Welcome to Broadridge's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
The goal of the Broadridge Information Security Group (BISG) is to provide guidance to all Broadridge associates and contingent workers on Information Security standards, policies, and procedures so that they can incorporate security into their job functions.
The mission of the BISG is to provide guidance and practical solutions that support the business in ensuring the confidentiality, integrity, and availability of Broadridge's information assets through the implementation and management of the Information Security Management Program. This includes guidance on the collection, use, maintenance, security, and disclosure practices for personal information by Broadridge and its subsidiaries, as outlined in the BR Global Privacy Policy. It involves the creation, administration, and communication of policies and standards to ensure the correct protection mechanisms are in place to support the mission.
The purpose of the Information Security Management Program is to ensure that management is appropriately advised and supported so that Broadridge can effectively implement security controls that enable Broadridge to meet the requirements of Internal Audit, external auditors, applicable regulations, clients, and other parties that trust Broadridge to safeguard their information.
The charter of the BISG is to:
• Identify and assess operational and application risks and vulnerabilities, and propose recommendations for mitigation through the use of appropriate information security controls. (Risk Assessment)
• Protect against anticipated threats and hazards to information resources. (Security Incidents)
• Establish controls to prevent loss or compromise of information resources. (Data Loss Prevention)
• Promote information security awareness within the organization. (Training and Awareness)
• Establish core competencies of Information Security within the business. (Standardization)
• Provide guidance on user and system access to ensure it is appropriate for business functions. (Entitlements Management)
• Establish control frameworks (e.g. ISO, HIPAA, PCI, NIST, SSAE-18), gather evidence, and report to management on the state of information security within the business. (Risk & Compliance)
• Govern the processes that ensure the proper disposal of company and client information.
Asset Management
We have strict asset management policies in place to ensure that all assets are accounted for and secure.
BC/DR
We have a business continuity plan in place to ensure that we can continue to operate in the event of a disaster.
Training
We provide security awareness training to all employees to ensure that they are aware of security best practices.
Change Management
We have a change and configuration management process in place to ensure that changes are properly reviewed and approved.
Physical & Environment
We have physical and environmental controls in place to ensure that our data centers are secure and reliable.
Continuous Monitoring
We continuously monitor our systems for security threats and vulnerabilities. We are happy to provide more details about our continuous monitoring practices upon request.
CVE-2025-24813
April 2, 2025
BROADRIDGE RESPONSE STATEMENT
Thank you for reaching out to us on this matter. The reputation, security, and relationships with our clients are paramount in everything Broadridge does, which is why we worked quickly to validate and address any immediate and systemic issues presented.
On March 10, 2025, the Apache Software Foundation released a patch for CVE-2025-24813 (CVSS score 9.8), a remote code execution (RCE) vulnerability in Apache Tomcat. A flaw in Tomcat's handling of partial PUT requests lets an attacker write a file to the server; if the application also uses Tomcat's file-based session persistence in the default location and includes a library vulnerable to deserialization attacks, the attacker can trigger unsafe deserialization of that file and execute code remotely. A proof of concept is public and exploitation has been observed. Apache Tomcat versions before 11.0.3, 10.1.35, and 9.0.99 are affected when writes are enabled for the default servlet (disabled by default) and support for partial PUT is enabled (the default). Apache recommends users update to a patched version of Apache Tomcat. Multiple security researchers, including GreyNoise and Wallarm, have reported active exploitation.
In response to the Apache Tomcat vulnerability (CVE-2025-24813), Broadridge identified that it is not operating a vulnerable version of Apache Tomcat.
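The description above names three conditions: a pre-fix build, writes enabled on the default servlet (readonly=false), and partial PUT left at its default. The following is an added example, not Broadridge's or Apache's code, that turns those conditions into a check an operator can run against a Tomcat version string and a conf/web.xml file. The fixed patch levels come from the Apache advisory; the function names and the sample web.xml are constructed for illustration. A positive result only means the preconditions for the file write hold; full RCE still depends on the session-persistence and gadget-library conditions described above, which this check does not evaluate.

```python
import re
import xml.etree.ElementTree as ET

# First fixed patch level on each supported branch, per the Apache advisory for
# CVE-2025-24813: 9.0.99, 10.1.35 and 11.0.3.
FIXED_PATCH = {(9, 0): 99, (10, 1): 35, (11, 0): 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Split '10.1.34' or '11.0.0-M1' into (major, minor, patch, milestone-or-None)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, milestone


def version_vulnerable(version):
    """True if this Tomcat release predates the fix on its branch."""
    major, minor, patch, milestone = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # 8.5.x and older branches are end-of-life and never received the fix:
        # report them as vulnerable rather than silently passing them.
        return True
    if patch != fixed:
        return patch < fixed
    # A milestone build of the fixed patch level predates its GA release.
    return milestone is not None


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Collect the <init-param> name/value pairs declared for the servlet named 'default'."""
    root = ET.fromstring(web_xml_text)
    params = {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-name" and c.text]
        if names != ["default"]:
            continue
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            name = value = None
            for child in init:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
    return params


def assess(version, web_xml_text):
    """Combine the version check with the two DefaultServlet configuration preconditions."""
    params = default_servlet_params(web_xml_text)
    # Tomcat defaults: readonly=true (PUT/DELETE rejected), allowPartialPut=true.
    writes_enabled = (params.get("readonly") or "true").lower() == "false"
    partial_put = (params.get("allowPartialPut") or "true").lower() != "false"
    vulnerable_build = version_vulnerable(version)
    return {
        "vulnerable_build": vulnerable_build,
        "writes_enabled": writes_enabled,
        "partial_put": partial_put,
        "exposed": vulnerable_build and writes_enabled and partial_put,
    }


# Constructed sample (not a real deployment): a conf/web.xml fragment in which an
# operator has switched the default servlet to read/write.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for v in ("9.0.98", "9.0.99", "10.1.34", "11.0.3"):
        print(v, assess(v, SAMPLE_WEB_XML))
```

Run it against the version reported by `catalina.sh version` (or the `server.info` property) and the contents of `$CATALINA_BASE/conf/web.xml`; an application that overrides the default servlet in its own WEB-INF/web.xml should be checked with that file as well, since a readonly=false there has the same effect.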
CVE-2025-0282
January 14, 2025
BROADRIDGE RESPONSE STATEMENT
Thank you for reaching out to us on this matter. The reputation, security, and relationships with our clients are paramount in everything Broadridge does, which is why we worked quickly to validate and address any immediate and systemic issues presented.
Description
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
Broadridge has investigated and analyzed its use of Ivanti products and services and has determined that they are not in use. Therefore, Broadridge has not been impacted by the Ivanti vulnerability (CVE-2025-0282).
CVE-2024-40711
February 25, 2025
BROADRIDGE RESPONSE STATEMENT
Thank you for reaching out to us on this matter. The reputation, security, and relationships with our clients are paramount in everything Broadridge does, which is why we worked quickly to validate and address any immediate and systemic issues presented.
Description
A deserialization of untrusted data vulnerability in Veeam Backup & Replication allows an unauthenticated attacker who supplies a malicious payload to achieve remote code execution (RCE).
Broadridge has investigated and analyzed its use of Veeam Backup & Replication. All servers that ran versions vulnerable to CVE-2024-40711 have been upgraded to fixed releases (12.2 and above).
CVE-2024-4879
December 5, 2024
Executive Summary
ServiceNow has addressed an input validation vulnerability that was identified in Vancouver and Washington DC Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow applied an update to hosted instances, and ServiceNow released the update to our partners and self-hosted customers. Listed below are the patches and hot fixes that address the vulnerability. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Technical Summary
Release         Fixed Version
Utah            Utah Patch 10 Hot Fix 3
                Utah Patch 10a Hot Fix 2
Vancouver       Vancouver Patch 6 Hot Fix 2
                Vancouver Patch 7 Hot Fix 3b
                Vancouver Patch 8 Hot Fix 4
                Vancouver Patch 9
                Vancouver Patch 10
Washington DC   Washington DC Patch 1 Hot Fix 2b
                Washington DC Patch 2 Hot Fix 2
                Washington DC Patch 3 Hot Fix 1
                Washington DC Patch 4
BROADRIDGE RESPONSE STATEMENT
Broadridge has investigated and analyzed its use of ServiceNow and has determined that its servers are configured to receive automatic updates from the vendor. Therefore, Broadridge has not been impacted by the ServiceNow vulnerability (CVE-2024-4879).
CVE-2024-5217
February 25, 2025
BROADRIDGE RESPONSE STATEMENT
Thank you for reaching out to us on this matter. The reputation, security, and relationships with our clients are paramount in everything Broadridge does, which is why we worked quickly to validate and address any immediate and systemic issues presented.
Description
ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.
Broadridge has investigated and analyzed its use of ServiceNow and has determined that its servers are configured to receive automatic updates from the vendor. Therefore, Broadridge has not been impacted by the ServiceNow vulnerability (CVE-2024-5217).