General Security Requirements. (a) GA will maintain a written, information security program designed to protect the confidentiality, integrity and availability of Confidential Information in paper or other records and within its information system, including computers, devices, applications, and any wireless systems, and designed to perform the following core information security functions:
(i) identify and assess both internal and external information security risks (“Risk Assessment”);
(ii) utilize a defensive infrastructure;
(iii) implement policies and procedures that protect Confidential Information from unauthorized Use;
(iv) detect, respond to, and mitigate, Information Security Breaches and Security Incidents, restoring normal operations and services; and
(v) fulfill regulatory reporting obligations.
(b) The Risk Assessment performed by GA will be:
(i) sufficient to inform the design of the information security program;
(ii) updated as reasonably necessary to address changes to GA’s information systems, records, Confidential Information, and business operations; and
(iii) documented and carried out in accordance with written policies and procedures.
(c) GA will designate a qualified individual responsible for overseeing and implementing its information security program and enforcing its information security policy initiatives.
(d) GA will assess the effectiveness of its information security program through continuous monitoring, periodic penetration testing and vulnerability assessments, or similar actions, all as dictated by its Risk Assessment.
(e) GA, or GA’s designated third party, will:
(i) utilize qualified information security personnel to manage its information security risks and perform or oversee the performance of GA’s core information security functions; and
(ii) provide or verify that such personnel have obtained periodic information security training to maintain up-to-date knowledge of changing information security threats and countermeasures.
(f) GA will provide regular information security awareness training for all personnel.
(g) GA will have written policies, implemented and approved by senior management for the protection of its information systems and Confidential Information, addressing the following:
(i) data governance and classification;
(ii) asset inventory and device management;
(iii) access controls and identity management;
(iv) business continuity and disaster recovery planning;
(v) system security and monitoring;
(vi) network security and monitoring;
(vii) physical security and environmental controls;
(viii) customer data privacy; and
(ix) vendor and third-party service provider (“TPSP”) management, to include the following topics:
(A) identification and risk assessment of TPSPs;
(B) minimum information security practices required of TPSPs;
(C) due diligence processes for assessing the information security practices of TPSPs; and
(D) periodic assessment of TPSPs, based on the risk and the continued adequacy of the TPSPs’ information security practices.
(h) The following information systems’ controls will be utilized by GA, to the extent prescribed by its written information security program:
(i) limited user access privileges to information systems providing access to Confidential Information and periodical review of such access privileges, as dictated by GA’s Risk Assessment;
(ii) multi-factor authentication for any individual accessing GA’s internal networks from an external network, and for all privileged access to GA’s cloud-based systems;
(iii) implementation of risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized Use or tampering with Confidential Information; and
(iv) implementation of encryption to protect Confidential Information, both in transit over external networks, and at rest.
(i) To the extent dictated by GA’s Risk Assessment, and for a duration specified by its records retention standards, GA will maintain audit trails:
(i) for material financial transactions; and
(ii) sufficient to recreate Security Incidents.
(j) GA will have written procedures, guidelines and standards for the secure development of applications created in-house, and procedures for evaluating and testing the security of externally-developed applications used on GA’s information systems.
(k) GA will have a written Security Incident response plan designed to promptly respond to, and recover from, any Information Security Breach or successful Security Incident materially affecting the confidentiality, integrity or availability of the Confidential Information or the continuing functionality of any aspect of Company’s business or operations. The plan will address the following areas:
(i) internal processes for responding to an Information Security Breach or successful Security Incident;
(ii) goals of the plan;
(iii) definition and clear roles, responsibilities and levels of decision-making authority;
(iv) external and internal communications and information sharing;
(v) identification or requirements for the remediation of any identified weaknesses in information systems and associated controls;
(vi) documentation and reporting regarding Information Security Breaches or successful Security Incidents and related incident response activities; and
(vii) evaluation and revision as necessary of the plan following an Information Security Breach or successful Security Incident.
(l) No transfer of Confidential Information may be made by GA outside of the United States without the prior, express written authorization of Company.
(m) Company may require GA to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third-party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA. GA will have thirty (30) calendar days to implement remedies to any identified deficiencies and notify Company that such deficiencies have been addressed. GA’s failure to remedy the identified deficiencies will be considered in breach of this Section 5.
Appears in 2 contracts
Samples: General Agent Agreement, Contract
General Security Requirements. (a) GA General Agent will maintain a written, information security program designed to protect the confidentiality, integrity and availability of Confidential Information in paper or other records and within its information system, including computers, devices, applications, and any wireless systems, and designed to perform the following core information security functions:
(i) identify and assess both internal and external information security risks (“Risk Assessment”);
(ii) utilize a defensive infrastructure;
(iii) implement policies and procedures that protect Confidential Information from unauthorized Use;
(iv) detect, respond to, and mitigate, Information Security Breaches and Security Incidents, restoring normal operations and services; and
(v) fulfill regulatory reporting obligations.
