Transfer Agents Focus on Cyber-Security
From the many stock transfer service Requests for Proposal (RFPs) we facilitate for corporate clients, there appears to be a healthy level of paranoia among the largest U.S. transfer agents about shareholder data security and the possibility of being hacked. We read about embarrassing, high-profile data breaches all too often in the press these days, and transfer agents have clearly taken notice.
We believe the “Top Five” agents in the stock transfer industry, in particular, which serve 85% of listed public companies, have long been good at these core shareholder data security functions:
- Uploading data from a prior agent or in the context of an IPO or corporate action (like a spin-off)
- Categorization of data into data at rest (e.g., archived), data in use and data in transit
- Classification of data from least to most sensitive personally identifiable information (“PII”)
- Restriction of data access and of the ability to perform transactions, via proper and effective authentication of individuals and tasks
- Segregation of duties to enhance multiple controls
- Human resource security such as screening of employees via thorough background checks, required signing of non-disclosure agreements and more
- Physical security of data centers
- Encryption of data transmissions via SSL, SFTP, HTTPS and PGP protocols – including in the context of corporate client and shareholder online access
- Data/disaster recovery practices to ensure business continuity, via fully redundant systems, hardware and off-site locations
…all of which is great, and explains why there have been very few instances of data breach, loss or corruption in the stock transfer industry. (Almost amusingly, the last such instance in 2008 involved one of the very largest transfer agents losing a box of data off a truck in New York City, not knowing if it was a “mis-placement” or an actual theft – but having to act as if it were the latter.)
Which brings us to the more recent and scary phenomenon of data hackers, often from overseas, hoping to steal PII and embarrass large U.S. data keepers, among other things. This requires transfer agents to engage in more intensive “vulnerability management,” where, fortunately, there is a rapidly growing body of expertise and level of collaboration in the world of information technology to provide assistance. There is the OWASP Top 10, a key “awareness document” detailing the ten most important web application security flaws and how to correct them. The Threat Classification Reference Grid lists dozens of risk areas for IT personnel, such as “WASC-25,” which details a hacker practice called “HTTP response splitting,” showing how hackers can trick a target into believing a “second request” for data to a web server is as legitimate as the first one, when it is not; that awareness gives the data keeper the information necessary to counter the attack. Indeed, there is a whole IT field devoted to anti-hacking defense, and we believe the largest transfer agents (and many smaller ones) are active participants in it. After all, stock transfer IS data record keeping, so agents literally cannot afford to be anywhere but at the forefront of these efforts.
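HTTP response splitting, named above, depends on smuggling carriage-return/line-feed characters into a value that a web server later writes into a response header. The check below is an added example, not code from the original post or from any transfer agent; the redirect builder and the constructed sample values are assumptions made for illustration.

```python
"""Defensive check for HTTP response splitting (WASC-25) in header values."""
import re

# A raw CR or LF ends a header line; that is what lets an attacker-supplied
# value smuggle extra header lines (or a whole extra response) into the output.
_CRLF = re.compile(r"[\r\n]")
# Some frameworks percent-decode values before writing headers, so the
# encoded forms of CR and LF must be rejected as well.
_ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")


class HeaderInjectionError(ValueError):
    """Raised when a header value would break out of its own line."""


def is_safe_header_value(value: str) -> bool:
    """True if the value contains no raw or percent-encoded CR/LF."""
    return not (_CRLF.search(value) or _ENCODED_CRLF.search(value))


def safe_header_value(value: str) -> str:
    """Return the value unchanged, or raise if it could split the response."""
    if not is_safe_header_value(value):
        raise HeaderInjectionError(f"CR/LF in header value: {value!r}")
    return value


def build_redirect(location: str) -> bytes:
    """Hypothetical redirect builder: a minimal 302 with a vetted Location."""
    loc = safe_header_value(location)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {loc}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("ascii")


def screen_values(values: list[str]) -> dict[str, str]:
    """Classify candidate header values as 'ok' or 'rejected' for review."""
    return {v: ("ok" if is_safe_header_value(v) else "rejected") for v in values}


if __name__ == "__main__":
    # Constructed sample inputs, as a shareholder portal might receive them.
    samples = [
        "https://investor.example/login",
        "https://investor.example/\r\nSet-Cookie: session=attacker",
        "https://investor.example/%0d%0aX-Injected: 1",
    ]
    for value, verdict in screen_values(samples).items():
        print(f"{verdict:8} {value!r}")
```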
We will keep a close eye on developments here, for our readers.