We’ve explored the challenges of the 2020 virtual shareholder meeting (VSM) experience in a previous post, but this one focuses on why a collective approach to data security in the proxy voting industry is beneficial not only for improving the shareholder experience but also for enhancing security. This is also an excerpt from a playbook we are developing that discusses how listed companies can better serve shareholders and protect their businesses in the future.
Security Drove Adoption of the Digital Legal Proxy
Data sharing is always a point of risk. But Mediant’s concept of a Digital Legal Proxy (DLP) was developed with input from the End-to-End Vote Confirmation Working Group. The DLP uses application program interfaces (APIs) to deliver, in a secure electronic package, everything needed to process a shareholder as they would be processed in a physical meeting. This collaboration resulted in security controls that were exceptionally strong and consistently applied. Putting security at the core of the DLP and limiting access to working group members was fundamental to its adoption by the majority of VSM providers in time for the 2021 proxy season.
The DLP provides an instructive example of how collaboration within the proxy voting industry enables security to become stronger. It’s a best practice that should be broadly applied.
The Proxy Industry Needs a Secure Supply Chain
A robust information security program is one that embraces all parties in a supply chain: internal IT, engineering, all external vendors, and all industry participants. Protection against unauthorized access by hackers and other bad actors is improved when collective thinking is used for the development and implementation of security controls.
We acknowledge the reality that it’s a matter of when, not if, you’re going to be subjected to a cyberattack. Therefore, it’s not enough simply to have controls in place. They also need to be tested and retested to ensure they’re effective.
Mediant follows this method with our own cybersecurity strategy. Working in partnership with industry participants and vendors means we can develop an end-to-end approach with defenses such as encryption and whitelists, giving everyone confidence in the integrity of the entire lifecycle of a data transfer event.
Tips for Building a Supply Chain Defense
The massive SolarWinds cyberattack, which penetrated thousands of organizations globally including multiple parts of the U.S. federal government, demonstrated the risks of a failure to collaborate with supply chain members. The best solution is for all members of an IT supply chain to work together on policies for defenses and responses. Consider the following tips:
- Identify all your IT supply chain partners including the vendors used to run your business or move data.
- Establish a vendor risk management program that includes all these partners. This can ensure all vendors have controls that minimize the risk of any one party being infected and passing the infection on to others.
- Take a zero-trust approach and assume that at some point, one or more supply chain partners will be hacked.
- Consider additional controls to secure how vendors update their software, including how to validate updates before they get pushed to production.
- Assume that something will get through and develop robust monitoring and detection so that malware that is executed can be found and eradicated or contained.
- Understand what “normal” looks like in your network. Without a good baseline, seeing unusual behavior is much more challenging.
- Understand the limits of your internal teams and have relationships in place in case you need outside help during an incident.
- Establish a working group to manage your vendor risk management program so you can be confident that all parties are applying the same exacting approach.
Be on the lookout for the release of the complete Issuers Playbook. In the meantime, for more information about Mediant’s approach to security, contact us.