ADMINISTRATIVE SERVICES AGREEMENT
Execution Document
Exhibit 10
Material Contracts
ADMINISTRATIVE SERVICES AGREEMENT
THIS ADMINISTRATIVE SERVICES AGREEMENT, (this “Services Agreement”) dated as of August 4, 2011 (“Effective Date”), is between ARIA Retirement Solutions, LLC (“ARIA”), and Transamerica Advisors Life Insurance Company (referred to herein as the “Company”).
WHEREAS, the Company or its authorized representatives desire to ensure that the administration of the annuity products, policies, or individual contracts as defined under applicable statute or law, and financial products (the “Contract Certificates”) created for ARIA by the Company pursuant to that Joint Development Agreement (the “Agreement”) entered into between ARIA and the Company, and dated November 22, 2010, are implemented in accordance with all applicable laws and regulations; and
WHEREAS, ARIA, a licensed third party administrator where required by law, desires to perform certain administrative functions with respect to the Contract Certificates.
NOW, THEREFORE, in consideration of the promises herein contained and other good and valuable consideration, the sufficiency of which is acknowledged by the parties, the parties hereto agree as follows with respect to the administration of the Contract Certificates.
AGREEMENT
1.1 Administration of Contract Certificates. The Company retains ARIA to perform the administrative services set forth in Exhibit A hereto with respect to the Contract Certificates.
1.2 Term. The term of this Services Agreement shall be for a period commencing immediately upon the Effective Date (“Initial Term”) through November 1, 2015. After the Initial Term, this Services Agreement shall automatically renew each year on the anniversary of the Effective Date following the Initial Term (the “Renewal Date”) for a period of one (1) year, unless either party chooses to terminate in accordance with the terms hereof.
1.3 Termination. This Services Agreement shall automatically terminate:
a. For Cause (defined below);
b. Upon the termination or maturity of the last policy issued pursuant to the Contract Certificates; and/or
c. Upon the dissolution or bankruptcy of any party hereto, or in the event any party hereto is placed in receivership or rehabilitation, or in the event that the management of its affairs is assumed by any governmental, regulatory or judicial authority; or
d. Upon mutual agreement of the parties hereto.
The Company must fulfill all lawful obligations with respect to the Contract Certificates, regardless of any dispute between the Company and ARIA. In order to fulfill this obligation, ARIA shall maintain and make available to the Company complete Books and Records (defined below) which shall be:
(i) Readily accessible to the Company at ARIA’s offices during the transition from ARIA to the Company, or another third party administrator selected by the Company; and
(ii) Promptly delivered to the Company at its offices or such other location designated by the Company.
“Cause” shall mean a breach of or default in the material duties and obligations hereunder, which breach or default remains uncured for thirty (30) days after the receipt of written notice thereof by the breaching or defaulting party. If ARIA is the breaching or defaulting party, and the Company terminates this Services Agreement for Cause, in addition to its other obligations as outlined in this Section 1.3 and this Services Agreement, ARIA agrees to provide and allow the Company unrestricted, complete and direct access to all of its hosted environments, systems and technology containing and/or used to access Company related data (including the XXXX Product project Platform, as defined in the Agreement), and all Company related data necessary for monitoring investment positions, so that the Company, or a party so designated by the Company, can replace ARIA and administer the Contract Certificates. The right of the Company to replace ARIA will be in addition to all other remedies available to the Company at equity or at law.
The Company shall provide thirty (30) days written notice to ARIA of termination or cancellation of this Services Agreement if the termination is required by applicable law. The Company shall also provide fifteen (15) days’ written notice of termination or cancellation of this Services Agreement, as well as written notice of any changes made to the Services Agreement to any state insurance department, to the extent required by law.
1.4 Receipt of Payments. The payment to ARIA of any funds by or on behalf of a Contract Certificate owner shall be deemed as receipt of those funds by the Company. The payment to Company of any funds by or on behalf of a Contract Certificate owner shall be deemed as receipt of those funds by ARIA and shall not be deemed payment to the Contract Certificate owner until any such funds are received by the Contract Certificate owner. Nothing in this Section 1.4 limits any right of ARIA against the Company resulting from the failure of the Company to make payments to the ARIA. Further, nothing in this Section shall limit the right of the Company against ARIA due to its failure to make payments to the Company or any Contract Certificate owner.
1.5 Bank Account. ARIA will hold in a fiduciary capacity all funds collected by it on behalf of or for the Company as well as all return premiums received from the Company with respect to Contract Certificate owners. ARIA shall comply with all applicable fiduciary account statutes and regulations. In accordance with applicable laws, regulations and rules, ARIA will deposit the funds within one business day in a fiduciary account established and maintained by ARIA in a federally or state-insured financial institution reasonably acceptable to the Company, in the name of the Company. ARIA shall require the bank(s) in which such fiduciary accounts are maintained to keep records clearly recording the deposits in and withdrawals from such accounts on behalf of or for the Company.
ARIA shall promptly obtain and keep copies of all such records and, upon request of the Company, furnish the Company with copies of such records pertaining to deposits and withdrawals on behalf of or for the Company. ARIA shall periodically, but in no event less than [quarterly], render an accounting to the Company detailing all of the transactions performed by ARIA pertaining to business underwritten by the Company. ARIA shall comply with the Company’s reconciliation policy as noted in Exhibit K. ARIA may make withdrawals from such accounts for:
a. Remittance to the Company when entitled thereto;
b. Payment to ARIA of the amounts described in Section 1.8 below.
1.6 Books and Records.
a. ARIA shall establish and maintain facilities and procedures for the safekeeping of policy forms, and all other documents, reports, records, books, files, and other materials (whether on paper, microfiche, computer or other forms) relative to this Services Agreement and all transactions between ARIA, the Company, and Contract Certificate owners, which shall include the identity and addresses of Contract Certificate owners and holders (collectively, “Books and Records”), which facilities and procedures shall be reasonably acceptable to the Company. The Company may request additional facilities and procedures if necessary to comply with applicable laws or industry standards. ARIA shall maintain the Books and Records at its principal administrative office for the duration of this Services Agreement and ten (10) years thereafter; however, ARIA agrees that if during the before-mentioned ten (10) year period it is directed by the Company to deliver the Books and Records to the Company, or to another party designated by the Company, ARIA will deliver all of the Books and Records in good order to that party no later than 30 days from request. In the event this Services Agreement is terminated, ARIA will, pursuant to Section 1.3 hereof and applicable law, deliver the Books and Records to the Company and/or a successor administrator rather than maintaining such Books and Records for ten (10) years. The Books and Records shall also be maintained in accordance with the standards as outlined in Exhibit K and Attachment K-1 attached hereto, and as required by any regulation or applicable law. The parties agree that the Company shall own the Books and Records, and that ARIA and the Company shall each retain the right of access to the Books and Records to fulfill their contractual obligations.
b. ARIA shall maintain detailed Books and Records that reflect all administered transactions specifically in regard to the sales, marketing and administration of the Contract Certificates; and
c. The detailed preparation, journalizing, and posting of such Books and Records shall be made in accordance with the terms and conditions of this Services Agreement, state insurance, SEC and FINRA requirements, any other regulatory reporting requirements, and, if applicable, in accordance with ERISA, as amended, and, if necessary, to enable the Company to complete the National Association of Insurance Commissioners’ annual financial statement and any other regulatory reporting as may be required.
d. ARIA shall process and respond to customer complaints, and maintain a customer complaint log in accordance with the procedures as established by the Company from time to time. ARIA shall ensure that its procedures for responding to customer complaints, and for the maintenance of its customer complaint log, are in compliance with state insurance, SEC and FINRA requirements, and it shall file the customer complaint log with the applicable regulatory agency if and when required. ARIA agrees to provide the Company with a copy of the customer complaint log on a monthly basis or more frequently if reasonably requested by the Company. ARIA shall respond to customer complaints within ten (10) days or by the date required by a regulatory agency.
e. ARIA shall comply with the Company’s requirements for safeguarding, retaining, preserving and disposing of Books and Records as outlined by the Company from time to time, and as detailed in the “Company Record Retention Requirements” contained in Exhibit K and Attachment K-1 attached hereto.
1.7 Access to Books and Records. The Company and any applicable regulatory agency (including state insurance departments, the SEC and FINRA) shall have unrestricted and complete access, during ordinary business hours, to the Books and Records, which shall be in a form usable by them. Each party shall cooperate with the other party and all appropriate governmental authorities in connection with any investigation or inquiry relating to this Services Agreement.
The Company or its duly authorized independent auditors have the right under this Services Agreement to perform on-site reviews of ARIA’s operations and audits of the Books and Records directly pertaining to the Contract Certificates serviced by ARIA hereunder, at ARIA’s facilities, in accordance with reasonable procedures and reasonable frequencies, including a reasonable period of time in advance of an announced SEC examination. Each party shall pay for its own costs and expenses (including personnel time and materials) incurred in connection with such audits.
ARIA shall provide the Company with an annual SSAE 16 Type II report from an independent auditing firm of national reputation. The audit firm is subject to the approval of the Company. The SSAE 16 report shall cover the period January 1 to September 30. ARIA shall provide the Company a year-end update letter covering the period October 1 to December 31.
The update letter shall outline whether or not: (i) the description of the controls outlined in the most recent SSAE 16 report continues to present fairly, in all material respects, the controls which were in place at the end of the audit period; (ii) there have been no material changes to the internal control objectives and related procedures specified in the report during the period beginning on October 1 and ending on December 31; (iii) ARIA is not aware of the existence of any significant control deficiencies with regard to the controls described in the report; and (iv) the test exceptions in the report have been resolved or addressed as specified in the management responses of the report.
Upon completion of any audit performed by ARIA or its duly authorized auditors, ARIA shall provide the Company a copy of the audit report(s) and written notice of any deficiencies or material weaknesses relative to services performed under this Services Agreement.
Upon completion of any audit performed by or on behalf of the Company, the Company shall notify ARIA of any deficiencies or material weaknesses found as a result of the audit.
In the event any audit reveals control deficiencies or material weakness that may result in an adverse impact to the Company’s organizational operations, assets, or individuals, ARIA shall provide the Company with a plan of action to correct the deficiency or material weakness, which plan of action shall be subject to the Company’s written approval. ARIA shall provide the plan of action to the Company within fifteen (15) Business Days of receipt of the final audit report.
ARIA shall retain all records, documents and data required to be maintained by it in a readable form as may be specified in any Service Agreement or, if not so specified, in a readable form in which they are generated and stored in the ordinary course, or as mutually agreed.
1.8 ARIA Platform Fee Payments for Administrative Services.
a. The Company agrees to pay ARIA an amount equal to the amounts identified in Exhibit B hereto.
b. The parties to this Services Agreement recognize and agree that the Company’s payments to ARIA are for non-exclusive administrative services only and do not constitute payment in any manner for investment advisory services.
c. ARIA shall not receive from the Company or any Contract Certificate owner any compensation or other payments except as identified in Exhibit B.
1.9 Advertising. ARIA, in its role as third party administrator for the Company, will not advertise the Company’s products without prior written approval. ARIA shall maintain at its principal administrative office a file of all advertisements which are used in the course of ARIA’s business for not less than ten (10) years. A notation shall be made for each advertisement indicating the manner and extent of distribution and the form number of any policy/contract advertised.
1.10 Underwriting. The Company shall be responsible for determining the benefits, premium rates, adjudication of claims, underwriting criteria and payment procedures applicable to such coverage; the rules pertaining to these matters must be provided, in writing, by the Company to ARIA.
1.11 Copy of Written Services Agreement. This Services Agreement shall be retained as part of the official records of both the Company and ARIA for the duration of this Services Agreement plus ten (10) years.
1.12 Copy of Trust Agreement. Where the Company issues a policy/contract to a trustee or trustees, a copy of the trust agreement and any amendments shall be furnished to the Company and shall be retained as part of the official records of both the Company and ARIA for the duration of the policy/contract plus ten (10) years.
1.13 Compliance. ARIA is licensed as a third party administrator in the State of California and will seek and maintain a third party administrator license in those states where it is required and will be in material compliance with all laws, rules and regulations applicable to third party administration of the Contract Certificates.
1.14 Confidentiality of Personal Information. Confidential Information shall mean all information, written, verbal, or electronic, which may be disclosed, whether or not marked as “Confidential” or “Proprietary”, by the Company, or to which ARIA may be provided access by the Company in accordance with this Services Agreement, or which is generated or learned as a result of or in connection with this Services Agreement (“Confidential Information”). Confidentiality obligations hereunder shall not apply to any Confidential Information which: (i) is or later becomes generally available to the public without breach of any express or implied obligation of confidentiality by ARIA; (ii) written evidence shows is in the possession of ARIA with the full right to disclose prior to its receipt from the Company; (iii) is later acquired by ARIA from a third party without any restriction on disclosure or breach of an express or implied obligation of confidentiality; or (iv) ARIA can document in writing that ARIA independently created such information without reference to or use of Confidential Information.
a) Non-disclosure Obligations. ARIA promises and agrees to use reasonable efforts to hold Confidential Information in confidence, but in any event efforts not less than those set forth in the “Company Security Policy” Exhibit, and without limiting the generality of the foregoing, ARIA further promises and agrees: (i) to protect and safeguard the Confidential Information against unauthorized use, publication or disclosure; (ii) not to, directly or indirectly, in any way, reveal, report, publish, disclose, transfer or otherwise use any of the Confidential Information except as specifically authorized in writing by the Company in accordance with this Services Agreement; (iii) not to use any Confidential Information to unfairly compete or obtain an unfair advantage vis-a-vis the Company in any commercial activity which may be comparable to the commercial activity contemplated by the parties in connection with this Services Agreement; (iv) to restrict access to the Confidential Information to those who clearly need such access to carry out the purposes of this Services Agreement; (v) to advise each of the persons to whom it provides access to any of the Confidential Information that such persons are strictly prohibited from making any use, publishing or otherwise disclosing to others, or permitting others to use for their benefit or to the detriment of the Company, any of the Confidential Information; and (vi) not to use any Confidential Information of the Company to engage in any fraudulent, deceptive, manipulative or otherwise unlawful practice in connection with the purchase or sale of securities or to improperly influence the performance of securities.
b) Mandatory Disclosure. If ARIA becomes compelled or is ordered to disclose Confidential Information, whether (i) by a court order or governmental agency order which has jurisdiction over the parties and subject matter, or (ii) in the opinion of its legal counsel, by law, regulation or the rules of a national securities exchange, ARIA will, to the extent practicable and except as may be prohibited by law or legal process, provide the Company with prompt written notice to permit the Company to object to the disclosure or seek an appropriate protective order or other remedy. If a remedy acceptable to the Company is not obtained by the date that ARIA must comply with the disclosure requirement, ARIA will furnish only that portion of the Confidential Information it is legally required to furnish, and ARIA will exercise commercially reasonable efforts to obtain confidential treatment for the Confidential Information that is disclosed. It is understood and agreed that regulators having jurisdiction over each party shall have unrestricted access to all books, records, files and other materials in such party’s possession, including the Confidential Information, and disclosure of the Confidential Information to such persons solely for purposes of supervision or examination may occur without written notice to or authorization from the other party.
c) Disclosure and Use of Personal Information. If Responsible Party receives, uses, stores, maintains, processes, transmits, disposes of or otherwise has access to Personal Information, Responsible Party shall use, store, maintain, process, transmit, dispose of and protect Personal Information in accordance with Applicable Law. Access to and use of Personal Information by Responsible Party is specifically limited to that which is necessary to perform the services set forth in this Services Agreement, and Responsible Party shall only disclose Personal Information to those employees who have a need to know such information to perform such services. For those affiliates and contractors for which the Company provides written authorization, Responsible Party shall obligate those affiliates and contractors to terms at least as stringent as those set forth herein.
d) Security Requirements; Loss of or Unauthorized Access to Company Information; Intrusions:
i) Security Requirements. ARIA will comply with the Company’s requirements set forth in Exhibit J “Company Security Policy” for security protocols applicable to ARIA’s delivery of services under this Services Agreement at the ARIA Locations (which are set forth in Exhibit C to this Services Agreement). The Company may notify ARIA in writing from time to time of changes, updates, modifications or amendments to the Security Requirements, and the Parties will implement such updated Security Requirements pursuant to the Change Control Procedures.
ii) Safeguards. As part of the “Company Security Policy” set forth in Exhibit J and the “Company Security Requirements”, all of which are a part of and included in this Services Agreement, ARIA will establish, and provide a copy to the Company of, an information security program with respect to Personally Identifiable Information and other Company Data which: (i) protects the security and confidentiality of such Personally Identifiable Information and other Company Data; (ii) protects against any anticipated threats or hazards to the security or integrity of such Personally Identifiable Information and other Company Data; and (iii) protects against any unauthorized use of or access to such Personally Identifiable Information or other Company Data. ARIA will also establish and maintain network and internet security procedures, protocols, security gateways and firewalls with respect to such Personally Identifiable Information and other Company Data. All of the foregoing will be consistent with the Security Requirements and no less rigorous than those safeguards and procedures maintained by the Company prior to the Effective Date of this Services Agreement, and shall be no less rigorous than those maintained by ARIA for its own data and information of a similar nature.
iii) Security Assessment. Without limiting the generality of the foregoing, ARIA’s information security policies will provide for (i) regular assessment and reassessment of the risks to the security of Company Data and systems acquired or maintained by ARIA and its agents and contractors in connection with the Services, including: (a) identification of internal and external threats that could result in a Security Breach; (b) assessment of the likelihood and potential damage of such threats, taking into account the sensitivity of such data and systems; and (c) assessment of the sufficiency of policies, procedures, and information systems of ARIA and its agents and subcontractors, and other arrangements in place, to control risks; and (ii) protection against such risks.
iv) Media. ARIA shall remove all Company Data from any media taken out of service and shall destroy or securely erase such media in accordance with the Security Requirements and otherwise in a manner designed to protect against unauthorized access to or use of any Company Data in connection with such destruction or erasure.
v) Security Breach. In the event ARIA becomes aware of any Security Breach due to ARIA acts or omissions other than in accordance with the terms of this Services Agreement, ARIA will, at its own expense: (i) immediately notify the Company’s Enterprise Security Officer of such Security Breach and perform a root cause analysis thereon as outlined in Exhibit J “Company Security Policy”; (ii) investigate such Security Breach and report its findings to the Company; (iii) provide the Company with a remediation plan, acceptable to the Company, to address the Security Breach and prevent any further incidents; (iv) remediate such Security Breach in accordance with such approved plan; (v) conduct an appropriate investigation to determine what systems, data and information have been affected by such event; and (vi) cooperate with the Company in execution of its security incident response plan and otherwise, and, at the Company’s request, with any law enforcement or regulatory officials, credit reporting companies, and credit card associations investigating such Security Breach. Without limiting the foregoing and notwithstanding anything herein to the contrary, the Company will make the final decision on notifying any Third Party of the Security Breach, and on the implementation of the remediation plan. If a notification to a customer is required under any Law or pursuant to any of the Company’s privacy or security policies, then notifications to all customers who are affected by the same event (as reasonably determined by the Company) shall be considered legally required. ARIA will reimburse the Company on demand for all reasonable Notification Related Costs incurred by the Company arising out of or in connection with any such Security Breach resulting in a requirement for legally required notifications (as determined in accordance with the previous sentence). “Notification Related Costs” shall include the Company’s internal and external costs associated with addressing and responding to the Security Breach, including but not limited to: (aa) preparation and mailing or other transmission of legally required notifications; (bb) preparation and mailing or other transmission of such other communications to customers, agents or others as the Company deems reasonably appropriate; (cc) establishment of a call center or other communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points and training); (dd) legal and accounting fees and expenses associated with the Company’s investigation of and response to such event; and (ee) costs for commercially reasonable credit reporting and watch and similar services that are associated with legally required notifications.
In the event that ARIA becomes aware of any Security Breach which is not due to ARIA acts or omissions other than in accordance with the terms of this Services Agreement, ARIA will immediately notify the Company of such Security Breach, and the Parties shall reasonably cooperate regarding which of the foregoing or other activities may be appropriate under the circumstances, including any applicable charges for the same.
vi) Intrusion Detection/Interception. If either Party knows or has a good faith belief that an intrusion has occurred or is likely to occur, ARIA will provide the Company with appropriate access to ARIA’s systems, policies and procedures relating to intrusion detection and interception.
e) Other Agreements. This section does not supersede or replace any other provision in any agreement between the parties with respect to privacy and security of Personal Information except to the extent such provisions are less stringent than the provisions set forth herein. Personal Information shall be construed as Confidential Information under this Services Agreement and subject to paragraphs (b) and (c) above.
f) Indemnity. ARIA hereby agrees to defend, indemnify, and hold the Company and its affiliates and all of their directors, officers, personnel, and their successors and assigns harmless from any and all expenses, damages, awards, settlements, claims, actions, demands, losses, obligations, fines, penalties, liabilities, regulatory actions and causes of action (including, but not limited to, attorneys’ fees and expenses, breach notification costs, credit monitoring or watch services, and internal and external breach remediation plans) arising out of or relating to any privacy or security breach involving Personal Information in the possession of or under the control of the Responsible Party or its Contractors, or for Responsible Party’s breach of any obligations set forth in this Section. This Section 1.14 shall survive the termination of this Services Agreement.
1.15 Liability. Each party shall only be responsible or liable to the other party for losses caused by the negligence, bad faith, malfeasance, fraud, or misconduct of such party or its employees, agents, or representatives.
1.16 Payments. To the extent that ARIA pays any funds to any Contract Certificate owner, such payment shall be made only on checks or drafts of, and as authorized by, the Company, or, with the consent of the Contract Certificate owner, via electronic funds transfer.
1.17 Delivery of Written Communications. Any policies, contracts, certificates, booklets, termination notices or any other written communication delivered by the Company to ARIA for delivery to any Contract Certificate owner shall be delivered to such owners promptly after receipt of instructions from the Company to do so.
1.18 Notices of Relationship and Statement of Charges or Premium Coverage. ARIA shall provide a written notice, approved by the Company, to each Contract Certificate owner advising them of the identity of, and relationship among, ARIA, the Contract Certificate owner and the Company. Additionally, to the extent that ARIA collects any funds or charges that are not premium from a Contract Certificate owner, the amount of the funds/charges and the reason for the collection shall be identified to the Contract Certificate owner and the amount of such funds/charges must be shown separately from any premium.
SECTION 2
MISCELLANEOUS
2.1 Ratifications. This Services Agreement, including all exhibits, schedules, attachments and addendums attached hereto, which are incorporated herein by reference, constitutes the entire agreement between the parties hereto and supersedes any prior agreement with respect to the subject matter hereof, whether written or oral.
2.2 Amendments and Modifications. No provision of this Services Agreement may be amended, modified or waived except in a writing signed by the parties hereto.
2.3 Successors and Assigns. This Services Agreement is binding upon and shall inure to the benefit of the Company and ARIA and their respective successors and permitted assigns. This Services Agreement may not be assigned by either party without the prior written consent of the other party.
2.4 Corporate Authority. Each party hereto represents and warrants to the other party that it is empowered under the applicable laws and regulations and by its charter and by-laws to enter into and perform this Services Agreement and that all requisite corporate proceedings have been taken to authorize it to enter into and perform this Services Agreement.
2.5 Governing Law. This Services Agreement shall be governed by the laws of the State of Iowa.
2.6 Severability. If any portion of this Services Agreement shall be held or made invalid by a court decision, statute, rule or otherwise, the remainder of this Services Agreement shall not be affected thereby.
2.7 Remedies Cumulative; No Waiver. No right, power or remedy granted or reserved herein is intended to be exclusive of any other right, power or remedy, but each and every such right, power and remedy shall be cumulative and concurrent and in addition to any other right, remedy or power hereunder or under law. No delay or omission by either party to exercise any right, power or remedy in connection with a default shall exhaust or impair any such right, power or remedy or shall be construed to be a waiver of such default or acquiescence therein.
2.8 Arbitration. Except as otherwise stated in this Services Agreement, the Parties will follow the Dispute Resolution Procedures set forth in Exhibit G to address all Disputes arising between the Parties.
2.9 Errors and Omissions. Any inadvertent error or omission made by either party in connection with this Services Agreement which has been corrected within 30 days shall not constitute a material breach of the Services Agreement or render the Services Agreement null and void.
2.10 Notice Addresses. Any notice to be given by one party to the other shall be (i) personally delivered or (ii) mailed certified mail postage prepaid, if to ARIA, at 000 Xxxxxxxxxx Xxxxxx; 27th Floor; San Francisco; CA; 94104, Attn: Xxxxx Xxxxx, President, and if to the Company, at 0000 Xxxxxxxx Xxxx XX; Cedar Rapids; IA; 52499, Attn: Xxxx Xxxxx, Vice President.
EXECUTED as of the date first written above.
ARIA Retirement Solutions, LLC
By: /s/ Xxxxx Xxxxx
Name: Xxxxx Xxxxx
Title: CEO
Transamerica Advisors Life Insurance Company
By: /s/ Xxxx X. Xxxxx
Name: Xxxx X. Xxxxx
Title: Vice President
EXHIBIT 1
TABLE OF EXHIBITS
Exhibit | Exhibit Title
A | Description of Administrative Services
B | Administration of Expense Payments
C | Listing of ARIA Locations
D | Listing of Key ARIA Personnel and Designation of Company Relationship Manager
E | List of Service Level Agreements
F | Business Continuity, Planning and Disaster Recovery Requirements
G | Dispute Resolution Procedures
H | Provisions for Account Governance
I | Procedures Manual Requirements
J | Company Security Policy
K | Company Policies
L | Background Investigations Requirements
M | Definitions
EXHIBIT A
DESCRIPTION OF ADMINISTRATIVE SERVICES
This Description of Administrative Services is Exhibit A to that certain Services Agreement, dated , 2011 between ARIA and the Company.
Definitions. Capitalized terms used in this Exhibit A but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
Services. Beginning on the Effective Date, ARIA shall provide the services and satisfy the responsibilities assigned to it in the columns below (as designated by an [X] in the column under the party’s name) in this Exhibit A. Entries which contain an [X] in both Parties’ columns indicate a shared responsibility or combined effort between the Parties.
ID | Activity | ARIA | Company
Sales and Marketing
1.1 | Agent product training | X
1.2 | XXXX training preparation | X
1.3 | XXXX training attestation and agent training tracking | X
1.4 | Marketing material creation | X
1.5 | Advisor’s Edge Annuity, Advisor’s Elite Annuity and the XXXX product illustration tool creation and access control | X
1.6 | XXXX calculator creation and access control | X
1.6a | Retrofit XXXX calculator into ARIA’s website | X
New Business Administration
2.1 | Collection of fees | X
2.2 | Contract / certificate processing | X
Post Issue Administration
3.1 | Death audits as requested | X | X
3.2 | Privacy statement / letters | X
3.3 | Hedging | X
3.4 | Collection of fees | X
3.5 | Client communications prior to exhaustion | X
3.6 | Client communication post-exhaustion | X
3.7 | Form management including updates and mailing | X | X
3.8 | Record management | X
3.9 | Daily balancing | X
3.10 | Pricing / valuation | X
3.11 | Customer question management | X
Agent Licensing and Commission Administration
4.1 | Licensing system administration | X | X
4.2 | Agent validation | X
Bank Account
5.1 | Ownership | X
5.2 | Reconciliation | X
Financial Controls
6.1 | Accounting | X
6.2 | Reserving | X
6.3 | Fraud Monitoring | X
Compliance and Company Policies
7.1 | Record retention | X
7.2 | Broker Dealer transactional suitability reviews | X
7.3 | Marketing material review, approval and monitoring | X
7.4 | Complaint handling | X | X
7.5 | Legal hold processing | X | X
7.6 | SSAE 16 | X
7.7 | Quality and control monitoring | X
7.8 | Regulatory compliance | X | X
7.9 | Regulatory reporting | X
7.10 | TPA reporting | X
FINRA requirements will be addressed as part of a duly executed selling agreement between ARIA and the Company.
EXHIBIT B
ADMINISTRATION OF EXPENSE PAYMENTS
The Administration of Expense Payments referred to in this Exhibit B is described in that separate Life Insurance Company Product Sales Agreement executed and agreed between ARIA and the Company.
EXHIBIT C
LISTING OF ARIA LOCATIONS
This Listing of ARIA Locations is Exhibit C to that certain Services Agreement, dated , 2011 between ARIA and the Company.
DEFINITIONS. Capitalized terms used in this Exhibit C but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
ARIA will perform services at the following locations:
Facility | Location
EXHIBIT D
LISTING OF KEY ARIA PERSONNEL AND DESIGNATION OF COMPANY RELATIONSHIP MANAGER
This Listing of Key ARIA Personnel and Company Relationship Manager is Exhibit D to that certain Services Agreement, dated , 2011 between ARIA and the Company.
Definitions. Capitalized terms used in this Exhibit D but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
The officers of ARIA are hereby designated as Key Personnel under the Services Agreement.
The officers of the Company are hereby designated as Key Personnel under the Services Agreement.
EXHIBIT E
SERVICE LEVEL AGREEMENTS
This List of Service Level Agreements is Exhibit E to that certain Services Agreement, dated , 2011 between ARIA and the Company.
Definitions. Capitalized terms used in this Exhibit E but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
Maximum Allowable Downtime (“MAD”) is the maximum amount of time the business can suffer an inoperable business process before significant negative consequences are felt.
ARIA and the Company agree to the following Service Level Agreements; other Service Level Agreements, including but not limited to processing and reporting, may be added at the discretion of the Company.
Business Process | Provided By | SLS | MAD
Data Exchange – XXXX
XXXXX Record 1203 – Holding Transmittal Transaction files | ARIA | Daily by 7pm CT, 5pm PT | 3 business days following standard receipt
XXXXX Record 1203 – Acknowledge Receipts and Results of File Loads | Transamerica | Next business day following receipt by 6am CT, 5am PT | 3 business days following receipt of files
Monthly Policy Refresh of XXXXX 1203 files | ARIA | Monthly – 1st business day of month by 7pm CT, 5pm PT, to include data as of last business day of month | 2 business days following standard receipt
Monthly Policy Refresh of XXXXX 1203 – Acknowledge Receipts and Results of File Loads | Transamerica | Monthly – Next business day following receipt by 6am CT, 5am PT | 3 business days following receipt of files
Cash Wire Recon Report | ARIA | Daily by 7pm CT, 5pm PT | 3 business days following standard receipt
Tax Reporting Extract for APV | ARIA | Annual – To be determined by mutual agreement by October 15, 2011 | To be determined by October 15, 2011
APV Input to AEGON Corporate | Transamerica | Annual – To be determined by mutual agreement by October 15, 2011 | To be determined by October 15, 2011
Exhaustion, Low Covered Base Report | ARIA | To be determined by mutual agreement by June 30, 2012 | To be determined by June 30, 2012
Due and Unpaid Report | ARIA | Quarterly – 2nd business day of quarter | 3 business days following standard receipt
Transamerica request for error support – acknowledgment of request | ARIA | As needed | To be determined prior to agreement finalization
Custodian account monitoring | ARIA | To be determined prior to agreement finalization | To be determined prior to agreement finalization
ARIA Call Center – XXXX
Telephone Standards | ARIA | To be determined by mutual agreement | 30 minutes
XXXX Lock-in | ARIA | Same day processing | Next business day
XXXX Certificate Issuance | ARIA | To be determined prior to agreement finalization | To be determined prior to agreement finalization
XXXX Certificate Non-Financial Maintenance (examples include: address changes, divorces, LPOA) | ARIA | To be determined by mutual agreement | To be determined by mutual agreement
Overall Management
ARIA Management Dashboard | ARIA | Monthly – Delivered by the 15th of the month with data from the preceding month | 15 days following standard receipt
Marketing Plan | ARIA | Annual – January 15 | 10 business days following standard receipt
ARIA Retirement Solutions Financials | ARIA | Quarterly – 30 days after quarter-end | 5 business days following standard receipt
Complaint Log | ARIA | Monthly – 1st business day of month | 12:00pm CDT next business day following standard receipt
SSAE 16 (applicable to 2012 forward) | ARIA | Annual – November 30 | 5 business days following standard receipt
SSAE 16 Update Letter (applicable to 2012 review year forward) | ARIA | Annual – January 31 | 5 business days following standard receipt
EXHIBIT F
BUSINESS CONTINUITY, PLANNING AND DISASTER RECOVERY REQUIREMENTS
These Business Continuity, Planning, and Disaster Recovery Requirements are Exhibit F to that certain Services Agreement, dated , 2011 between ARIA and the Company.
1. General.
Capitalized terms used in this Exhibit F but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
2. Definitions.
• | Business Continuity Planning (“BCP”) is the process of planning for a business outage that may impact the ability to perform business functions that are critical to the Company, and the recovery of those business functions. A BCP includes, at a minimum: identification of business functions, how soon each business function must be operational after an event, the people responsible for each function, alternative recovery locations, etc. Additionally, the BCP will define the level of recovery, in respect to either staff availability or production throughput, by function that is required to consider a function operational; that level serves as the end measure for the MAD calculation. The BCP will be in place by the end of the Group 4 transition. An interim BCP will be in place by the end of the Group 1, 2, and 3 transitions. |
• | Disaster Recovery (“DR”) is the process of recovering the systems and applications necessary for the business to perform its processes and functions. DR Plans include, at a minimum: applications critical to the business, the RTO, dependent servers and other hardware, etc. |
• | Recovery Time Objective (“RTO”) is the time information technology organizations have to recover their systems to an agreed upon operational state so that workers may then recover the time lost to the outage and bring the business process back to acceptable service levels. |
• | Maximum Allowable Downtime (“MAD”) is the maximum amount of time the business can suffer an inoperable business process before significant negative consequences are felt. |
3. Performance Requirements (Generally).
• | DR exercises shall be conducted by ARIA at least annually at the recovery hot-site, and include the testing of Day 1 through Day 3 critical business processes as defined in the Company’s business continuity plans. |
• | These critical business functions should be defined and agreed upon by both parties, and include MAD for each business function. |
• | For purposes of this Exhibit F, business functions and their associated MAD are listed below in Section 5 “Company Defined Maximum Allowable Downtime”. |
• | BCP exercises should test the functionality of each critical process, the connectivity between the hot-site and the datacenter, and of the virtual workstations required to perform these functions. |
• | BCP’s must be kept current with accurate data, including call lists for employees that include current contact information, a list of critical business processes, and recovery time objective for each business process. |
• | Call lists should be exercised at least once annually. |
• | Participation in Company’s semi-annual disaster recovery exercises is required to validate the connectivity between the offshore site and Company’s disaster recovery hot-site and to support testing activities related to the applications in scope of the Services Agreement. |
4. Reporting
Reporting on the results of a BCP exercise is required and should include at a minimum:
• | the list of systems and applications tested; |
• | problems and issues encountered during the exercise; |
• | problem resolution information including timeline for permanent resolution; |
• | issues identified related to connectivity; |
• | issues identified related to the virtual machines; and |
• | the identification of each critical business process with an indicator if the test of each process was successful or unsuccessful. |
5. Company Defined Maximum Allowable Downtime (MAD).
Maximum Allowable Downtimes are defined in Exhibit E of the Services Agreement.
EXHIBIT G
DISPUTE RESOLUTION PROCEDURES
These Dispute Resolution Procedures are Exhibit G to that certain Services Agreement, dated , 2011 between ARIA and the Company.
1.0 Definitions.
Capitalized terms used in this Exhibit G but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
“Dispute(s)” means any dispute, controversy or claim, including, without limitation, situations or circumstances in which the Parties are required to mutually agree on additions, deletions or changes to terms, conditions or charges arising under or in connection with the Services Agreement.
“Qualified” means having extensive knowledge or experience regarding the subject of the Dispute.
2.0 Dispute Resolution Procedures.
a) General. Except as otherwise stated in the Services Agreement, the Parties will follow the Dispute Resolution Procedures set forth in this Exhibit G to address all Disputes arising between the Parties.
b) Timely Resolution of Disputes. Company and ARIA will at all times exercise reasonable, good faith efforts to resolve all Disputes in a timely, amicable and efficient manner.
c) Escalation Procedure.
(i) ARIA Key Contact and Company Relationship Manager (“Contract Managers”). All Disputes shall initially be referred by either Party to the Parties’ Contract Managers via a written notice to the other Party referencing these Dispute Resolution Procedures. The Contract Managers shall negotiate with each other to resolve the Dispute in a timely manner. All reasonable requests for information by one Party to the other will be honored.
(ii) Steering Committee. If the Contract Managers do not resolve the Dispute within three (3) Business Days after the date of referral of the Dispute to them (or such longer period as the parties may mutually agree in writing), either Party may submit the Dispute to the Steering Committee, which shall convene to resolve the Dispute in a timely manner as set forth herein.
(iii) Senior Executives. If the Steering Committee has not resolved Disputes within three (3) Business Days after the date of referral of the Dispute to it, then either Party shall be entitled to require that the Dispute be referred to executive officials of the respective Parties (at least the level of Senior Vice President) (the “Senior Executives”), according to the following procedure:
(a) The Party requiring such referral (Party A) shall serve notice on the other Party, as provided in the Services Agreement, designating a Senior Executive of Party A for this purpose, and certifying that said Senior Executive has full authority from Party A to resolve the Dispute;
(b) Within two (2) Business Days of receipt of said notice, the other Party (Party B) is required to give notice, pursuant to the Services Agreement, to Party A designating a Senior Executive of Party B for this purpose, and certifying that said Senior Executive has full authority from Party B to resolve the Dispute;
(c) The designated Senior Executives shall meet to discuss the Dispute within three (3) Business Days of the notice in Section 2.0 c)(iii)(b) above and shall negotiate in good faith to resolve the Dispute, and may include in their meetings such Qualified experts or Qualified advisors as the two of them may mutually agree.
d) Acceleration Beyond Senior Executives.
(i) Accelerated Escalation of Disputes. If the Senior Executives do not resolve the Dispute within five (5) Business Days after the date of the meeting of such executives, either Party may move to resolve the Dispute through Arbitration in accordance with Section 2.0e below of this Exhibit G.
e) Arbitration. Any Dispute arising out of or related to this Services Agreement which cannot be resolved by the negotiation process outlined in Sections 2.0 a), 2.0 b), 2.0 c) and 2.0 d) above in this Exhibit G shall be settled by binding arbitration (“Arbitration”) in accordance with and subject to the Commercial Arbitration Rules of the American Arbitration Association then applicable (the “Rules”). Unless otherwise mutually agreed upon by the parties, the Arbitration hearings will be held in the City of Chicago, Illinois. A panel of three arbitrators will be selected in accordance with the Rules, and the arbitrators will allow such discovery as is appropriate and consistent with the purposes of arbitration in accomplishing fair, speedy and cost-effective resolution of Disputes. The arbitrators will reference the rules of evidence and the Federal Rules of Civil Procedure then in effect in setting the scope of discovery. Judgment upon the award rendered in any such Arbitration may be entered in any court having jurisdiction thereof, or application may be made to such court for a judicial acceptance of the award and an order of enforcement, as the law of such jurisdiction may require or allow.
3.0 Exception
a) Injunctive Relief. Notwithstanding anything to the contrary in this Exhibit G, either Party may seek provisional, temporary or preliminary injunctive relief, in response to an actual or threatened breach of the Services Agreement, or otherwise so as to avoid irreparable harm or damage, or to maintain the status quo, until the Dispute is resolved.
b) Mutual Agreement. The Parties may take any other action to resolve the Dispute, whether or not permitted by or in conflict with this Exhibit G, if the action is specifically agreed to in writing by the Parties.
4.0 Miscellaneous.
a) Confidentiality. The proceedings of all negotiations and mediations as part of the Dispute Resolution Procedures shall at all times be privately conducted. The Parties agree that all information, materials, statements, conduct, communications, negotiations, mediations, offers of settlement, documents, decisions, and awards of either Party, in whatever form and however disclosed or obtained in connection with the Dispute Resolution Procedures:
(i) shall be considered Confidential Information (subject to Section 11.3 (Exclusions) of the Master Agreement);
(ii) shall not be offered into evidence, disclosed, or used for any purpose other than the Dispute Resolution Procedures; and
(iii) will not constitute an admission or waiver of rights.
b) Continued Performance. Except where clearly prevented by the nature of the Dispute or where restrained or enjoined by a court or tribunal with appropriate jurisdiction, the Parties agree to continue performing their respective obligations under the Services Agreement while a Dispute is being resolved.
c) Tolling. The exercise of the Dispute Resolution Procedures in this Exhibit G to resolve a Dispute shall toll the running of any statute of limitations applicable to that Dispute, effective as of the initial meeting held pursuant to these Dispute Resolution Procedures specifically regarding the Dispute.
EXHIBIT H
PROVISIONS FOR ACCOUNT GOVERNANCE
These Provisions for Account Governance are Exhibit H to that certain Services Agreement, dated , 2011 between ARIA and the Company.
Capitalized terms used in this Exhibit H but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
1. Relationship Managers.
1.1. ARIA Key Contact:
(a) | During the term of the Services Agreement, ARIA will designate a senior-level individual who will be dedicated to Company’s account (the “ARIA Key Contact”). |
(b) | ARIA will identify the ARIA Key Contact in Exhibit D to the Services Agreement. |
(c) | The ARIA Key Contact will be deemed a “Key ARIA Personnel”. |
(d) | The ARIA Key Contact: |
• | must be approved by Company; |
• | will be the primary contact for Company in dealing with ARIA under the Services Agreement; |
• | will have overall responsibility for managing and coordinating the delivery of the Services; |
• | will meet regularly with the Company Relationship Manager; |
• | will have the power and authority to make decisions with respect to actions to be taken by ARIA in the ordinary course of day-to-day management of Company’s account in accordance with the Services Agreement; and |
• | will serve as an escalated point of contact for service delivery issues in accordance with the Dispute Resolution Procedures. |
1.2. Company Relationship Manager:
(a) During the term of the Services Agreement, Company will designate a senior level individual (“Company Relationship Manager”) who will:
• | serve as Company’s primary contact for ARIA in dealing with Company under the Services Agreement; |
• | have the power and authority to make decisions with respect to actions to be taken by Company in the ordinary course of day-to-day management of the Services Agreement; and |
• | serve as an escalated point of contact for any service delivery issues in accordance with the Dispute Resolution Procedures. |
(b) Company will designate the Company Relationship Manager in Exhibit D to the Services Agreement.
1.3. Company Relationship Manager & ARIA Key Contact Meetings:
• | Throughout the term of the Services Agreement, the Company Relationship Manager and the ARIA Key Contact shall meet periodically, at such times as either of them may request and in any event at least monthly, to review each Party’s respective performance under the Services Agreement; |
• | All such meetings shall take place at mutually agreeable locations or, if mutually agreed, by telephone conference call or video conference, and the results of such meetings shall be communicated to the Executive Steering Committee (as such term is defined herein) at its next meeting; |
• | For each such meeting, the Company Relationship Manager and the ARIA Key Contact shall agree to and publish an agenda sufficiently in advance of the meeting to allow meeting participants a reasonable opportunity to prepare for the meeting; |
• | The meetings shall address, at a minimum: Service Level performance and exceptions, issues for escalation to the Executive Steering Committee, delinquent actions of either Party, project status, forecast of volumes, and upcoming audits or compliance reviews. |
2. Executive Steering Committee.
2.1. Executive Steering Committee. The Parties shall form and participate in a steering committee (“Executive Steering Committee”) in accordance with the provisions of this Exhibit H for the following purposes:
(i) | to provide leadership and direction for the relationship during the period that ARIA is obligated to perform and deliver the Services; |
(ii) | to monitor the performance of the Parties under the Services Agreement against the purposes and objectives for the Services Agreement; |
(iii) | to assist in prioritizing ARIA’s activities; |
(iv) | to assist the Parties in resolving Disputes; |
(v) | for such purposes set forth in this Exhibit H; and |
(vi) | to report to Company and ARIA regarding each of the foregoing areas. |
2.2. Executive Steering Committee Membership. The Parties agree:
(i) | the Executive Steering Committee shall have been formed no later than the Effective Date of the Services Agreement, or as of such other date as is agreed to by the Parties; |
(ii) | the Executive Steering Committee shall consist of representatives from both Parties; |
(iii) | the membership of the Executive Steering Committee will be mutually agreed upon; and |
(iv) | Company shall designate one of its representatives on the Executive Steering Committee to act as the chairperson at each meeting of the Executive Steering Committee. |
2.3. Executive Steering Committee Meetings. The Parties agree:
a) | The Executive Steering Committee shall meet at least once per month (or at such other more frequent intervals as it may determine by a majority vote of its representatives) and at any time upon request and at least thirty (30) days’ prior written notice by either Party. Meetings of the Executive Steering Committee shall be conducted in person or by telephone conference; |
b) | Responsibilities of the Executive Steering Committee: The Executive Steering Committee shall: |
(i) | Set direction and goals for the sourcing relationship and ensure alignment between Company and ARIA; |
(ii) | Review achievement of key milestones and deliverables; |
(iii) | Review periodic reports from the Company Relationship Manager and ARIA Key Contact and periodic Service Level performance reports; |
(iv) | Advise with respect to Company’s strategic and tactical decisions regarding the establishment, budgeting and implementation of Company’s priorities and plans for the Services; |
(v) | Review the Parties’ overall performance under the Services Agreement; |
(vi) | Review long-term planning with respect to matters related to the Services Agreement; |
(vii) | Periodically evaluate the business and operating strategies of each Party relating to the Services and recommend to the Parties modifications to, and evolution of, the Services (including the Service Levels) to optimize such strategies, and evaluate and report to the Parties the reasonable effect that any such modifications of the Services may have on the Charges under the Services Agreement, taking into account all relevant material facts and circumstances (including reasonable opportunities for ARIA to use its scale, leverage and expertise to mitigate costs associated with such changes); |
(viii) | Serve as a point of escalation pursuant to the Dispute Resolution Procedures; and |
(ix) | Consider such other issues or matters related to the Services or the Services Agreement as either Party may from time to time desire. |
2.4. Limited Authority. Neither the Executive Steering Committee nor any representative of the Executive Steering Committee acting in his or her capacity as an Executive Steering Committee representative shall have any power or authority to act on behalf of either Party, except for the limited powers and authorities of the Executive Steering Committee set forth in this Exhibit H.
EXHIBIT I
PROCEDURES MANUAL REQUIREMENTS
These Procedures Manual Requirements are Exhibit I to that certain Services Agreement, dated , 2011 between ARIA and the Company.
1. Definitions.
Capitalized terms used in this Exhibit I but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
2. Introduction.
Unless otherwise specified, references to “Section” refer to the applicable Section of this Exhibit I. The purpose of this Exhibit I is to provide an outline for the Procedures Manual to be prepared by ARIA (subject to approval by the Company) during the Transition for the Services Agreement. To further such purposes, this Exhibit I provides a template for the table of contents and descriptions, without limitation of additional content, for the Procedures Manual.
3. Procedures Manual Creation and Updates.
ARIA will create and maintain written procedures for activities performed on behalf of the Company. The written procedures are subject to the approval of the Company. The activities to be documented include but are not limited to:
• | Processing |
• | Banking |
• | Communications – internal and client |
• | Do Not Call |
• | Control monitoring |
• | Technology |
• | Review of data for accuracy and completeness, regardless of source |
• | Data modeling, calculation and transformation |
Written procedures shall be provided within a reasonable time upon request of the Company and its duly authorized independent auditors.
EXHIBIT J
COMPANY SECURITY POLICY
This Company Security Policy is Exhibit J to that certain Services Agreement, dated , 2011 between ARIA and the Company.
1. | Overview. The purpose of this Exhibit J is to define the Information Security practices that ARIA is required to establish, administer and maintain to protect Company Information Assets. |
2. | Policy. It is Company’s policy that the following Information Security practices be established, administered and maintained by any third party having access to Company Information Assets, without exception. |
3. | Definitions. |
Capitalized terms used in this Exhibit J but not otherwise defined herein or in Exhibit M, shall have the respective meanings as set forth in the Services Agreement.
a. | “Agent” means anyone who, through either an agency or contractual relationship, has authority to view, host, store, process, transmit, print, back-up or destroy Company Information Assets. |
b. | “Agreement” means the Services Agreement entered into between the Company and ARIA, and to which this document is attached as an Exhibit. |
c. | “Company Information Assets” are Information Assets belonging to or under the control of Company, including without limitation, all information and data provided by Company to ARIA in any form, and any information or data generated as a result thereof (excluding any information that is properly of public record or that Company provides written permission for its disclosure). |
d. | “Information Assets” is defined as information and data in any form, whether electronic, hardcopy, photographic image, microfiche or microfilm or in digital, magnetic, optical or electronic form, including non-public personal information. It also includes all computing, network, and telecommunications systems and equipment which view, host, store, process, transmit, print, back-up or destroy information and data (e.g. personal computers, laptops, workstations, servers, network devices, software, portable storage devices, electronic storage media, cabling, and other computing and infrastructure equipment). |
e. | “Information Security” is defined as the protection against the loss of Information Assets’ confidentiality, integrity and availability. |
f. “Information Security Breach” is defined as any unauthorized act that bypasses or contravenes Company’s information security measures as defined herein. It also encompasses the unauthorized use or disclosure of, or unauthorized access to or acquisition of, Company Information Assets.
g. “Information Security Program” is defined as the collection of policies, standards, Security procedures and controls, taken as a whole and implemented by Company or ARIA, that are designed to protect the confidentiality, integrity, and availability of Information Assets.
h. “Information Security Vulnerability” is defined as a weakness in information security controls which could be exploited to gain unauthorized access to Company Information Assets.
i. “Physical Security” or “Physically Secured” is defined as the protection of information in hardcopy form against loss or unauthorized acquisition, access or disclosure during its production, storage, distribution, use or destruction. It also encompasses the protection of information technology hardware, infrastructure and facilities, as well as power or environmental control utilities used in data processing operations to protect against damage, destruction, or misuse of Information Assets.
j. “ARIA” is defined to include any third party who views, hosts, stores, processes, transmits, prints, backs-up or destroys any Company Information Assets. It includes all parties including Agents that the ARIA may hire or contract with to store, transmit, process or destroy any Company Information Assets acting on behalf of the ARIA.
4. Organizational Roles and Responsibilities. ARIA organizational roles and responsibilities must include a chief information security officer, or comparable role assigned to one of ARIA’s officers or senior management, to be responsible for the establishment, administration, and maintenance of a comprehensive written Information Security Program. The Information Security Program must include, at a minimum, the practices described in this Exhibit J.
5. Non-Disclosure of Company Information Assets. ARIA acknowledges that the unauthorized release or misuse of the Information Assets could cause harm to the business reputation of either or both ARIA and Company. ARIA will not, and will cause its employees and Agents engaged in providing services to Company to not, take any action or omission which would result in the unauthorized release or misuse of the Information Assets of Company. Any actual or suspected Information Security Breach experienced by ARIA involving Company Information Assets, must be reported in writing by ARIA to Company within twenty-four (24) hours of its detection.
6. Information Framework and Right to Audit.
a. The ARIA’s Information Security Program shall conform to the framework set forth by the International Standards Organization in a standards document entitled “Code of practice for information security management” (ISO/IEC 27002:2005, as may be amended from time to time). In addition to the standards outlined therein, ARIA’s Information Security Program must include the practices described in this Exhibit J. ARIA’s Information Security Program must be reviewed annually or whenever there is a material change in business practices that may implicate the security program.
b. ARIA shall grant Company, or a third party on Company’s behalf, permission to perform an audit or assessment of ARIA’s compliance with the Information Security Program requirements at least annually, and following any Information Security Breach of ARIA involving Company Information Assets. The audits or assessments may be written or physical or as otherwise determined by Company. At Company’s request at any time during the term of this Agreement, ARIA agrees to certify in writing to Company ARIA’s compliance with the terms of this Exhibit J.
c. Company may audit ARIA’s Business Continuity Plan (“BCP”) and Disaster Recovery (“DR”) materials which pertain to or affect Company Information Assets, including BCP and DR plans and test results, at least annually, and following any man-made or natural disaster.
7. General Information Security Requirements.
a. ARIA must ensure appropriate segregation of duties exists for all job functions and roles performed by its employees and Agents to ensure that no individual, within or external to ARIA’s organization, has conflicting duties that could jeopardize Company Information Assets.
b. Company Information Assets should not be divulged in any way to anyone without a specific valid business “need to know” and Company written authorization.
c. Access to all Company Information Assets must:
1. adhere to the principle of “least privilege,” ensuring that only the most minimal level of access needed for a given job function is granted to ARIA’s employees and its Agents;
2. be restricted to only authorized personnel who have a specific business “need to know.”
d. Computer services employed to view, host, store, process, transmit, print, back-up or destroy Company Information Assets must adhere to the principle of “least privilege,” ensuring that only the most minimal level of access needed to perform processing is granted to these computer services.
e. Hardware and software owned by ARIA personnel must not be allowed to connect to or interact with Company’s network without:
1. an appropriately scoped risk assessment, including the identification of existing and compensating controls based upon the requirements within this Exhibit;
2. verification of the implementation of controls identified within the risk assessment;
3. obtained approvals of Company IT Network Management and the appropriate Chief Information Officer of the enterprise or division of Company involved.
f. ARIA’s users should not be allowed to install their own personal software on ARIA Information Assets.
g. ARIA portable devices that store, process, transmit or destroy Company Information Assets, such as laptops, personal digital assistants, Blackberries®, smart phones, hand-held or palmtop computers, portable memory drives, and other similar portable devices must be configured to make use of industry standard encryption technology that fully protects these devices’ storage and transmission capabilities from unauthorized access.
8. Information Asset Classification and Management. ARIA must classify and control its Information Assets to indicate the ownership, custodianship, and degree of sensitivity consistent with Company’s Information Asset classification in order to ensure that Company Information Assets receive an appropriate level of protection by ARIA. The inventory of ARIA’s Information Asset classification repository must be maintained and kept current. Recommended classifications are as follows:
a. Non-sensitive Business Data and Public Information Assets.
1. “Non-sensitive Business Data” refers to all Information Assets determined by Company to not be sensitive or confidential as defined below;
2. “Public Information” refers to all Information Assets that come from public sources or are provided by Company to the general public; examples include periodicals, public bulletins, published company information, published press releases, etc.
b. Confidential and Proprietary Company Information Assets.
1. “Confidential” or “Proprietary Information Assets” refers to Information Assets that are internal to Company, though they may be shared with Vendor under the terms of the Agreement, and are not considered by Company to be Public Information; examples include unpublished corporate financial information, information about impending mergers and acquisitions, dormant account information, marketing plans, passwords and encryption keys, employee and Company non-public personal information (such as personally identifiable information, personal financial information or personal protected health information), product designs, Company records and correspondence, and other information or data which if disclosed without appropriate authorization could result in a competitive disadvantage or liability or loss to the Company.
c. Record retention periods that meet federal and state retention requirements must be established and maintained by ARIA. In addition, Company may provide specific retention requirements that ARIA will apply, including but not limited to, retention for compliance, litigation, legal or regulatory purposes.
d. Destruction of Company Information Assets must not occur without authorization from Company management. The destruction methodologies must be performed in a secure manner such that the information cannot be read or re-created after disposal. ARIA is encouraged to adhere to the guidelines provided by the National Association for Information Destruction, which can be found at xxxx://xxx.xxxxxxxxxx.xxx. ARIA must also take into consideration the impact of disposal on the environment.
9. Human Resources Management. The following administrative requirements must be implemented by ARIA where Company Information Assets are stored, processed, transmitted, or destroyed; except as may be otherwise required for compliance, litigation or legal or regulatory purposes.
a. ARIA employees and Agents must be subject to a sufficient criminal background check prior to employment to ensure people with a criminal history do not have access to Company Information Assets. The ARIA agrees it will provide no employees or Agents who have been convicted of a felony involving theft, dishonesty, or breach of trust, or any other crime that disqualifies someone from working in the business of insurance as set forth in the Federal Crime Xxxx. Further, ARIA will conduct a background check on each employee or Agent that is sufficient to screen out those who have been convicted of crimes involving behavior that, if it occurred on the Company’s site, could result in injury to people or impairment of assets.
b. ARIA must follow a documented method or procedure that governs the creation, suspension, cancellation, modification, and deletion of user accounts for its employees and Agents. These methods or procedures must include, at a minimum, the following:
1. Employees and Agents with valid user accounts must have their user accounts disabled immediately upon termination of employment or business engagement;
2. Employees and Agents who experience an absence longer than sixty (60) days must have their user accounts disabled. These user accounts may be re-enabled upon their return to work; otherwise, these accounts shall be deleted upon termination of the Employee or Agent;
3. Employees and Agents whose job responsibilities change must have their access levels reviewed to determine if changes need to be made in order to ensure they do not have access to Information Assets for which they do not have a specific business need.
c. During employment or when under contract:
1. ARIA must include Information Security requirements within job descriptions or other written documentation for ARIA employees and Agents whose job roles will have access to Company Information Assets;
2. ARIA must maintain an Information Security awareness and training program for its employees and Agents to ensure the employees and Agents are aware of their responsibility to protect and maintain the confidentiality and security of ARIA and Company Information Assets;
3. ARIA shall impose disciplinary measures for violations of its Information Security Program.
d. Upon termination of employment or contract:
1. ARIA shall notify Company in writing within 24 hours when ARIA’s employees and Agents who have access to Company’s network and internal systems are reassigned and no longer need access, or are no longer working for ARIA, thereby enabling Company to remove access in a timely manner;
2. XXXXx must secure all Company Information Assets within their custody from employees and Agents upon termination of employment or contract.
10. Physical Security.
a. Access to Company Confidential Information Assets must be controlled to protect the confidentiality, integrity, and availability of Company Confidential Information Assets with appropriate administrative, logical, and physical safeguards, including but not limited to:
1. locking office doors;
2. securing storage containers;
3. shredding or otherwise securely destroying Information Assets at appropriate times.
b. Physical entry to ARIA’s premises must be controlled such that unauthorized entry is prevented, detected and reported to appropriate ARIA personnel immediately. All entry and exit points must be secured, logged and monitored to ensure only authorized personnel may gain entry to ARIA’s buildings and secured areas.
c. Where ARIA has utilized identification badges or similar tokens for its employees and Agents, a documented process must exist, along with supporting procedures, to ensure lost badges and tokens are disabled immediately upon notification of the loss.
d. When an ARIA employee or other Agent is terminated, procedures must exist to ensure the identification badges are immediately disabled.
e. All Company Information Assets in ARIA’s possession must be physically secured in an access-controlled area, in a locked room, or secured storage container or file cabinet.
f. Company Information Assets must not be removed from ARIA’s premises without written consent from Company and written authorization from ARIA management.
g. All Company Information Assets, together with ARIA Information Assets used to provide services to Company, must be protected to minimize the risk of physical and environmental threats that could jeopardize Information Asset confidentiality, integrity, and availability.
h. Physical access to computer sessions must be secured when a user who is actively logged into a session is not physically present to monitor activity and viewing of Information Assets displayed within that session. Examples of physical controls include, but are not limited to:
1. utilizing screen savers which lock the screen and keyboard access after a short period of inactivity;
2. manually locking the keyboard;
3. physically securing the office where the computer resides;
4. positioning the monitor away from an unauthorized view.
11. Information Back-up.
a. Adequate backup facilities should be provided to support the recovery of Company Information Assets in accordance with Company disaster recovery requirements and record retention schedules. Minimal requirements include:
1. Media containing back-up copies of Confidential and Proprietary Company Information Assets should be encrypted using industry standard methods to conceal these Information Assets from unauthorized access;
2. The back-up storage media used to store Company Information Assets must be of a type that has been determined by ARIA to be appropriate for the confidentiality and retention requirements of the data it will contain;
3. As it is critical that the back-up storage media be machine readable in the event it is needed for restore and recovery operations, random controlled testing of the restoration process must occur;
4. Back-up copies of Company Information Assets, together with complete and accurate records of the back-up copies, must be stored at a physically secured offsite location as a measure of protection against total loss of Information Assets in the event of a system failure or disaster;
5. Company Information Assets should be backed up on a schedule that aligns with disaster recovery requirements. This schedule includes requirements for weekly full backups, daily incremental backups, quarter end backups and year end backups;
6. No more than one (1) full back-up and six (6) days of subsequent incremental back-ups may be stored on ARIA premises at any time.
12. Network Security.
a. Company may terminate any network or other Remote Connection with ARIA at any time without warning if it is suspected or confirmed that any such connection is not secure.
b. Company Information Assets must not exist on any computer or device that is directly exposed to the Internet or other non-ARIA network, unless specifically authorized by Company in writing.
c. ARIA shall establish and maintain appropriate controls for its electronic interfaces and connections between its own systems and those of others (“Remote Connections”) utilizing industry best practices.
d. Devices must be verified prior to connecting to the Company or ARIA network segments where Company Information Assets reside to comply with the following hardening requirements to protect from compromise:
1. Devices must employ an antivirus and file integrity checking system with:
(1) A method for updating antivirus definition information to be current at all times;
(2) Enabled real-time antivirus scanning of system activity, including all accessed files and memory;
(3) Scheduled weekly full directory and file antivirus scan;
2. Devices must employ up-to-date system software, including but not limited to, up-to-date system software patches and security updates;
3. Devices must employ a firewall, proxy or other network traffic filtering technology to deny invalid in-bound traffic to and reasonably protect out-bound traffic from that device;
4. System logs or equivalent tracking software must be configured to reasonably capture common errors and invalid access attempts;
5. The integration of new software on devices granted connectivity permission must be preceded by a risk assessment and incorporate formal change control procedures to determine and protect the impact to the Company network.
e. Permission to connect any device to the Company network shall be preceded by:
1. A Company risk assessment to determine the impact to the Company network;
2. Approvals from Company, including its IT Network Manager, impacted technical IT managers, and a divisional Chief Information Officer or his/her designee.
f. ARIA networks must have firewalls deployed at the network perimeter to deny unauthorized in-bound and inappropriate out-bound network traffic from the Internet and other non-ARIA networks.
g. ARIA applications and systems that view, host, store, process, transmit, print, back-up or destroy Company Information Assets must be logically segregated from other systems on the ARIA internal network by an appropriate firewall- or proxy-based, or similar, architecture that will disallow unauthorized in-bound and out-bound connections to Company Information Assets.
h. Intrusion detection systems or intrusion prevention systems must be in place to provide reasonable logging and protection against malicious network activity. These systems should be configured to alert appropriate information security and information technology personnel who will then bear the responsibility to take action to disallow said network activity from affecting Company Information Assets.
i. Unattended network ports must be secured or disabled when not in use. Where business requirements justify the need, network ports may remain active provided that ARIA management has reviewed the business need and there is documented approval. Examples of such need would include network ports in conference rooms, shared work areas, etc.
j. Wireless network access points must be configured to ensure that only authorized ARIA devices may establish a connection to the ARIA internal network where Company Information Assets are viewed, hosted, stored, processed, transmitted, printed, backed-up or destroyed. Further, the wireless network connections established must utilize industry best practices for encryption and other appropriate safeguards designed to protect against unauthorized access and use.
13. System Event Logging, Monitoring, and Reporting.
a. ARIA computer and network systems used to provide services to Company must log significant events including, but not limited to, the following:
1. Unauthorized attempts to access ARIA network or Company Information Assets must be captured and securely logged in such a way to support error handling and forensic needs;
2. Logs must be configured or secured such that they cannot be viewed or altered by anyone without authorization, including those with administrative privileges, unless such access is also logged in a tamper-evident manner;
3. Logs of unsuccessful login attempts to network and unsuccessful access to Information Assets must be reviewed on a regular basis to detect and appropriately act upon anomalous and suspicious system access attempts;
4. When suspicious or anomalous activity is detected during a review of the aforementioned logs, it should be reported as directed by approved event handling procedures aligning with ISIRP plans.
14. Logical Access.
a. All computer-based information systems connected to any portion of the ARIA network where Company Information Assets are located or processed must employ, at a minimum, the following requirements:
1. ARIA shall grant access to each user on a personally identifiable unique user account;
2. Wherever technically possible, the password settings for each user account must be configured using the following minimal configuration:
(1) Minimum of eight (8) characters in length and contain characters from at least three (3) of the following four (4) character types:
(a) upper case alpha characters;
(b) lower case alpha characters;
(c) numeric characters;
(d) special characters (e.g., !, $, @, etc.).
(2) Expiration of password must be minimally set as follows:
(a) Set to automatically require password changes, at a maximum, every sixty (60) days, for user accounts and any system account where the setting will not hinder production processing;
(b) If the automatic expiration of a system account would potentially cause the risk of interruption of production processing, password changes may occur manually with the following alternate controls in place:
(i) The system account is assigned a unique owner who is ultimately responsible for the disposition and usage of the account and password;
(ii) The system account is configured with advanced complex password creation rules (e.g., extended password length, hashing algorithms, etc.);
(iii) The system account is limited wherever possible to allow log on capabilities only to required computers and/or services;
(iv) The system account is changed manually at least once a year and upon turnover of staff at the earliest time available so as not to affect processing;
(v) The system account complies with all other requirements within this Exhibit.
3. The password settings for each ARIA-supplied default account must be changed and configured using the minimal configuration outlined in Section 14.a.2.
4. Accounts with any access to Company Information Assets must be configured wherever technically possible to disallow login capability after a maximum of seven (7) consecutive unsuccessful login attempts, or a lesser number where otherwise required (e.g., by PCI).
b. Passwords must be stored in an encrypted form in the user identity database, and must be rendered unreadable during transmission and storage (e.g., appropriately concealed within strongly restricted directories, etc.) if embedded within batch files, automatic login scripts, software macros, terminal function keys, on computers where access controls are otherwise disabled, or any location where unauthorized individuals might discover them.
c. Passwords must be changed immediately if it is discovered that they have been disclosed to or discovered by unauthorized parties.
d. ARIA systems must be configured wherever technically possible to disable user sessions after a reasonable period of inactivity, based upon business risk.
e. Additional and/or stronger logical access safeguards may be implemented by ARIA at its discretion, so long as such additional controls do not neutralize nor negate the effectiveness of existing controls for Company Information Assets as outlined within this Exhibit.
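The logical access rules in Section 14.a translate directly into checks a vendor can run against its own identity store before Company's annual audit. The following is an added example, not part of this Exhibit or of either party's systems: it encodes the complexity rule (14.a.2(1)), the 60-day expiry and the manual-rotation alternate controls for system accounts (14.a.2(2)), and the seven-attempt lockout (14.a.4), and evaluates constructed account records against them. The record fields and the audit date are assumptions chosen for illustration.

```python
"""Compliance-as-code checks for the Exhibit J, Section 14.a password and
lockout rules. Added example; the Account fields are assumed for illustration,
not taken from any real identity system."""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 8                # 14.a.2(1): at least eight characters
MIN_CHARACTER_CLASSES = 3     # 14.a.2(1): three of the four character types
MAX_PASSWORD_AGE_DAYS = 60    # 14.a.2(2)(a): automatic change at most every 60 days
MAX_SYSTEM_ROTATION_DAYS = 365  # 14.a.2(2)(b)(iv): manual change at least yearly
MAX_FAILED_ATTEMPTS = 7       # 14.a.4: lock out after seven consecutive failures


def character_classes(password: str) -> int:
    """Count how many of the four classes in 14.a.2(1)(a)-(d) are present."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def password_meets_complexity(password: str) -> bool:
    """Enforcement-side check, to be applied when a password is set (14.a.2(1))."""
    return (len(password) >= MIN_LENGTH
            and character_classes(password) >= MIN_CHARACTER_CLASSES)


@dataclass
class Account:
    """Audit-side view of one account; no password material is held here."""
    user_id: str
    shared: bool               # 14.a.1: accounts must be personally identifiable
    password_set_on: date      # date of the last password change
    failed_attempts: int       # consecutive unsuccessful logins recorded
    locked: bool               # whether the system has disabled login
    lockout_threshold: int     # failures configured to trigger lockout (0 = none)
    is_system_account: bool = False
    manual_rotation: bool = False   # 14.a.2(2)(b): expiry replaced by manual change
    has_named_owner: bool = False   # 14.a.2(2)(b)(i)


def evaluate_account(acct: Account, today: date) -> list[str]:
    """Return one finding string per Section 14.a requirement the account fails."""
    findings: list[str] = []
    if acct.shared:
        findings.append("14.a.1: account is shared, not personally identifiable")

    age_days = (today - acct.password_set_on).days
    if acct.is_system_account and acct.manual_rotation:
        # Alternate controls apply only with a unique owner and yearly rotation.
        if not acct.has_named_owner:
            findings.append("14.a.2(2)(b)(i): system account has no unique owner")
        if age_days > MAX_SYSTEM_ROTATION_DAYS:
            findings.append(f"14.a.2(2)(b)(iv): password is {age_days} days old, "
                            f"manual change required at least yearly")
    elif age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"14.a.2(2)(a): password is {age_days} days old "
                        f"(maximum {MAX_PASSWORD_AGE_DAYS})")

    if acct.lockout_threshold <= 0 or acct.lockout_threshold > MAX_FAILED_ATTEMPTS:
        findings.append(f"14.a.4: lockout threshold {acct.lockout_threshold} is "
                        f"disabled or exceeds {MAX_FAILED_ATTEMPTS}")
    if acct.failed_attempts >= acct.lockout_threshold > 0 and not acct.locked:
        findings.append("14.a.4: failure threshold reached but login still allowed")
    return findings


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each non-compliant user_id to its findings; compliant accounts are omitted."""
    report = {a.user_id: evaluate_account(a, today) for a in accounts}
    return {uid: f for uid, f in report.items() if f}


# Constructed sample records; the audit date is the Services Agreement's Effective Date.
AUDIT_DATE = date(2011, 8, 4)
SAMPLE_ACCOUNTS = [
    Account("jdoe", False, date(2011, 7, 1), 2, False, 5),
    Account("helpdesk", True, date(2011, 5, 1), 0, False, 10),
    Account("svc_batch", False, date(2011, 1, 1), 0, False, 5,
            is_system_account=True, manual_rotation=True, has_named_owner=True),
    Account("svc_report", False, date(2010, 6, 1), 7, False, 7,
            is_system_account=True, manual_rotation=True),
]

if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(uid)
        for line in findings:
            print("  -", line)
```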
15. System Development.
Application and system development must follow a defined and documented systems development life cycle (“SDLC”) methodology that includes a preliminary review of information security requirements to ensure, at a minimum, the following:
1. Vulnerability testing must be performed to ensure common security weaknesses are detected and corrected prior to being implemented;
2. There must be separate physical or logical environmental partitions separating development, test, staging and production environments;
3. The use of data within non-production environments must adhere to the following at a minimum:
(1) Wherever possible, fictitious data based upon real data cases must be employed in test environments;
(2) If Company Information Assets are used, the same controls must exist as within the production environment;
(3) If Company Information Assets are used, they must be immediately removed from all non-production environments upon the completion of their use;
(4) Handling and destruction of sensitive non-production data and output must be treated with the same level of confidentiality as if it were production;
4. Logical access controls must be defined, tested and incorporated to ensure they work as designed and support the ability to restrict access to only those Company Information Assets required for ARIA and Company business requirements, while also supporting the principle of least privilege;
5. Segregation of duties must be incorporated into the design of applications and systems to prevent the ability of a single person to perform multiple functions that could lead to fraud, theft, or other illicit or unethical activity through the use of the functions of the applications and systems where Company Information Assets are stored, processed, transmitted, or destroyed;
6. Web-based applications exposed to the Internet must ensure vulnerability testing is performed to ensure the most common vulnerability weaknesses based upon industry best practices are identified and remediated to prevent them from being exploited in a way that could lead to unauthorized access to or disclosure of Company Information Assets;
7. A formal, documented change management process must be used when making changes to applications and systems that view, host, store, process, transmit, print, back-up or destroy Company Information Assets. This change management process must, at a minimum, include the following:
(1) Each change must be reviewed and approved by appropriate ARIA and Company management;
(2) Changes to applications and systems must not be deployed into production environments by the same people who do the development and quality assurance of applications and systems;
(3) A record of all changes to applications and systems must be maintained that identifies:
(a) a brief description of each change that was made;
(b) who made each change;
(c) test plans and results for each change;
(d) who approved each change;
(e) when each change was made.
16. Information Security Incident Response and Breach Notification.
a. ARIA must establish and maintain a documented Information Security Incident Response program (“ISIRP”) that includes, at a minimum, the following:
1. ARIA must define and document the roles and responsibilities of its ISIRP team members;
2. ARIA ISIRP team members must receive training at least annually to ensure they understand what to do during an Information Security event or incident;
3. ARIA must establish and maintain a documented set of procedures and notification requirements to follow that provides guidance to the ISIRP team when responding to an event or incident;
4. Procedures and other documentation must provide guidance to the ISIRP team regarding Information Security event and incident records. All relevant event and incident logs, along with any related notes of actions taken in response to these events and incidents, must be secured and retained, based upon an approved retention schedule;
b. Company shall be entitled to audit ARIA’s practices and procedures annually to confirm compliance with this Section. In the event the audit determines that ARIA is in material breach of this Section, ARIA will reimburse Company for all direct costs associated with such audit. ARIA shall correct any such breach within five (5) days or Company shall be entitled to terminate the underlying agreement. In addition, in the event ARIA experiences an Information Security Breach, Company shall have the right to conduct a security audit in addition to any audit allowed for under this Section or the underlying agreement.
c. Any unmitigated Information Security Breach experienced by ARIA prior to the execution of the Agreement must be disclosed to Company.
d. Any actual or suspected Information Security Breach experienced by ARIA involving Company Information Assets must be reported to Company promptly and without unreasonable delay, but in no event more than twenty-four (24) hours from its detection. Thereafter, ARIA will, at its own cost and expense:
1. Promptly furnish Company with full details of the Information Security Breach;
2. Take immediate steps to remedy the Information Security Breach in accordance with applicable privacy rights and laws;
3. Cooperate with Company to determine: (1) whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or in Company’s discretion; and (2) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation;
4. Use its best efforts to prevent a reoccurrence of any such Information Security Breach;
5. Assist and cooperate fully with Company in Company’s investigation of the Information Security Breach and/or the ARIA, ARIA’s employees, contractors, subcontractors or third parties related to the Information Security Breach, including but not limited to providing Company with physical access to the facilities and operations affected, facilitating interviews with anyone involved in the Information Security Breach, and making available all relevant records, logs, files, and data;
6. Cooperate with Company in any litigation or other formal action against third parties deemed necessary by Company to protect its rights, and the rights of its clients and users; and
7. Reimburse Company for actual costs incurred by Company in responding to and/or mitigating damages caused by an Information Security Breach.
e. Nothing herein shall prevent Company from taking any actions required by law, including the notification to the appropriate law enforcement agencies.
17. Business Continuity.
a. Business continuity recovery point objectives (“RPO”) and recovery time objectives (“RTO”) must be discussed with Company and agreed to commensurate with the execution of the Agreement. This is done to ensure ARIA recovery capabilities and subsequent commitments to do so will meet Company’s business requirements.
b. ARIA or Agent shall maintain a documented BCP and DR plan which, at a minimum, must:
1. Govern and define the objectives and actions required during a BCP/DR event;
2. Secure offsite copies of appropriate business continuity and disaster recovery documentation for retrieval in a reasonable time period by those who will need access to this information following a disaster event;
3. Define and document business continuity processes and procedures to enable ARIA to perform the actions necessary to maintain critical business functions following a disaster event;
4. Define and document Information Asset disaster recovery procedures to enable ARIA to recover Company Information Assets in a manner consistent with established and agreed upon RPO and RTO business continuity requirements;
5. Prioritize recovery activity based upon a documented inventory of Company Information Assets in accordance with the established and agreed upon RPO and RTO;
6. Define and document a formal communication plan to require that notification of any BCP/DR invocation be provided to Company within twenty-four (24) hours of its occurrence.
18. Compliance.
a. ARIA must comply with all applicable international, state, federal, and private industry regulatory and statutory requirements as may be applicable to the services being provided to Company by ARIA or its Agents. Examples of some of these requirements include adherence to the Health Insurance Portability and Accountability Act (“HIPAA”), the Xxxxx-Xxxxx-Xxxxxx Act (“GLBA”) and the Payment Card Industry (“PCI”) data security requirements.
b. Unlicensed and/or unapproved software must not be used on any Company Information Asset or on ARIA Information Assets.
45
Execution Document
c. | All software installed on ARIA Information Assets must be approved by appropriate ARIA management to ensure it satisfies a business need, configured to conform to the principle of “least privilege,” and is in compliance with applicable technical and information security requirements. |
46
Execution Document
EXHIBIT K
COMPANY POLICIES
1. Introduction.
These Company Policies (and attachment K-1 – Company Records Retention Schedule) are Exhibit K to that certain Services Agreement, dated , 2011 between ARIA and the Company.
2. Definitions.
Capitalized terms used in this Exhibit K (and attachment K-1 – Company Records Retention Schedule) but not otherwise defined herein or in Exhibit L, shall have the respective meanings as set forth in the Services Agreement.
3. Customer Policies.
ARIA shall comply with all Company policies, guidelines and practices with regard to activities performed by ARIA on behalf of the Company. This includes but is not limited to:
• Codes of Conduct
• Bank Account Management and Signatory Authority
• Disbursement Authorization
• Information and Physical Security
• Record Retention
• Separation of Duties
• Privacy
Attachment K-1
To ARIA Administrative Services Agreement
Company Record Retention Requirements
1. General Policies
a. The record retention schedule (“Schedule”) contained within this Attachment K-1 (“Attachment”) and Exhibit K, and which may be revised or amended by the Company from time to time, identifies the records (“Records”) which ARIA will maintain on behalf of the Company;
b. ARIA will maintain the Records in compliance with the Company’s requirements, as established by the Company from time to time, and as outlined in the Schedule and this Attachment;
c. ARIA agrees that in the event of business needs, litigation, regulatory action or investigation, the Company reserves the right to amend, revise, change and/or suspend the Schedule;
d. ARIA agrees that the requirements outlined in Exhibit K and this Attachment shall apply to all Records identified in the Schedule, including Records stored in any format and on any media;
e. The Parties agree that the Company may review ongoing business and legal issues, and retains the right to revise or update its requirements, as needed;
f. ARIA agrees that Records that have been identified as expired, based on the Schedule, will be destroyed in accordance with Company requirements, as outlined in this Attachment and Exhibit K;
g. ARIA agrees to provide an annual report detailing records and storage mediums that have been purged in accordance with the terms outlined in the Schedule and this Attachment;
h. The Parties agree that electronic storage systems, if properly implemented and maintained, are acceptable as a means of retention media, and may be utilized by ARIA in complying with the requirements described in this Attachment and Exhibit K.
2. Schedule
a. The Schedule identifies the Records that ARIA has agreed to maintain on the Company’s behalf, and outlines the required time periods for which the Records must be retained.
b. ARIA agrees that if it is unable to comply with one or more of the requirements of the Schedule (for example, when technical reasons will prevent it from purging expired electronic Records), ARIA must provide the Company with prompt notice, explaining the reason(s) for its inability to comply.
| Record Type | Retention Period |
| --- | --- |
| Bank records | Current year + 7 years |
| Agent licensing | 7 years after termination |
| Audit reports – internal and external | 7 years |
| Complaints | 7 years after disposition of complaint |
| Contracts | 6 years after termination |
| Correspondence with State Insurance Department | Current year + 7 years |
| Litigation | Coordinate with Company |
| Product and Forms | 6 years after business is no longer on the books |
| SOX documentation including control documentation, control reviews and audit reports | Current year + 7 years |
| Advertising | 10 years after discontinuance of use or publication |
| Marketing | 7 years after last use date |
| OFAC – Transaction History | 5 years |
| Operational Risk Management records | Current year + 7 years |
| Contract records and claim files | 7 years after termination |
| Do Not Call records | 7 years |
| Premium remittances | 7 years |
| Agent training / monitoring information and inquiries | 3 years |
| Anti-Money Laundering – proof of training | 6 years after termination |
| Claims investigation for fraud | Current year + 7 years |
3. Legal hold notice (“Legal Hold Notice”).
a. The Legal Hold Notice response plan lists and describes the obligations ARIA has agreed to accept in connection with preserving relevant documents for litigation or regulatory investigations, as required by the Company.
b. ARIA agrees that if a Legal Hold Notice has been issued by the Company, and the order directs ARIA to suspend destruction of Company Records and other documentation, as described in the Legal Hold Notice, ARIA will comply with the Legal Hold Notice.
c. ARIA agrees and understands that, while the Schedule is concerned with the retention and eventual disposal of Company Records, a Legal Hold Notice will usually address all documents matching a certain description, related to a particular topic. Therefore, ARIA agrees and understands that the Legal Hold Notice may be much more far-reaching than the requirements set forth in the Schedule.
d. ARIA agrees that where there is a conflict between the Schedule and the instructions in the Legal Hold Notice, the Legal Hold Notice will always take precedence.
e. ARIA agrees that it must take steps reasonably designed to halt the destruction of any Records and documents, on any media type and in any iteration, subject to a Legal Hold Notice.
f. The Parties agree that when a Legal Hold Notice is no longer required, it will be rescinded by the Company via a legal hold notice release (“Legal Hold Release”) delivered to ARIA. Upon receipt of the Legal Hold Release and upon the effective date of the Legal Hold Release, ARIA agrees to immediately resume normal retention procedures, including purging of expired Records.
4. Purging/Destruction
a. ARIA agrees that it is responsible for purging/destruction of Company Records which have reached the end of their retention period, based on the Schedule, and are not required to be preserved under a Legal Hold Notice.
b. ARIA agrees and understands that the nature of the information contained in the Records, the asset classification, as well as the media on which it is stored dictate the method by which the expired Records should be purged. Additionally, ARIA agrees and understands:
i. Disposition by recycling or daily waste pick up is typically an appropriate mode of purging/destruction. However, Records which contain personal, private, or confidential information must be purged/destroyed in a manner so as to prevent unauthorized access or disclosure of the contents (as required by numerous laws and regulations).
ii. Additional precautions must be taken in purging/destroying such Records (as referred to in the immediately preceding Section 4(b)(i)) so as to make them unreadable or undecipherable through any readily accessible means.
c. ARIA agrees to use and follow the following purging/destruction procedures:
i. Verify that Records have expired, based on the Schedule;
ii. Verify that Company has not placed a Legal Hold Notice requiring preservation of the Records;
iii. If Records are expired and there is no Legal Hold Notice preventing destruction, purge/destroy the Records using the most destructive technique, based on classification and media type.
d. ARIA agrees the following are suitable destruction techniques, based on the media on which Records are stored:
| Media Type (Examples) | Destruction Techniques | Notes |
| --- | --- | --- |
| Databases (DB2, IMS, MS-SQL, Oracle) | Compress; Export / Import; Reorganize | To purge a Record that has been deleted within a database. |
| Film (microfilm, microfiche) | Physical destruction | Chemical, Melting, Incineration, Shredding (cross cut / confetti cut); Cross cut – no larger than 5/32” x 4/5” |
| Magnetic Media (diskettes, tapes, hard-drives) | Bulk erase (except for hard-drives); Destructive write, Secure deletion / erasure; Physical destruction (hammer mill, shredding) | Overwrite with high-values (binary 1’s), low-values (binary 0’s), or random bit patterns. |
| Optical (CD-ROM, DVD) | Physical destruction | Incineration, Melting, Shredding |
| Paper (reports, books, statements) | Incineration; Shredding (cross cut / confetti cut) | Cross cut – no larger than 5/32” x 1 1/16” |
| Solid State (flash drives, memory sticks, PDA / cell phone / BlackBerry) | Destructive write, Secure deletion / erasure; Physical destruction (hammer mill, shredding) | Overwrite with high-values (binary 1’s), low-values (binary 0’s), or random bit patterns. |
EXHIBIT L
DEFINITIONS
These Definitions are Exhibit L to that certain Services Agreement, dated , 2011 between ARIA and the Company.
Capitalized terms used in this Exhibit L but not otherwise defined herein, shall have the respective meanings as set forth in the Services Agreement.
The following terms used in Exhibits A-L shall have the meanings indicated:
“Affiliate” means, with respect to a Party, any entity at any tier that controls, is controlled by, or is under common control with that Party. For purposes of this definition, the term “control” (including with correlative meanings, the terms “controlled by” and “under common control with”) means the possession directly or indirectly of the power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by trust, management agreement, contract or otherwise.
“Agreement” means the Services Agreement and all Exhibits, Schedules, addendums or attachments thereto, and all Change Orders, which documents are incorporated into the “Agreement” by reference.
“Annual Audit Plan” has the meaning set forth in the Services Agreement and Exhibits.
“ARIA Audits” has the meaning set forth in the Services Agreement and Exhibits.
“ARIA Contract Manager” has the meaning set forth in the “Account Governance” Exhibit H to the Services Agreement.
“ARIA Information System” means the hardware, software, data network(s) and systems provided and/or used (whether owned, under contract and/or licensed) by ARIA (including, without limitation, ARIA Equipment) to perform and/or provide the Services.
“ARIA Licensed Software” means ARIA Software developed by Third Parties and licensed to ARIA.
“ARIA Records” has the meaning set forth in the Services Agreement and Exhibits.
“ARIA Software” means the Software used by ARIA or its subcontractors in providing the Services and: (i) owned by ARIA before the Effective Date or acquired by ARIA after the Effective Date; (ii) developed by ARIA; or (iii) developed by Third Parties and licensed to ARIA. ARIA Software includes Software licensed by ARIA pursuant to ARIA Third Party Agreements. For the avoidance of doubt, ARIA Software shall not include ARIA Proprietary Materials.
“ARIA Third Party Agreements” means Software or services that ARIA will obtain or maintain on Company’s behalf pursuant to one or more new or existing agreements between ARIA and a Third Party for such Software or service.
“Assets” means the equipment, Software, goods and other assets which are owned or used by Company or ARIA, or their Affiliates, agents or subcontractors, in connection with the provision or receipt of the Services, including but not limited to the ARIA Information System.
“Audits” means collectively and individually, Company Audits, ARIA Audits, Operational Audits and Financial Audits.
“Business Day(s)” means each Monday through Friday, other than national holidays recognized by the Company. Unless specifically identified as a Business Day, the term “day” shall mean calendar day.
“Change” means: (1) any change to (a) the Services, (b) the Service Levels or (c) ARIA Assets used to provide the Services that, in each case, would alter the (i) functionality, Service Levels or technical environment of the ARIA Assets used to provide the Services, (ii) manner in which the Services are provided, (iii) composition of the Services or (iv) cost to Company or ARIA of the Services; (2) any change to (a) the Locations or (b) the Security Requirements, Disaster Recovery Plan or Company Compliance Requirements; (3) any change that disrupts the provision of the Services; or (4) any amendment, modification, addition or deletion proposed by a Party to the Services Agreement.
“Claim” means any civil, criminal, administrative, regulatory or investigative action or proceeding commenced or threatened by a Third Party, including, without limitation, Governmental Authorities and regulatory agencies, however described or denominated.
“Company Information” means collectively the Confidential Information and Trade Secrets of a Party and/or a designated group including such Party, and, with respect to the Company, includes the Company Data.
“Confidential Information” means with respect to a Party or a designated group including such Party, any and all proprietary information of the disclosing Party, of such group and/or of Third Parties in the possession of the disclosing Party and/or such group, treated as secret or confidential by the disclosing Party and/or such group that does not constitute a Trade Secret. For the avoidance of doubt, Confidential Information also includes: (i) information which has been disclosed to such Party and/or such group by a Third Party, which Party and/or group is obligated to treat as confidential or secret; (ii) with respect to the Company, the Company Data, underlying literary material, creative elements, style guides, research material and data, specifications, processes, technological developments or other proprietary materials as well as other confidential and proprietary information unrelated to the foregoing such as patents, copyrights, trademark, trade secrets, sales and financial data, prices and manufacturing and distribution methods, which ARIA has heretofore obtained or may obtain during the term of the Services Agreement, or which has been or may be developed by ARIA for Company, as well as any proprietary technical or business information of third parties which is made available to ARIA in connection with Services hereunder; (iii) with respect to ARIA, Software and with respect to Company, Company Owned Software and Company Owned Work Product; and (iv) with respect to both Parties, the financial and other terms of the Services Agreement and the Services.
“Critical Services” means the Services identified in the “Critical Services” Exhibit to the Services Agreement.
“Company Auditors” has the meaning set forth in the Services Agreement and Exhibits.
“Company Audits” has the meaning set forth in the Services Agreement and Exhibits.
“Company Competitors” means any company that is authorized to issue, underwrite or reinsure annuity contracts or life insurance policies.
“Company Compliance Directives” has the meaning set forth in the Services Agreement and Exhibits.
“Company Compliance Requirements” has the meaning set forth in the Services Agreement and Exhibits.
“Company Relationship Manager” has the meaning set forth in the “Account Governance” Exhibit H.
“Company Data” means: (i) all data and information generated, provided or submitted by, or caused to be generated, provided or submitted by, the Company in connection with the Services; (ii) all data and information regarding the business and customers and potential customers of the Company collected, generated or submitted by, or caused to be generated, provided or submitted by, ARIA and/or its Affiliates and subcontractors; (iii) all such data and information processed or stored, and/or then provided to or for the Company, as part of the Services, including, without limitation, data contained in forms, reports and other similar documents provided by ARIA as part of the Services; and (iv) Personally Identifiable Information.
“Company Policies” has the meaning set forth in Exhibit K.
“Disaster Recovery Plan” means the disaster recovery plan set forth in “Disaster Recovery Requirements” in Exhibit F to the Services Agreement or developed by ARIA in accordance with Exhibit F.
“Disaster Recovery Services” means those services described in Exhibit F of the Services Agreement and the “Disaster Recovery Requirements” described in Exhibit F of the Services Agreement. The Disaster Recovery Services are part of the Services.
“Dispute” means any dispute, controversy or Claim, including, without limitation, situations or circumstances in which the Parties are required to mutually agree on additions, deletions or changes to terms, conditions or charges, arising out of, or relating to, the Services Agreement.
“Dispute Resolution Procedures” means the process for resolving Disputes set forth in the “Dispute Resolution Procedures” Exhibit G.
“Effective Date” means the date as set forth in the Services Agreement.
“Execution Date” means the date of execution of the Services Agreement by the Parties as set forth on the signature page thereof.
“Exhibit(s)” means an attachment to the Services Agreement and as such attachment may be amended from time to time.
“Exploit” means, with respect to any item or intangible, the ability to access, modify, distribute, maintain, enhance or use such item or intangible.
“Financial Audits” has the meaning set forth in the Services Agreement and Exhibits.
“Intellectual Property Rights” means any and all intellectual property rights existing from time to time under any Law including patent law, copyright law, semiconductor chip protection law, moral rights law, trade secret law, trademark law (together with all of the goodwill associated therewith), unfair competition law, publicity rights law, or privacy rights law, and any and all other proprietary rights, and any and all applications, renewals, extensions and restorations of any of the foregoing, now or hereafter in force and effect worldwide. For purposes of this definition, rights under patent law shall include rights under any and all United States patent applications and patents (including letters patent and inventor’s certificates) anywhere in the world, including, without limitation, any provisionals, substitutions, extensions, supplementary patent certificates, reissues, renewals, divisions, continuations in part (or in whole), continued prosecution applications, requests for continued examination, and other similar filings or stages thereof provided for under the laws of the United States.
“Key Personnel” means those ARIA employees set forth in “Key Personnel” Exhibit D to the Services Agreement.
“Key Service Provider Positions” has the meaning set forth in Exhibit H to the Services Agreement.
“Law” means all applicable laws (including those arising under common law), statutes, codes, rules, regulations, reporting or licensing requirements, ordinances and other pronouncements having the effect of law of the United States, any foreign country or any domestic or foreign state, county, city or other political subdivision, including those promulgated, interpreted or enforced by any governmental or regulatory authority, and any order of a court or governmental agency of competent jurisdiction.
“Locations” means the ARIA Locations set forth in Exhibit C, and at and from which ARIA will provide and perform the Services set forth in the Services Agreement.
“Losses” means all judgments, settlements, awards, damages, fines, losses, charges, liabilities, penalties, interest claims (including taxes and all related interest and penalties incurred directly with respect thereto), however described or denominated, and all related reasonable costs, expenses and other charges (including all reasonable attorneys’ fees and reasonable internal and external costs of investigations, litigation, hearings, proceedings, document and data productions and discovery, settlement, judgment, award, interest and penalties), however described or denominated.
“Notification Related Costs” has the meaning set forth in the Services Agreement and Exhibits.
“Operational Audits” has the meaning set forth in the Services Agreement and Exhibits.
“Organizational Conflict of Interest” has the meaning set forth in the Services Agreement and Exhibits.
“Party or Parties” means Company and/or ARIA, as Parties to the Services Agreement.
“Pass Through Charges” has the meaning set forth in the “Charges” Schedule to the Services Agreement and Exhibits.
“Person” means an individual, corporation, limited liability company, partnership, trust, association, joint venture, unincorporated organization or entity of any kind or nature, or a Governmental Authority.
“Procedures Manual” has the meaning set forth in Exhibit I to the Services Agreement.
“Protected Health Information” has the meaning given such term in section 106.103 of title 45, Code of Federal Regulations.
“Personally Identifiable Information” has the meaning given such term in the Memorandum M-07-16 issued by the Executive Office of the President, Office of Management and Budget, dated May 22, 2007. For purposes of this definition, Personally Identifiable Information includes the nonpublic personal information as defined in 15 U.S.C. §6809(4) or similar privacy statutes enacted by state law. For purposes of this definition, Personally Identifiable Information also includes Protected Health Information.
“Privacy Regulations” has the meaning set forth in the Services Agreement and Exhibits.
“Processing” means any operation or set of operations which is performed upon Personally Identifiable Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Reports” has the meaning set forth in Exhibit E to the Services Agreement.
“Representatives” means employees, subcontractors, consultants, representatives or agents of a Party hereunder.
“Responsibilities” has the meaning set forth in the Services Agreement and Exhibits.
“Security Breach” means: (A) any circumstance pursuant to which applicable Law or Company privacy or security policy or statement requires notification of such breach to be given to affected parties or other activity in response to such circumstance; or (B) any actual, attempted, suspected, threatened, or reasonably foreseeable circumstance that compromises, or could reasonably be expected to compromise, either Physical Security or Systems Security (as such terms are defined herein) in a fashion that either does or could reasonably be expected to permit unauthorized Processing, use, disclosure or acquisition of or access to any Company Data.
“Security Requirements” has the meaning set forth in Exhibit J to the Services Agreement.
“Service Level” has the meaning set forth in the “Service Level Agreement” Exhibit E to the Services Agreement. The “Service Level Agreement” Exhibit E shall be promptly updated and modified from time to time by the Parties to reflect changes to the Service Levels related to the Services Agreement.
“Services” means the services, functions, responsibilities, activities, tasks and projects: (i) to be performed by ARIA and set forth in the Services Agreement, including the “Administrative Services Description” Exhibit A to the Services Agreement, as it may evolve and be supplemented and enhanced during the term; or (ii) that are an inherent, necessary, or customary part of the services or are reasonably necessary for the proper performance and provision of the services.
“Software or software” means any computer programming code consisting of instructions or statements in a form readable by individuals (source code) or machines (object code), and related documentation and supporting materials therefor, in any form or medium, including electronic media.
“Third Party” means a business or entity other than an Affiliate of the Company, or ARIA or its Affiliates.
“Third Party Agreements” means those agreements for which ARIA has undertaken financial, management, operational, use, access and/or administrative responsibility and/or benefit in connection with the provision of the Services, and pursuant to which the Company has contracted with a Third Party Provider to obtain any Third Party products, software and/or services that will be used, accessed and/or managed in connection with the Services. Third Party Agreements are listed on the “Third Party Agreements” Schedule to the Services Agreement, which schedule shall be promptly updated and modified from time to time by the Parties to reflect the then-current Third Party Agreements.
“Third Party Provider” means a business or entity other than the Company or ARIA or their Affiliates that provides products, software and/or services under a Third Party Agreement.
“Trade Secrets” means with respect to a Party and/or designated group including such Party, information related to the services and/or business of the disclosing Party of such group and/or of a Third Party which: (a) derives economic value, actual or potential, from not being generally known to or readily ascertainable by other persons who can obtain economic value from its disclosure or use; and (b) is the subject of efforts by the disclosing Party and/or such group that are reasonable under the circumstances to maintain its secrecy, including without limitation: (i) marking any information clearly and conspicuously with a legend identifying its confidential or proprietary nature; (ii) identifying any oral presentation or communication as confidential immediately before, during or after such oral presentation or communication; or (iii) otherwise, treating such information as confidential or secret. Assuming the criteria in sections (a) and (b) above are met, Trade Secrets include, but are not limited to, technical and nontechnical data, formulas, patterns, compilations, computer programs and software, devices, drawings, processes, methods, techniques, designs, programs, financial plans, product plans, and lists of actual or potential customers and suppliers.