Westwood’s approach to cybersecurity recognizes the critical importance of safeguarding our clients’ personal information as well as the confidential and proprietary information related to both our firm and our employees. Maintaining the security, integrity and accessibility of the data maintained or conveyed through our operating systems is a fundamental requisite of our business operations and an important component of our fiduciary duty to our clients. All employees are expected to adhere to our approach to information security. Please review our policy statement for additional detail on how we approach information security.

Smart, stable, secure

Maintaining data and financial security is a paramount concern for us. We have taken precautions companywide, including installing SSL certificates on all public websites, to help protect your personal information.

Your Assets

When managing your assets, we need access to personal information so that we can provide advice to you. We deploy several controls to help prevent unauthorized access, both inside and outside the firm.

To control access within the firm, we practice the principle of least privilege. The principle of least privilege states that a user will only be given access to the applications and programs necessary to perform their job responsibilities.

To manage access outside of the firm, we have various controls in place. We make extensive use of data loss prevention (DLP) features in standalone systems as well as those embedded in other applications. These features include: endpoint controls on both Westwood-owned and employee personal devices; encryption policies with centralized administration; network and endpoint access restrictions; network monitoring; restrictions on employee access to common personal email and cloud storage services from devices connected to Westwood’s network; endpoint anti-virus and security systems; and data retention policies. We routinely monitor and evaluate our DLP systems, available technologies and data loss risks.

Your Data

We have several layers of security to help protect our clients’ personal information, and we work with industry-leading partners to ensure that we follow the newest protocols in the ever-changing online environment.


Our internal audit firm and outside designated audit IT consultants conduct an annual audit to monitor our corporate network to detect potential cybersecurity events.

Our Risk Committee conducts annual risk assessments and periodic assessments to identify cybersecurity threats, vulnerabilities and potential business consequences.

If a data breach occurs, we rely on our protocols as outlined in the Westwood Information Security Incident Response Plan and respond accordingly.


Protecting all the assets of our clients and safeguarding their proprietary and confidential information is a fundamental responsibility of every Westwood employee.

Our chief operating officer is responsible for reviewing, maintaining and enforcing all cybersecurity policies and procedures to ensure Westwood’s overall cybersecurity goals and objectives are met while ensuring compliance with applicable federal and state laws and regulations.

The chief operating officer oversees the selection and retention of third-party service providers, taking reasonable steps to select those capable of maintaining appropriate safeguards for the data at issue, and contractually requires service providers to implement and maintain appropriate safeguards.

Our designated Risk Committee has the responsibility for overseeing our cybersecurity practices.

To best protect our clients and the firm, all suspicious activity recognized or uncovered by personnel is promptly reported to the chief compliance operating officer, general counsel and chief compliance officer, anti-money laundering compliance officer and/or other designated persons. Employees are expected to immediately notify their supervisor and/or Human Resources and IT to report a lost or stolen laptop, mobile device and/or flash drive.


Westwood provides training to employees regarding information security risks and responsibilities. Such training is provided to all new employees as part of their onboarding process and is provided to all employees annually.

Additional training and/or written guidance also may be provided to employees in response to relevant cyberattacks.