The nature of our services requires that we obtain nonpublic, sensitive and confidential information about our clients and their service providers. The security and privacy of this information is of the utmost importance to BFS Group (BFS). While it may be necessary to share your information in certain circumstances (i.e. to conduct business on your behalf with life insurance carriers), we do not sell our clients’ information. BFS takes the responsibility of protecting this information very seriously and has implemented technical, administrative, and physical controls to safeguard all data. The following are just some of the ways BFS works to keep client information safe.
BFS uses layers of technical controls to protect its clients’ information:
Antivirus– BFS uses antivirus solutions to protect against malicious code that could compromise client information or damage company systems.
Email filtering– BFS actively filters incoming email messages for phishing and spam attacks.
Encryption– BFS encrypts client information accessed through online account access services to prevent unauthorized users from viewing that information. Company policies require client information stored on mobile devices used for business, including laptops, tablets, and smartphones, to be encrypted as well.
Firewalls– BFS stores client information on its internal network, which resides behind a corporate firewall designed to prevent unauthorized external parties from accessing that data.
System activity monitoring– BFS uses a variety of resources to monitor systems to identify suspicious activity. Intrusion detection systems and data leakage protection systems reduce the risk of incoming attacks and information loss.
BFS supplements its technical controls with processes, procedures, and policies to further protect its clients’ information:
Business need to know– Access to company systems is granted on a business need to know basis. Only those people who need access to a given system and its information to accomplish their job responsibilities receive that access.
Change control– BFS uses a change control process to help ensure all changes to company systems maintain the confidentiality, integrity, and availability of those systems.
Corporate governance– BFS has a strong governance system with multiple committees supporting information protection initiatives.
Cyber security threat simulations– BFS conducts cyber security threat simulations via penetration testing to identify areas of program strength and opportunities for improvement.
Incident response– BFS maintains a well-defined computer security and privacy incident response program, designed to contain and resolve any incidents efficiently and effectively. The program is periodically reviewed and exercised to train and ensure preparation for events.
Privacy– All new employees receive privacy training. In addition, an Enterprise Privacy team manages the privacy program for BFS. Each department has a designated privacy liaison who also supports the privacy program.
Internal and external IT auditors– BFS’s internal and external auditors regularly review and assess BFS’s information technology systems and operations.
Policies and standards– BFS maintains written policies and standards for information protection. These policies and standards provide the foundation and guidance for BFS’s information security, privacy, and risk management program.
Records management and sanitization– BFS maintains a records management program that manages the lifecycle of BFS’s information, including adherence to regulatory requirements and secure disposal of confidential information.
Risk assessments– BFS performs risk assessments during the development and acquisition of information systems to help ensure those systems include appropriate protection of client information.
Security awareness– BFS recognizes that end users are a critical component of an effective information security and risk management program. BFS provides employees and financial representatives with security awareness and training, such as ongoing security awareness articles and events, training in company policies and standards, and simulated phishing exercises.
Separation of duties– BFS separates specific job duties to prevent a conflict of interest when appropriate.
Threat monitoring– BFS works with internal teams and third-party industry security organizations to monitor its environment for existing and potential threats.
User access reviews– BFS annually reviews user access to company systems to help ensure users maintain an appropriate level of access to those systems.
BFS also protects its clients’ information from physical harm and theft:
Building and data center physical security– BFS controls physical access to its buildings and data centers. Restricted access helps to ensure the confidentiality, integrity, and availability of company systems and physical assets within BFS.
Business continuity and disaster recovery planning– BFS maintains and periodically tests defined business continuity and disaster recovery plans. These plans are designed to maximize the availability of company systems and information and recover from natural or human-made disasters as efficiently and effectively as possible.
Redundancy– As part of its business continuity and disaster recovery plans, BFS maintains redundant data centers to help ensure the availability of company systems and client information.