Trust & Security: Overview

EquityMultiple employs a holistic and layered approach to cybersecurity. We believe cybersecurity doesn’t have to be complicated and we are more secure with a solid foundation built on security fundamentals. Our focus on People, Process and Technology encompasses the primary pillars for proactive compliance and defense-in-depth.

PEOPLE

Ongoing Cyber Awareness Campaign:

Our staff is comprised of experienced technologists and professionals. Nonetheless, EquityMultiple provides ongoing technology and cybersecurity educational campaigns for all employees.

Staff Cybersecurity Training:

EquityMultiple provides its employees cybersecurity and technology risk awareness training at hire and on an at minimum annual basis. Web-based training helps introduce cybersecurity, promotes key cybersecurity awareness concepts, and provides actionable knowledge for employees.

Social Engineering Exercises:

EquityMultiple frequently employs targeted simulations to test our collective knowledge of and response to phishing attacks. Simulations are actively paired with training exercises to keep defenses up as attacks grow in sophistication and in frequency.

Third-Party Risk Management:

EquityMultiple requires a risk assessment of third-party service providers with access to sensitive data and critical services. This included defining minimum cybersecurity practices for third party service providers and periodically reassessing based on potential risks.

Information Security Committee:

EquityMultiple utilizes an information security committee of members with diverse backgrounds and expertise to make informed and impactful decisions to govern the information security program. The InfoSec Committee meets no less than once a quarter.

Virtual CISO:

EquityMultiple engages with a service provider for fractional Virtual CISO services and cybersecurity subject matter expertise. Riskigy provides ongoing cybersecurity oversight and continuous advisory.

PROCESS

Risk Assessment:

EquityMultiple performs independent risk assessment annually and regularly scheduled health checks for timely insights and recommendations to help enhance cybersecurity posture, identify areas for improvement, and actionable next steps.

Written Information Security Policy:

EquityMultiple has developed a formal set of written policies that are focused on electronic communications, data protection and general technology acceptable use.

Cyber Security Incident Response Plan:

Our Incident Response Plan details what steps need to be taken, when they need to happen, and who on our CSIRT takes responsibility for what in critical security matters. EquityMultiple recognizes a plan in place is required to take action and mitigate damage in the unfortunate case of a breach or incident.

Business Continuity Plan:

EquityMultiple has implemented a business continuity plan. Key elements of this plan include response, notification and continuing business operations during disruptive events.

Data Governance:

EquityMultiple’s data governance methodology is based on a blend of well-known frameworks, including NIST CSF, SANS/CIS 20, and regulatory guidance from various state privacy and cybersecurity requirements. The method defines how to identify, protect, detect, respond and recover from risks and incidents.

Vendor Risk Management:

EquityMultiple performs annual reviews and diligence should be conducted on all vendors to maintain a consistent understanding of the overall environment.

TECHNOLOGY

Endpoint Protection:

EquityMultiple actively deploys and maintains endpoint protection on internal systems to defend against malware, exploits, and other attacks. Endpoint protection tools are continually updated; scans run no less than daily.

Web Application Firewall:

EquityMultiple utilizes WAFs to protect internet facing systems and services from unauthorized access, cyber-attacks, zero-day vulnerabilities, and denial-of-service attacks.

Vulnerability Scans:

EquityMultiple performs external vulnerability scanning against external resources such as firewalls, servers, routers, and cloud applications on a routine basis to identify gaps in security and proactively respond to issues.

Penetration Testing:

EquityMultiple routinely engages with authorized third parties to perform coordinated attacks on systems to evaluate security posture. This proactive testing utilizes real-world adversarial tools and black-hat hacker activities by our trusted security professionals to uncover and remediate vulnerabilities before malicious attackers.

Website Monitoring:

EquityMultiple proactively scans our websites and Web API services on a routine basis to identify security issues and quick remediate vulnerabilities.

Access Controls:

EquityMultiple has implemented least privileged access to all sensitive data and systems. Wherever possible, multifactor authentication is required to access EquityMultiple systems and services. EquityMultiple performs routine access control reviews on a regular basis and during on/off boarding of staff.

Encryption:

EquityMultiple encrypts sensitive data in transit and at rest. We also routinely perform automated SSL scans to identify potential vulnerabilities as standards evolve

Email Security:

EquityMultiple implements email spam and malware filtering using best-in-class services. EquityMultiple email supports transport layer security (TLS) and requires multi-factor authentication for access. DMARC and SPF email records reduce spam and look-a-like domains.

Domain & DNS Monitoring:

EquityMultiple utilizes Domain reconnaissance tools to find sub-domains and hosts for the organization. By utilizing OSINT (Open Source Intelligence Gathering) techniques we can passively discover and monitor our Internet footprint.

Dark Web Monitoring:

EquityMultiple leverages third-party Dark Web scanning agencies to identify employee accounts that may have been compromised and to proactively monitor for compromised or stolen data, including credentials.