixers and unregulated exchanges is a financial crime. The infrastructure that makes it all possible — the initial access brokers, the ransomware-as-a-service platforms, the bulletproof hosting, the cash-out networks — spans both domains.
Yet in most organisations, these domains are still handled by separate teams with separate reporting lines, separate tools, and separate training. The CISO does not attend the MLRO’s meetings. The compliance team does not receive threat intelligence from the SOC. The SAR filed by the financial crime team does not reference the incident response report produced by the cybersecurity team.
Why the silo persists
The organisational separation between financial crime and cybersecurity is not arbitrary. It has historical and regulatory roots. Financial crime compliance is regulated — the BSA, the MLR, the FATF recommendations all impose specific obligations on specific roles within specific institutions. The MLRO has statutory duties. The compliance function has regulatory accountability. These are not roles that can be casually merged with IT security.
Conversely, cybersecurity has evolved from a technology function. CISOs typically report through the CTO or CIO. Their training is technical — network security, application security, incident response. The frameworks they operate under (NIST, ISO 27001, SOC 2) are technology frameworks, not financial crime frameworks.
These separate regulatory and organisational structures made sense when the threats were separate. A bank robber and a hacker were different people with different methods targeting different vulnerabilities. But when the hacker and the money launderer are the same person — or the same state — the organisational separation becomes a vulnerability.
What convergence actually looks like
I am not arguing that every company should merge its CISO and MLRO roles. That would create its own problems, not least because the skill sets are genuinely different. What I am arguing is that the two functions need structured mechanisms for sharing intelligence, coordinating response, and developing joint analytical capabilities.
In practice, this means threat intelligence sharing between SOC and compliance teams, so that indicators of compromise can be correlated with suspicious transaction patterns. It means joint investigation protocols for incidents that have both a cyber and a financial component, so that the forensic evidence chain is preserved for both criminal prosecution and regulatory reporting. It means training that crosses the divide, so that compliance analysts understand basic attack techniques and cybersecurity analysts understand the mechanics of money laundering.
The organisations that have done this well — and there are some, particularly in the larger banks and in the intelligence community — have consistently produced better outcomes than those that have not. The challenge is making it the norm rather than the exception.
The criminals have already converged. Our defences need to do the same.