Legal
Security & Privacy Policy Summary
A plain-English summary of how FCI safeguards information, operates its own security program, and stays compliant with the regulations that govern the financial services firms we serve.
Overview
Our commitments, in nine sections.
This page summarizes FCI’s security and privacy posture across the areas that matter most to the firms we serve. Each section below describes a specific control domain — what we do, how it is enforced, and what clients can expect from us.
Section 01
Nonpublic Information (NPI)
FCI does not access, transmit, store or control NPI from its clients.
Section 02
Cybersecurity Policies & Procedures
FCI has a comprehensive set of documented, current policies that are periodically reviewed, updated, and enforced. Such security policies specifically address the purpose and scope of FCI Services.
Section 03
Compliance
FCI asserts that its security policies and procedures are compliant with United States government regulations for the financial services industry and with any requirements that its clients have provided or may provide to FCI, and that these do not conflict. Where compliance or conflict issues exist, the parties will jointly work to resolve them.
FCI asserts that it meets applicable United States legal and regulatory requirements and commits to a timely implementation and demonstration of compliance procedures when such legal and regulatory requirements are created or updated. FCI asserts that it is exercising an appropriate standard of due care with respect to securing information assets, primarily accomplished through security policies, procedures, and practices that are documented and enforced.
Section 04
Contingency Planning, Operational & Disaster Recovery
FCI has implemented business continuity and disaster recovery (BC/DR) plans for critical assets and asserts that they are periodically tested and found effective. FCI has deployed operational redundancy (via a dual, high-availability environment) to cover a primary SOC failure, and maintains a failover site, physically and geographically separated from FCI’s primary site, to cover a natural disaster (earthquake, hurricane) or other circumstances that affect business continuity, such as interruptions in local or regional utility service (communications, gas, electric, sewer, water).
FCI can support periodic testing of its BC/DR plans. Such tests include impact scenarios that could potentially cause unacceptable interruption of FCI Services.
Section 05
Physical Security
FCI controls physical access to information assets, services and resources based on their importance, and monitors and reviews all physical access. This includes (i) identification and authentication of FCI employees who have physical access to assets providing FCI Services, (ii) the process for requesting and approving physical access, and (iii) client asset protection from unauthorized physical access.
FCI asserts the presence of physical security systems such as uninterruptible power supplies, backup generators, redundant climate control systems, and a data-center-grade fire control system for prevention and protection.
Section 06
Authentication & Authorization
FCI has implemented appropriate levels of user authentication and control of user access. User access can occur through network connections from both inside and outside FCI’s organization. FCI practices take into account levels of restricted access required for specific assets and levels of data classification. FCI requires the use of at least two-factor authentication for administrative control of all devices and software.
FCI protects critical assets when authenticating and authorizing users and administrators working remotely. This is implemented by using strong encryption and virtual private networks, access controls at the level of networks, systems, files, and applications, and by restricting access to authorized times and tasks as required. These practices apply to wireless network access as well.
Section 07
Software Integrity
FCI verifies the integrity of installed software by (i) regularly checking for all viruses, worms, Trojan horses, and other malicious software and eradicating them, (ii) keeping up-to-date virus signatures and other relevant signatures such as those for intrusion detection systems, and (iii) regularly comparing all file and directory cryptographic checksums with a trusted baseline.
Section 08
Monitoring & Auditing
To monitor and audit its own systems and networks, FCI uses appropriate monitoring, auditing, and inspection tools and assigns responsibility for reporting, evaluating, and responding to system and network events and conditions. This includes (i) regularly using system and network monitoring tools and examining the results they produce and (ii) regularly using log filtering and analysis tools and examining the results they produce.
Section 09
Breach Notification
We will provide you with a notification as soon as possible, but no later than 72 hours after becoming aware that a security breach has occurred, resulting in unauthorized access to an information system containing information from your firm.
Questions
Need more detail?
Clients and prospective clients can request our full security documentation package, SOC 2 Type 1 report, and audit evidence through their FCI representative or by contacting us directly.