Security and privacy
At a time when cyber threats are considered one of the most significant risks facing financial institutions, we continue to invest in our security and privacy capabilities to help keep clients, employees and critical assets safe, uphold privacy rights and enable a secure and resilient business.
It is also our fiduciary responsibility to maintain the confidentiality of information relating to our clients and comply with the data protection requirements imposed by relevant jurisdictions. As such, we’ve established the proper maintenance, controls, processes and protection for our clients’ assets.
Security and privacy governance
Invesco’s Global Security department includes Information Security, Global Privacy Office, Corporate Security, Business Security, Business Continuity and Resilience, and Strategy and Reporting under a single umbrella. This structure provides a comprehensive, holistic approach to keeping our clients, employees and critical assets safe while enabling a secure and resilient business.
The department is distributed globally to ensure that we can provide the appropriate level of support anywhere in the world at any time, while simultaneously maintaining strong working relationships with industry peers, regulators, and intelligence and law enforcement agencies in those locations.
Information security and privacy policies and procedures
Our Global Security program oversees all aspects of information security risk and ensures the confidentiality, integrity and availability of information assets. Our security controls, which identify threats, detect attacks and protect these information assets, are aligned with industry guidelines and applicable statutes and regulations. We have an incident response program that includes periodic testing and is designed to restore business operations in a secure manner.
All security policies and standards align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and applicable industry frameworks (e.g., ISO, ASIS) and have been developed, reviewed and approved to support appropriate management of identified risks, align with regulatory and industry guidelines and safeguard Invesco’s assets. In addition, Privacy Impact Assessments are carried out as part of risk management for certain higher-risk processes undertaken by, or on behalf of, Invesco.
Invesco’s Privacy Principles
Transparency and privacy notices
We provide our clients with privacy notices/policies aligned to the services we offer and applicable local regulations. Our privacy notices outline aspects such as personal data we collect, why we collect it, how we use it and any and all rights applicable to such data. Our privacy notices are published in the privacy section of our various global websites.
Security and privacy expectations for vendors and service providers
We expect vendors and service providers to abide by our information security and privacy standards. Our global vendor relationship management program standardizes our approach for security and privacy risks related to the relationships we have with vendors and service providers.
As part of the global vendor relationship management program, our Global Security department has a defined third-party security and privacy risk program. Third-party security and privacy due diligence is performed during onboarding of a service and on a defined frequency, based on the risk tiers. The due diligence covers information (cyber) security, business recovery, privacy, technology management, and physical and personnel security expectations. We employ a robust process of questionnaires, third-party follow-ups and site visits when needed to evaluate and monitor these key risk areas.
Security and privacy training
To keep our employees, contractors, consultants and temporary employees abreast of security and privacy best practices and protocols, we provide them with regular training, including an annual mandatory security and privacy awareness training. Employees in business functions that interact regularly with customer data also participate in tailored security and privacy training.
We also require new employees, contractors, consultants and temporary employees to formally acknowledge Invesco’s Acceptable Use Policy and Code of Conduct, in addition to completing mandatory security and privacy awareness training upon hire. Existing employees, contractors, consultants and temporary employees must reconfirm acceptance of Invesco’s Code of Conduct on a regular basis.
We ensure security and privacy awareness through periodic alerts, messages and/or in-person presentations. Building on these initiatives, we implement security and privacy tools and exercises that provide additional concentrated messages and training. These include phishing tests, which are designed to simulate security and privacy events and incidents. These tools and exercises allow us to better assess our employees’ recognition of such events and inform new training and awareness programs that further our cyber and information security.