
How do you ensure data and system security?

The safety and security of data and information is everyone’s responsibility, and is of key importance to Quilter. We ensure that its capture, storage, processing, transmission, and destruction are secure at all times, and we do so by employing a ‘defence in depth’ model that comprises organisational, technical and procedural controls. These are managed by our Information Security team.

Quilter’s IT infrastructure is kept in secure physical or cloud data centres. Internal and external security assessments to check for potential security flaws and vulnerabilities are carried out continually. Third-party security testing organisations are also regularly used for more in-depth inspections, and issues from these activities are logged, reviewed and tracked through to their documented resolution.

Access to data and information is provided on a need-only basis and is strictly controlled by procedures that require specific authorisation, formal reviews, approval processes and audits. Changes to system data go through a change control process which requires formal review and approval both before and after the change is committed, and all data fixes are audited and auditable.

Access to removable media (for example USB drives) is by exception, and controlled by approvals. All emails and documents created within the organisation are digitally categorised as Public, Internal, Confidential or Restricted. These are then analysed by Quilter’s Data Loss Prevention tool when being sent externally, and any flagged material is reviewed.

Client account-specific information is only provided to external parties that are authorised to receive this information, and only once ID verification checks are completed for that account.

Quilter has an Information Security Training and Awareness programme in place for employees on subjects such as email security, phishing, social engineering and password security. It’s delivered through a variety of channels such as online workshops, in-person events (when permitted), Intranet information libraries, Computer Based Training, internal and external blogs, articles, and exercises such as phishing simulations.

Third parties that collate, process or store sensitive information on behalf of Quilter, or those that have access to our systems, are continually assessed, from selection and contractual negotiation through to service delivery, to ensure they continue to meet our requirements with respect to data and information security. Suspicious activity, which includes movement of sensitive data, is flagged and reviewed.