Financial Reporting Requires Security at Every Level, Every Step of the Way
September 2023 | Craig Clay
Compliance
DFIN demonstrates compliance by making a number of reports available to our clients.
Reporting on our compliance
DFIN establishes various controls to ensure the confidentiality, integrity and availability of client data. Cornerstones of DFIN cybersecurity are ensuring our security controls are operating effectively and measuring the effectiveness of governance, risk and compliance programs.
IT Governance and Risk
Learn about IT governance and risk @DFIN.
Reports and documents
Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts.
Overview
IT Governance
IT Risk Management
Vendor Risk Management
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Managment
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.
DFIN IT Risk Management
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Management
DFIN Vendor Risk Management
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
Overview
SOC 2 Type II
Global Investment Companies
Global Capital Markets
ActiveDisclosure
eBrevia
SOC 2 + HITRUST
ISO 27001 Certification
ISO 9001 Certification
Shared Assessment (SIG)
Cloud Security Alliance CAIQ
Bridge Letters
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
SOC 2 Type II
Global Investment Companies
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
ActiveDisclosure
ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
SOC 2 + HITRUST
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Shared Assessment (SIG)
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letters
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
IT Governance and Risk
Learn about IT governance and risk @DFIN.
Overview
IT Governance
IT Risk Management
Vendor Risk Management
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Managment
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
IT Governance and Risk
DFIN’s IT governance is comprised of processes by which we align our IT (development, infrastructure, cybersecurity) practices within our overall business strategy. As a key part of our overall IT governance efforts, we are able to ensure efficiency, security, and effective resource use, as well as compliance with both internal and external regulations.
Additionally, DFIN’s IT governance ensures that the needs of our stakeholders, including our clients, are evaluated to determine enterprise objectives, and are used to set direction (in decision making and prioritization) to monitor performance and compliance.
DFIN’s IT risk management program applies risk management methods to manage IT related threats. Our efforts involve procedures, polices and tools to identify, assess and remediate potential threats and vulnerabilities within DFIN’s information technology landscape. This includes both internal risk analysis as well as third party supplier risk (supply chain security).
DFIN IT Governance
DFIN IT Governance
IT Governance is defined as the processes that ensures the effective and efficient use of IT in enabling an organization to achieve its goals by the establishment of protocols such as policy and standards. The DFIN IT governance team facilitates this process by ensuring that these protocols exist, are formalized and are approved. The team tracks the documents throughout this process as well as promoting awareness by making them readily available to the organization. Our clients benefit from this well-organized IT Governance team because it ensures consistency, organization, predictability, and order.
DFIN IT Risk Management
DFIN IT Risk Management
IT Risk Management is a control methodology of detecting, assessing, reviewing, reporting, and tracking follow-up efforts on IT events that could adversely affect the organization. The DFIN IT Risk Management team has developed and implemented a continuous risk assessment program that incorporates risks identified and assessed in varying support systems such as internal and external audit/compliance testing, Security scanning, client and supplier risk management, and exceptions to IT governance. DFIN clients truly benefit from this effort by ensuring that the DFIN IT security exposure/posture is at an acceptable low risk level.
DFIN Vendor Risk Management
DFIN Vendor Risk Management
When evaluating partnerships, DFIN continuously looks to reduce risk across all threat vectors. Our vendor risk management program, referred to as supply chain security, evaluates the viability of all potential DFIN suppliers. DFIN’s well defined process categorizes suppliers and evaluates their inherent risk. A vendor can be onboarded only after a supplier has been categorized, risk rated and approved. In addition to new suppliers, existing suppliers are re-evaluated on an annual basis, undergoing a comprehensive security review. A part of this process is complete remediation of issues to become or remain an approved DFIN supplier.
Reports and documents
Learn how DFIN demonstrates compliance throughout the enterprise. Request-up-to-date reports and other artifacts.
Overview
SOC 2 Type II
Global Investment Companies
Global Capital Markets
ActiveDisclosure
eBrevia
SOC 2 + HITRUST
ISO 27001 Certification
ISO 9001 Certification
Shared Assessment (SIG)
Cloud Security Alliance CAIQ
Bridge Letters
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
Reports and documents
DFIN’s GRC (Governance Risk and Compliance) team manages compliance activities across DFIN’s technology landscape to ensure our adherence with industry and governmental regulations. A large part of the GRC team’s efforts center around evaluation defining control frameworks and then evaluating and testing controls within those frameworks. Additionally, DFIN GRC’s Compliance team evaluates and tests our IT standards, policies and procedures via continuous assessment.
DFIN understands that compliance is critical to our clients’ needs and makes several different reports and assessments available for review.
