Cyber-Security Practiced by Stock Transfer Agents

Stock transfer agents must take data protection and cyber-security very, very seriously given the millions of shareholder records they manage.  With all the request for proposal (RFP) facilitation work we do for corporations, we regularly see how transfer agents articulate their ongoing efforts to keep shareholder data safe – and by extension their very livelihood as record keepers secure.

No transfer agent acts the same in this continuing endeavor, but there are a few things we noticed that all large agents do:

  • They enforce the strictest limits on employee access to data in their entire company, after having similarly employed the strictest company screening practices before hiring potential employees in this area.
  • They adhere to either an ISO 27001 or ISO 27002 level security standard, as put forward by the International Organization for Standardization headquartered in Geneva, Switzerland.
  • They further adhere to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), including its Special Publication 800-61 (“Computer Security Incident Handling Guide”).
  • They use data encryption, including Secure Sockets Layer (SSL) technology.
  • They engage in data masking (e.g. seen as ****1234) for information that is both “at rest” as well as being transmitted.
  • Protections are multi-layered.
  • There is special focused attention on spotting and rendering harmless “malware,” “ransomware” and other predatory viruses.
  • Some transfer agents have redundant, real-time data storage sites far away from their primary ones, in case immediate data recovery is needed after a debilitating man-made incident or natural disaster.
  • There is continuous vulnerability scanning and penetration testing of the critical data.
  • There are, not surprisingly, even more limits and scrutiny placed on data access by outsiders, including clients and their shareholders.
  • There is robust physical plant security in place.
  • If the transfer agent is huge it maintains most data security resources in-house; however, even if the agent is simply large it will, to some extent, engage the outside services of top-notch data security firms.

All of which should reassure the U.S. investing public, and the corporations who hire transfer agents – and the SEC, who regulates agents – that a LOT goes on behind the scenes to safeguard this critical data and, as we said at the outset here, protect the ongoing viability of the entire stock transfer industry.  Could a serious hacking incident still happen?  We would be foolish to say it could not.  But the odds are small, and the response to the incident would undoubtedly be swift and effective.  It is all one can hope for.