BInvesting | Invest for what matters most

Cybersecurity Statement

1) Client Data Protection & Privacy (Regulation S-P)

Protect NPI (nonpublic personal information) end to end, deliver initial and annual privacy notices, maintain Advisers Act books and records, and align website/app disclosures with actual processing (including identity verification and account linking).

How we do it, step by step:

  1. Data mapping & classification.
    • Build/confirm a processing map for BInvesting: onboarding (Incode), suitability data (ISQ), portfolio/account data (Pershing/IBKR), telemetry/analytics, support channels. 
    • Apply the firm’s data classification and handling rules to each store/flow; enforce “NPI” labeling in M365 and platform repos. 
  2. Notices & consent.
    • Publish the updated Privacy Policy (EN/ES) with effective date (Sept 1, 2025) in the app and at binvesting.us, reflecting Incode’s role, data sharing, retention, deletion, SMS/MMS terms, and user rights. 
    • Ensure initial and annual delivery to clients; keep proof of delivery in books and records.
  3. Safeguards.
    • Enforce encryption in transit and at rest; apply DLP rules for NPI in email, SharePoint and OneDrive and block risky exfiltration paths; require MFA for any system holding NPI. 
  4. Identity theft program integration.
    • Tie Reg S-P controls to Reg S-ID (ITPP) red-flag triggers and client notification workflows. 
  5. Records & evidence.
    • Keep notice versions, delivery logs, classification policy, data maps, and vendor DPAs in a dedicated “Privacy Evidence” library.

2) Platform Security by Design

A hardened AWS/EKS stack behind WAFs and network gateways; endpoints protected; posture validated by scanning and periodic penetration tests. 

How we do it, step by step

  1. Harden the cloud baseline.
    • Enforce private subnets, least-open security groups, Cloudflare/AWS WAF rules, secrets management, and logging via CloudWatch; document the standard in the Platform Runbook. 
  2. Endpoint & remote access.
    • Complete CrowdStrike migration (policy tuning, prevention modes) and require FortiGate VPN with device posture checks for administrative access. 
  3. Continuous verification.
    • Schedule monthly authenticated scans (internal and external), quarterly pen tests, and vendor-side scans of delivered changes (the development contract already contains this clause). 
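Step 1's "least-open security groups" is a baseline that can be checked mechanically rather than asserted. The script below is an added example, not BInvesting's own tooling: it audits the JSON shape returned by `aws ec2 describe-security-groups` for internet-facing ingress that is not on an explicit allow-list, and for administrative ports (SSH/RDP) reachable from a CIDR range instead of from a referenced VPN security group. The group IDs, the allow-list and the sample output are constructed for illustration.

```python
"""Audit AWS security-group ingress against a least-open baseline.

Added example, not BInvesting's own tooling. Runs offline on a constructed
sample shaped like `aws ec2 describe-security-groups --output json`; in
practice feed it the real output (CLI, or boto3 describe_security_groups()).
"""
import ipaddress
import json

ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}

# Hypothetical allow-list: only the public load balancer may face the internet,
# and only on 443 (the WAF sits in front of it). Everything else stays private.
PUBLIC_ALLOWED = {"sg-alb-public": {443}}

# Constructed sample output (group IDs are placeholders, not real resources).
SAMPLE_SGS = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-alb-public", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
      "UserIdGroupPairs": []}]},
  {"GroupId": "sg-eks-nodes", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 30000, "ToPort": 32767,
      "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb-public"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-rds-postgres", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "-1",
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")


def is_public(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0, or any range ipaddress does not class as private
    (RFC 1918, ULA, loopback, link-local and similar reserved space)."""
    return cidr in ANYWHERE or not ipaddress.ip_network(cidr, strict=False).is_private


def port_range(perm: dict):
    """(low, high) covered by a TCP/UDP rule; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def audit(describe_output: dict, public_allowed=PUBLIC_ALLOWED) -> list:
    """Return violations as (group_id, 'low-high', source_cidr, reason)."""
    violations = []
    for sg in describe_output["SecurityGroups"]:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_range(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # Rules that only reference another security group carry no CIDR and are
            # the expected pattern for ALB -> node and VPN -> admin traffic; they pass.
            for cidr in sources:
                allowlisted = lo == hi and lo in public_allowed.get(gid, set())
                if is_public(cidr) and not allowlisted:
                    reason = "internet-facing ingress not on allow-list"
                elif any(lo <= p <= hi for p in ADMIN_PORTS):
                    reason = "admin port reachable from a CIDR; require VPN SG reference"
                else:
                    continue
                violations.append((gid, f"{lo}-{hi}", cidr, reason))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_SGS):
        print("VIOLATION", *v)
```

Run against the sample it reports the SSH rule on the node group and the all-ports rule on the database group, while the allow-listed 443 on the load balancer passes; removing the allow-list turns those two 443 rules into findings as well, which is the behaviour you want when a new public endpoint appears without a runbook entry.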

3) Identity & Access Management (IAM)

Least-privilege access, strong authentication, separation of duties (SoD), time-bound admin access, and periodic reviews across workforce and service accounts. 

How we do it, step by step

  1. Joiner/Mover/Leaver (JML).
    • Centralize provisioning through the enterprise identity provider; auto-revoke access at termination; gate VPN, WAF console and EKS admin access behind privileged roles and MFA. 
  2. SoD & privileged access.
    • Separate deploy, approve and operate roles; enforce just-in-time access for production (time-boxed, logged). 
  3. Recertifications & secrets.
    • Quarterly access recertifications for systems holding NPI or granting production access; rotate secrets and keys per the crypto policy (approved algorithms only, TLS 1.2 or higher). 

 

4) Secure Software Development Lifecycle (SSDLC)

Security controls baked into CI/CD: peer review, SAST/DAST, dependency scanning, change control, pre‑prod testing; vendor deliverables follow the same. 

How we do it, step by step

  1. Branch protection & reviews.
    • Mandatory two-person code review; protected branches enforce required checks (lint, unit and security tests) before merge. 
  2. Security testing gates.
    • SAST on every PR; DAST against staging; dependency and container-image scans; block release on any high or critical finding until it is mitigated or formally excepted; document the decision in Change Records. 
  3. Pre-prod & post-release.
    • Functional and abuse-case testing; post-release monitoring via CloudWatch; capture vendor scan and remediation reports per contract. 
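The release gate in step 2 has one subtle part: an exception must stop suppressing a finding once it expires or if it was never approved, otherwise "excepted" becomes a permanent bypass. The following is an added example of such a gate, not BInvesting's pipeline code. The scan export and the exception register are simplified, constructed stand-ins (finding IDs such as F-101 and ticket numbers are placeholders); a real pipeline would map its scanner's JSON onto the same fields.

```python
"""CI release gate: fail the build on any high/critical finding that is not
covered by an unexpired, approved exception.

Added example, not BInvesting's pipeline. Scan export and exception register
are constructed stand-ins; the register format is hypothetical.
"""
from datetime import date

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed scan export: SAST, dependency and image findings flattened to one list.
SCAN_FINDINGS = [
    {"id": "F-101", "severity": "CRITICAL", "source": "image", "component": "base-image"},
    {"id": "F-102", "severity": "HIGH", "source": "dependency", "component": "lib-a"},
    {"id": "F-103", "severity": "MEDIUM", "source": "sast", "component": "api/auth.py"},
    {"id": "F-104", "severity": "HIGH", "source": "dependency", "component": "lib-b"},
]

# Constructed exception register: an exception counts only while unexpired and
# tied to an approved change ticket, which is what the Change Record cites.
EXCEPTIONS = [
    {"finding_id": "F-102", "expires": "2025-09-30", "ticket": "CHG-0042", "approver": "ciso"},
    {"finding_id": "F-104", "expires": "2025-09-01", "ticket": "CHG-0031", "approver": "ciso"},
]


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def active_exceptions(exceptions, today):
    """Split the register into {finding_id: exception} still in force and expired IDs.
    Entries without a ticket and approver are ignored: they never suppress anything."""
    today = _as_date(today)
    active, expired = {}, []
    for exc in exceptions:
        if not exc.get("ticket") or not exc.get("approver"):
            continue
        if _as_date(exc["expires"]) >= today:
            active[exc["finding_id"]] = exc
        else:
            expired.append(exc["finding_id"])
    return active, expired


def gate(findings, exceptions, today):
    """Decide whether the release may proceed; the returned dict is the Change Record entry."""
    active, expired = active_exceptions(exceptions, today)
    blocking, excepted = [], []
    for f in findings:
        if f["severity"].upper() not in BLOCKING_SEVERITIES:
            continue  # medium/low are tracked under the vulnerability SLAs, not the gate
        (excepted if f["id"] in active else blocking).append(f["id"])
    return {
        "blocked": bool(blocking),
        "blocking": blocking,
        "excepted": excepted,
        "expired_exceptions": expired,
    }


if __name__ == "__main__":
    import sys
    result = gate(SCAN_FINDINGS, EXCEPTIONS, date.today())
    print(result)
    sys.exit(1 if result["blocked"] else 0)  # non-zero exit fails the pipeline stage
```

Evaluated on 15 September 2025 the sample blocks on F-101 (no exception) and F-104 (exception lapsed on 1 September) while F-102 passes under its live exception; a month later F-102's exception has also expired and the same build is blocked on all three, with no manual step needed to "re-open" the finding.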

 

5) Vulnerability & Patch Management

Risk-based remediation across cloud, application and endpoint estates; prove progress with scans and independent assessments. 

How we do it, step by step

  1. Scope & cadence.
    • Monthly network/app scans (internal/external); ad hoc zero-day sweeps; track SLAs: Critical (≤7 days), High (≤15), Medium (≤30). 
  2. Patch orchestration.
    • Stage patches in lower envs; maintenance windows; rollback plans; evidence via change tickets + scan diffs. 
  3. External assurance.
    • Quarterly pen tests or targeted engagements; compare against previous findings to show closure. 

KPIs/Evidence: SLA compliance; open findings trend; exploited CVE exposure window; independent pen test close rates; before/after scan snapshots. 
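The SLAs in step 1 and the KPIs above (SLA compliance, open-findings trend, exploited-CVE exposure window) are straightforward to compute from a findings export once each finding carries a first-seen date and a remediation date. The script below is an added example of that roll-up, not BInvesting's own reporting; the findings list is a constructed export with placeholder IDs, and dates are ISO strings so the file runs stand-alone.

```python
"""SLA and exposure-window roll-up for the vulnerability dashboard.

Added example, not BInvesting's own reporting. FINDINGS is a constructed export
(placeholder IDs); a real run would load it from the scanner or ticketing system.
"""
from datetime import date, timedelta

# Remediation SLAs from the statement; Low/Informational are tracked but not SLA-bound.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 15, "MEDIUM": 30}

# Constructed findings export: first_seen from the scan that introduced the finding,
# remediated from the change ticket that closed it (None while still open).
FINDINGS = [
    {"id": "F-201", "severity": "CRITICAL", "first_seen": "2025-08-01", "remediated": "2025-08-05", "exploited": False},
    {"id": "F-202", "severity": "HIGH", "first_seen": "2025-08-01", "remediated": "2025-08-20", "exploited": False},
    {"id": "F-203", "severity": "MEDIUM", "first_seen": "2025-08-10", "remediated": None, "exploited": False},
    {"id": "F-204", "severity": "CRITICAL", "first_seen": "2025-08-20", "remediated": None, "exploited": True},
    {"id": "F-205", "severity": "LOW", "first_seen": "2025-07-01", "remediated": None, "exploited": False},
]


def _d(value):
    """ISO string -> date; passes through dates and None unchanged."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def sla_status(finding, as_of):
    """One of: met, breached, open_within_sla, open_overdue, no_sla."""
    limit = SLA_DAYS.get(finding["severity"].upper())
    if limit is None:
        return "no_sla"
    deadline = _d(finding["first_seen"]) + timedelta(days=limit)
    closed = _d(finding["remediated"])
    if closed:
        return "met" if closed <= deadline else "breached"
    return "open_within_sla" if _d(as_of) <= deadline else "open_overdue"


def exposure_days(finding, as_of):
    """Days between first detection and closure (or the reporting date while open)."""
    end = _d(finding["remediated"]) or _d(as_of)
    return (end - _d(finding["first_seen"])).days


def report(findings, as_of):
    """Monthly dashboard roll-up: status counts, SLA compliance over closed findings,
    overdue IDs, and the longest window an exploited finding has been exposed."""
    counts = {k: 0 for k in ("met", "breached", "open_within_sla", "open_overdue", "no_sla")}
    overdue, exploited_windows = [], []
    for f in findings:
        status = sla_status(f, as_of)
        counts[status] += 1
        if status == "open_overdue":
            overdue.append(f["id"])
        if f.get("exploited"):
            exploited_windows.append(exposure_days(f, as_of))
    closed = counts["met"] + counts["breached"]
    return {
        "counts": counts,
        "closed_sla_compliance": counts["met"] / closed if closed else None,
        "overdue_ids": overdue,
        "max_exploited_exposure_days": max(exploited_windows, default=0),
    }


if __name__ == "__main__":
    print(report(FINDINGS, date.today()))
```

Reported as of 1 September 2025 the sample gives 50% SLA compliance on closed findings (the HIGH took 19 days against a 15-day SLA), one overdue CRITICAL that is also the exploited item with a 12-day exposure window, and one MEDIUM still inside its window; re-running the same export nine days later moves that MEDIUM into the overdue list, which is the "open findings trend" the KPIs call for.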

 

6) Incident Readiness & Response (SIRP)

Detect, triage, contain, eradicate, recover—then learn. Preserve evidence, notify promptly if required, and exercise the plan.

How we do it, step by step

  1. Operationalize SIRP.
    • Maintain an on-call roster; incident severity matrix; intake channels; war room protocols; evidence handling (chain of custody). 
  2. Runbooks & exercises.
    • Playbooks for credential theft, vendor outage, data exfiltration, DDoS, and mobile-archive disruptions; conduct at least one live exercise and one tabletop annually. (Already validated in practice through our Telemessage/Smarsh handling.) 
  3. Regulatory notifications.
    • Trigger matrix tied to NPI scope and affiliates; Legal leads notifications and Compliance documents the supervisory record. 

 

7) Business Continuity & Resilience (BCP/DRP)

Tested recovery procedures for Mission Critical Systems (MCS); clients maintain access to assets with qualified custodians even if the app is impacted.

How we do it, step by step

  1. Map dependencies.
    • Document MCS (platform, identity, custody integrations, IAM, logging); define RTO/RPO and failover steps; store in DR playbooks. 
  2. Exercises.
    • Annual DR restore of a representative dataset; custody/business simulations (Pershing/IBKR access during portal downtime).
  3. Communications.
    • Alternate channels (email/SMS/phone) and website banner procedures ready; summary on public site per BCP rules. 

 

8) Third Party & Vendor Risk Management

Risk based onboarding and oversight for identity verification, market connectivity, development partners, and other service providers. 

How we do it, step by step

  1. Onboarding & contracts.
    • Use the Vendor Security DDQ + Annex; contract in crypto standards, incident reporting MTAs, BCP/DR expectations, and scanning/remediation clauses (present in the Multi-custody Project schedule). 
  2. Oversight.
    • Annual DDQ refresh; collect SOC/SIG/ISO evidence; validate privacy posture (Incode link and terms reflected in our policy). 
  3. Critical vendors.
    • For Pershing/IBKR and development partners, keep a “Critical Vendor Dossier”: contacts, SLAs, architecture touchpoints, recovery dependencies, and date of last assessment.

9) Employee Training & Culture of Security

Annual cyber training, periodic phishing tests, and practical guidance on day-to-day behavior. 

How we do it, step by step

  1. Annual training & onboarding.
    • Assign mandatory modules (NPI handling, phishing, incident reporting, off-channel comms); track completion and escalate. 
  2. Simulations & refreshers.
    • Quarterly phishing campaigns with targeted micro-learnings; measure failure and report rates by department. 
  3. Behavioral guardrails.
    • Reinforce practical policy (lock screens, no personal email for firm business, VPN when off-premises, software installs only via IT) in handbooks and M365 banners. 

 

10) Governance, Testing & Continuous Improvement

Written policies updated at least annually; ROC reviews; changes informed by audits, incidents, exercises, and metrics; a clear publication workflow for client-facing documents. 

How we do it, step by step

  1. Policy lifecycle.
    • Keep Cybersecurity Program, SIRP, Privacy Policy, ITPP in a governed repository with owners and review dates; log “Material Changes” and route to ROC. 
  2. Metrics cadence.
    • Monthly cyber dashboard to ROC: incidents, vuln SLAs, EDR coverage, WAF blocks, training rates, privacy notices, vendor status. 
  3. Exercises & audits.
    • At least one DR test, one SIRP tabletop, and one third party pen test per year; record results and close actions. Publish updated client docs (CRS/ADV/policies) on approval. 

I. GOVERN

1.1 Governance and accountability

Cybersecurity policies for BInvesting are approved by senior management and enforced by the Director of IT in coordination with the Chief Compliance Officer. Oversight occurs within our Regulatory Oversight/Compliance governance routines (ROC), which also coordinate disclosure artifacts (e.g., CRS/ADV, client agreements) and website/app publications.

1.2 Policy framework

BInvesting’s cybersecurity and privacy controls are documented within the BInvesting Compliance Manual, Code of Ethics, and related regulatory documents (e.g., Form ADV Part 2A). These set expectations for safeguarding non‑public personal information under Regulation S‑P/S‑ID and related guidance.

1.3 Standards and references

Our program references NIST CSF 2.0 and integrates complementary procedures such as the Security Incident Response Plan (SIRP), Identity Theft Protection Program (ITPP), Business Continuity/Disaster Recovery (BCP/DRP), and vendor due-diligence standards.

1.4 Regulatory posture

BInvesting’s advisory disclosures (Form ADV/CRS) describe our services, custody/execution arrangements, and operational practices; governance uses these documents as the canonical reference for external representation.

 

II. IDENTIFY

2.1 Risk assessment

Our risk identification covers platform, data, and third-party dependencies (custody, execution, onboarding, data processing). We maintain evidence and checklists to document SEC Internet Adviser Exemption criteria and operational readiness where applicable.

2.2 Asset management

The BInvesting platform is hosted on AWS with containerized workloads (Amazon EKS), managed databases (PostgreSQL/RDS) and supporting services (e.g., CloudWatch). Architecture patterns, controls, and environment inventories are maintained as part of our digital program.

2.3 Third-party relationships


2.3.1 Custody/Execution

Accounts are held at qualified custodians; execution is conducted through designated broker‑dealers as disclosed in client agreements and ADV. Presently, execution services are provided via the affiliated Banorte Securities International, Ltd. (“BSI”) with custody at Pershing LLC.

2.3.2 Digital Onboarding / Identity

We leverage leading providers (e.g., Incode, Inc.) as disclosed in our Privacy Policy.

2.3.3 Vendor Due Diligence

Security and operational risk are assessed via our Vendor Security DDQ and Annex (encryption, access, incident response, remote access, patching), with ongoing evidence collection and periodic reviews.

 

III. PROTECT

3.1 Access control and identity

Access to internal systems is restricted following least-privilege principles. Remote access to corporate resources uses VPN access control (FortiGate) and enterprise identity; privileged access is limited and time-bound per procedure.

3.2 Data Protection & Privacy

3.2.1 Enterprise Data

We apply Microsoft 365 information protection and compliance capabilities; DLP controls (e.g., Sophos in corporate endpoint contexts) are used to reduce exfiltration risk, with encryption in transit and at rest where applicable.

3.2.2 Client Data (Platform)

Our Privacy Policy describes how platform data is collected, used, retained, and shared, including integrations (e.g., Incode) and client rights; the latest draft reflects an effective date of September 1, 2025.

3.3 Secure Development & Architecture

The platform follows secure by design principles with container isolation, network segmentation, Web Application Firewalls (Cloudflare/AWS WAF), secrets management, and CloudWatch monitoring. Evidence packages note DAST/SAST as part of the release process. 

3.4 Endpoint & Mobile Security

Corporate endpoints and mobiles are managed with enterprise tooling (e.g., Microsoft 365 Business Premium/Intune). Endpoint Detection & Response is being migrated to CrowdStrike, with program milestones tracked. 

3.5 Encryption & Key Management

Cryptographic controls and key management follow documented standards (e.g., approved algorithms, TLS 1.2/1.3) and are reinforced through policy artifacts. 

3.6 Employee Awareness & Acceptable Use

Staff receive guidance on safe computing, phishing reporting, and handling of client data; internal cyber policies are published and reinforced.

 

IV. DETECT

4.1 Monitoring & Logging

We monitor platform health and security events via AWS CloudWatch and enterprise monitoring. External vulnerability scans and platform security scans are scheduled, with remediation expectations defined in contracts and internal procedures.

4.2 Vulnerability & Threat Management

We perform periodic scanning and track remediation through ticketing and vendor SLAs. Our supervisory procedures also reference the external vulnerability scanning capabilities engaged by the firm.

4.3 Records & Retention

Electronic records are preserved consistent with applicable SEC rules (e.g., SEC Rule 17a‑4(f) for WORM‑storage requirements as applicable to affiliated broker‑dealer records); advisory books‑and‑records are handled per the Compliance Manual.

V. RESPOND

5.1 Incident Response (SIRP)

We maintain an enterprise Security Incident Response Plan that defines intake, severity, roles (Incident Commander/SIRT), evidence handling, containment, eradication, recovery, post‑incident reviews, and regulatory/law‑enforcement coordination. Incident records, playbooks, and contact rosters are maintained; lessons learned feed back into controls.

5.2 Identity Theft Program

Our ITPP (Reg. S‑ID) addresses red‑flag detection, response, and client notification procedures.

5.3 Off-Channel Communication Controls

Firm communications are governed by policies requiring capture/retention and supervision; off‑channel use is restricted and monitored per supervisory procedures.

VI. RECOVER

6.1 Business Continuity and Disaster Recovery

We maintain BCP/DRP procedures covering data backup/restoration, alternate communications, workspace recovery, vendor continuity expectations, and periodic testing. The Director of IT oversees DR protocols; annual testing and tabletop exercises are documented with remediation of findings.

6.2 Custody and Continuity

Because assets are custodied with qualified custodians (e.g., Pershing LLC; expansion to Interactive Brokers per roadmap), clients retain continuous access to their funds and securities even if the advisory platform experiences a disruption.

VII. VENDOR SECURITY

7.1 Due Diligence and Onboarding

All critical vendors complete our Vendor Security DDQ (and Annex) that addresses policy governance, independent reviews, data protection, encryption, device provisioning/hardening, patch management, remote access, MFA, and incident response. We retain supporting evidence and certifications as provided.

7.2 Scanning & Remediation

Development partners accept responsibility for vulnerability scanning and prompt remediation associated with their deliverables, with reporting to BInvesting.

VIII. PRIVACY

Our Privacy Policy details data categories, purposes, sharing, retention/deletion, and third‑party integrations (including identity and account‑linking vendors such as Incode). The policy (English/Spanish) is scheduled for publication with an effective date of September 1, 2025, and will be available within the app and at binvesting.us.

IX. CONTINUOUS IMPROVEMENT

BInvesting is progressing a cybersecurity maturity roadmap aligned to NIST CSF, including expansion of EDR coverage, multi‑custody security hardening, and ISO‑aligned documentation. A broader ISO 27001 certification initiative has been initiated at the group level and is being coordinated with stakeholders. (Note: This is an initiative in progress; BInvesting does not represent itself as ISO‑certified at this time.)

X. OUR EXPECTATIONS OF YOUR SECURITY PRACTICES

  1. Safeguard login credentials and enable device security (screen locks/biometrics).
  2. Keep contact details current and promptly review statements/notifications.
  3. Use only official BInvesting channels; do not share sensitive information over unapproved apps.
  4. Report suspected fraud or account compromise immediately to [email protected].

XI. DISCLOSURE & LIMITATIONS

This Statement summarizes our cybersecurity approach for BInvesting and may evolve as threats, business operations, or regulations change. The controls described apply to our advisory operations and digital platform; certain controls are implemented by or in concert with our affiliates, custodians, and service providers under their respective obligations and contracts. For comprehensive details, please refer to our Form ADV/CRS, client agreements, Compliance Manual, and posted privacy disclosures.

XII. APPENDIX

12.1 Documents available on request

  • Security Incident Response Plan (SIRP) – Client Summary 
  • Business Continuity Plan (BCP) & Disaster Recovery Plan (DRP) – Summary 
  • Vendor Security Requirements & DDQ (including encryption, key management, and incident response expectations) 

12.2 Documents publicly available

  • ADV/CRS & Client Agreements (custody/execution, conflicts, fees, operational details) binvesting.us/disclosure

 

 

August, 2025