Security & privacy

Safeguarding privacy and protecting business, employee and client information is a top priority at Invesco.

We take seriously our responsibility to protect the personal information of our employees and clients, which has become increasingly important in recent years as we shift to cloud-based data management applications. We continue to invest in our security and privacy capabilities to help keep clients, employees and critical assets safe, uphold privacy rights and enable a secure and resilient business.

Security & privacy governance

Invesco has a fiduciary responsibility to maintain the confidentiality of information relating to our clients and comply with the data protection requirements imposed by relevant jurisdictions. As such, we’ve established the proper maintenance, controls, processes and protection for our clients’ assets.

The Global Security Department brings together Information Security, Global Privacy Office, Business Continuity & Operational Resilience, Corporate Security, Business Security Officers and Strategy, Projects & Governance in collaboration with Global Intelligence & Threat Analysis. This structure provides a comprehensive, holistic approach to keeping our clients, employees and critical assets safe while enabling a secure and resilient business.

The department is distributed globally to most efficiently provide the appropriate level of support anywhere in the world at any time, while simultaneously maintaining strong working relationships with industry peers, regulators, and intelligence and law enforcement agencies in those locations.

Information security & privacy policies & procedures

Protecting data is imperative to maintaining our stakeholders’ trust. Our Global Security program covers all aspects of information security risk and considers the confidentiality, integrity and availability of information assets in order to protect them. Our security controls, which identify threats, detect attacks and protect these information assets, are aligned with industry guidelines and applicable statutes and regulations. We have an incident response program that includes periodic testing and is designed to restore business operations in a secure manner.

We also have a privacy oversight and governance framework that includes our privacy strategies, privacy policy, guidance for maintaining compliance with privacy regulatory obligations and our approaches to managing risks related to privacy.

All security policies and standards align with the National Institute of Standards & Technology Cybersecurity Framework and applicable industry frameworks (e.g., ISO, FFIEC) and have been developed, reviewed and approved to support appropriate management of identified risks, align with regulatory and industry guidelines and safeguard Invesco’s assets. In addition, Privacy Impact Assessments are carried out as part of risk management for certain higher-risk processes undertaken by, or on behalf of, Invesco.

Invesco’s Privacy Principles

Our internal privacy policy applies globally to all processing activities involving personal data and establishes and outlines our core Privacy Principles:

  • Transparency
  • Purpose Limitation
  • Minimization
  • Accuracy
  • Security
  • Rights
  • Storage Limitation
  • Accountability

Transparency & privacy notices

We provide our clients with privacy notices and policies aligned to the services we offer and applicable local regulations. Our privacy notices outline aspects such as personal data we collect, why we collect it, how we use it and any and all rights applicable to such data. Our privacy notices are published in the privacy section of our various global websites.

Security & privacy expectations for vendors & service providers

Our global vendor relationship management program standardizes our approach for security and privacy risks related to the relationships we have with vendors and service providers.

As part of the global vendor relationship management program, our Global Security department has a defined third-party security and privacy risk program. Third-party security and privacy due diligence is performed during onboarding of a service and on a defined frequency, based on the risk tiers. The due diligence covers information (cyber) security, business recovery, privacy, technology management, and physical and personnel security expectations. We employ a robust process of questionnaires, third-party follow-ups and site visits when needed to evaluate and monitor these key risk areas.

Security & privacy training

To keep our employees, contract consultants and temporary employees abreast of security and privacy best practices and protocols, we provide them with regular training, including an annual mandatory security and privacy awareness training. Employees in business functions that interact regularly with client data also participate in tailored security and privacy training.

We also require new employees, contractors, consultants and temporary employees to formally acknowledge Invesco’s Acceptable Use Policy and Code of Conduct, in addition to completing mandatory security and privacy awareness training upon hire. Existing employees, contractors, consultants and temporary employees must reconfirm acceptance of Invesco’s Code of Conduct on a regular basis.

We continuously promote security and privacy awareness through periodic alerts, messages and/or in-person presentations. Invesco security awareness promotes a culture that encourages employees to report a security concern immediately, at any time. Building on these initiatives, we implement security and privacy tools and exercises that provide additional concentrated messages and training. These include phishing tests, which are designed to simulate security and privacy events and incidents. These tools and exercises allow us to better assess our employees’ recognition of such events and inform new training and awareness programs that further our cyber and information security.