Banks, broker-dealers, issuers, mutual funds and institutional investors worldwide trust Broadridge to securely process and distribute the securities data and investor information that drives their businesses and the global marketplace.
To protect the technology infrastructure that stores, processes and transmits our clients’ confidential information, Broadridge has a dedicated and trained Information Security team with the sole purpose of managing Broadridge’s internal and external security efforts including securing our facilities and data centers, educating our associates, and protecting our clients’ confidential information.
Our information security program is designed to meet the needs of our clients who entrust us with their sensitive information. We maintain International Organization for Standardization (“ISO”) 27001 certification for most of our business units and core applications and facilities, and, where applicable, align to other industry standards or frameworks, including Cloud Security Alliance’s Cloud Controls Matrix (“CSA CCM”), Payment Card Industry Data Security Standard (“PCI DSS”), Health Insurance Portability and Accountability Act (“HIPAA”), and HITRUST Common Security Framework (“HITRUST CSF”).
We take the following actions, among others, to demonstrate our commitment to maintaining the highest levels of information security, provide for the availability of critical data and systems, maintain regulatory compliance, manage our material risks from cybersecurity threats, and to identify, protect against, detect, respond to, and recover from cybersecurity incidents:
- leverage encryption, data masking technology, data loss prevention technology, authentication technology, entitlement management, access control, network and application segmentation, anti-malware software, and transmission of data over private networks, among other systems and procedures designed to protect against unauthorized access to information;
- conduct annual reviews with many of our clients on our cybersecurity and data security policies, practices and controls, and engage with regulators across the world, to remain apprised of cybersecurity and data security standards and best practices;
- utilize the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Framework”) issued by the U.S. government as a guideline to manage our cybersecurity-related risk. We are currently evaluating our program against the newly issued NIST Framework 2.0. The NIST Framework outlines security controls and outcomes over five functions: identify, protect, detect, respond, and recover;
- conduct network and endpoint monitoring, vulnerability assessments, and network penetration testing;
- conduct quarterly information security management and incident training, and regular phishing email simulations for all associates to enhance awareness and responsiveness to possible threats;
- run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our policies and procedures;
- conduct information security reviews and due diligence on key service providers to identify, assess, mitigate, and monitor risks associated with our use of third-party software and services; and
- maintain global information security policies and procedures, including an incident response and crisis management plan which include processes to triage, assess, investigate, escalate, contain, and remediate cybersecurity incidents.