Security By Design

FinClusive Prioritizes Information Security and Cyber Controls

  • We embed robust security controls as a holistic function that is core to the mission of the company. As a premier risk and compliance management platform, we are committed to ensuring our information management and data systems are built against global standards.
  • Security is not secondary — our products, data warehousing and delivery channels are built, tested and audited around this central security posture, with senior management, board and relevant expertise engaged across our ecosystem.

FinClusive’s technology stack and Risk Management framework is based on the National Institute of Standards and Technology (NIST) Risk Management Framework.

infosec diagram

NIST SP 800-37 “Risk Management Framework”

FinClusive’s implementation of the NIST Risk Management Framework includes:


FinClusive has a comprehensive and tested set of policies and procedures to cover key risks of the platform:

  • Contingency Planning Policy:

    Focused on the recovery and restoration of an Information Technology (IT) system following any potential disruption

  • Incident Response Policy:

    Handling of cyber incidents based on the NIST Computer Security Incident Handling Guide

  • Risk Assessment Policy:

    Used to identify, estimate, and prioritize risk to organizational operations

  • Financial Crimes Compliance (FCC) Policy:

    Governs the application of our anti-money laundering / counter financing of terrorism (AML/CFT), sanctions compliance, anti-bribery and corruption (ABC), USA PATRIOT Act, and Bank Secrecy Act (BSA)

  • Secure Software Development Lifecycle (SDLC) Policy:

    Open framework used to formulate a software security strategy based on the Open Web Application Security Project (OWASP) Software Assurance Maturity Model (SAMM)


Categorization includes asset identification and loss impact:

  • Asset identification is critical in understanding asset ownership and business criticality

  • Loss impact identifies the potential monetary or reputational loss due to the exploit of a vulnerability


FinClusive selects security controls based on the business criticality and attack surface of an asset.


Once the initial set of controls have been selected, we implement those controls within our environment to achieve an initial level of risk mitigation.


We perform risk assessments on our platforms to have a clear picture of both Inherent Risk and Residual Risk.

  • Inherent Risk is used to guide and confirm the selection of initial controls

  • Residual risk incorporates data from vulnerability assessments and penetration tests to determine what additional compensating controls must be implemented for an effective level of mitigation


FinClusive has developed a Compliance-Readiness program in preparation for an annual American Institute of CPAs (AICPA) System and Organization Controls (SOC2) audit. With this SOC2 Compliance Readiness initiative updated annually, FinClusive ensures we are compliant across the enterprise.


We perform risk assessments on our platforms to have a clear picture of both Inherent Risk and Residual Risk.

  • FinClusive implements monitoring and filtering via a “Defense in Depth” strategy. We have implemented infrastructure and application monitoring based on Center for Internet Security (CIS) benchmarks

  • FinClusive utilizes Application Performance Management (APM) tools to instrument our applications to provide real-time telemetry to help manage risk

  • FinClusive aggregates events from these and other authentication, authorization and filtering devices into a Security Incident and Event Management (SIEM) tool. The SIEM too gives us consolidated view of our prioritized issues to help us manage actionable events in our environment

  • FinClusive continuously strives to improve our overall security posture and provide a feature rich, secure platform for our customers, clients, counterparties and partners