SUMMARY

Control and occupational environments set the tone of the organization, influencing the control consciousness of its people. BFS-MC Group recognizes that the effectiveness of controls and policies is greatly influenced by the people who create, administer, and monitor them. Integrity and ethical values, organizational structure, and management philosophy are important and influencing elements that are held at the high priority of BFS-MC Group.  

BFS-MC Group appreciates and respects the importance of protecting the privacy of data that is exchanged when interacting with our websites or during the normal course of business with our clients, prospects, vendors and staff. This policy outlines the controls, practices, rules and guidelines we employ to safeguard the security and privacy of all data that BFS-MC Group processes and attempts to demonstrate our commitment to integrity, ethical values, competence and to our clients. 

INFORMATION COLLECTED

BFS-MC Group stores only information submitted by website users, clients and prospectsfor the purpose of creating access accounts, information requests and processing documents necessary to administer and manage purchased products, plans and services.

Some examples of personal information collected are:

  • Name, address and email collected to create an access account for BFS-MC Group websites or other software solutions

  • Similar information submitted voluntarily for marketing purposes

  • Company and applicant information required for product and service sales and administration

BFS-MC Group websites collect only information that is offered by site users or customers of their own accord.

INFORMATION SECURITY & PRIVACY SAFEGUARDS

To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, BFS-MC Group has put in place appropriate physical, logical, and managerial procedures to safeguard and secure the information we collect as detailed below. 

TECHNICAL
BFS-MC Group uses the following layers of technical controls to protect its information:

Antivirus: To protect against malicious code that could compromise information or damage company systems.

Email filtering: Actively filters incoming email messages for phishing and spam attacks.

Encryption: We encrypt client information accessed through online account access services to prevent unauthorized users from viewing that information. Company policies require client information stored on mobile devices used for business, including laptops, tablets, and smartphones, to be encrypted as well.

Firewalls: BFS-MC Group’s internal network resides behind a corporate firewall designed to prevent unauthorized external parties from accessing that data

System activity monitoring: A variety of resources are used to monitor systems and identify suspicious activity. Intrusion detection systems and data leakage protection systems reduce the risk of incoming attacks and information loss.

ADMINISTRATIVE
Our technical controls are supplemented with the following processes, procedures, and policies to further protect information:

Business need to know:  Access to company systems is implemented based on the principle of least privilege. Access is provided to each system user based solely on their job needs with no additional access provided.

Change control: A formal policy is in place to help ensure all changes to company systems maintain the confidentiality, integrity, and availability of those systems.

Corporate governance: Our company’s governance system is abundant, with multiple committees supporting information protection initiatives.

Cyber Security threat simulations: BFS-MC Group conducts cyber security threat assessments via Regularly conducted penetration testing.  This identifies areas of program strength and opportunities for improvement.

Incident response: Our well-defined computer security and privacy incident response program is designed to contain and resolve any incidents efficiently and effectively. The program is periodically reviewed and exercised to train and ensure preparation for events.

Privacy: All employees receive privacy training, with adherence and monitoring of this and all other BFS-MC policies conducted by department supervisors.

Internal and external IT auditors: Internal and external auditors regularly review and assess BFS-MC’s information technology systems and operations to ensure we comply with our documented policies and procedures as well as applicable regulations and industry best practices.

Policies and standards: BFS-MC maintains written policies and standards for information protection. These policies and standards provide the foundation and guidance for our information security, privacy, and risk management program.

Records management and sanitization: Our formalized data management
program manages the lifecycle of all information that we handle, including adherence to regulatory requirements and secure disposal of confidential information.

Risk assessments: Risk assessments are performed biannually as well as during the development and acquisition of information systems to help ensure those systems include appropriate protection of client information.

Security awareness: BFS-MC Group provides employees and financial representatives with security awareness and training, such as ongoing security awareness articles and events, training in company policies and standards, and simulated phishing exercises.

Separation of duties: Specific job duties are separated to prevent a conflict of interest when appropriate.

Threat monitoring: Our internal teams and third-party industry security organizations work together to monitor our environment for existing and potential threats.

User access reviews: BFS-MC reviews user access to company systems quarterly to help ensure users maintain an appropriate level of access to those systems.

PHYSICAL
BFS-MC Group also protects its clients’ information from physical harm and theft with the following methods:

 Building and data center physical security: Physical access to our buildings and data centers is restricted with defense in depth to ensure the confidentiality, integrity, and availability of company systems and physical assets.

Business continuity and disaster recovery planning: Formal business continuity and disaster recovery plans are maintained and tested regularly. These plans are designed to maximize the availability of company systems and information and recover from natural or human-made disasters as efficiently and effectively as possible.

Redundancy: As part of its business continuity and disaster recovery plans, we maintain redundant data centers to help ensure the availability of company systems and client information