Cybersecurity
Cybersecurity you can count on
We earn your trust by protecting your data, identity, and assets.
We stay ahead so you stay protected
With a dedicated team of security professionals and constantly evolving tech, we don’t just react to threats — we anticipate them.
- Technology Innovation Lab: Constantly evolving defenses to preempt tomorrow’s threats today.
- Independent audits: Trusted third-party experts audit and validate our security.
- Client protection program: Real-time fraud analysis and trusted industry partners bolster our program.
Putting your trust and security first
Hear directly from our Chief Information Security Officer, Doug Peterson, on the people, process, and technology that help keep you secure.
Protecting what matters most
Strong cybersecurity safeguards, trusted encryption, and a firm commitment to protect your data and privacy
We run a formal cybersecurity program with clear oversight, defined roles, and regular risk reviews. We enforce policies and accountability by following regulations and by using independent reviews and ongoing monitoring.
How we do this:
- Enterprise risk management framework
- Cybersecurity policies aligned with NIST 800-53, NIST CSF, and ISO 27001
- Information security policies that are reviewed at least once a year and approved by the Information Security Board, including the CISO and company leadership
- Regulatory supervision and audit oversight (including internal audit and external audit)
- Annual risk assessments
- Unqualified SOC 2 Type 2 third-party attestation
- Formal AI Governance Committee
- AI Risk Management Policy and Standards
- Documented AI risk assessments
We control access through identity controls and defined roles. Only authorized people have access, and responsibilities are clearly assigned and monitored.
How we do this:
- Least privilege access model
- Management approval for access provisioning
- Multifactor authentication for remote and privileged access enabled up front
- Periodic access reviews
- VPN for remote access always on
- Background checks
- Annual mandatory cybersecurity awareness training as well as specialized training based on roles
- Phishing simulation campaigns
- Defined cybersecurity roles and responsibilities
- Oversight by the CISO and Information Security Board
We protect systems with layered controls, secure configurations, encryption, and secure development practices to reduce vulnerabilities and help prevent unauthorized access.
How we do this:
- Minimum AES-256 encryption at rest
- Centrally managed anti-virus protection
- Mobile device management controls
- Hardened server configurations
- Internal and external vulnerability scanning
- Annual independent penetration testing
- Intrusion Prevention System (IPS)
- Multi-layered firewall protection
- Data loss protection technologies
- Geographic redundancy/dispersion across regions
- Encryption in transit (minimum TLS 1.2)
- Encryption at rest (minimum AES-256)
- Structured, secure SDLC methodology
- Application security testing (SAST/DAST) aligned to OWASP standards
- Application and API penetration testing
- Audited change management controls
We protect sensitive data and manage third-party risk with strong controls, continuous monitoring, and incident response processes that support fast detection and recovery from threats.
How we do this:
- Data classification framework
- Encryption controls for sensitive data, including backups
- Secure file transfer mechanisms
- Data loss prevention controls
- Third-party due diligence and contractual security requirements
- Recurring third-party security assessments for vendors and suppliers
- AI bias and performance monitoring controls
- Human oversight of AI-generated outputs
- Formal incident response plans (IRP)
- Dedicated Cybersecurity Incident Response Team (CSIRT)
- 24x7x365 security monitoring operations
- Continuous vulnerability assessments through internal and external reviews
- Annual business continuity and disaster recovery testing
- Mature security and event logging plus monitoring via a security information and event management platform
Our Empower Security Center
Securing your account and information is a team effort. Learn more about security tips, our security guarantee, and how Empower protects you.