Contact an Expert

Start the Conversation

Honeypot Field to Catch Bots
Honeypot Field to Catch Bots

Reporting on our compliance

DFIN establishes various controls to ensure the confidentiality, integrity and availability of client data. Cornerstones of DFIN cybersecurity are ensuring our security controls are operating effectively and measuring the effectiveness of governance, risk and compliance programs.

Icon 1

IT Governance and Risk

Learn about IT governance and risk @DFIN.

Icon 1

Reports and documents

Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts.

Overview

IT Governance

IT Risk Management

Vendor Risk Management

IT Governance and Risk

DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.

Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.

DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).

DFIN IT Governance

IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.

DFIN IT Risk Management

IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.

DFIN Vendor Risk Managment

When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.

IT Governance and Risk

DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.

Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.

DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).

DFIN IT Governance

DFIN IT Governance

IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.

DFIN IT Risk Management

DFIN IT Risk Management

IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.

DFIN Vendor Risk Management

DFIN Vendor Risk Management

When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.

Icon 1

IT Governance and Risk

Learn about IT governance and risk @DFIN.

Overview

IT Governance

IT Risk Management

Vendor Risk Management

IT Governance and Risk

DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.

Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.

DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).

DFIN IT Governance

IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.

DFIN IT Risk Management

IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.

DFIN Vendor Risk Managment

When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.

IT Governance and Risk

DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.

Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.

DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).

DFIN IT Governance

DFIN IT Governance

IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.

DFIN IT Risk Management

DFIN IT Risk Management

IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.

DFIN Vendor Risk Management

DFIN Vendor Risk Management

When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.

Icon 1

Reports and documents

Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts.

Overview

SOC 2 Type II

Global Investment Companies

Global Capital Markets

ActiveDisclosure

SOC 2 + HITRUST

ISO 27001 Certification

ISO 9001 Certification

Shared Assessment (SIG)

Cloud Security Alliance CAIQ

Bridge Letters

Reports and documents

DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.

DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.

Global Investment Companies

DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

PRODUCTS & SERVICES COVERED

The GIC SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.

Global Capital Markets

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.

ActiveDisclosure

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting

Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

PRODUCTS & SERVICES COVERED

The ActiveDisclosure report is available to current clients and prospective clients under a signed non-disclosure agreement.

VENUE SOC 2 + HITRUST

DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

PRODUCTS & SERVICES COVERED

The VENUE SOC 2 + HITRUST report is available to current clients and prospective clients under a signed non-disclosure agreement.

ISO 27001 Certification

DFIN has obtained ISO 27001 in 2022 for the Enterprise.

The ISO 27001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement.

ISO 9001 Certification

DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.

PRODUCTS & SERVICES COVERED

  • Print
  • Manufacturing
The ISO 9001 certification is available to current clients and prospective clients under a signed non-disclosure agreement.

Security Review Questionnaires

DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.

PRODUCTS & SERVICES COVERED

SIGs, CAIQs and DDQs are made available to current clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fufillment.

Cloud Security Alliance CAIQ and STAR Registry

As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.

PRODUCTS & SERVICES COVERED

  • CAIQ completed for enterprise
The CAIQ can be made available to current and future clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fulfillment.

Bridge Letter for SOC 2 Attestation

DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit.

PRODUCTS & SERVICES COVERED

  • GCM SOC 2 Report
  • GIC SOC 2 Report
  • ActiveDisclosure SOC 2 Report
  • VENUE SOC 2 Report
Bridge letters are available to current and prospective clients under a signed non-disclosure agreement.

Reports and documents

DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.

DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.

SOC 2 Type II

Global Investment Companies

Global Investment Companies

DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

PRODUCTS & SERVICES COVERED

The GIC SOC 2 Type II report is available to current and prospective clients under a singed non-disclosure agreement.

Global Capital Markets

Global Capital Markets

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.

ActiveDisclosure

ActiveDisclosure

DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting

Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

PRODUCTS & SERVICES COVERED

The ActiveDisclosure report is available to current clients and prospective clients under a signed non-disclosure agreement.

SOC 2 + HITRUST

VENUE SOC 2 + HITRUST

DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of June 1st to November 30th. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.

PRODUCTS & SERVICES COVERED

The SOC 2 + HITRUST report is available to current clients and prospective clients under a signed non-disclosure agreement.

ISO 27001 Certification

ISO 27001 Certification

DFIN has obtained ISO 27001 in 2022 for the Enterprise.

The ISO 27001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement.

ISO 9001 Certification

ISO 9001 Certification

DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.

