As a global leader in fintech and payments, cybersecurity is a top priority for Fiserv. We maintain state-of-the art cybersecurity systems and follow industry best practices.
Our full board receives cybersecurity updates regarding any events or threats, the status of our ongoing cybersecurity program and planned initiatives designed to enhance our practices. The technology risk committee engages with management and the board of directors on these topics.
Global Standards for Security
To protect our systems and the information entrusted to us, we have adopted rigorous policies and standards. Our Global Cyber Security Policy, which is based upon the National Institute of Technology (NIST) Cyber Security Framework and NIST SP 800-53 controls, details how we protect information. The policy is fully complementary to the International Standards Organization (ISO) 27001 and 27002 frameworks. To verify the effectiveness of the systems and policies we have in place, internal and external security audits are conducted. These audits consist of third-party vulnerability analysis and internal infrastructure reviews.
Additional Cybersecurity Areas of Focus
- Data Loss Protection
- Cyber Risk Assessment
- Cyber Threat Hunting
- Cyber Incident Management
- 24x7 Cyber Security Threat Monitoring and Response
Our cybersecurity program has five pillars focused on protecting the confidentiality of client data and safeguarding our information systems from cyberthreats.
Our enterprise data encryption program is designed to protect sensitive data, including payments, banking and consumer data, in order to prevent fraud and abuse by rendering sensitive data unusable except by authorized individuals.
Our vulnerability management program seeks to detect and prevent application vulnerabilities early in the software development life cycle and addresses operational application and infrastructure vulnerabilities on a continuous basis.
Our 24/7 security operation center monitors security events using standardized response playbooks and response automation to address security-related issues when they are identified. By monitoring and analyzing our systems, we detect, respond to and contain security incidents, reducing impacts on our clients and their customers.
By implementing enhanced authentication, such as multifactor authentication, we protect against unauthorized access to Fiserv client data and information systems and account takeover fraud due to compromised credentials.
Lastly, our automated access controls allow us to centralize and automate access to critical systems to reduce the risk of inappropriate access to critical systems and sensitive data.
Partnering for Security
Our security operations center works with a variety of outside organizations to enhance our awareness of the rapidly evolving cybersecurity threat landscape. Our external partnerships include law enforcement agencies, private sector organizations and information sharing analysis centers. Our cybersecurity teams gather threat intelligence and vulnerability information from these parties coupled with internal sources to evaluate the nature of the risk and its potential impact on Fiserv in order to rapidly respond to threats appropriately.
We track a variety of key metrics related to cybersecurity and cyberthreats. Our chief information officers are briefed on a regular basis with up-to-date information regarding cybersecurity strategy and priorities. Our cybersecurity team regularly communicates with information risk-aligned committees and teams throughout the enterprise.
Associate awareness is critical to the success of our security program. Accordingly, all new associates are required to take a Cybersecurity Awareness training session during onboarding and annually thereafter. Additional cybersecurity-related programming is provided throughout the year to ensure our associates are aware of existing and emerging threats as well as industry best practices. We reinforce that associates, nonemployee workers and third parties are required and instructed to immediately contact the Joint Security Operations Center by email or phone if they detect or suspect that a cyber incident may have occurred. Our training and awareness programs are vital for utilizing our wide employee base to safeguard the firm and to assist in the identification of cyber-related concerns.