Building trust in the digital finance era

  • Overview
  • Introduction
  • Infrastructure security
  • Application security
  • In-product security features
  • IT security
  • Operational security
  • AI at Brex
  • Conclusion

Overview


At Brex, our core mission is to help companies, from startups to global enterprises, empower their employees to make better financial decisions.

We do that by providing an intelligent finance platform that combines software and services to help teams spend smarter and move faster globally. Our mission is underpinned by a steadfast commitment to industry-leading security practices, protecting the confidentiality and integrity of financial and personal information.

Trust is the foundation that enables innovation.

This paper details Brex’s key security measures, offering peace of mind to our customers and a strategic framework for other companies looking to balance rapid growth with enterprise-grade security. In an era where traditional financial institutions are constrained by legacy systems and emerging fintech companies often sacrifice security for speed, Brex aims to prove that you can achieve both innovation velocity and institutional-grade security simultaneously.

Introduction

Security in modern finance

Security risk in financial services: Beyond compliance to competitive advantage

Organizations that provide financial services hold vast amounts of sensitive data, ranging from names and addresses to credit card details and transaction histories. A data breach or cyberattack can expose this information, leading to identity theft, financial fraud, and significant financial losses for their customers.

However, security is no longer just about preventing downside risk – it's about enabling upside opportunity. Companies with robust security programs can:

  • Enable faster international expansion through pre-built compliance with global regulations
  • Reduce customer acquisition costs by leveraging security certifications as trust signals
  • Accelerate enterprise sales cycles by proactively demonstrating strong security controls from day one
  • Offer premium pricing structures through demonstrated risk reduction and operational excellence

The financial services landscape is experiencing a fundamental shift. Traditional banks, weighed down by decades of technical debt and compliance overhead, struggle to innovate at the speed modern businesses require. Meanwhile, many fintech startups prioritize rapid feature development over security fundamentals, creating systemic risks that emerge as they scale.

Brex has pioneered a "security-native" approach that treats security controls not as constraints but as enablers of the business, sustainable growth, and customer trust.

So, what makes a security program trustworthy? No security program can eliminate all threats, but to reduce the risk of a security incident, customers should consider the following:

  1. Choose a financial service provider that demonstrates security leadership, not just compliance:
    1. Review information to gain confidence in a company's security control environment and ask questions relevant to how you will use their technology.
    2. Ensure that the company holds appropriate security certifications and attestations as minimum baselines, such as SOC 2 Type II, ISO 27001, PCI DSS, and SOC 1 Type II, and that its security programs are audited annually.
    3. Review the financial institution’s privacy policy to understand how your data is being used.
  2. Follow best practices for securing your own financial accounts:
    1. For your online banking and financial accounts, use strong, unique passwords. A password manager will help you with this.
    2. Always enable multi-factor authentication. Opt for an authenticator application or hardware security keys over SMS when possible.
    3. Exercise caution with phishing attempts. Do not click on unfamiliar links or share personal details through email or text messages.
    4. Ensure devices and software are updated with the latest security patches.
    5. Avoid conducting sensitive financial transactions on public Wi-Fi networks.
    6. Routinely check for unauthorized activity on your account and enable account alerts if available.
    7. Retain and dispose of financial and other sensitive documents according to appropriate timelines.
    8. Be aware of social engineering tactics, and do not share sensitive information with unfamiliar or unverified parties.

Buyer insight: The most sophisticated buyers don't just ask "Are you compliant?" They ask, "How does your security architecture enable our business objectives while reducing our risk profile?" and validate what they hear through due diligence.

Our differentiated security philosophy

Security as a business accelerator

To protect our customers, data, and assets, Brex has implemented administrative, technical, and physical security controls that are based not only on regulatory requirements but on thoughtful, substantiated, and tailored strategic thinking.

Brex maintains the philosophy that security should accelerate business outcomes, not inhibit them. Traditional security programs often focus on building walls. We focus on building intelligent bridges that enable secure, rapid business growth while maintaining right-sized risk management.

This approach manifests in several key differentiators:

  • Security by design, not by audit: Our controls are built into the product development lifecycle from inception, reducing time-to-market while maintaining enterprise-grade security.
  • Transparent security posture: We proactively share security information through our Trust Center, reducing sales friction and building customer confidence.
  • Continuous validation: Our security controls are validated not just annually, but through continuous monitoring and real-time threat detection.
  • Business-aligned risk management: Our security investments are directly tied to business outcomes and customer value creation; risk management efforts are contextualized to enable business goals.
'Security as a business accelerator' diagram

Our teams

Cross-functional security partnership

Our Trust organization, guided by our CISO, consists of security engineering (which includes application security, corporate security, infrastructure security, detection and response, and security awareness), product security, and governance, risk, and compliance. Our Trust teams work closely with cross-functional partners in IT, Legal, HR, Sales, Product, and Engineering to foster a collaborative, security-aware culture.

Strategic advantage: Unlike traditional financial institutions where security is often siloed, our security team is either embedded within or partnered with all business functions. This creates a security-first culture, where security considerations are integrated into business strategy, product development, and customer experience design from the ground up.

Security at a glance: Why each control matters

  • Brex security controls are aligned with industry-leading frameworks, such as NIST.
    • Strategic value: Framework alignment signals to enterprise customers that we operate at the same security maturity level as their existing vendors, reducing vendor risk assessments and accelerating procurement cycles.
  • Role-based access controls are in place for all employees and contractors, in accordance with the principle of least privilege.
    • Business enabler: Granular access controls actually improve operational efficiency by ensuring employees have exactly the access they need to be productive — no more, no less. This reduces security friction while maintaining audit trails that satisfy regulatory requirements.
  • Annual security and privacy training is required for all Brex employees and contractors.
    • Competitive advantage: Our security-aware workforce becomes a differentiator in day-to-day interactions, where Brex employees can serve as champions of security on their respective teams and raise any issues or concerns to the Trust team.
  • Enterprise information security policies are maintained, reviewed, and socialized annually and upon any significant changes.
    • Market positioning: Our policy framework is a competitive asset that demonstrates operational maturity and reduces customer due diligence burden.
  • Contractual security and privacy protections are in place with all service providers, including a DPA and AI addendum where required.
    • Innovation enabler: Robust contractual protections allow us to safely leverage best-of-breed AI and cloud services, giving us technological advantages over competitors who struggle to navigate these security complexities.
  • A third-party risk management program featuring subject matter experts who perform security due diligence during onboarding and annually as needed.
    • Business accelerator: Sophisticated third-party risk management actually enables faster innovation by allowing us to quickly and safely integrate with new partners and technologies.
  • Activity and access log reviews monitor, detect, and respond to anomalous activity across the environment.
    • Operational excellence: Real-time monitoring provides not just security benefits, but operational insights that improve customer experience and platform reliability.
  • Brex employs strong application security programs, such as vulnerability management, penetration testing, and secure product lifecycle.
    • Innovation velocity: Our security-integrated development practices actually increase development velocity by both actively partnering with teams in the design and catching issues earlier when they're cheaper to fix.
  • Brex provides a Risk Management Program and Risk Register with associated risk management activities (risk assessment, risk identification, risk treatment, risk acceptance) — all of which occur on an ongoing basis.
    • Strategic insight: Risk management isn't about eliminating risk. It's about taking the right risks at the right time. Our sophisticated risk framework enables us to move fast and innovate while maintaining appropriate controls.

A summary of how we protect our customers' data and secure our environment can be found at brex.com/security, with further details and documentation available upon request in the Brex Trust Center.

Certifications: Trust signals that accelerate business

Brex continuously achieves high external validations of our security control environment, but these aren't just compliance achievements. They're strategic business assets that differentiate us in the market:

  • SOC 2 Type II: Compliance with SOC 2 Type II requirements year after year signals that Brex maintains a high bar for information security, has met strict compliance requirements (tested through external, on-site audits), and has implemented effective controls to protect customer data.
    • Business impact: SOC 2 Type II is increasingly table stakes for enterprise sales, but our consistent track record and transparent sharing of results reduces customer security evaluation time from months to weeks.
  • SOC 1 Type II: Brex's SOC 1 Type II demonstrates a commitment to robust controls that safeguard the accuracy and reliability of financial data.
    • Strategic value: SOC 1 enables our enterprise customers to rely on our controls for their own financial reporting, reducing their audit burden and ensuring Brex can be a strategic partner rather than just a vendor.
  • PCI DSS: PCI DSS compliance means Brex has been validated against the Payment Card Industry Data Security Standard, a set of security requirements that protect cardholder data throughout its storage, processing, and transmission.
    • Competitive advantage: PCI compliance allows us to offer integrated payment processing capabilities that many fintech vendors cannot, creating a more seamless customer experience.
  • ITGC: Passing an IT General Controls (ITGC) audit signifies Brex's adherence to a stringent set of control requirements over the systems that support its financial services. Effective ITGCs help prevent errors, fraud, and unauthorized access, which are critical for accurate financial disclosures and regulatory adherence.
    • Market differentiator: IT general controls are a key differentiator for SOX compliance and broker-dealers because they ensure the integrity, security, and reliability of information systems that support financial reporting.

Need a copy of a Brex audit report for your third-party due diligence? To access the resources below, please visit our Trust Center and log in with your credentials, which allows you to search for and view these materials under an NDA.

  • SOC 2 Type II
  • SOC 1 Type II
  • PCI DSS
  • ITGC

Infrastructure security

The foundation of trust

You can't build secure applications on insecure infrastructure any more than you can build a skyscraper on quicksand. Infrastructure security establishes protections for the underlying systems, networks, and data storage upon which all other security measures rely. Weak infrastructure security creates vulnerabilities that attackers can exploit to bypass application-level controls and reach sensitive information.

Strategic insight: In the cloud-native era, infrastructure security can actually be a competitive differentiator. While legacy financial institutions struggle with decades-old infrastructure that's difficult to secure and update, Brex's modern, security-first cloud architecture enables us to innovate faster, operate more efficiently, and respond to threats more effectively than competitors anchored to legacy infrastructure. In financial services where trust and speed both matter, that's a formidable competitive moat.

This section details the measures we take to protect our systems, networks, and data at the infrastructure level.

Business continuity and disaster recovery

Resilience as a foundation

What if a vendor you relied on suddenly went offline for a week? How would it impact your business operations? Business continuity and disaster recovery measures are crucial for maintaining operational resilience and minimizing disruptions in the event of unforeseen incidents. By hosting data in North America with backups and failovers in separate geographic locations, and by taking daily backups, Brex works to maintain the continuous availability and integrity of its services and customer data, safeguarding against data loss and service interruptions.

Why this matters strategically: In financial services, uptime is crucial to customer success. When expense management and corporate credit are mission-critical business functions, our ability to maintain 99.9%+ uptime becomes a direct competitive advantage. Traditional banks often struggle with planned maintenance windows and system outages that disrupt business operations. Our cloud-native architecture and automated failover capabilities mean customers experience consistent service availability, enabling their business continuity.

Market differentiation: Many fintech companies offer basic backup and recovery, but few have architected their systems for true business continuity from the ground up. Our geographically distributed infrastructure and automated recovery procedures mean customers can rely on Brex services even during major cloud provider outages or regional disruptions.

Network security

Defense in depth for modern threats

Data breaches don't end where they begin. Network security controls are the difference between losing one server and losing the entire environment. Brex implements several network security measures, including firewall implementation, continuous 24/7 anomaly monitoring, intrusion detection and prevention mechanisms on devices and servers, ongoing network traffic analysis, daily internal network scanning supplemented by annual external expert assessments, and continuous security oversight of network device configurations.

Modern security philosophy: Traditional network security focused on building perimeters, but in a cloud-first, mobile-first world, there is no perimeter. Our approach implements “zero trust” principles where every network request is authenticated and authorized, regardless of source. This not only provides superior security but also enables seamless remote work and international operations that many traditional financial institutions struggle to support securely.

Competitive advantage: Our sophisticated network security monitoring not only prevents attacks but also provides operational intelligence that enhances platform performance and customer experience. We can detect and resolve performance issues before customers notice them, creating a reliability advantage over less mature security programs.

Encryption

Privacy by design in a data-driven world

Encryption is the last line of defense when all other security controls fail. Data encryption transforms sensitive information into an unreadable format, safeguarding it from unauthorized access during transmission and while stored. This protection is essential for maintaining the confidentiality and integrity of financial and personal data, mitigating the risks of data breaches, identity theft, and fraud. At Brex, data is encrypted both in transit and at rest. That last line of defense only holds if the keys are managed separately from the data they protect: encrypted storage whose keys sit beside it, readable by the same compromised credential, adds little.

Strategic differentiation: While many companies implement basic encryption, Brex has architected a system that maintains strong encryption without sacrificing functionality. Our encryption implementation supports real-time analytics, machine learning fraud detection, and personalized customer experiences — capabilities that many competitors sacrifice in the name of security.

Business enabler: Advanced encryption protects customer data while enabling new business models. With customer confidence in our data protection, we can offer sophisticated analytics and AI-powered insights that create additional value for customers while maintaining privacy and security.

Key takeaways

Cloud-native architecture enables faster innovation and threat response than legacy financial institutions

99.9%+ uptime via geographically distributed infrastructure ensures business continuity for mission-critical operations

Zero trust network security with 24/7 monitoring prevents lateral movement and detects threats before customer impact

Advanced encryption in transit and at rest enables real-time analytics without compromising security

Application security

Innovation secured

Application security is a critical component of our overall security strategy. While it may seem like having AppSec processes can slow a business down, the opposite is true. When security is integrated early, you avoid the costly cycle of:

Build feature → Security finds critical flaw in production → Emergency rollback → Rebuild → Retest → Redeploy

Strategic philosophy: Most companies treat security as a gate that slows down development. At Brex, we've reimagined security as an accelerator that enables faster, more confident innovation. By integrating security into every stage of the development lifecycle, we reduce time-to-market while improving quality and customer trust.

Secure product lifecycle (SPL)

Security as an innovation catalyst

A secure product lifecycle program allows fast-moving teams to deploy with confidence. The SPL at Brex is integrated with all stages of the product development lifecycle. It aims to ensure software is developed with security in mind throughout, so that security issues are caught and resolved early. Every product shipped goes through the SPL with one or more security activities applied, including design and architecture review, threat modeling, code analysis, penetration testing, bug bounty, and secure development training.

Competitive advantage: While many companies bolt security onto finished products, our SPL approach means security is an early consideration in the design stage. This enables us to ship features that would be impossible to secure retroactively.

Innovation velocity: Our security-first development approach actually speeds up product delivery. By identifying and addressing security issues during design rather than after deployment, we avoid costly rework and emergency patches that slow down feature development.

Market positioning: Customers increasingly want to see evidence of secure development practices, not just security certifications. Our SPL demonstrates to enterprise buyers that they can trust Brex with their most sensitive business processes because security is built into our DNA, not added as an afterthought.

Vulnerability management

Proactive resilience in a dynamic threat landscape

Organizations aren't always breached through sophisticated attacks; often the entry point is a known vulnerability they never got around to fixing. By conducting regular scans and leveraging threat intelligence, Brex can proactively identify and address potential weaknesses. Timely patching of critical vulnerabilities, within 48 hours of a fix being released, minimizes the window of opportunity for attackers and significantly reduces the risk of security incidents and data breaches. This proactive approach is essential for maintaining the integrity and confidentiality of sensitive data.

Strategic insight: In the modern threat landscape, the question isn't whether vulnerabilities will be discovered, but how quickly you can identify and remediate them. Our 48-hour critical vulnerability response time is a business advantage that ensures customer trust and regulatory compliance.

Competitive differentiation: Many financial technology companies struggle with vulnerability management because they lack the infrastructure and processes for visibility and rapid response. Our automated scanning and streamlined remediation processes enable Brex to maintain security hygiene without sacrificing development velocity.

Risk management: Effective vulnerability management is a form of business insurance. By maintaining strong vulnerability management practices, we reduce the likelihood of security incidents that could result in regulatory fines, customer churn, and reputational damage.

'Vulnerability management flow' diagram
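To make the remediation window above concrete, here is an added example (not Brex's tooling, which this paper does not describe) that turns a scanner export into a prioritized SLA queue. It maps CVSS scores to severity using the standard qualitative bands, starts the clock when a fix was released, and sorts breached findings to the top so the queue is worked in the right order. The 48-hour critical window is the figure stated above; the windows for the other severities, the export format, and the hosts and finding IDs are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Remediation windows (hours) by severity. The 48-hour window for criticals is the
# figure this paper states; the other three are assumed values for illustration,
# not Brex's published policy.
SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 30 * 24, "low": 90 * 24}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating (the published bands)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str           # scanner's own identifier (placeholder values below)
    cvss: float
    fix_released: datetime    # when a fix became available; the SLA clock starts here
    remediated: Optional[datetime] = None

    @property
    def severity(self) -> str:
        return severity_from_cvss(self.cvss)


def sla_status(f: Finding, now: datetime):
    """Return (status, hours_over). status is 'met', 'open', 'breached' or 'untracked'."""
    limit = SLA_HOURS.get(f.severity)
    if limit is None:
        return "untracked", 0.0
    end = f.remediated or now
    elapsed = (end - f.fix_released).total_seconds() / 3600
    over = max(0.0, elapsed - limit)
    if f.remediated is not None:
        return ("met" if over == 0.0 else "breached"), over
    return ("breached" if over > 0.0 else "open"), over


def parse_scan_export(text: str):
    """Parse 'host,finding_id,cvss,fix_released_iso[,remediated_iso]' lines (assumed format)."""
    findings = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        host, fid, cvss, released = parts[:4]
        fixed = parts[4] if len(parts) > 4 and parts[4] else None
        findings.append(Finding(host, fid, float(cvss),
                                datetime.fromisoformat(released),
                                datetime.fromisoformat(fixed) if fixed else None))
    return findings


def sla_report(findings, now: datetime):
    """Rows sorted with the worst breaches first."""
    rows = []
    for f in findings:
        status, over = sla_status(f, now)
        rows.append({"host": f.host, "id": f.finding_id, "severity": f.severity,
                     "status": status, "hours_over": round(over, 1)})
    order = {"breached": 0, "open": 1, "met": 2, "untracked": 3}
    rows.sort(key=lambda r: (order[r["status"]], -r["hours_over"]))
    return rows


# Constructed sample export; hosts and finding IDs are placeholders, not real assets or CVEs.
SAMPLE_EXPORT = """
# host,finding_id,cvss,fix_released,remediated
api-01,FND-1001,9.8,2025-01-08T00:00:00+00:00,
api-02,FND-1002,9.1,2025-01-09T06:00:00+00:00,2025-01-10T02:00:00+00:00
db-01,FND-1003,7.5,2025-01-06T08:00:00+00:00,
web-03,FND-1004,9.4,2025-01-08T10:00:00+00:00,2025-01-10T11:00:00+00:00
"""

# Fixed "now" so the example is reproducible.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in sla_report(parse_scan_export(SAMPLE_EXPORT), NOW):
        print(row)
```

Note that FND-1004 was fixed in 49 hours and still counts as a breach: an SLA report that only looks at open findings hides the near misses that tell you whether the process is actually keeping pace.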

Penetration testing

Real-world validation of security controls

The difference between a penetration test and a data breach is who finds the vulnerability first. Regular internal and external penetration testing, employing both manual and automated techniques, simulates real-world cyberattacks to identify vulnerabilities within our systems and applications before malicious actors can exploit them. By proactively uncovering weaknesses, we can implement the necessary remediations, strengthening our overall security posture.

Strategic value: Penetration testing allows us to validate that our security investments are effective against real-world threats. This gives us confidence to take calculated risks that enable business growth.

Customer trust: In enterprise sales conversations, the ability to demonstrate recent penetration testing results and remediation actions provides concrete evidence of our security commitment. This often accelerates customer decision-making and reduces security evaluation overhead.

Continuous improvement: Our approach to penetration testing focuses not only on identifying current vulnerabilities, but also on understanding attack patterns and enhancing our overall security architecture. This means each test cycle makes us more resilient against future threats.

Bug bounty program

Crowdsourced security at scale

We get notified of vulnerabilities to fix and they get paid (a win-win!). A bug bounty program strengthens security by engaging external researchers to find vulnerabilities, offering cost-effective discovery of weaknesses, including complex ones that automated tooling misses. It complements our other testing with continuous real-world probing, signals our commitment to security, and feeds findings into rapid remediation. We have partnered with Bugcrowd for our bug bounty program.

Innovation advantage: Bug bounty programs represent a fundamental shift from traditional security thinking. Instead of trying to keep security researchers out, we invite them in as partners. This creates a network effect where the global security community helps protect our customers.

Cost efficiency: Maintaining an internal security team capable of finding all potential vulnerabilities would be prohibitively expensive. Bug bounty programs provide access to diverse security expertise at a fraction of the cost of building equivalent internal capabilities.

Reputation building: Active participation in the security research community through bug bounty programs builds our reputation as a security-conscious organization, which helps with talent recruitment and customer trust.

Rapid response: Our bug bounty program includes clear SLAs for response and remediation, ensuring that identified vulnerabilities are addressed quickly. This responsiveness demonstrates our commitment to security and encourages continued researcher participation.

Key takeaways

Secure Product Lifecycle (SPL) integrates security from design through deployment, enabling faster innovation and early issue resolution

48-hour critical vulnerability patching minimizes attack windows without sacrificing development velocity

Regular penetration testing validates controls against real-world threats before exploitation

Bug bounty program via Bugcrowd partnership provides cost-effective, continuous vulnerability discovery

In-product security features

Security as a UX advantage

A product login may be the only security control customers interact with every single day. Make it delightful, not painful. Brex offers a range of built-in security functionality (from authentication and access controls to audit logging) designed to protect your data and provide greater control over your account and information.

Strategic philosophy: Most companies view security features as necessary friction that users must tolerate. At Brex, we design security features that enhance the user experience while providing enterprise-grade protection. This approach creates a competitive advantage where stronger security actually improves customer satisfaction.

SSO and 2FA

Make logging in easy and secure

Users logging in should be effortless; attackers logging in should be impossible. Brex supports comprehensive identity integration capabilities, including any identity provider using the OpenID Connect (OIDC) or SAML protocols, SCIM for automated provisioning and deprovisioning, and mandatory two-factor authentication for all users via SMS, authenticator apps, SSO providers, or biometric authentication on mobile devices. As the guidance earlier in this paper notes, an authenticator app is the stronger second factor where a customer can use one; SMS codes remain exposed to SIM-swap and interception attacks.

Business enabler: SSO and automated provisioning capabilities are sales accelerators for enterprise deals. Complex identity management requirements that could delay implementations by weeks instead integrate seamlessly with customers' existing infrastructure, accelerating time-to-value and removing a common procurement obstacle. While many fintech vendors offer basic SSO, our support for diverse identity providers and SCIM-based lifecycle management demonstrates the enterprise readiness that differentiates mature platforms from startups.

User experience innovation: Multiple 2FA options, including biometrics, make strong authentication convenient rather than burdensome, driving adoption and compliance without friction. Universal 2FA requirements significantly reduce account takeover risk while signaling to enterprise customers that security is embedded at every platform layer, not treated as an afterthought.

Operational efficiency: SCIM support enables customers to integrate Brex into existing user lifecycle management processes, reducing administrative overhead and improving security through automated deprovisioning when employees leave or change roles. Our multi-method authentication approach also positions us to rapidly adopt emerging standards, such as WebAuthn and passkeys, as they mature.

Audit trail

Transparency builds trust

The expense you can't explain is the compliance risk you can't mitigate. Every card transaction and reimbursement in Brex generates a complete, immutable audit trail capturing the full lifecycle, from initial swipe through budget mapping, policy reviews, itemizations, approvals, rejections, accounting categorization, payment, and returns until final export to GL accounts.

Competitive advantage: Audit trail visibility is an enterprise sales differentiator. During procurement evaluations, finance teams consistently cite auditability as a top requirement. While competitors offer basic transaction logs, Brex provides transparency into every decision point and workflow stage. This capability shortens sales cycles by directly addressing CFO and controller concerns about financial controls and compliance readiness.

Risk mitigation: Comprehensive audit trails transform regulatory compliance from a manual burden into an automated evidence collection system. When auditors request documentation for expense decisions, accounting teams provide complete digital trails in minutes rather than reconstructing events from emails and spreadsheets. This reduces audit preparation costs and eliminates the compliance risk of incomplete or contradictory records.

Operational efficiency: Audit trails empower accounting teams to resolve discrepancies and answer questions without involving multiple stakeholders. Rather than chasing down approvers to understand why an expense was processed a certain way, controllers can independently trace the complete path from submission to payment, dramatically reducing resolution time and administrative overhead.

Trust building: Giving customers unrestricted access to audit their own financial data demonstrates confidence in our platform's integrity and respect for their governance requirements, a stark contrast to fintech solutions that treat audit capabilities as optional features rather than foundational trust mechanisms.
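Immutable is a property you should be able to verify, not just a word on a datasheet. The added example below (illustrative code, not a description of how Brex stores its audit trail) links each lifecycle event to the hash of the one before it, so that altering, reordering, or deleting any event is detected by re-verifying the chain. The transaction, stage names, and amounts are constructed to mirror the lifecycle described above, and the function names are this example's own.

```python
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # sentinel "previous hash" for the first entry


def entry_digest(seq: int, prev: str, event: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes the same way.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append_event(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append one lifecycle event; its hash covers the event, its position, and the previous entry's hash."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": copy.deepcopy(event),
             "hash": entry_digest(seq, prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> Optional[int]:
    """Return the index of the first entry that was altered, reordered or removed, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if entry["hash"] != entry_digest(entry["seq"], entry["prev"], entry["event"]):
            return i
        prev = entry["hash"]
    return None


def lifecycle(chain: List[Dict[str, Any]], txn: str) -> List[str]:
    """The ordered stages recorded for one transaction."""
    return [e["event"]["stage"] for e in chain if e["event"].get("txn") == txn]


def build_sample_chain() -> List[Dict[str, Any]]:
    """Constructed trail for one card transaction; names, accounts and amounts are placeholders."""
    chain: List[Dict[str, Any]] = []
    stages = [
        ("swipe", {"amount": 184.50, "merchant": "example-vendor"}),
        ("budget_mapping", {"budget": "eng-travel"}),
        ("policy_review", {"result": "needs_receipt"}),
        ("itemization", {"lines": 2}),
        ("approval", {"approver": "manager-a", "decision": "approved"}),
        ("accounting", {"gl_account": "6100"}),
        ("payment", {"status": "settled"}),
        ("gl_export", {"target": "erp"}),
    ]
    for i, (stage, detail) in enumerate(stages):
        append_event(chain, {"txn": "txn-1", "stage": stage,
                             "ts": f"2025-03-01T09:{i:02d}:00Z", **detail})
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))            # None
    chain[4]["event"]["decision"] = "rejected"        # quietly flip the approval after the fact
    print("tampered at:", verify_chain(chain))       # 4
```

A hash chain only detects tampering by someone who cannot also rewrite every later entry, so in practice the latest hash is periodically written somewhere the application's own credentials cannot modify (a separate account, write-once storage, or a signed checkpoint). Verifying against that anchor is what turns "immutable" from a policy into a check.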

Please see our security measures webpage for more information on our security features and functionality. Developers can also use our API to build custom workflows.

Key takeaways

Universal SSO and SCIM provisioning supports all major identity providers (OIDC/SAML), accelerating enterprise integrations and reducing onboarding friction

Mandatory 2FA across all users via SMS, authenticator apps, SSO, or biometrics significantly reduces account takeover risk

Immutable audit trails from transaction to GL export provide instant compliance documentation and reduce audit preparation costs

IT security

Protecting the protectors

Sophisticated threats make headlines, but most breaches exploit basic IT security gaps: weak passwords, unmanaged devices, and excessive access. Complementing other security programs, our IT security measures play a vital role in the protection of our internal systems and employee devices.

Strategic insight: IT security is often overlooked as a competitive advantage, but in financial services, the security of internal systems directly impacts customer protection. A breach of employee systems can lead to customer data exposure, making internal security a customer protection imperative.

Endpoint security

Workforce enablement through security

Endpoints are where users work, where data lives, and where most breaches begin. Endpoint security safeguards Brex's internal systems and employee devices, preventing data leakage and protecting against malware and phishing attacks. Measures such as data loss prevention, device encryption, multi-factor authentication, regular patching, and advanced email protection minimize vulnerabilities and maintain the security of sensitive information.

Remote work enabler: Our comprehensive endpoint security enables secure remote work without compromising security posture. This gives us access to global talent and operational flexibility that many traditional financial institutions cannot match due to security constraints or a lack of visibility.

Productivity enhancer: Advanced threat protection and automated security management reduce the security friction that typically slows down employee productivity. Our security tools work invisibly in the background, allowing employees to focus on customer value creation.

Cultural advantage: By providing employees with secure, well-managed devices and systems, we create a security-conscious culture where good security practices become natural rather than burdensome.

Password policy

Modern authentication for a mobile workforce

Passwords are the keys to your kingdom; don’t leave them under the doormat. Brex employs a password manager that adheres to NIST guidelines. Multi-factor authentication (MFA) is mandatory for employees and contractors across all systems, whether managed internally or by third parties.

Security evolution: Our password policy reflects modern NIST guidelines that prioritize usability alongside security. By providing password managers and supporting diverse authentication methods, we achieve stronger security with a better user experience.

Risk reduction: Universal MFA requirement across all systems, including third-party services, significantly reduces our attack surface and demonstrates our commitment to defense in depth.

Compliance advantage: Our advanced password and authentication policies often exceed customer requirements, reducing security evaluation time and demonstrating our security leadership.

Identity and access management (IAM)

Least privilege as a business principle

Every employee needs access to do their job, but access that is too broad can have catastrophic consequences. Brex employs role-based access to internal systems, requiring manager approval, and reviews permissions quarterly to uphold the principle of least privilege. As a remote/hybrid company, Brex maintains strict standards for data access and usage, including provisioning, deprovisioning, auditing, background checks, logging, alerting, monitoring, and endpoint security.

Operational efficiency: Sophisticated IAM actually improves productivity by ensuring employees have exactly the access they need when they need it. Automated provisioning and deprovisioning reduce administrative overhead while improving security.

Scalability enabler: As Brex grows rapidly, our IAM system ensures we can onboard new employees quickly while maintaining security controls. This enables business growth without security compromise.

Audit readiness: Comprehensive access logging and regular reviews mean we're always audit-ready, reducing compliance burden and enabling faster customer security evaluations.
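The quarterly review described above, as an added example rather than Brex's tooling (role names, entitlements, users and dates are constructed): each grant is checked against the role's baseline, for a recorded manager approval, for a deprovisioning gap, and for long-unused access, and the findings go to a human reviewer.

```python
from datetime import date

# Constructed sample data; none of these roles, systems or people are Brex's.
ROLE_BASELINE = {
    "controller": {"ledger:read", "ledger:export", "expenses:approve"},
    "engineer": {"repo:write", "ci:trigger"},
}

EMPLOYEES = {
    "ana@example.com": {"role": "controller", "status": "active"},
    "bo@example.com": {"role": "engineer", "status": "active"},
    "cy@example.com": {"role": "engineer", "status": "offboarded"},
}

GRANTS = [
    {"user": "ana@example.com", "entitlement": "ledger:export",
     "approved_by": "cfo@example.com", "last_used": date(2024, 6, 20)},
    {"user": "bo@example.com", "entitlement": "ledger:export",
     "approved_by": None, "last_used": date(2024, 1, 5)},
    {"user": "bo@example.com", "entitlement": "repo:write",
     "approved_by": "lead@example.com", "last_used": date(2024, 6, 28)},
    {"user": "cy@example.com", "entitlement": "ci:trigger",
     "approved_by": "lead@example.com", "last_used": date(2024, 3, 1)},
]

def review_access(grants, employees, as_of, stale_days=90):
    """Return (user, entitlement, reason) findings for the reviewer; an empty list means clean."""
    findings = []
    for g in grants:
        user, ent = g["user"], g["entitlement"]
        emp = employees.get(user)
        if emp is None or emp["status"] != "active":
            # Deprovisioning gap: the grant outlived the employment relationship.
            findings.append((user, ent, "user not active: deprovision"))
            continue
        if ent not in ROLE_BASELINE.get(emp["role"], set()):
            findings.append((user, ent, "outside role baseline: needs justification"))
        if not g["approved_by"]:
            findings.append((user, ent, "no recorded manager approval"))
        idle = (as_of - g["last_used"]).days
        if idle > stale_days:
            findings.append((user, ent, f"unused for {idle} days: candidate for removal"))
    return findings

def run_sample_review():
    """Run the review over the constructed data as of an assumed quarter boundary."""
    return review_access(GRANTS, EMPLOYEES, date(2024, 7, 1))
```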

Key takeaways

Comprehensive endpoint protection enables secure remote work across a global workforce

NIST-compliant password management with mandatory MFA across all internal and third-party systems reduces our attack surface

Role-based access controls maintain least privilege principles at scale

Operational security

Where process meets protection

The best security controls in the world are worthless if nobody knows who's responsible for them, how to respond when they fail, or whether your vendors are undermining them. Operational security, encompassing governance, risk and compliance (GRC), incident response, and vendor management, is what transforms security from a collection of tools into a functioning defense system. Our operational security practices are designed not just to protect data, but to enable business operations while maintaining appropriate risk levels. It’s where security theory meets business reality.

Governance and risk management

Strategic security leadership

Without clear governance, security becomes reactive chaos. Who owns security decisions? How are policies updated? What happens when controls conflict with business objectives? Effective governance establishes accountability, defines decision-making authority, and ensures security evolves with the business rather than blocking it. Organizations like Brex with mature governance frameworks make consistent, defensible security decisions; those without governance make expedient ones they later regret.

Risk and compliance as business enablers: GRC programs often get dismissed as checkbox exercises, but sophisticated organizations use them strategically. Continuous risk assessment identifies which threats actually matter to your business, allowing you to allocate security resources where they'll have the greatest impact to enable the business to innovate safely.

Market differentiation: Compliance frameworks like SOC 2, SOC 1, PCI DSS, and industry-specific standards aren't burdens. They're competitive differentiators that unlock enterprise sales, command premium pricing, and demonstrate operational maturity that Brex customers, investors, and regulators value.

Operational excellence: Comprehensive governance and risk management programs that leverage AI and automation to reduce manual processes allow GRC teams to streamline operations, invest in thoughtful and strategic controls, and identify and address potential issues before they impact customers. GRC Engineering is here.

Incident response and management

Turning disruption into advantage

Most security programs will eventually face a breach, compromise, or operational failure. The only way to minimize damage is preparation. Formal incident response capabilities (e.g., documented playbooks, practiced tabletop exercises, clear escalation paths, and pre-established communication channels) determine whether you contain a breach in hours or discover it after months of undetected access.

Brex has an Incident Response Framework and a dedicated response team that is leveraged in case of an information security event, such as a data breach or fraud. The framework outlines the identification of incidents and their characteristics to ensure consistent classification and reporting. It also delineates ownership responsibilities and defines goals. Brex Incident Response Plan Stages include:

  • Preparation and detection
  • Analysis
  • Containment and eradication
  • Recovery and post-incident activity

Strategic value: Effective incident response works to minimize damage while learning from events to strengthen overall security posture. Our structured approach to incident response often yields security improvements that enhance our overall programs and posture.

Customer confidence: Having a proven incident response capability gives customers confidence that if something does go wrong, we have the processes and expertise to respond effectively. This reduces customer risk perception and competitive evaluation time. Our structured incident response framework also ensures we meet regulatory notification requirements while maintaining business continuity.

Figure: Brex incident response plan stages

Vendor management

A critical component of your security program

Your security perimeter now includes every third-party vendor with access to your systems or data. Let that sink in. The most robust internal controls mean nothing if a vendor's compromised credentials provide a backdoor into your environment. Systematic vendor risk assessment, ongoing monitoring of vendor security posture, contractual security requirements, and periodic reassessment transform your supply chain from a liability into a managed risk. For a growing technology company, third-party risk management is no longer optional, it's foundational.

Brex's approach includes policies, subject matter experts, annual reviews, contractual requirements (DPAs/SCCs), AI risk management, and ongoing monitoring to safeguard customer and employee data in its extended ecosystem.

Innovation enabler: Sophisticated vendor management allows us to more safely leverage best-of-breed third-party services, giving us technological capabilities that would be prohibitively expensive to build internally while allowing us to adapt to risks posed by emerging technologies.

Risk mitigation: By extending our security standards to our vendor ecosystem, we create a “security network effect" where our vendors become additional layers of protection rather than potential vulnerabilities.

Operational efficiency: Standardized vendor security requirements, right-sized risk management, and monitoring reduce the time and effort required to onboard new partners, enabling faster business development and partnership formation.

Key takeaways

SOC 2, SOC 1, and PCI DSS compliance with AI-automated GRC processes unlocks enterprise sales and demonstrates operational maturity

Incident Response Framework with documented playbooks and four-stage response process minimizes breach impact and maintains customer confidence

Vendor risk management with annual reviews, DPAs/SCCs, and continuous monitoring extends security controls across the supply chain

AI at Brex

Responsible innovation in financial technology

AI represents the most significant opportunity to reimagine financial operations in decades, yet it also introduces new attack surfaces, privacy risks, and regulatory uncertainties. Brex is harnessing AI to transform how customers manage expenses, optimize cash flow, and streamline financial operations. But unlike those racing to ship AI features without adequate safeguards, we've anchored our AI strategy in a principle that guides every decision: innovation and security are not tradeoffs to balance. They're both requirements to integrate.

Companies treating AI as simply another feature to bolt onto existing products are building tomorrow's breaches today. The winners in AI-powered financial services won't be the fastest to market; they'll be those who earn customer trust through demonstrable commitment to secure, privacy-respecting AI development.

For an introduction to how Brex publicly discusses its usage of AI, see our Brex AI Risks and Guidelines whitepaper. More information on our use of AI can be found on our intelligent finance webpage.

Figure: AI risk surface diagram

AI governance

Leading through responsible innovation

Brex has developed a comprehensive AI risk management framework that treats security and privacy as architectural requirements, not compliance afterthoughts. This framework governs everything from how we select and evaluate AI vendors to how we design prompts, protect customer data, and respond to emerging AI-specific threats. Every AI capability in Brex, including our Brex Assistant, is developed under this framework, ensuring that the intelligence we add to our platform never compromises the security customers depend on.

Brex mitigates risks from AI through a cross-functional team across Trust, Privacy/Legal, Engineering, and AI internal SMEs to govern Brex's use of AI. This team is charged with ensuring Brex takes full advantage of AI while addressing risk via:

  • Documented AI-specific risk assessments (internal and as part of our third-party risk management program)
  • Internal AI usage guidelines, recommendations, and best practices that cover privacy and security
  • Brex's Secure Product Lifecycle
  • Annual, external penetration tests
  • Policies and procedures specific to AI
  • Contractual protections (e.g., MSA, DPA)

Note: Customer data is not used to train any external third-party AI model.

Rather than constraining AI development, our governance framework provides clear guidelines that actually accelerate AI deployment by reducing uncertainty and ensuring consistent risk management.

Market-leading innovation: While reactive companies will spend the next several years retrofitting security into AI systems they've already deployed, Brex is building AI capabilities with security embedded from inception. This commitment to building safer AI solutions positions us as the partner of choice for enterprises that recognize AI's potential but won't sacrifice security to capture it.

Future readiness: Our comprehensive AI risk management framework positions us to adapt quickly to emerging AI regulations and industry standards, maintaining our competitive position as the AI landscape evolves.

Key takeaways

Cross-functional AI governance with risk assessments, usage guidelines, and Secure Product Lifecycle (SPL) integration enables secure, rapid AI deployment

Third-party AI risk management with contractual protections (MSAs/DPAs) and vendor assessments secures the AI supply chain

Customer data is never used to train external AI models, maintaining strict privacy and confidentiality standards

Conclusion

Security as a strategic advantage

In an industry where trust is the ultimate currency, Brex has proven that comprehensive security is about enabling sustainable growth, customer confidence, and market differentiation. Our security-first approach allows us to move faster than traditional financial institutions while maintaining higher security standards than most fintech competitors.

The future of financial technology belongs to companies that can balance innovation velocity with institutional-grade security. Brex has built this capability from the ground up, creating a sustainable competitive advantage that enables us to serve customers ranging from fast-growing startups to global Fortune 500 enterprises.

As the financial services landscape continues to evolve, security will become an even more important differentiator. Organizations that view security as a strategic enabler rather than a compliance burden will capture market share, customer loyalty, and regulatory confidence.

At Brex, security isn't what we do after we build great products. Security is how we build great products.
