Information security is a vital prerequisite for any firm that wishes to interact with the capital markets. Industry firms must exchange large quantities of highly sensitive information and signal stability to their clients and counterparties.

The requirements are numerous, and the increasing need to operate in multiple asset classes or jurisdictions compounds the problem.

At Itiviti, a Broadridge business, we understand that these considerations are fundamental. That’s why we are pleased to announce that a few weeks ago, following an extensive audit, Itiviti’s Information Security Management System (ISMS) Program has been awarded the ISO/IEC 27001:2013 certification for the fourth consecutive year. 

Adherence to globally recognized standards for reliability and confidentiality is one of our top priorities, and it is our hope that this recognition will raise awareness of our market-leading position in these areas.

“Our ISMS Program encompasses our entire operations globally, from the managed infrastructure where client data is housed to our internal corporate network.”

Omar McKenzie

A culture of security

Our ISMS Program covers a range of functions – information security, network security and data protection services, as well as our risk and governance committee. It encompasses our entire operations globally, from the managed infrastructure where client data is housed to our internal corporate network. 

Regular infrastructure review and improvements

From top to bottom, we strive to maintain a culture of security, with the full support of our management and board of directors and a dedicated budget for infrastructure improvements.

We perform quarterly reviews and make continuous updates to ensure any vulnerabilities are identified and resolved as quickly as possible.

Upholding best practices for clients

While vendors are not required to maintain such a robust security operation, we have identified it as one of our most crucial best practices.

Our clients are among the most regulated firms in the world, with numerous security and compliance burdens across a wide range of jurisdictions, and we want them to see that we have received a vote of confidence from a respected standard. We understand what it means to go through an audit and answer tough questions about our infrastructure, and that puts us in an ideal position to help our clients meet the very same challenges with confidence and efficiency.

“We strive to maintain a culture of security, with the full support of our management, board of directors, and a dedicated budget for infrastructure improvements.”

Omar McKenzie

High resiliency and continuity at all times

While the ISO/IEC certification lasts for three years, it involves an annual surveillance audit as part of its ongoing oversight. Receiving our fourth consecutive certification means we just started our second three-year cycle, which marks a significant milestone for our ISMS team.

Passing the audit once is validation in itself, but doing so multiple times is evidence of a sustained effort and commitment to maintain robust security protocols on an enterprise level.

Beyond demonstrating a general commitment to security, the onset of the COVID-19 pandemic thrust our ISO/IEC audit into the spotlight. The implementation of our business continuity plan occurred seamlessly in part because we were asked to sort it out two years ahead to receive our initial certification. While we had always been attuned to potential disruption, the need to refine our process, secure the necessary approvals and put it all in writing meant we were ready to go from the moment the lockdowns began.

Proven infrastructure and operations during COVID-19

March 2020 was a true all-hands-on-deck moment – we needed every single employee working to help our clients navigate a rapidly changing world.

The necessary security adjustments were minimal – devices that our people brought home were already prepped for remote use, so they were fully secure regardless of the user’s home network. On the client side, our multiple data centers were managed remotely and tested continuously, minimizing disruption.

While we worked to increase bandwidth on the back end, all products and services remained fully functional throughout this shift. This was critical as our clients were forced to navigate not just new work environments, but also highly volatile markets.

Proven infrastructure and operations, settling 6 million new orders a day in highly volatile times.

“On the client side, our multiple data centers were managed remotely and tested continuously, minimizing disruption [...] This was critical as our clients were forced to navigate new work environments and highly volatile markets.”

Omar McKenzie

Staying Ahead and Ongoing Innovations

Keep up with global information security standards

Having a global customer base means accounting for diverse needs, and we are no exception. At Itiviti, our ISMS team is in constant improvement mode, actively monitoring relevant information security standards around the globe. These include GDPR in the EU, Hong Kong's (HK) Securities and Futures Commission (SFC), Monetary Authority of Singapore (MAS), UK Financial Conduct Authority (FCA), and the US Financial Industry Regulatory Authority (FINRA), among others.

In recent years, we have streamlined our client due diligence process and act on client audit requests quickly and efficiently. We perform as many as 250 of these audits a year, so efficiencies in this area make a real difference. We have also implemented a Security Operations Center (SOC) to serve as the eyes and ears of our network on a 24/7 basis, serving as an additional line of defense to complement our global monitoring team.

New initiatives to support future growth

Now part of the larger Broadridge family, the added scale has spurred the team to take a closer look at the legal dynamics between the US and the EU in terms of exporting data. It has also prioritized data encryption. While Itiviti does not process or store personally identifiable information, some of our clients have alerted us that they would prefer some amount of encryption, and we are making progress in this area.

Looking ahead, there is still much fertile ground for innovation. We are actively working to make our SOC group more proactive by providing them with the necessary resources to perform threat hunting and to search for and remediate vulnerabilities throughout our ecosystem. We also strive to stay on top of all manner of threats, and to that end constantly train our people and systems to respond to new forms of ransomware and phishing, even training them in lab environments.

Overall, every division of Itiviti is working to support the firm’s growth ambitions, and the ISMS team is no exception. This is especially important as new players with a strong grasp of security, including crypto firms, private equity firms and hedge funds, continue to enter the space. The information security landscape is ever-changing, and we stand ready to support our business and our clients through adaptation, expertise and constant improvement.

“The information security landscape is ever-changing, and we stand ready to support our business and our clients through adaptation, expertise and constant improvement.”

Omar McKenzie

Written by

Omar McKenzie

Head of Security & Compliance Services, Itiviti, a Broadridge Business