What Is Section 16 Filing?
May 2023
Compliance
DFIN demonstrates compliance by making a number of reports available to our clients.
Reporting on our compliance
DFIN establishes various controls to ensure the confidentiality, integrity and availability of client data. Cornerstones of DFIN cybersecurity are ensuring our security controls are operating effectively and measuring the effectiveness of governance, risk and compliance programs.
IT Governance and Risk
Learn about IT governance and risk @DFIN.
Reports and documents
Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts.
Overview
IT Governance
IT Risk Management
Vendor Risk Management
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalised and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the company. Our clients benefit from this well-organised IT Governance team because it ensures consistency, organisation, predictability, and order.
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Managment
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalised and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the company. Our clients benefit from this well-organised IT Governance team because it ensures consistency, organisation, predictability, and order.
DFIN IT Risk Management
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Managment
DFIN Vendor Risk Management
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
Overview
SOC 2 Type II
Global Investment Companies
Global Capital Markets
New ActiveDisclosure
eBrevia
SOC 2 + HITRUST
ISO 27001 Certification
ISO 9001 Certification
Shared Assessment (SIG)
Cloud Security Alliance CAIQ
Bridge Letters
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
New ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s New ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- New ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
SOC 2 Type II
Global Investment Companies
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
New ActiveDisclosure
New ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s New ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
SOC 2 + HITRUST
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Shared Assessment (SIG)
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letters
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- New ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
IT Governance and Risk
Learn about IT governance and risk @DFIN.
Overview
IT Governance
IT Risk Management
Vendor Risk Management
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalised and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the company. Our clients benefit from this well-organised IT Governance team because it ensures consistency, organisation, predictability, and order.
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Managment
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritisation) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organisation to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalised and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the company. Our clients benefit from this well-organised IT Governance team because it ensures consistency, organisation, predictability, and order.
DFIN IT Risk Management
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organisation. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Managment
DFIN Vendor Risk Management
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorises suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorised, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
Reports and documents
Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts.
Overview
SOC 2 Type II
Global Investment Companies
Global Capital Markets
New ActiveDisclosure
eBrevia
SOC 2 + HITRUST
ISO 27001 Certification
ISO 9001 Certification
Shared Assessment (SIG)
Cloud Security Alliance CAIQ
Bridge Letters
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
New ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s New ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- New ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
SOC 2 Type II
Global Investment Companies
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
New ActiveDisclosure
New ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s New ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
SOC 2 + HITRUST
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Shared Assessment (SIG)
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letters
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- New ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
We can provide additional information including our SOC 2 Type II report, once a Non-Disclosure Agreement is signed
or
call +44 203 047 6100
Our CISO, Dannie Combs, discusses security and regulatory compliance
DFIN is talking cybersecurity on the webinar series hosted by DFIN President of Global Capital Markets, Craig Clay.
Read the blog
More findings, right this way
Video Podcast
TSR Complexities You Can Solve for Today - Web Hosting & ADA Compliance
May 2023
Video Podcast
NYSE Floor Talk with Meaghan Miller, Vice President of Global Capital Markets at DFIN
May 2023
Blog
The SEC Reopens Comment Period for Proposed Amendments to the Beneficial Ownership Forms
May 2023 | Marcie Clark
Blog
Listing in America. Why More European Companies May List in the U.S.
May 2023 | Craig Clay
Article
An Early Lesson In Leadership Changed My Perspective On How To Treat Others
May 2023 | Dawnet Beverley
Blog
The Financial Data Transparency Act Takes Center Stage at Municipal Securities Disclosure Conference
May 2023 | Craig Clay
Blog
Insights into Today’s Data Security Landscape and Risk Mitigation Strategies
April 2023 | Dannie Combs
Video Podcast
DFIN's Digital Transformation and how Force Management Platform Assists with Sales
April 2023 | Craig Clay
Blog
Hester Peirce’s RegTech Speech is Good Sign for Financial Data Transparency Act (FDTA) Success
April 2023 | Craig Clay
White paper
Ringing the Bell at Lightning Speed: How Cloud ERP Helps Speed Up IPO Readiness
April 2023
Press Release
DFIN and The Data Foundation Host RegTech 2023 Data Summit
April 2023
