Secure File Transfer
Introduction
About Federated Shareholder Services Company’s (FSSC) Secure File Transfer Application

Our Secure File Transfer application is an SSL-enabled (HTTPS) web application that supports secure file transfers over the Internet for browser-based clients. The provided web site is easy to use, convenient, and most of all secure.

Security Information

Overview

We have long recognized the need to balance access and ease of use against an appropriate level of security when exchanging information between organizations. The communications medium used is the Internet or World Wide Web, a fast, efficient network of computers that serves as the conduit to let clients provide or access the information they need.

We understand that in order to fully realize the benefits of this communications medium, we must understand our clients' potential concerns and work with our clients to implement the best solutions. Therefore, the information on this page describes our approach to making information delivery over the Internet appropriately secure. It is intended for departmental managers, security auditors, information technology managers and other decision-makers to inform them about the security of our online application.

Our goal is to make the time you spend doing business with us as easy—and as secure—as possible.

Disclaimer

It is in our best interest to minimize the disruption created by change. However, security techniques and implementation practices are continually evolving. There may be compelling instances in the future where we believe it is appropriate to change or modify the Secure File Transfer application and its security architecture to take advantage of advancements in the technology.

In addition, because we rely on e-commerce industry-specific software tools and development practices which are themselves in a state of evolution, there is the possibility that changes in these tools and/or practices may necessitate a modification or change to the Secure File Transfer application.

Therefore, we reserve the right to change or modify the Secure File Transfer application to reflect evolving security tools and/or practices at any time without prior notice.

Should you have additional questions, please contact a Systems Client Consultant at 1-800-432-6106.

Security Approach

There is no single technique or technology which can guarantee a secure environment. We believe that it takes a combination of:

  • technologies
  • industry-standard practices
  • partnership with the client
to create an environment that is appropriately secure—that is, an environment that balances accessibility and ease of use against the need to secure the system from unauthorized or inappropriate use.

Increased security necessarily creates greater obstacles, barriers that must be crossed legitimately. Despite the extra effort of carrying keys and taking our time to unlock doors, few of us would choose to forego the benefits of having secure locks on our homes and businesses. Likewise, although we have worked hard to make the Secure File Transfer application security as unobtrusive as possible, the Secure File Transfer application security measures may at times seem to be inconvenient. The security measures are appropriate to the kind of business you are transacting over the Internet.

Therefore, when the Secure File Transfer application security does prove to be inconvenient, we ask you to recall that these measures were put into place and are recommended for your benefit.

Security Technologies

Achieving an appropriately secure environment requires the integration of multiple technologies and techniques. We have taken advantage of the following technologies in the design and implementation of the Secure File Transfer application.

Corporate Position Concerning the Handling of Data and Information

The following statement is taken from the Federated Hermes Privacy Policy and Notice:

Federated Hermes maintains physical, electronic, and procedural safeguards to protect your nonpublic personal information, and has procedures in place for its appropriate disposal and protection against its unauthorized access or use when we are no longer required to maintain the information. When Federated Hermes shares nonpublic personal information, the information is made available for limited purposes and under controlled circumstances. We require third parties to comply with our standards for security and confidentiality. These requirements are included in written agreements between Federated Hermes and such third-party service providers. Each of the following sections explains an aspect of Federated Hermes’ commitment to protecting your personal information and respecting your privacy.

As stated in our corporate Security Policy:

Security

We employ firewalls, encryption technology and user authentication systems (e.g. passwords and personal identification numbers), along with secured connections (digital certificates) where appropriate on our Internet systems to assure the security of data. A firewall is a combination of hardware and software that operates as a selective barrier to let only authorized traffic through to computer systems. The firewall protects both the computer systems and the information stored on them. Federated Hermes’ computer systems also generate system and application activity logs, which are reviewed regularly for anomalies and discrepancies, which are investigated thoroughly.

We use the latest industry standard encryption technology, Transport Layer Security (TLS), to protect private information transferred from your computer.

What is TLS?

TLS stands for Transport Layer Security. This technology is developed and adopted by all vendors producing secure Web-related software. It is used to establish a secure connection between your PC and the server. TLS allows you to transmit information in an encrypted manner, so all data transmitted between the server and your computer will be completely encrypted even while traveling across multiple networks.

Encryption is achieved through an electronic scrambling technology (developed by RSA, Inc.) that uses "keys" to encrypt and decrypt data. Basically, the information is scrambled for data transmission and can be reassembled in its original format only by someone who has the correct "key." Each party has a private "key" that no one can access, and a public "key" that can be passed back and forth among the parties. Information encrypted with a public key can be decrypted only with the associated private key. In other words, the information you send is encrypted using our public "key." It can only be decrypted by us using our private "key." The same goes for the information we send to your computer: we'll encrypt it using your public "key," but only you can decrypt it using the private "key" that you alone hold. To further enhance security, these "keys" are established at the beginning of your secure session and are used for that session only. The "keys" for each secure session are established and retired automatically by the TLS program; it is not necessary for you to learn to operate an encryption program.

Encryption

Federated Hermes, using the industry standard Transport Layer Security (TLS) encryption, provides the maximum encryption key length (up to 2048-bit) allowed by your browser when transmitting your information. When we talk about encryption, such as 256-bit encryption or 2048-bit encryption, we're referring to the length of the "keys" used to encrypt and decrypt data. The longer the key, the more secure the encrypted data. You could think of the key as a password, without which you can't decode a message. Basically, a 2048-bit key is like a 40-character password (and virtually impossible to decode).

Browser Security

To establish a secure session with our site, your browser must be TLS-compliant. You'll need a Web browser such as Chrome or Microsoft Internet Explorer that supports at least 256-bit encryption. Many other browsers will support encryption, but they may not provide the highest level of security available. To take full advantage of our site's security features, we strongly recommend upgrading to a browser that supports 2048-bit encryption. Newer versions of Chrome and Microsoft Internet Explorer have this capability.

Authentication

An essential part of any security scheme is the need to "authenticate" the person attempting to log on. The Secure File Transfer application uses an industry-standard User ID/password implementation to verify that the person attempting to log on to the Secure File Transfer application is who they say they are and that they are an authorized Secure File Transfer application user. In order to log on to the Secure File Transfer application successfully, the user must enter the correct user ID and password.

Data Privacy

Just as account, transaction, and other information that belongs to your institution should be viewed only by authorized staff, your institution's information will not be available to another institution using the Secure File Transfer application. The system uses web, networking and permission management techniques to create an organizational model that limits delivery and accessibility of your information to your personnel.

Note: Should your internal auditors require additional details, they should contact a Systems Client Consultant at 1-800-432-6106.

Access Control

You are responsible for actively restricting access to the Secure File Transfer application to only those staff who have a legitimate business need. The most frequent cause of security breaches in this regard is human error: simple carelessness or disregard for industry-standard security policies and practices. Examples of such practices include: not allowing staff to share passwords and IDs; not allowing the posting of user IDs and passwords on terminals or in other conspicuous locations; and requiring users to log off at the end of each session.

User-ID/Password Stewardship

The stewardship of the Secure File Transfer application user IDs and passwords is essential to creating a secure environment. You should impress upon your staff that their Secure File Transfer application user ID and password are sensitive information. We recommend the following guidelines in the management of user IDs and passwords:

  • Staff should never share the same user ID and password.
  • User IDs and passwords should never be posted or hidden in a location where they can easily be found. Examples include desk drawers, underneath keyboards, etc.
  • User IDs and passwords should never be written down or stored in a readable form. Special care should be taken when saving user IDs and passwords to a hard drive. User IDs and passwords saved to a hard drive should be encrypted.
  • In addition to securing user IDs and passwords, care needs to be taken in choosing a password. The following is a list of guidelines your staff should use when choosing a password. Passwords should be created that:
    • Are at least 8 characters in length
    • Contain at least one digit, at least two mixed case alphabetic characters, and at least one punctuation symbol (e.g., Msi5YO!).
    • Are not based on common words found in the dictionary of any known current or dead language.
    • Are not proper names, including all first and last names or initials, geographical locations, and other information that can be easily known by others.
    • Do not use numbers that can be derived by others (For example, phone, Social Security, college or employee ID, license plate, credit card number, birth date, etc.).
    • Are not similar to an individual’s first, last, or user name.
    • Are not difficult to remember.
    • Differ substantially from the previous one. A password must be significantly different each time a password is changed.

Attention to the Application Environment

It is important for users to thoroughly familiarize themselves with the Secure File Transfer environment so they can recognize its features and functionality. Attention in this regard can alert users to discrepancies which may signal a potential security problem.

For instance, malicious individuals have been known to create "spoof" sites which on the surface look like a popular site but which operate simply to record User IDs and passwords. The Internet address of the bogus site may be a slight variation on the legitimate site's address to increase the chances that an inattentive user will type in the variation instead of the legitimate address. The initial presentation of the bogus site is made to mirror the legitimate site, including a request for the user's User ID and password. These items are then captured and stored.

You should impress upon your staff that entering the proper URL correctly is critical. Unless the user is attentive, he or she could connect inadvertently to the wrong site. When connecting to the Secure File Transfer site, care must be taken to ensure that the proper Internet address is used. Once the connection is made, attention should be paid to the characteristics of the site which prove or disprove its legitimacy as a secure environment.

The correct URL for the Secure File Transfer is: https://sft.federatedinvestors.com

We recommend that users bookmark the URL for the Secure File Transfer site and use the bookmark to connect to the Secure File Transfer site instead of typing the URL in the browser's address field.
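
The address check described above, written out as an added example (it is not part of FSSC's application or of this page's original text): it accepts only the exact HTTPS host published on this page and reports why any other address is rejected. The function names, reason strings and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Host taken from the URL published on this page; everything else is illustrative.
EXPECTED_HOST = "sft.federatedinvestors.com"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sft_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason); only the exact published HTTPS host is accepted."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable"
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "not-https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo-in-url"         # text before '@' is not the host
    if host == EXPECTED_HOST:
        return True, "exact-match"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode-host"           # encoded non-ASCII lookalike label
    if EXPECTED_HOST in host:
        return False, "expected-name-embedded"  # real name inside a different host
    if edit_distance(host, EXPECTED_HOST) <= 2:
        return False, "near-miss-host"          # one or two characters off
    return False, "different-host"

# Constructed sample inputs (not observed traffic).
SAMPLES = [
    "https://sft.federatedinvestors.com",
    "HTTPS://SFT.FederatedInvestors.com/",
    "http://sft.federatedinvestors.com",
    "https://sft.federatedinvestors.com@files.example.net/",
    "https://sft.federatedinvestors.com.example.net/",
    "https://sft.federatedinvesters.com/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_sft_url(s), s)
```

A check of this kind fits in a mail gateway or proxy rule that inspects links before a user follows them; it complements, and does not replace, the bookmark recommendation.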

Security Partnership

Achieving an appropriately secure data exchange environment requires an ongoing partnership between you and FSSC. The importance of your cooperation cannot be overstated.

The Secure File Transfer security requires your active participation. Your commitment to the technology, your enforcement of commonly accepted security practices, and your willingness to partner with us in security efforts are the most important ingredients in creating a secure environment.

Organizational Changes

You should strive to keep us informed in a timely fashion about organizational changes which could affect the Secure File Transfer security. These changes include terminations, reassignments of duties, changes in reporting or problem escalation hierarchies, and so on.

Unless you notify us, we have no way of knowing that a staff member has resigned or been transferred or terminated. In particular, allowing staff members to leave your institution without notifying us of the change exposes your institution to the possibility that an ex-employee could use his or her access to the Secure File Transfer to disrupt operational activities. This is especially true of terminated employees who might be motivated to conduct malicious activities. In all cases where staff have been transferred, reassigned or terminated, you should contact us promptly so that the user ID of the former employee can be disabled.

Reporting Security Problems

We rely on the timely reporting of any security problem or issue you may encounter. Should you identify or suspect a security problem, you should immediately report the circumstances to us so that we can work with you to take appropriate action. You can contact a Systems Client Consultant at 1-800-432-6106.
