AMG has a formal information security program, designed to develop and maintain privacy and data security practices to protect company assets and sensitive third-party information (including personal information). This program is governed by a committee comprising members of senior management, including the Company’s Chief Information Officer, which meets regularly and reports to the Board of Directors at least annually.

AMG recognizes the importance of protecting information assets such as personally identifiable information (PII) of our clients and employees, and has adopted policies, management oversight and accountability structures, and technology processes designed to safeguard this information. Client-facing data privacy and security policies may be viewed here. All AMG employees and contractors with access to AMG data attest annually to information security policies, and are required to participate in regular security awareness training to protect themselves and the AMG data to which they have access. These trainings also instruct employees and contractors with access to AMG data on how to report any potential privacy or data security issues.

AMG’s Information Security organization comprises internal and external resources designed to identify, protect, detect, resolve, and recover from various threats and attacks of malicious actors. AMG leverages 24x7x365 monitoring tools and services to address the confidentiality, integrity, and availability of company assets and data. Regular internal and third-party reviews are performed on processes and technologies to validate the effectiveness of privacy and data security controls, with external independent audits at least once every two years. Employees also undergo annual cybersecurity training and periodic randomized testing to mitigate external threats.

AMG monitors best practices and developments in data privacy and security, including increased scrutiny of third-party service providers with access to sensitive company data. AMG works with third-party service providers to monitor and support the control environment and breach notification processes. AMG also maintains its own fully documented proprietary security incident response plan, with defined roles and responsibilities that address notification obligations and procedures in the event of a data breach.

AMG is dedicated to business continuity and resiliency. We have documented strategies, policies, and procedures in place to protect employee, business, and client data in the event of an emergency or natural disaster.