Emerging AI-driven cybersecurity risks

Trust Center


Welcome to Broadridge's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.

The goal of the Broadridge Information Security Group (BISG) is to provide guidance to all Broadridge associates and contingent workers on Information Security standards, policies, and procedures so that they can incorporate security into their job functions.

The mission of the BISG is to provide the guidance and practical solutions to support the business to ensure the confidentiality, integrity, and availability of Broadridge’s information assets through the implementation and management of the Information Security Management Program. This includes guidance for the collection, use, maintenance, security, and disclosure practices of personal information by Broadridge and its subsidiaries as outlined in the BR Global Privacy Policy. This involves the creation, administration, and communication of policies and standards to ensure the correct protection mechanisms are in place to support the mission.

The purpose of the Information Security Management Program is to ensure that management is appropriately advised and supported so that Broadridge can effectively implement security controls that enable Broadridge to meet the requirements of Internal Audit, external auditors, applicable regulations, clients, and other parties that trust Broadridge to safeguard their information.
The charter of the BISG is to:
• Identify and assess operational and application risks and vulnerabilities, and propose recommendations for mitigation through the use of appropriate information security controls. (Risk Assessment)
• Protect against any anticipated threats and hazards to information resources. (Security Incidents)
• Establish controls to prevent loss or compromise of information resources. (Data Loss Prevention)
• Promote information security awareness within the organization. (Training and Awareness)
• Establish core competencies of Information Security within the business. (Standardization)
• Provide guidance on user and system access to ensure appropriateness for business functions. (Entitlements Management)
• Establish control frameworks (e.g. ISO, HIPAA, PCI, NIST, SSAE-18), gather evidence, and report to management on the state of information security within the business. (Risk & Compliance)
• Govern the processes to ensure the proper disposal of company and client information.

BC/DR

We have a business continuity plan in place to ensure that we can continue to operate in the event of a disaster.

Trust Center Updates

Emerging AI-driven cybersecurity risks

General

Broadridge actively monitors emerging AI-driven cybersecurity risks and evaluates their potential impact through our existing enterprise cybersecurity, software security, and risk management programs. With respect to developments such as Anthropic’s Mythos model and Project Glasswing, we are assessing the broader implications of AI-enabled vulnerability discovery and exploitation as part of our ongoing threat monitoring and control evaluation processes.

  1. Assessment and response to emerging AI-driven security risks
    Broadridge is addressing emerging AI-related risks through established governance and security processes, including threat intelligence review, vulnerability management, secure development practices, and third-party risk oversight. We recognize that AI can increase the speed and scale of vulnerability discovery, exploitation attempts, phishing, and other malicious activity, and we have been enhancing our controls to address those risks effectively.

  2. Current and planned controls
    Broadridge maintains layered security controls designed to protect our environment, including secure development practices, vulnerability scanning, patch management, penetration testing, monitoring and detection capabilities, access controls, incident response procedures, and third-party risk management. We are also adopting control enhancements, as appropriate, in areas such as AI governance, monitoring for anomalous activity, secure use of AI-enabled tools, and software supply chain risk management.

  3. Timeframe for enhanced measures
    Our approach is ongoing and risk-based. Many relevant controls are already in place today, including AI-based security monitoring and automated remediation controls; any additional enhancements are being evaluated and implemented through our normal cybersecurity and change management processes based on risk priority.

  4. Vulnerability identification, management, and disclosure
    Broadridge maintains processes to identify, assess, prioritize, remediate, and track vulnerabilities using a combination of scanning, testing, threat intelligence, and internal review. Where a vulnerability or security issue materially affects LPL data, services, or the Broadridge environment supporting LPL, notification would be made in accordance with applicable contractual obligations and established incident response procedures.

Thank you, Broadridge.

Microsoft Announcement: 56 security vulnerabilities across Windows, Office, Exchange Server, and other components

Vulnerabilities

BROADRIDGE RESPONSE STATEMENT

On December 9th, 2025, Broadridge was notified about a recent announcement from Microsoft, which released its final Patch Tuesday updates addressing 56 security vulnerabilities across Windows, Office, Exchange Server, and other components. This patch includes three zero-day flaws (CVE-2025-62221, CVE-2025-64671, and CVE-2025-54100): two publicly disclosed remote code execution issues and one actively exploited elevation of privilege vulnerability.

