Your information

We understand the importance of information and data security to both our business and to you as our client. We’re committed to protecting the security and integrity of all data within our control including, but not limited to, complying with all data protection legislation, including the GDPR and the Data Protection Act 2018. This is evidenced in part through our ISO27001:2013 and Cyber Essentials Plus compliant information and data security measures summarised below.

Information security is managed by the Information Security Group (ISG) whose role is to ensure our security requirements are maintained, review effectiveness of systems and manage risk. The ISG reports to our Risk and Compliance Committee and the Exec.

We have a comprehensive suite of policies and procedures to deal with data protection and information security and these are available (where applicable) to staff on our microsite. These cover areas such as acceptable use, access control, clear desk and screen, encryption, incident reporting and data classification.

As part of our ongoing awareness programme, we have in place a training plan for data protection and information security (including cyber risk) in order to raise awareness and provide more detailed training and education. In this respect, everyone in the firm has undertaken compulsory information security, data protection and confidentiality e-learning which is completed as part of induction training and annually thereafter. The ISG also raises awareness of information security issues via regular updates and ad-hoc campaigns.

From a data control perspective, we operate a ‘paper light’ approach across our offices whereby documents received are stored within our secure electronic filing systems and hard copies are only retained where absolutely necessary. Where appropriate, access to the electronic file is restricted to those necessary for the efficient running of the file. Also, we use secure datarooms for the exchange of information where possible.

All our devices are encrypted, and we carry out routine vulnerability and penetration testing of the security of our systems. We also have in place a continual monitoring of our cyber space. External vulnerability scans are performed weekly by a CREST member company and internal vulnerability scans performed monthly.

All electronic equipment at 'end of life' is physically destroyed by chipping into 5mm pieces and a certificate of destruction for every piece of hardware destroyed. All mobile phones and tablets are digitally wiped.