As a service provider to financial institutions, it is our responsibility to establish and manage a culture of security, accountability and regulatory compliance. For this reason, we have implemented an information security management framework in alignment with the International Organization for Standardization (ISO) 27002.

We have made significant investments in business continuity, information security and vendor management tools to further our commitment to our corporate culture while continuing to deliver service excellence. As an example, we purchased a critical alert and mass notification system that is used to notify employees, associates, agents and clients in the event of emergency or urgent notice. This investment was made as a result of regulatory requirements on financial institutions regarding incident reporting and management programs in order to identify, report, investigate and escalate incidents to our clients as quickly as possible.

Information management is fundamental to how we manage our business. As a result, we introduced additional controls in our operating environment to meet the trust services criteria for the security principle established by the American Institute of Certified Public Accountants (AICPA) as examined and assessed annually by our independent service auditor, RSM US LLP.

We continue to carefully monitor our control environment as we look forward to adding the AICPA availability principle to our control environment. To further deepen our investment in our infrastructure, we plan to expand the scope of our control environment annual assessment.

To ensure that the reliability, confidentiality and availability protections of our third party vendors meet our vendor integrity, accuracy and security requirements, we established a risk-based Third Party Risk Management Program to (1) identify a potential vendor; (2) determine red flag compliance risk score; (3) selection and risk ranking of vendors; (4) routine assessment and due diligence of vendors; (5) establishment of the escalation process; and lastly, (6) the ongoing auditing and monitoring of our third-party vendors.

We understand the importance of the information security and compliance needs that our clients expect and require from their service providers. We have implemented the necessary controls to tighten our information security practices while still meeting and exceeding the business needs of our clients.