PRODUCTS & SERVICES COVERED

  • Print
  • Manufacturing
The ISO 9001 Certification is available to current clients and prospective clients under a signed non-disclosure agreement.

Shared Assessment (SIG)

Security Review Questionnaires

DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.

PRODUCTS & SERVICES COVERED

SIGs, CAIQs and DDQs are made available to current clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fufillment.

Cloud Security Alliance CAIQ

Cloud Security Alliance CAIQ and STAR Registry

As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.

PRODUCTS & SERVICES COVERED

  • CAIQ completed for enterprise
The CAIQ can be made available to current and future clients and require a signed non-disclosure agreement or confidentiality language in an existing master service agreement to be in place prior request fulfillment.

Bridge Letters

Bridge Letter for SOC 2 Attestation

DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit.

PRODUCTS & SERVICES COVERED

  • GCM SOC 2 Report
  • GIC SOC 2 Report
  • ActiveDisclosure SOC 2 Report
  • VENUE SOC 2 Report
Bridge letters are available to current and prospective clients under a signed non-disclosure agreement.

We can provide additional information including our SOC 2 Type II report, once a Non-Disclosure Agreement is signed

or

call +1 800 823 5304

Insider by Dfin

Our CISO, Dannie Combs, discusses security and regulatory compliance

Read the blog
Dannie Combs - Chief Information Security Officer

More findings, right this way

Article

Cloud Solutions For Efficient ACFR And Government Financial Reporting

Cloud Solutions for Efficient ACFR and Government Financial Reporting - Card
Read article

Video Podcast

Webinar Replay: Preparing for Your Exit: Public Company Readiness

Preparing for Your Exit: Public Company Readiness - Card
Watch podcast

White Paper

CFO’s And Controllers Know – The Journey Towards Mandated ESG Reporting Starts Now

CFO’s and Controllers Know – The Journey Towards Mandated ESG Reporting Starts Now - Card
Read white paper

Video Podcast

Webinar Replay: How to Prepare for Sustainability Requirements

Webinar Replay: How to Prepare for Sustainability Requirements - Card
Watch podcast

Blog

What is an SEC Form 40-F Filing?

| Marcie Clark

clark
View blog

Report

DFIN's IPO & Public Listing Report - Q1 2024 Edition

DFIN's IPO & Public Listing Report - Q1 2024 Edition - Card
Read report

Case Study

How We Helped a Biotech Company Save Hours on Their SEC Filings & Increase Reporting Productivity

How we helped a biotech company - Card
Read case study

Blog

C-Suite White Paper Now Available: How Today’s Strategic Cybersecurity Initiatives Can Fuel Tomorrow’s Business Advances

How Today’s Strategic Cybersecurity Initiatives Can Fuel Tomorrow’s Business Advances - Card
View blog

E-Book

Five SEC Rules to Watch in 2024

Five SEC Rules to Watch in 2024 - Card
Read e-book

E-Book

Finance Industry Leaders Discuss the Future of AI

Finance Industry Leaders Discuss the Future of AI - Card
Read e-book

Guide

Annual Meeting Handbook - 2024 Edition

Annual Meeting Handbook 2024 Edition - Card
View guide

Guide

Proxy Season Field Guide - 11th Edition

Proxy Season Field Guide 11th Edition - Card
View guide

Video Podcast

ESG Reporting Rules & Their Impact with Frank Kelley, Director of ESG & Compliance Services, DFIN

ESG Reporting Rules & Their Impact with Frank Kelley, Director of ESG & Compliance Services, DFIN - Card
Watch podcast

Case Study

How We Helped a Community Energy Company Save 40 Hours on Their 10-k Filings & Increase Reporting Efficiencies

How we helped a community energy company save 40 hours on their 10-K filings &increase reporting efficiencies - Card
Read case study

Guide

From Private to Public: Expert Insights For Foreign Private Issuers Pursuing U.S. Public Listing in 2024 And Beyond

From Private to Public: Expert Insights for Foreign Private Issuers Pursuing U.S. - Card
View guide

White Paper

The Importance Of IPO Readiness: An Essential Framework For Success

The Importance of IPO Readiness: An Essential Framework for Success - Card
Read white paper

Blog

Navigating the Latest SEC Climate Disclosure Rules: We’ve Got Your Back

| Craig Clay

Craig Clay
View blog

Resources

What is ESMA?

What is ESMA - Card
View resource

Blog

How to Think About AI When You’re Planning an IPO

| Craig Clay

Craig Clay
View blog

Blog

Software Shines in DFIN’s 2023 Earnings Report

| Craig Clay

Craig Clay
View blog