Data Protection, Mobvista
September 22, 2020

Sean Song: How Mobvista Built a Data Security “Moat”

With the development of the mobile Internet industry and technological innovation, the amount of personal information has grown exponentially, resulting in increasingly stronger data security concerns.

Vali Scorus

Content Marketing Manager

According to the Global Data Leakage Report 2019 released by InfoWatch, the volume of global corporate confidential data breaches increased by nearly 28% compared to the same period in 2018, with data of 216 million users being leaked in Q2 2019 alone. At the same time, Internet giants like Facebook and Google have been frequently investigated or prosecuted by governments of multiple countries for data privacy issues over the past few years. Evidently, data breaches and privacy protection have become some of the most common types of cybersecurity concerns worldwide, which has resulted in serious public opinion and trust crises for companies.

The large-scale mobile advertising industry is inextricably linked to data, and extensive user data is extremely important for mobile advertising platforms in order to run targeted personalized marketing campaigns. The data security and user privacy protection of such platforms, which connect advertisers and traffic owners and rest at the core of networks for the industry, have become highly sensitive, and the two issues will always have an impact on the entire ecosystem. That’s because the data on those platforms does not only belong to them, but is also closely related to major Internet companies and a large number of mobile Internet users. Therefore, ensuring complete data security has become the top priority and foundation of mobile advertising platforms.

Under this circumstance, what should mobile advertising platforms and related companies in the industry do to solve the data security and user privacy protection issues they have encountered or will encounter in the future? To answer this question, we interviewed Mobvista CFO Sean Song, who introduced the company’s strategic layout for data security and user privacy protection, while also looking at future trends in terms of data security and compliance in the mobile advertising industry.

An industry pioneer that is always compliant with the latest regulations

Song pointed out that Mobvista has been continuously working to understand existing data security issues and has been collecting opinions on requirements that industry members may put forward for data security in the future. In addition, the company is constantly following up international laws and regulations around data security in order to keep up and remain compliant.

As early as 2017, Mobvista observed that people were increasingly concerned about data security and privacy protection in the mobile Internet industry. For example, Facebook is frequently asked by Congress about the violation of user privacy, and Google’s Android is also questioned by many people about its data security. Besides, numerous famous and successful companies are often inquired by legislative bodies and the public media whether they have proper user privacy procedures in place.

This has enabled Mobvista to realize the importance of data security and user privacy protection for its long-term growth. Moreover, the company began to follow up on international data security laws and regulations, hire lawyers to conduct risk assessments, and exchange best practices with large companies around data security and user privacy protection.

Song said: “We have been compliant with GDPR (General Data Protection Regulation) as well as CCPA (California Consumer Privacy Act) and COPPA (Children’s Online Privacy Protection Act) in the U.S. for a long time. Apart from that, we have employed legal experts in Europe and the U.S. to learn about the latest data security legislations and to have them help assess our data security risks in terms of contracting, daily operations, and data processing.”

It is also worth mentioning that Mobvista has been making some breakthroughs in the mobile advertising industry in China. On May 14 this year, the company released the Mobvista Mobile Ad Fraud White Paper 2.0 which elaborated on the current status of mobile ad fraud, fraud methods, and anti-fraud strategies, with the aim to enhance the industry’s transparency and promote a healthy expansion of the mobile advertising ecosystem.

Using third-party audits to increase credibility

With a good understanding of the specific data security and privacy protection required by the industry, Mobvista began to take a more proactive and practical approach – using audits and oversight from an independent third-party agency to ensure data compliance and security at all levels within the platform, in a bid to further bolster its credibility in the industry.

On August 26 this year, Mobvista commissioned one of the four major international accounting firms to perform the SOC2 audit and obtained the SOC2 Type1 report.

The SOC report is a System and Organization Controls (SOC) service audit report formulated by the American Institute of Certified Public Accountants (AICPA), which includes three forms: SOC1, SOC2, and SOC3. Among them, SOC2 is a standard dedicated to data security and privacy protection. The SOC2 report is recognized as the world’s most authoritative and professional report on data security, which can accurately reflect the data security realities of the audited company.

According to Song, the SOC2 audit assessed the design suitability and implementation effectiveness of control measures concerning security, availability, process integrity, confidentiality, and privacy of services such as Mobvista’s top media advertising solutions, programmatic advertising solutions, network-wide traffic aggregation marketing solutions, SpotMax central technology platform, and mobile analytics solutions.

Furthermore, during the SOC2 audit process, Mobvista also undertook comprehensive internal improvements and enhancements based on the requirements and opinions of the third-party auditors. For instance, the company standardized its systems to further clarify operational boundaries as well as the division of roles and responsibilities, optimized internal controls by organizing training courses and traceability processes, tightened access management, and set out to build a robust information security management system.