The vulnerabilities CVE-2025-62221, CVE-2025-64671, and CVE-2025-54100 represent a meaningful security risk to Windows environments and developer workstations by enabling privilege escalation and arbitrary code execution. CVE-2025-62221 is the most critical, as it is actively exploited in the wild and allows a local attacker to escalate privileges to full SYSTEM control through a flaw in the Windows Cloud Files Mini Filter Driver, significantly increasing the impact of any initial compromise. CVE-2025-64671 affects GitHub Copilot for JetBrains IDEs and permits command injection leading to code execution on a developer’s machine through malicious prompts or project content, raising concerns around AI-assisted development and supply-chain security. CVE-2025-54100 impacts Windows PowerShell, where improper handling of web-sourced content can result in unintended code execution when users run certain commands against untrusted sources. Together, these vulnerabilities underscore the importance of timely patching, secure development practices, and heightened monitoring for privilege escalation and suspicious command execution.

Broadridge has investigated the Microsoft vulnerabilities (CVE-2025-62221, CVE-2025-64671, and CVE-2025-54100) and has determined that there is no threat to Broadridge, as our SCCM automatically pushes patches in our environment when they are released. Currently there have been no signs of these vulnerabilities across our environment, but Broadridge continues to monitor its environments to ensure our clients, customers, stakeholders, and associates remain unaffected by today’s cyber threats.

Thank you,
Broadridge

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368

Vulnerabilities

Broadridge Threat Response March 2, 2026.

BROADRIDGE RESPONSE STATEMENT

In March of 2026, Broadridge was notified about two vulnerabilities, CVE-2026-3055 and CVE-2026-4368, affecting NetScaler ADC and NetScaler Gateway.

In response to these vulnerabilities, Broadridge has investigated, and we can confirm we are not impacted by either of the vulnerabilities referenced; however, we are continuously monitoring our environment to ensure our clients, customers, stakeholders, and associates remain unaffected.

Thank you,

Broadridge

MongoBleed (CVE-2025-14847)

Vulnerabilities

Threat Response January 15, 2026

BROADRIDGE RESPONSE STATEMENT

On December 29th, 2025, Broadridge was notified about a recent announcement by the Cybersecurity and Infrastructure Security Agency (CISA) regarding a MongoDB Server vulnerability (CVE-2025-14847) that has been actively exploited in the wild. CVE-2025-14847, also known as “MongoBleed”, stems from improper handling of length fields in zlib-compressed network protocol messages, allowing unauthenticated remote attackers to coerce MongoDB into returning uninitialized heap memory to the client.

Affected versions for MongoBleed (CVE-2025-14847) include:

• MongoDB Server v7.0 versions prior to 7.0.28
• MongoDB Server v8.0 versions prior to 8.0.17
• MongoDB Server v8.2 versions prior to 8.2.3
• MongoDB Server v6.0 versions prior to 6.0.27
• MongoDB Server v5.0 versions prior to 5.0.32
• MongoDB Server v4.4 versions prior to 4.4.30
• MongoDB Server v4.2 versions greater than or equal to 4.2.0
• MongoDB Server v4.0 versions greater than or equal to 4.0.0
• MongoDB Server v3.6 versions greater than or equal to 3.6.0

Affected versions should be upgraded to a version equal to or greater than the following:
• Version 7.0.28
• Version 8.0.17
• Version 8.2.3
• Version 6.0.27
• Version 5.0.32
• Version 4.4.30

Broadridge has investigated the MongoBleed vulnerability (CVE-2025-14847) across the enterprise and has detected a few vulnerable versions of MongoDB. Broadridge has patched most of the instances to non-vulnerable versions and is in the final stage of upgrading the last few instances. All identified remaining versions will be patched by January 19th, 2025. Broadridge continues to monitor its environments to ensure our clients, customers, stakeholders, and associates remain unaffected by today’s cyber threats.

Thank you, Broadridge

React2Shell remote code execution flaw, CVE-2025-55182 and CVE-2025-66478

Vulnerabilities

Broadridge Threat Response December 10th, 2025

On December 3rd, Broadridge was informed of a critical vulnerability, the React2Shell remote code execution flaw (CVE-2025-55182 and CVE-2025-66478). More details on the React2Shell vulnerability can be viewed at: NVD - CVE-2025-55182 and NVD - CVE-2025-66478.

Broadridge has examined our perimeter systems, applied patches/mitigation as needed, and current scans have found no trace of the React2Shell vulnerability. Broadridge is continuously monitoring our environments to ensure our clients, customers, stakeholders, and associates remain unaffected.

If you think you may have discovered a vulnerability, please send us a note.