SOC 2 Type II
Global Investment Companies
Global Investment Companies
DFIN’s third party auditor conducts an annual SOC 2 audit of GIC’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
Global Capital Markets
Global Capital Markets
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
The GCM SOC 2 Type II report is available to current and prospective clients under a signed non-disclosure agreement.
ActiveDisclosure
ActiveDisclosure
DFIN’s third party auditor conducts an annual SOC 2 audit of GCM’s ActiveDisclosure SOC 2 control framework. We also test some SOC 1 controls as a part of our SOC 2 audit to provide further assurances related to financial reporting
Our SOC 2 Type II audit runs for 6 months with the observation period of June 1st through November 30st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of December 1st through May 31st.
PRODUCTS & SERVICES COVERED
eBrevia
eBrevia
DFIN’s third party auditor conducts an annual SOC 2 audit of eBrevia SOC 2 control framework. Our SOC 2 Type II audit runs for 6 months with the observation period of August 1st through January 31st. A SOC 2 type II report is then produced during the month of March and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of February 1st through July 31st.
PRODUCTS & SERVICES COVERED
SOC 2 + HITRUST
VENUE SOC 2 + HITRUST
DFIN’s third party auditor conducts an annual SOC 2 + HITRUST of Venue’s SOC 2 control framework. Our SOC 2 + HITRUST type II audit runs for 6 months with the observation period of May 1st through October 31st. A SOC 2 type II report is then produced during the month of December and made available to clients thereafter. A bridge letter attesting that the effectiveness of our controls remains in place during the non-observation period of November 1st through April 30th.
PRODUCTS & SERVICES COVERED
ISO 27001 Certification
ISO 27001 Certification
DFIN has obtained ISO 27001 in 2022 for VENUE and is pursuing an enterprise ISO 27001 certification in 2023.
PRODUCTS & SERVICES COVERED
ISO 9001 Certification
ISO 9001 Certification
DFIN has obtained ISO 9001 for our manufacturing facilities. These facilities cover print and composition work performed domestically.
PRODUCTS & SERVICES COVERED
- Manufacturing
Shared Assessment (SIG)
Security Review Questionnaires
DFIN annually produces several “SIG” type artifacts for client’s consumption to help with their Supplier Risk Management security review and/or audit processes.
PRODUCTS & SERVICES COVERED
- Venue
- ActiveDisclosure
- ARC Products
- eBrevia
- File16
- Print and Composition
Cloud Security Alliance CAIQ
Cloud Security Alliance CAIQ and STAR Registry
As a part of Cloud Security Alliance (CSA) Security, Trust, Assurance, and Registry (STAR), DFIN has completed the CSA’s CAIQ v3.1 (v.4 pending) The CAIQ offers an industry accepted way to document cloud security controls for IaaS, PaaS and SaaS services and conveys our compliance to the CSA Cloud Controls Matrix. This helps our clients assess DFINs overall cloud security posture. DFIN is not currently STAR registered.
PRODUCTS & SERVICES COVERED
- CAIQ completed for enterprise
Bridge Letters
Bridge Letter for SOC 2 Attestation
DFIN provides bridge letters supporting all our SOC 2 reports. The bridge letter opines that our controls are in place and have not changed during the non-observation period of our SOC 2 audit. A sample representation is below:
To whom it may concern:
This letter is to confirm, to the best of our knowledge and belief, the following representations:
PRODUCTS & SERVICES COVERED
- GCM SOC 2 Report
- GIC SOC 2 Report
- ActiveDisclosure SOC 2 Report
- VENUE SOC 2 Report
- eBrevia SOC 2 Report
We can provide additional information including our SOC 2 Type II report, once a Non-Disclosure Agreement is signed
or
call +1 800 823 5304
Our CISO, Dannie Combs, discusses security and regulatory compliance
DFIN is talking cybersecurity on the webinar series hosted by DFIN President of Global Capital Markets, Craig Clay.
Read the blog
More findings, right this way
Blog
SEC Introduces EDGAR BETA Testing for Filing Fee Modernization Rule
August 2023 | Marcie Clark
Resources
Electronic Data Gathering Analysis and Retrieval (EDGAR)
August 2023 | Marcie Clark
Video Podcast
Webinar Replay: SEC Regulatory Update, Trends, Lessons Learned from Proxy Season
August 2023
Blog
Life Sciences Organizations Look to Virtual Data Rooms to Manage Clinical Trial Confidential Data, and More
August 2023
Case Study
How we helped a major regional bank accelerate filing and improve reporting efficiencies by 20%
July 2023
White Paper
The Importance of IPO Readiness: An Essential Framework for Success
July 2023
White Paper
Beyond the Financials: CFOs Can Help Boards Address New Challenges
July 2023