Song mentioned that “The majority of clients who use the SOC audit services provided by the Big Four international accounting firms are big enterprises and multinational companies, such as banks, insurance companies, Internet giants and server suppliers; the Big Four had little experience in offering advertising companies these types of services. As a result, auditors spent a long time carrying out the SOC2 auditing process and as a company, we were definitely inexperienced with this kind of process. Since the auditors had never audited similar companies before and they didn’t know much about our company’s internal processes, the audit process took a lot of effort.”

Song also revealed that he had started to negotiate the signing of a SOC2 service agreement with auditors and potential partners as early as October last year, but it was not until April this year that the contract was eventually signed. It took Mobvista four months to obtain the SOC2 report on August 26 this year, which can be a long and arduous process.

Since the SOC2 audit takes so much effort, requires cooperation from all parties to complete, and few companies in the mobile advertising industry have done the audit, why did Mobvista agree to do this and devote so much time and resources to pass it?

Song revealed that “We learned about SOC2 through our interactions with large financial companies. Although the mobile advertising industry does not require companies like Mobvista to acquire the SOC2 report, it is essential to invest energy and resources to improve our internal controls and procedures as data security and privacy protection are becoming increasingly important. While this is not something that will yield immediate results in the short term, from a long-term perspective, as a global company, not only is it important to lead in business scale, but it is also important to adhere to globally recognized standards and hold ourselves to stricter standards to lead in data compliance. At the same time, we hope that by doing this we can slowly influence other players in the industry and play a leading role in promoting the development of the entire industry ecosystem.”

All in all, Mobvista has refined its internal data security procedures through third-party auditing and supervision, thereby achieving the ultimate goal of ensuring its partners’ data security as well as the privacy and security of individual users. It is worth noting that Mobvista is the first mobile advertising company in the industry to obtain the SOC2 report. Song also stated that because the SOC2 Type1 report is a testimony of an organization’s procedures at a specific point in time, Mobvista has added the SOC2 Type2 report to its roadmap. Looking ahead, the company will conduct annual audits and will continue to enhance its internal controls in accordance with SOC2 requirements to ensure that it is always compliant with the latest data security standards.

Building an internal management system for information security

Since its inception, Mobvista has always believed in the importance of data security and has constantly taken steps in this direction, such as understanding relevant laws and regulations, and entrusting a third-party agency to offer audit and supervision services to optimize internal data management systems and processes. However, these measures are not enough for absolute data security. In order to truly achieve a high level of data security, it is vital for Mobvista to set up its own information security management system.

ISMS (Information Security Management System), a concept developed in the UK around 1998, is an idea and method of management system that is applied in the area of information security. ISMS refers to standardizing corporate information security management, raising the internal security awareness of the organization, strengthening the protection of information assets, avoiding legal compliance risks caused by information security, and supporting the organization’s security development in a safe environment.

In order to strengthen its internal data security, Mobvista has started working on building its own ISMS. Currently, this project has passed internal review and is ready to enter the audit stage. Once the company meets the review and development criteria, it will obtain an ISO certification. This certification will provide the company with integrity credentials, and it will also be strong proof of Mobvista’s business operation capabilities and its ability to continuously improve them.

Developing an ISMS will focus on accomplishing Mobvista’s security management goals, including the establishment of a macro organizational structure, rule generation, implementation at all business levels, continuous review and standardization of personnel structure, as well as adjustments and improvements after the system goes live.

 As Internet information security is facing threats from many areas and the accountability of corporate information breach becomes the norm, more and more mobile advertising companies will develop their own information security systems. On one hand, building an ISMS can effectively improve the company’s security attributes, so that the information assets on which the organization’s core business depends for continuity are properly protected, and establish a continuous planning framework for strong business growth. On the other hand, this can also avoid some disputes concerning Internet rights and liabilities such as privacy disputes, fraud suspicion, data breaches and so on.

Based on Mobvista’s data information security layout, we can see that mobile advertising companies can guarantee their own data security through three levels.

Firstly, those enterprises should pay attention to data security trends in the global Internet industry as early as possible, understand relevant laws and regulations, develop an initial awareness of protecting data security, and look for suitable methods to regulate data security and privacy protection. Secondly, they should entrust a third-party independent organization for auditing and supervision, as well as constantly adjust and optimize their internal control structure according to the ever-changing regulatory requirements to protect their internal data security. Thirdly, they should build an internal ISMS that involves formulating information security guidelines and policies as well as performing information security work, so that all staff will have a good information security awareness, from top to bottom.

Especially in the context of multifaceted threats to Internet information security and the implementation of more and more data privacy protection laws and regulations around the world, mobile advertising companies should make all the preparations necessary for protecting information security in advance, take the initiative to improve internal controls and create a real data security “moat”, in order to increase the industry’s credibility and achieve healthy, long-term development.