NextCapital

Security

Your data is our top priority

NextCapital takes client privacy and security seriously and is committed to providing a secure solution for all of its customers. By building on Amazon Web Services and applying industry-leading practices, we work to keep your information private and available.

Security program management

NextCapital’s dedicated security leadership team includes professionals with an average of 20 years of information security experience in the financial sector. Security is not the sole responsibility of this team, however: every employee plays a role in maintaining the security of the services provided to every customer. NextCapital has therefore adopted an approach that identifies current and emerging risks, monitors controls and responds in a timely fashion where needed. This approach is treated as a continuously evolving process, with improvements made on an ongoing basis.

Through self-assessments and external audits, the management team not only verifies the effectiveness of controls but also identifies gaps for further improvement. One example is NextCapital’s annual SOC 2 Type II audit report, which is available upon request under a Non-Disclosure Agreement (NDA).

Governance & policies

NextCapital has developed a comprehensive set of security policies covering a broad range of topics, from network security and background checks to incident response and business continuity. These policies are shared with, and made available to, all employees and contractors. Additionally, everyone who is granted access to the NextCapital environment must complete security awareness training on a regular basis. This training informs users about security risks as well as the policies they are required to comply with.

Protection & prevention

Our security architecture consists of multiple layers of defense. At the core is the security of the data stored within the AWS infrastructure, and each layer takes into account the confidentiality, integrity and availability of that data. Encryption is implemented for data both in transit and at rest, so communications between the customer and NextCapital’s servers are encrypted according to industry best practices.
  • Firewalls form the first layer of defense. Both our internal corporate network and our AWS customer environment are protected by application-layer (layer 7) firewalls that permit only authorized systems, services and applications.
  • Logical access controls ensure not only that leading-practice authentication controls are in place but also that access is restricted to authorized users and staff. For administrative access used to manage the environment, additional controls such as multi-factor authentication and close monitoring of account usage, with alerting, are in place. All access is also reviewed on a periodic basis.
  • Intrusion prevention solutions monitor the key ingress and egress points. The systems are configured to generate alerts when abnormal behavior is identified, and appropriate actions are taken (e.g. blocking of traffic).
  • System hardening secures a system by reducing its attack surface. This is done by disabling unnecessary services, applying critical security updates and monitoring compliance with the established settings. NextCapital has implemented a process to harden all infrastructure components, including servers and workstations.
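The last bullet above describes monitoring compliance with an established hardening baseline. The following is an added example of what such a check looks like in practice; it is not NextCapital’s tooling. It compares an OpenSSH `sshd_config` against a small baseline and reports every deviation, including directives that are absent and therefore silently fall back to the server default. The OpenSSH directive names and defaults are real; the required values in `BASELINE`, the `Finding` type and both sample configs are constructed for illustration.

```python
"""Hardening baseline check for an sshd_config-style file (added example)."""
from dataclasses import dataclass

# Illustrative baseline: directive -> (required value, value sshd uses when the
# directive is absent). Defaults are OpenSSH's; required values are an assumed
# baseline, not a NextCapital standard.
BASELINE = {
    "PermitRootLogin": ("no", "prohibit-password"),
    "PasswordAuthentication": ("no", "yes"),
    "PermitEmptyPasswords": ("no", "no"),
    "X11Forwarding": ("no", "no"),
    "MaxAuthTries": ("4", "6"),
}


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: str
    source: str  # "explicit" (set in the file) or "default" (directive absent)


def parse_sshd_config(text):
    """Return the effective global directive->value map (keys lower-cased).

    Lines starting with '#' and blank lines are skipped. sshd honours the
    *first* occurrence of a directive, so later duplicates are ignored. A
    'Match' block ends the global section; conditional settings after it are
    not part of the global baseline.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_compliance(text, baseline=BASELINE):
    """Return one Finding per baseline directive whose effective value deviates."""
    effective = parse_sshd_config(text)
    findings = []
    for directive, (required, default) in baseline.items():
        if directive.lower() in effective:
            actual, source = effective[directive.lower()], "explicit"
        else:
            actual, source = default, "default"
        if actual.lower() != required.lower():
            findings.append(Finding(directive, required, actual, source))
    return findings


# Constructed sample: a distro-style default with two weak settings.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication is commented out, so the default (yes) applies
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
# Ignored: sshd keeps the first PermitRootLogin above
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

# Constructed sample: the same file with the weak settings corrected.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(check_compliance(cfg))} finding(s)")
        for f in check_compliance(cfg):
            print(f"  {f.directive}: expected {f.expected}, got {f.actual} ({f.source})")
```

The point worth noticing is the `source` field: a baseline check that only inspects directives present in the file would miss `PasswordAuthentication` here, because the weak value comes from the server default rather than from anything written in the config.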

Design & development

As NextCapital continues to build and add new features to the web application, it also tests, identifies, analyzes and reports on potential security issues in both the application and the underlying infrastructure.
  • Static Application Security Testing (SAST) - Source code analysis tools scan our source code repositories continuously as part of the build process. This helps NextCapital identify issues early in the development process.
  • Dynamic Application Security Testing (DAST) - Ongoing application vulnerability scans remain a key step in identifying application vulnerabilities. Although our developers receive security awareness training, scanning for the OWASP Top 10 and other common security flaws serves as an extra layer of detection.
  • Penetration Testing picks up where automated tools fall short. Through manual penetration testing, all components are subjected to more specialized and in-depth ethical hacking.

Detection & response

NextCapital has implemented processes to identify, respond to, and mitigate cybersecurity threats and vulnerabilities in a timely and effective manner. To accomplish this, NextCapital takes input from various sources, including financial industry intelligence programs such as FS-ISAC. We monitor threats posted to these threat intelligence networks and take action based on our risk and exposure.

Because NextCapital monitors its critical assets continuously, it is also quick to respond to any issue that may arise. Through its incident response and disaster recovery program, it ensures that customer services remain available or can be readily recovered in case of a disaster. This is accomplished through:
  • Redundancy, implemented throughout the environment to eliminate single points of failure. Customer data is also replicated across systems, facilities and AWS regions to ensure timely recovery in case of problems.
  • Security Information and Event Management (SIEM) solutions, which collect and correlate information from all assets to identify abnormal behavior. Events are escalated to our 24/7 Operations and Security team.
  • Disaster Recovery plans, used to respond to events such as Distributed Denial of Service (DDoS) attacks, virus outbreaks or other impacts on the environment. To ensure all employees know the process to follow during such events, NextCapital also performs tests to verify that these plans are effective, that services can be restored within the targeted recovery time objective (RTO) and that potential data loss stays within the recovery point objective (RPO).
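The SIEM bullet above, and the earlier statement that administrative account usage is closely monitored with alerting, describe correlation rules without showing one. Below is an added example of three such rules run over constructed authentication events; it is not NextCapital’s SIEM content, and the event format, field names, thresholds and the `KNOWN_ADMIN_SOURCES` allowlist are all assumptions made for the example. The rules are: a privileged login without MFA, a burst of failures followed by a success from the same source (with a time window so stale failures do not count), and an admin login from a source outside the allowlist.

```python
"""Correlation rules over constructed authentication events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # assumed: failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)  # assumed: only failures this recent count
KNOWN_ADMIN_SOURCES = {"203.0.113.7"}  # assumed allowlist, e.g. a corporate VPN egress

# Constructed sample: JSON lines as a SIEM might receive from an identity provider.
SAMPLE_EVENTS = """\
{"ts":"2021-06-01T01:00:00Z","user":"frank","role":"user","src":"192.0.2.10","result":"failure","mfa":false}
{"ts":"2021-06-01T01:01:00Z","user":"frank","role":"user","src":"192.0.2.10","result":"failure","mfa":false}
{"ts":"2021-06-01T01:02:00Z","user":"frank","role":"user","src":"192.0.2.10","result":"failure","mfa":false}
{"ts":"2021-06-01T01:03:00Z","user":"frank","role":"user","src":"192.0.2.10","result":"failure","mfa":false}
{"ts":"2021-06-01T02:10:00Z","user":"alice","role":"admin","src":"203.0.113.7","result":"success","mfa":true}
{"ts":"2021-06-01T02:12:00Z","user":"bob","role":"admin","src":"198.51.100.9","result":"success","mfa":false}
{"ts":"2021-06-01T02:30:00Z","user":"dave","role":"user","src":"192.0.2.44","result":"failure","mfa":false}
{"ts":"2021-06-01T02:31:00Z","user":"dave","role":"user","src":"192.0.2.44","result":"failure","mfa":false}
{"ts":"2021-06-01T02:32:00Z","user":"dave","role":"user","src":"192.0.2.44","result":"failure","mfa":false}
{"ts":"2021-06-01T02:33:00Z","user":"dave","role":"user","src":"192.0.2.44","result":"failure","mfa":false}
{"ts":"2021-06-01T02:34:00Z","user":"dave","role":"user","src":"192.0.2.44","result":"failure","mfa":false}
{"ts":"2021-06-01T02:35:00Z","user":"dave","role":"user","src":"192.0.2.44","result":"success","mfa":true}
{"ts":"2021-06-01T02:40:00Z","user":"frank","role":"user","src":"192.0.2.10","result":"failure","mfa":false}
{"ts":"2021-06-01T02:41:00Z","user":"frank","role":"user","src":"192.0.2.10","result":"success","mfa":true}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def rule_admin_login_without_mfa(events):
    """Successful admin logins that did not present a second factor."""
    return [{"rule": "admin_login_without_mfa", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events
            if e["role"] == "admin" and e["result"] == "success" and not e.get("mfa", False)]


def rule_failures_then_success(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """A success preceded by >= threshold failures for the same (user, src) within window.

    Failures older than the window are discarded at the time of the success, so a
    handful of old typos hours earlier do not trigger the rule.
    """
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "failures_then_success", "user": e["user"],
                           "src": e["src"], "ts": e["ts"], "failures": len(recent)})
        failures[key].clear()  # a success resets the counter either way
    return alerts


def rule_admin_from_unknown_source(events, known=KNOWN_ADMIN_SOURCES):
    """Successful admin logins from a source address outside the allowlist."""
    return [{"rule": "admin_login_from_unknown_source", "user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events
            if e["role"] == "admin" and e["result"] == "success" and e["src"] not in known]


def run_all(text):
    """Run every rule over the event text and return the combined alert list."""
    events = parse_events(text)
    return (rule_admin_login_without_mfa(events)
            + rule_failures_then_success(events)
            + rule_admin_from_unknown_source(events))


if __name__ == "__main__":
    for a in run_all(SAMPLE_EVENTS):
        print(a)
```

On the sample, `bob` trips two rules (no MFA and an unknown source), `dave` trips the brute-force rule with five failures inside the window, and `frank` trips nothing: four of his five failures are ninety minutes old by the time he succeeds. In a real deployment the allowlist and thresholds would come from the environment rather than constants, and alerts would be routed to the on-call team described above.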

Third party management

Third parties and vendors bring a variety of skills and services to every organization. NextCapital relies on such services not only to provide an innovative solution to its partners but also to support office functions. To ensure that it understands and manages the risks associated with these relationships, NextCapital has implemented a robust third-party management program that ensures adequate due diligence before a relationship is entered into and ongoing monitoring for as long as it lasts.

Throughout the lifecycle of the relationship between NextCapital and the third party, the following processes oversee the risk:
  • Due diligence when selecting the third party, including verification of security requirements.
  • Written contracts that outline the rights and responsibilities of all parties.
  • Ongoing monitoring of the third party’s activities, performance and control environment.
  • Assessment of the third party’s impact on the organization in case of a disaster, and of how business continuity plans will be applied.
  • Documentation and reporting that facilitate oversight, accountability, monitoring and risk management.

Training & security awareness

All NextCapital employees and contractors receive security awareness training on a regular basis. The training is delivered through in-person sessions, annual online training, monthly newsletters, security screensavers and other ad hoc communication. The security team monitors threat intelligence reports to ensure that the most up-to-date alerts are also shared throughout the organization.

© 2021 NextCapital Group, Inc. All rights reserved.

NextCapital Software, Inc., and NextCapital Advisers, Inc., are wholly owned subsidiaries of NextCapital Group, Inc. NextCapital Advisers is registered with the SEC as an investment adviser. When you use this website, you accept our Terms of Service and Privacy Policy. NextCapital does not guarantee results. All investments involve risk and may result in loss. Past performance does not guarantee future results. Historic returns, projected returns, and probability of investment outcomes may not reflect actual future results.