(b) The Risk Assessment performed by GA General Agent will be:
(i) sufficient to inform the design of the information security program;
(ii) updated as reasonably necessary to address changes to GA General Agent’s information systems, records, Confidential Information, and business operations; and
(iii) documented and carried out in accordance with written policies and procedures.
(c) GA General Agent will designate a qualified individual responsible for overseeing and implementing its information security program and enforcing its information security policy initiatives.
(d) GA General Agent will assess the effectiveness of its information security program through continuous monitoring, periodic penetration testing and vulnerability assessments, or similar actions, all as dictated by its Risk Assessment.
(e) GA General Agent, or GA General Agent’s designated third party, will:
(i) utilize qualified information security personnel to manage its information security risks and perform or oversee the performance of GA General Agent’s core information security functions; and
(ii) provide or verify that such personnel have obtained periodic information security training to maintain up-to-date knowledge of changing information security threats and countermeasures.
(f) GA General Agent will provide regular information security awareness training for all personnel.
(g) GA General Agent will have written policies, implemented and approved by senior management for the protection of its information systems and Confidential Information, addressing the following:
(i) data governance and classification;
(ii) asset inventory and device management;
(iii) access controls and identity management;
(iv) business continuity and disaster recovery planning;
(v) system security and monitoring;
(vi) network security and monitoring;
(vii) physical security and environmental controls;
(viii) customer data privacy; and
(ix) vendor and third-party service provider (“TPSP”) management, to include the following topics:
(A) identification and risk assessment of TPSPs;
(B) minimum information security practices required of TPSPs;
(C) due diligence processes for assessing the information security practices of TPSPs; and
(D) periodic assessment of TPSPs, based on the risk and the continued adequacy of the TPSPs’ information security practices.
(h) The following information systems’ controls will be utilized by GA General Agent, to the extent prescribed by its written information security program:
(i) limited user access privileges to information systems providing access to Confidential Information and periodical review of such access privileges, as dictated by GA General Agent’s Risk Assessment;
(ii) multi-factor authentication for any individual accessing GA General Agent’s internal networks from an external network, and for all privileged access to GA General Agent’s cloud-based systems;
(iii) implementation of risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized Use or tampering with Confidential Information; and
(iv) implementation of encryption to protect Confidential Information, both in transit over external networks, and at rest.
(i) To the extent dictated by GA General Agent’s Risk Assessment, and for a duration specified by its records retention standards, GA General Agent will maintain audit trails:
(i) for material financial transactions; and
(ii) sufficient to recreate Security Incidents.
(j) GA General Agent will have written procedures, guidelines and standards for the secure development of applications created in-house, and procedures for evaluating and testing the security of externally-developed applications used on GA General Agent’s information systems.
(k) GA General Agent will have a written Security Incident response plan designed to promptly respond to, and recover from, any Information Security Breach or successful Security Incident materially affecting the confidentiality, integrity or availability of the Confidential Information or the continuing functionality of any aspect of Company’s business or operations. The plan will address the following areas:
(i) internal processes for responding to an Information Security Breach or successful Security Incident;
(ii) goals of the plan;
(iii) definition and clear roles, responsibilities and levels of decision-making authority;
(iv) external and internal communications and information sharing;
(v) identification or requirements for the remediation of any identified weaknesses in information systems and associated controls;
(vi) documentation and reporting regarding Information Security Breaches or successful Security Incidents and related incident response activities; and
(vii) evaluation and revision as necessary of the plan following an Information Security Breach or successful Security Incident.
(l) No transfer of Confidential Information may be made by GA General Agent outside of the United States without the prior, express written authorization of Company.
(m) Company may require GA General Agent to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA General Agent’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third-party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA General Agent. GA General Agent will have thirty (30) calendar days to implement remedies to any identified deficiencies and notify Company that such deficiencies have been addressed. GA’s failure to remedy the identified deficiencies will be considered in breach of this Section 5.
Appears in 1 contract
Samples: Medicare Part D Prescription Drug Plan Sales Agreement
General Security Requirements. (a) GA SPECIAL AGENT will maintain a written, information security program designed to protect the confidentiality, integrity and availability of Confidential Information in paper or other records and within its information system, including computers, devices, applications, and any wireless systems, and designed to perform the following core information security functions:
(i) identify and assess both internal and external information security risks (“Risk Assessment”);
(ii) utilize a defensive infrastructure;
(iii) implement policies and procedures that protect Confidential Information from unauthorized Use;
(iv) detect, respond to, and mitigate, Information Security Breaches and Security Incidents, restoring normal operations and services; and
(v) fulfill regulatory reporting obligations.
