A LETTER TO OUR CLIENTS

Last August, we released the results of two reviews relating to our company’s client data
practices and the relationship between our editorial operation and our commercial businesses.
Although these reviews found that we have appropriate client data policies and controls in
place, we undertook a series of actions, many based on the recommendations in the reviews,
to enhance the integrity and confidentiality of our client data. Six months later, we are
providing an update on our progress, which can be found at RVWS<GO> and online at

Our efforts over the past several months have been designed to serve three key objectives.
First, to maintain and enhance a strong culture of data protection. Second, to ensure that our
editorial operations live up to their high standards and address areas where standards and
practices may need to be revisited in a changing environment. Third, to apply the same spirit of
innovation to data protection that we have brought to the building of our products and services.

We also made the decision to adopt every recommendation from the August reports, and
66 of these recommendations have now been completed. The remaining recommendations
are largely scheduled to be completed by the end of this year.

To accomplish our first objective, we have undertaken many initiatives to further institutionalize
our principles, policies and procedures regarding the protection of client data. We enhanced
our policies with the publication of 59 additional procedures. The principles, policies and
procedures are available for all employees through a dedicated function on the terminal, and
all employees are required to acknowledge and agree to follow them. We have instituted
several required trainings, including annual manager and employee trainings around information
security. New employee performance metrics have been added regarding client data
confidentiality to ensure that all Bloomberg employees are accountable for upholding client
data principles, policies and procedures, including identifying risks and escalating those risks
to management and other compliance resources. Many other related changes are described
throughout the six-month update.

In mid-January, we took an important step forward in continuing to institutionalize a strong
culture of data protection by bringing Paul Wood onboard as our first-ever Chief Risk and
Compliance Officer. Paul has more than 30 years of experience in the security and risk space
in both the public and private sectors. Both the Security and the Client Data Compliance Office
report to Paul and he reports directly to me.

Our second objective was to build on the safeguards we put in place last summer regarding
Bloomberg News employees’ access to client data by identifying other aspects of our editorial
operations that warranted revisiting in a changing environment. We promulgated several new
policy guidelines regarding News employees’ interactions with other parts of the business,
and all News employees are now required to take an “Information Security for News” training
course in addition to the other mandatory employee trainings. In the fall, Tim Quinson was
appointed as the Standards Editor for Bloomberg News to help ensure adherence to our
standards for accuracy, balance and tone in our reporting, and Clark Hoyt was appointed as the
Senior Independent Editor, reporting to me, to provide an alternative and independent channel
to review comments and complaints regarding news coverage. In addition, our facilities team
reviewed every Bloomberg office to determine what, if any, changes were appropriate where
News and commercial employees share office space. Of the 145 locations reviewed, 53
will be altered.

Finally, in the spirit of innovation, we have tapped the best technical minds at our company,
including our R&D department, to build off some of our historic innovations like the use of
biometric finger image authentication, and to perform a comprehensive analysis of our systems
to identify deficiencies and recommend enhancements. Among the many actions that resulted
was a change in the way access to client data is granted from an individual level to a role-based
system. This was done by integrating our access control systems with our personnel databases,
so that as employees move through the employee lifecycle, access to client data is removed
and/or granted according to the needs of their role. We have also employed new technology
to enhance the monitoring of our systems, and we have used technology to better document
and track access requests and anomalous behavior.

The six-month update details all the recommendations from both of the reports issued
in August, the current status in executing on those recommendations, and the additional
actions we have undertaken that were not outlined in the August reports but that we felt were
necessary to achieve the best standards in data security. We will issue another report at the
one-year mark this August.

As we move forward, we are also continuing to review our third-party audit program with the
intention of expanding the scope of products covered. Our third-party audit program has grown
over the past several years to include Bloomberg’s Order Management Systems, Bloomberg’s
Valuation Service (BVAL) and Bloomberg Vault (BVault), where annual, third-party SysTrust
audits are available to clients of those products. Last year, we expanded our program again to
include an AT-101 for our BSTP product. In the coming months, our Security team is evaluating
our other products to develop a schedule of additional audits, and we will publish this schedule
as part of our one-year update report. This schedule will also include the timing for a SOC3
audit of our terminal, and when completed the results of that SOC3 audit will be made available
to our clients.

Although there is still much to be done, I’m pleased with the substantial progress we have
made in a relatively short period of time. We have listened carefully to you, and your feedback
and suggestions have played a critical role in our progress. I’m also particularly grateful to our
employees, who have embraced these changes while continuing to stay focused on being the
best partner to you.

Last August, I told you that our ultimate goal was not just to fix the issues at hand; it was to
establish new standards for ourselves and, in doing so, set a higher bar for the entire industry.
Going forward, we will continue to proactively consider the evolution of client data issues, as
well as the relationship between our editorial and commercial operations. We will keep you
apprised of important developments and we will continue to focus on giving you the service
and protection you deserve.

Thank you for your support throughout this process, and as always, don’t hesitate to reach out
to me with any questions or concerns.

Daniel L. Doctoroff