Security Policy

As a pioneering cyber risk management organisation, we recognise the importance of cybersecurity and privacy. Our aim is to surpass industry benchmarks and encourage improved cyber practices across sectors. We maintain transparency in our programs, processes, and metrics, which form the foundation of our infrastructure and data security.

Vulnerability and risk management

We are committed to minimising vulnerabilities in our products, platform, and infrastructure. To achieve this, we have incorporated vulnerability management into our security program, utilising both manual and automated processes to detect, track, and resolve vulnerabilities throughout our applications and infrastructure.

We identify security vulnerabilities through many sources including automated scanners, regular internal security reviews, and vulnerability reports. Upon identification of a vulnerability, a ticket is logged in our bug tracking platform and assigned to the appropriate security or engineering teams based on priority.

We value responsible disclosure and welcome vulnerability reports from security researchers.

Platform and Network Security

We employ a layered approach to networking for enhanced security. Our security controls are deployed at each layer of our corporate and cloud environments, dividing our infrastructure into zones with restricted access. Staff, data, and assets are controlled through zoning restrictions and VPN requirements, in addition to our general internet accessibility restrictions via firewalls and endpoint software.

Production data is restricted to its dedicated zone, only accessible through authorized virtual private network access, with no interaction between production and non-production zones.

Access controls are applied throughout our networks via virtual private networks, routing, firewall rules, and other means. All network traffic and communications are encrypted using industry standards. We maintain constant monitoring and logging of all traffic and review any flagged activity.

Internal Security Review

Our Engineering and Security teams regularly review our internal security, including ci/cd security integration into the development process. We also conduct regular penetration testing to identify and resolve vulnerabilities.

To maintain compliance with cyber security standards, we conduct scheduled audits, internal reviews, and risk assessments of both our cloud infrastructure and physical assets.

We continuously monitor our externally visible assets, website, and infrastructure using a range of in-house, open source, and industry standard tools.

Network Scans and Asset Management

We identify active services, open ports and applications running across our infrastructure and platforms.

We have an internal asset inventory and discovery program, and conduct security risk analysis across our network perimeters.

We monitor the configuration of our cloud environments against established best practices for security, identity and compliance.

We are continually reviewing and improving our security and vulnerability management processes.

Compliance and Assessment

We are proud to have routine compliance and assessment testing as part of our security benchmarks. We currently meet Cyber Essentials Plus certification standards and we continue to work hard and ensure we maintain and exceed them.

We continue to monitor and assess all software on critical and non-critical systems, from devices to our cloud servers to ensure they meet security benchmarks.