(b) The Risk Assessment performed by GA SPECIAL AGENT will be:
(i) sufficient to inform the design of the information security program;
(ii) updated as reasonably necessary to address changes to GA SPECIAL AGENT’s information systems, records, Confidential Information, and business operations; and
(iii) documented and carried out in accordance with written policies and procedures.
(c) GA SPECIAL AGENT will designate a qualified individual responsible for overseeing and implementing its information security program and enforcing its information security policy initiatives.
(d) GA SPECIAL AGENT will assess the effectiveness of its information security program through continuous monitoring, periodic penetration testing and vulnerability assessments, or similar actions, all as dictated by its Risk Assessment.
(e) GA SPECIAL AGENT, or GA SPECIAL AGENT’s designated third party, will:
(i) utilize qualified information security personnel to manage its information security risks and perform or oversee the performance of GA SPECIAL AGENT’s core information security functions; and
(ii) provide or verify that such personnel have obtained periodic information security training to maintain up-to-date knowledge of changing information security threats and countermeasures.
(f) GA SPECIAL AGENT will provide regular information security awareness training for all personnel.
(g) GA SPECIAL AGENT will have written policies, implemented and approved by senior management for the protection of its information systems and Confidential Information, addressing the following:
(i) data governance and classification;
(ii) asset inventory and device management;
(iii) access controls and identity management;
(iv) business continuity and disaster recovery planning;
(v) system security and monitoring;
(vi) network security and monitoring;
(vii) physical security and environmental controls;
(viii) customer data privacy; and
(ix) vendor and third-party service provider (“TPSP”) management, to include the following topics:
(A) identification and risk assessment of TPSPs;
(B) minimum information security practices required of TPSPs;
(C) due diligence processes for assessing the information security practices of TPSPs; and
(D) periodic assessment of TPSPs, based on the risk and the continued adequacy of the TPSPs’ information security practices.
(h) The following information systems’ controls will be utilized by GA SPECIAL AGENT, to the extent prescribed by its written information security program:
(i) limited user access privileges to information systems providing access to Confidential Information and periodical review of such access privileges, as dictated by GA SPECIAL AGENT’s Risk Assessment;
(ii) multi-factor authentication for any individual accessing GA SPECIAL AGENT’s internal networks from an external network, and for all privileged access to GA SPECIAL AGENT’s cloud-based systems;
(iii) implementation of risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized Use or tampering with Confidential Information; and
(iv) implementation of encryption to protect Confidential Information, both in transit over external networks, and at rest.
(i) To the extent dictated by GA SPECIAL AGENT’s Risk Assessment, and for a duration specified by its records retention standards, GA SPECIAL AGENT will maintain audit trails:
(i) for material financial transactions; and
(ii) sufficient to recreate Security Incidents.
(j) GA SPECIAL AGENT will have written procedures, guidelines and standards for the secure development of applications created in-house, and procedures for evaluating and testing the security of externally-developed applications used on GA SPECIAL AGENT’s information systems.
(k) GA SPECIAL AGENT will have a written Security Incident response plan designed to promptly respond to, and recover from, any Information Security Breach or successful Security Incident materially affecting the confidentiality, integrity or availability of the Confidential Information or the continuing functionality of any aspect of Company’s business or operations. The plan will address the following areas:
(i) internal processes for responding to an Information Security Breach or successful Security Incident;
(ii) goals of the plan;
(iii) definition and clear roles, responsibilities and levels of decision-making authority;
(iv) external and internal communications and information sharing;
(v) identification or requirements for the remediation of any identified weaknesses in information systems and associated controls;
(vi) documentation and reporting regarding Information Security Breaches or successful Security Incidents and related incident response activities; and
(vii) evaluation and revision as necessary of the plan following an Information Security Breach or successful Security Incident.
(l) No transfer of Confidential Information may be made by GA SPECIAL AGENT outside of the United States without the prior, express written authorization of Company.
(m) Company may require GA SPECIAL AGENT to have an annual review and/or an annual technical audit of its security policies and practices by Company, or, at GA SPECIAL AGENT’s option and expense, an independent auditor, to ensure compliance with this Addendum. The third-party audit report, including recommendations for remedying deficiencies where appropriate, will be provided to Company within seven (7) business days of receipt of the report by GA SPECIAL AGENT. GA SPECIAL AGENT will have thirty (30) calendar days to implement remedies to any identified deficiencies and notify Company that such deficiencies have been addressed. GA SPECIAL AGENT’s failure to remedy the identified deficiencies will be considered in breach of this Section 5.
Appears in 1 contract
Samples: Special Agent Agreement