Chief Information Security Officer. (i) The Plan Processor shall designate an employee of the Plan Processor to serve, subject to the approval of the Operating Committee by Supermajority Vote, as the Chief Information Security Officer. The Plan Processor shall also designate at least one other employee (in addition to the person then serving as Chief Information Security Officer), which employee the Operating Committee has previously approved, to serve temporarily as the Chief Information Security Officer if the employee then serving as the Chief Information Security Officer becomes unavailable or unable to serve in such capacity (including by reason of injury or illness). Any person designated to serve as the Chief Information Security Officer (including to serve temporarily) shall be appropriately qualified to serve in such capacity based on the duties and responsibilities assigned to the Chief Information Security Officer under this Agreement and shall dedicate such person’s entire working time to such service (or temporary service) (except for any time required to attend to any incidental administrative matters related to such person’s employment with the Plan Processor that do not detract in any material respect from such person’s service as the Chief Information Security Officer). The Plan Processor may, at its discretion: (A) designate another employee previously approved by the Operating Committee by Supermajority Vote to serve in such capacity to temporarily serve as the Chief Information Security Officer if the employee then serving as Chief Information Security Officer becomes unavailable or unable to serve as Chief Information Security Officer (including by reason of injury or illness) for a period not in excess of thirty (30) days; or (B) designate another employee of the Plan Processor to replace, subject to approval of the Operating Committee by a Supermajority Vote, the Chief Information Security Officer. 
The Plan Processor shall promptly designate another employee of the Plan Processor to replace, subject to the approval of the Operating Committee by Supermajority Vote, the Chief Information Security Officer if the Chief Information Security Officer’s employment with the Plan Processor terminates or the Chief Information Security Officer is otherwise unavailable or unable to serve as Chief Information Security Officer (including by reason of injury or illness) for a period in excess of thirty (30) days. The Operating Committee shall report any action taken pursuant to Section 6.2(b)(i) to the SEC. (ii) The Plan Processor, subject to the oversight of the Operating Committee, shall ensure that the Chief Information Security Officer has appropriate resources to fulfill the obligations of the Chief Information Security Officer set forth in SEC Rule 613 and in this Agreement, including providing appropriate responses to questions posed by the Participants and the SEC. (iii) In respect of all duties and responsibilities of the Chief Information Security Officer in such capacity (including those set forth in this Agreement), the Chief Information Security Officer shall be directly responsible and directly report to the Operating Committee, notwithstanding that he or she is employed by the Plan Processor. (iv) The compensation (including base salary and bonus) of the Chief Information Security Officer shall be payable by the Plan Processor, but subject to review and approval by the Operating Committee, and the Operating Committee shall render the Chief Information Security Officer’s annual performance review. 
(v) Consistent with Appendices C and D, the Chief Information Security Officer shall be responsible for creating and enforcing appropriate policies, procedures, and control structures to monitor and address data security issues for the Plan Processor and the Central Repository including: (A) data security, including the standards set forth in Appendix D, Data Security; (B) connectivity and data transfer, including the standards set forth in Appendix D, Connectivity and Data Transfer; (C) data encryption, including the standards set forth in Appendix D, Data Encryption; (D) data storage and environment, including the standards set forth in Appendix D, Data Storage and Environment; (E) data access and breach management, including the standards set forth in Appendix D, Data Access, and Appendix D, Breach Management; (F) PII data requirements, including the standards set forth in Appendix D, PII Data Requirements; (G) industry standards, including the standards set forth in Appendix D, Industry Standards; and (H) penetration test reviews, which shall occur at least every year or earlier, or at the request of the Operating Committee, set forth in Appendix D, Data Storage and Environment. (vi) At regular intervals, to the extent that such information is available to the Company, the Chief Information Security Officer shall report to the Operating Committee the activities of the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or other comparable body. (vii) The Chief Information Security Officer shall review the information security policies and procedures of the Participants that are related to the CAT to ensure that such policies and procedures are comparable to the information security policies and procedures applicable to the Central Repository. 
If the Chief Information Security Officer, in consultation with the Chief Compliance Officer, finds that any such policies and procedures are not comparable to the policies and procedures applicable to the CAT System, and the issue is not promptly addressed by the applicable Participant, the Chief Information Security Officer, in consultation with the Chief Compliance Officer, will be required to notify the Operating Committee of such deficiencies.
