As a service provider to financial institutions, it is our responsibility to establish and manage a culture of security, accountability and regulatory compliance. For this reason, we have implemented an information security management framework in alignment with the International Organization for Standardization (ISO) 27002.

We have made significant investments in business continuity, information security and vendor management tools to further our commitment to our corporate culture while continuing to deliver service excellence.

These investments include:

• Our critical alert and mass notification system that is used to notify employees, associates, agents and clients in the event of emergency or urgent notice. This investment was made as a result of regulatory requirements on financial institutions regarding incident reporting and management programs in order to identify, report, investigate and escalate incidents to our clients as quickly as possible.
• Foundational risk management Governance, Risk and Compliance (GRC) software was put in place to manage HUB’s overall governance, enterprise risk management and compliance with regulations. This allowed for improved decision-making, organization of risk and compliance data and reduction in redundancy of compliance requirements across the organization.
• On the regulatory front, in conjunction with our Legal team, we further enhanced our HIPAA security and control posture and built a GDPR compliance assessment plan including the implementation of consent and opt-out platform for HUB branded websites. Further, we met and delivered controls in support of the New York Cyber Regulations and continue to closely monitor emerging U.S. state privacy law.

Information management is fundamental to how we manage our business. As a result, we introduced additional controls in our operating environment to meet the trust services criteria for the security, availability and confidentiality principles established by the American Institute of Certified Public Accountants (AICPA) as examined and assessed annually by our independent service auditor, RSM US LLP.

To ensure that the reliability, confidentiality and availability protections of our third party vendors meet our vendor integrity, accuracy and security requirements, we established a risk-based Third Party Risk Management Program to (1) identify a potential vendor; (2) determine red flag compliance risk score; (3) selection and risk ranking of vendors; (4) routine assessment and due diligence of vendors; (5) establishment of the escalation process; and lastly, (6) the ongoing auditing and monitoring of our third-party vendors.

We understand the importance of the information security and compliance needs that our clients expect and require from their service providers. We have implemented the necessary controls to tighten our information security practices while still meeting and exceeding the business needs of our clients.