January 2018 | Jeff Barbieri, ESG Analyst; Justin Peavey, Chief Information Security Officer

Cybersecurity: The first line of defense for companies in every sector

We expect companies we engage with to understand the cyber threats they face and to articulate their protection protocols. See the types of questions our ESG Team asks every company we invest in.

Key points

  • As cyber criminals and their tools become more advanced, the importance of a good cybersecurity program grows for companies in every sector.
  • When we engage with company management teams, we expect them to be able to articulate how they’ve aligned information security programs to mitigate their biggest cyber threats.
  • We prefer every company we invest in to have a robust information security program, headed by a Chief Information Security Officer (CISO).

Cyber attacks can result in lost or compromised data and business disruptions that lead to litigation, loss of customer trust, and brand deterioration. Unfortunately, even the most sophisticated, comprehensive cybersecurity policies and systems cannot deter every attempted attack. As cyber criminals and their tools become more advanced and nuanced, the importance of a good cybersecurity program grows for companies in every sector.

No company or industry is insulated. Cyber criminals and spies don’t target only those companies with highly sensitive information; they attack any company they can and figure out afterward whether they’ve obtained valuable information. Acknowledging that any company is a potential target, we take a “when, not if” approach to this issue during ESG engagement, focusing on management’s awareness of cybersecurity risks and planned responses to a data breach or other cyber crisis. As with any form of corporate risk, we expect management teams to understand their biggest cyber threats and be able to articulate how they’ve aligned information security programs to mitigate these threats.

The following are the types of cybersecurity questions we typically ask companies across all sectors.

What are your company’s top three information security risks?

We expect an answer that may include one or more of the following:

Vulnerability management. With software and system vulnerabilities identified constantly, it can be extremely difficult to update systems promptly each time a vendor releases new security patches. Companies with highly distributed and heterogeneous computer systems, including those embedded in manufacturing, point-of-sale, or other delivery-chain components, may be at risk of service outages and compromise.

Insufficient tools and staff to investigate attacks. Companies should recognize that detection of and response to cyber attacks is just as important as protection, and that they can’t predict what the next successful attack will look like. We like to see companies treat cyber defense as an active rather than a passive process, with staff assigned to watch for and investigate anomalies. We also like to see strong collaborative cyber-information-sharing relationships with industry associations and peers.

Unintentional user error and process risks. Companies should recognize that most data breaches are caused by accidental or careless mishandling of information, or from failure to follow established processes. They should be able to discuss their challenges and approaches to reducing risks in this area, including user training, data-loss prevention programs, and an operational risk-management focus.

Excessive access privileges and challenges managing access. Attackers often take on the identity of internal staff. Breaches are much more manageable if staff have access only to necessary information and functionality for their jobs. For many companies, managing proper access across disparate applications and data systems as staff members change roles is a complex yet common problem, one that often requires significant attention.

Who are your most likely cyber attackers, and why?

We look for an informed answer that demonstrates an understanding of their chief cyber risks. For example:

Cyber criminals who look for information they can quickly profit from, such as consumer data, material nonpublic information (MNPI), financial accounts access, or other information that can be resold or otherwise used to make money. Companies should also recognize their “ransom risk” and realize where and how their operations might be easily compromised, or where damaging and embarrassing information might be accessed by criminals looking for extortion opportunities.

Hacktivists (computer hackers whose aim is to promote a social or political cause) who may have objections to the company’s business or executives and who may wish to publicly harm or disparage the firm. This risk is acute for companies perceived as socially irresponsible.

Spies who target proprietary information of competitor firms or who target companies to benefit a foreign government. Companies should recognize whether they might be a target for espionage and be aware of who the most likely attackers might be. Firms that compete directly with foreign government interests should be particularly concerned.

How do you collaborate with your industry peers on cybersecurity?

Even the fiercest industry competitors should consider an open dialogue with peers; no one goes it alone when identifying cyber threats. If attackers find a vulnerability in one company’s systems, they’ll surely try the same approach with that company’s industry peers.

Has your company experienced a cyber attack? What changes have been made as a result?

We worry when a company answers “no” or suggests that its systems are impenetrable. Nearly every company has been attacked by cyber criminals, so the question is how aware the company is of its cyber-attack risks. Conversely, we aren’t necessarily concerned if a company has been successfully attacked, provided it can express lessons learned and improvements made. Unfortunately, many firms aren’t prompted to improve their cyber programs until they experience a cyber crime firsthand. Those that have been attacked may have better, more mature programs as a result.

Does your firm have an information security program?

Of course, we want to hear a definitive “yes.” If the function reports to the highest levels of the company (the board, CEO, or a senior-level committee), this can signal that the company takes cyber risk seriously. However, reporting to someone senior doesn’t help if that individual isn’t interested in cyber risk or doesn’t have the time to provide proper oversight.

When the information security program doesn’t report to the highest level, we inquire further about whether escalation channels are available and if information security is part of a company’s information technology (IT) department, which can have its own budget constraints and competition for resources with other IT priorities. Regardless of structure, every company should have a Chief Information Security Officer (CISO) with an unobstructed escalation channel to the board or board equivalent. Notably, both structures have proven successful; the more important question is why the current structure works for the company and how leadership arrived at this structure.

Is a board member or committee responsible for cyber risk, and if so, how often does the CISO update them?

It is not feasible for every company to have a cybersecurity expert on its board. Boards have limited seats to cover vast areas of expertise, so it may not be efficient to dedicate one of those seats to something as specific as cybersecurity. Nonetheless, a board should be receiving frequent education and updates from the CISO.

At some companies, the audit committee is responsible for overseeing cyber risk. While this may work in certain sectors, most audit committees already have extensive and complex responsibilities, making it unlikely that they can dedicate the time necessary to manage cybersecurity. If a company has shoehorned responsibility for cyber risk into its audit committee, this may signal that the company is not taking the issue seriously.

At Wellington, our ESG and information security teams regularly collaborate to update our engagement questions and discuss what we should expect to hear in response from management teams on this evolving topic.

