Keeping You Secure
As an advisor, you're focused on protecting your clients' wealth. As your partner, we're focused on protecting your business. We're committed to protecting the confidentiality, integrity, and availability of information assets under our control and providing a secure environment you and your clients can trust.
Our Organization
The Information Security (InfoSec) team is led by the chief information security officer, along with a support staff of experienced and credentialed managers, analysts, and engineers.
Together, the team oversees:
Governance, Risk, and Compliance: Monitor information security program risks, review compliance with laws and regulations, and proactively manage mitigation plans through the implementation of standards and procedures.
Architecture and Engineering: Define and implement the capabilities required to protect the organization. This includes data security, identity and access management, and application, network, and platform security functions across information systems.
Operations: Proactively protect the organization by monitoring, assessing, detecting, and responding to information security threats.
Here's a closer look at how we govern, protect, and monitor:
Our goal is to continuously strengthen Commonwealth's information security program and provide senior management with visibility into cybersecurity risks relevant to the organization, capability delivery improvements, and threats and vulnerabilities that require intervention.
We take a risk-based, data-driven approach to identifying threats. This lets us layer defensive controls across our environment to protect valuable data and systems and to defend Commonwealth against cyberattacks.
We have safeguards in place to help mitigate the risk of unauthorized access, data breaches, malware, and denial-of-service attacks. We host information in state-of-the-art co-location data centers with strict physical and logical access controls.
We also offer:
The Commonwealth Shield: This comprehensive security solution includes software like antimalware and endpoint detection capabilities, operating system updates and patching, encryption, and secure access to our network and applications—all designed to protect advisor firms from the persistent threat of cyberattacks and provide a more secure platform to run your business.
Endpoint Detection Capabilities and Antivirus Software: Available on Shielded laptops, these capabilities offer proactive, real-time detection, response, and threat hunting to identify attacks before they can impact devices.
Email Security and Phishing Protections: A secure email solution scans millions of incoming emails to prevent unwanted messages—including spam, phishing attacks, malware, ransomware, and fraudulent content—from making it to their destination. Additionally, a Mobile Application Management solution safeguards work-related email data on your mobile devices, providing enhanced security for Outlook users.
Encryption: Information is encrypted in transit and at rest using industry-standard algorithms, applied according to the firm's information classification. Full-disk encryption is available for laptops, workstations, and removable media.
Data Security Program: Data classification and data loss prevention processes secure sensitive and personal information. The data classification tooling uses machine learning to identify overexposed sensitive data and flag suspicious user behavior, reducing the risk of sensitive data exposure.
Patch and Vulnerability Management: The vulnerability and patch management program keeps antivirus and antimalware protections up to date and lets us assess, prioritize, and resolve operating system vulnerabilities promptly.
Secure Access and Edge Services: These services secure connectivity to the internet and to Commonwealth applications and resources while providing:
Always-on protection that secures connections from any network in order to uncover and thwart known and unknown attacks, keeping advisor offices and Commonwealth secure
Ransomware protection that inspects traffic for hidden threats and quarantines suspicious files, analyzing them for malware before delivery and significantly reducing the chance that malicious files reach their destination
Multifactor authentication (MFA) across a variety of critical applications for advisors and staff, making it more difficult for attackers to gain access to corporate resources with stolen credentials alone
To remain aligned with industry standards, we have implemented the following controls:
Security Orchestration, Automation, and Response: Through our Security Operations Center, we continuously monitor the security of applications and infrastructure by collecting, identifying, and responding to security events; managing vulnerabilities; and using threat intelligence to find indicators of compromise and limit the impact on the organization and advisors.
Remote Systems Monitoring and Management: We use remote monitoring and management solutions to securely administer your systems remotely. This enables our team to efficiently troubleshoot issues and provide timely user support.
Risk Management and Vendor Security Due Diligence: Our framework helps us understand critical risks to the organization, assess the security capabilities of vendors before and during their engagement, and identify risks that require remediation.
Security Awareness, Training, and Education: We sponsor educational initiatives, such as in-person training, newsletters, workshops, and simulated phishing assessments for advisors, employees, interns, contractors, and consultants. All Commonwealth staff complete security awareness training at least annually.
Human Resources Security: All potential Commonwealth employees are subject to a background verification process before employment. They also sign pre-hire agreements that explain their and Commonwealth’s responsibilities for information security. Commonwealth employees must adhere to the information security program and safeguards, as well as our Acceptable Use Policy.
Cyber Liability Insurance: Our private liability and network insurance policy covers the costs associated with investigating and responding to breaches of client information at the enterprise level.
Incident Response: Our plan provides a formal approach for investigating suspected and actual cybersecurity events and incidents, as well as communicating with the relevant groups—internally and externally, as required by law—when a potential breach has occurred.
Information Security Consultancy Services: Our Information Security team can help you navigate complex security challenges, stay informed on the latest cyber threats, and answer your information security questions.