Appears in 10 contracts
Samples: Limited Liability Company Agreement, Limited Liability Company Agreement, Limited Liability Company Agreement
Chief Information Security Officer. (i) The Plan Processor shall designate an employee of the Plan Processor to serve, subject to the approval of the Operating Committee by Supermajority Vote, as the Chief Information Security Officer. The Plan Processor shall also designate at least one other employee (in addition to the person then serving as Chief Information Security Officer), which employee the Operating Committee has previously approved, to serve temporarily as the Chief Information Security Officer if the employee then serving as the Chief Information Security Officer becomes unavailable or unable to serve in such capacity (including by reason of injury or illness). Any person designated to serve as the Chief Information Security Officer (including to serve temporarily) shall be appropriately qualified to serve in such capacity based on the duties and responsibilities assigned to the Chief Information Security Officer under this Agreement and shall dedicate such person’s entire working time to such service (or temporary service) (except for any time required to attend to any incidental administrative matters related to such person’s employment with the Plan Processor that do not detract in any material respect from such person’s service as the Chief Information Security Officer). The Plan Processor may, at its discretion: (A) designate another employee previously approved by the Operating Committee by Supermajority Vote to serve in such capacity to temporarily serve as the Chief Information Security Officer if the employee then serving as Chief Information Security Officer becomes unavailable or unable to serve as Chief Information Security Officer (including by reason of injury or illness) for a period not in excess of thirty (30) days; or (B) designate another employee of the Plan Processor to replace, subject to approval of the Operating Committee by a Supermajority Vote, the Chief Information Security Officer. 
The Plan Processor shall promptly designate another employee of the Plan Processor to replace, subject to the approval of the Operating Committee by Supermajority Vote, the Chief Information Security Officer if the Chief Information Security Officer’s employment with the Plan Processor terminates or the Chief Information Security Officer is otherwise unavailable or unable to serve as Chief Information Security Officer (including by reason of injury or illness) for a period in excess of thirty (30) days. The Operating Committee shall report any action taken pursuant to Section 6.2(b)(i) to the SEC.
(ii) The Plan Processor, subject to the oversight of the Operating Committee, shall ensure that the Chief Information Security Officer has appropriate resources to fulfill the obligations of the Chief Information Security Officer set forth in SEC Rule 613 and in this Agreement, including providing appropriate responses to questions posed by the Participants and the SEC.
(iii) In respect of all duties and responsibilities of the Chief Information Security Officer in such capacity (including those set forth in this Agreement), the Chief Information Security Officer shall be directly responsible and directly report to the Operating Committee, notwithstanding that he or she is employed by the Plan Processor.
(iv) The compensation (including base salary and bonus) of the Chief Information Security Officer shall be payable by the Plan Processor, but subject to review and approval by the Operating Committee, and the Operating Committee shall render the Chief Information Security Officer’s annual performance review.
(v) Consistent with Appendices C and D, the Chief Information Security Officer shall be responsible for creating and enforcing appropriate policies, procedures, and control structures to monitor and address data security issues for the Plan Processor and the Central Repository including:
(A) data security, including the standards set forth in Appendix D, Data Security;
(B) connectivity and data transfer, including the standards set forth in Appendix D, Connectivity and Data Transfer;
(C) data encryption, including the standards set forth in Appendix D, Data Encryption;
(D) data storage and environment, including the standards set forth in Appendix D, Data Storage and Environment;
(E) data access and breach management, including the standards set forth in Appendix D, Data Access, and Appendix D, Breach Management;
(F) PII data requirements, including the standards set forth in Appendix D, PII Data Requirements;
(G) industry standards, including the standards set forth in Appendix D, Industry Standards; and
(H) penetration test reviews, which shall occur at least every year or earlier, or at the request of the Operating Committee, set forth in Appendix D, Data Storage and Environment.
(vi) At regular intervals, to the extent that such information is available to the Company, the Chief Information Security Officer shall report to the Operating Committee the activities of the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or other comparable body.
(vii) The Chief Information Security Officer shall review the information security policies and procedures of the Participants that are related to the CAT to ensure that such policies and procedures are comparable to the information security policies and procedures applicable to the Central Repository. If the Chief Information Security Officer, in consultation with the Chief Compliance Officer, finds that any such policies and procedures are not comparable to the policies and procedures applicable to the CAT System, and the issue is not promptly addressed by the applicable Participant, the Chief Information Security Officer, in consultation with the Chief Compliance Officer, will be required to notify the Operating Committee of such deficiencies.
Appears in 5 contracts