EXHIBIT (1)(i) FORM OF SELLING AGREEMENT
LIFE INSURANCE COMPANY PRODUCT SALES AGREEMENT
THIS AGREEMENT is made by and among each life insurance company (“Insurer”); each principal securities underwriter for Insurer (“Underwriter”); each selling broker/dealer (“Broker-Dealer”); and each selling insurance agency (“Agency”) in the capacities as set forth on Schedule A-Signature Page which is attached to and made a part of this Agreement by this reference. (Broker-Dealer and Agency are collectively referred to as “Producer”). This Agreement is initially effective on the date of first execution by Xxxxxxx.
RECITALS
A. Insurer offers various life insurance policies and annuity contracts (“Products”) for sale to the public which may be registered with the U.S. Securities and Exchange Commission (“SEC”) or not so registered (either “Registered Products” or “Unregistered Products,” respectively). Pursuant to section 3(a)(8) of the Securities Exchange Act of 1934 (“Exchange Act”), Unregistered Products are insurance products under this Agreement which are exempt securities not underwritten by the Underwriter and excluded from the definition of securities issued by an “issuer.”
B. Underwriter has been appointed as the principal underwriter of the Registered Products of Insurer (Insurer and Underwriter are collectively referred to as “Company”).
NOW, THEREFORE, the parties agree as follows:
1. APPOINTMENT
Company hereby authorizes Producer to solicit and sell Products pursuant to the terms of each attached Schedule B to the extent authorized by and only in the states where: (a) Producer has been separately notified by Company that Products are qualified for sale or exempt from qualification under all applicable securities and insurance laws; (b) Producer is duly life insurance-licensed; (c) Producer is, where required, duly securities licensed; and (d) Producer is duly appointed with Insurer. One or more Product Commission Schedules attached and incorporated as Schedule B from time to time shall identify the specific parties who are authorized to issue, underwrite and distribute Products. Submission of an application or order for Products listed on a Schedule B delivered by Company shall constitute written consent by Producer to the terms of such Schedule B. No exclusive rights are granted to, or required of, Producer except as may be expressly provided by Company in writing or on Schedule B. Producer accepts this appointment as an independent contractor, on the terms set forth in this Agreement. Producers shall only offer such contracts pursuant to the offering restrictions set forth in the applicable Schedule B or in a private placement memorandum describing such contracts.
AUTHORITY AND RESPONSIBILITY
(a) Producer is authorized and responsible in each state to train, use and supervise qualified professional insurance agents and solicitors who are duly qualified as provided in this Agreement to sell the Products (“Subproducers”). Producer shall ensure that each Subproducer has adequate training in the sales practices and disclosures and for the various Products. Producer shall also ensure that Subproducers have reviewed Product marketing materials, guidelines, communications or other tools made available by Company and that Subproducer has sufficient knowledge of each Product’s features, benefits, and costs prior to making any recommendation to a customer. Broker-Dealer shall provide training, conduct manuals, or other information to unregistered employees of Agencies and Subproducers regarding the limitations on such unregistered employees’ permissible securities activities and monitor those activities as Broker-Dealer deems appropriate to maintain compliance with such limitations.
(b) Producer shall notify Company immediately upon hiring or contracting with any Subproducer for solicitation of Products and upon the termination of any Subproducer. Producer shall provide or shall cause Subproducers to provide Company with appropriate authorization to allow Company to conduct the background and credit investigations of Subproducers necessary or appropriate under applicable law. Insurer reserves the right of final approval of the appointment of any Subproducers. Insurer may cancel the appointment of any Subproducer upon notice to Producer.
(c) Producer shall ensure that it and all Subproducers: (i) as fiduciary for Company, collect and submit purchase payments to Company, such payments to be in the form of checks made payable solely to the order of Company, or at such time and by such other means (by wire or electronic transfers) as mutually agreed in writing; (ii) in accordance with Company’s communicated guidelines, promptly deliver the Product contract to the purchaser, unless Company has done so; (iii) record each transaction, record the fact of delivery, and maintain any other documentation requested by Company; (iv) responsibly perform in good faith each authorized action hereunder in accordance with Company’s administrative procedures as provided to Producer from time to time in writing and cooperate with Company as required to provide service to the purchasers of the Products; (v) make and record suitable recommendations, and document the rationale for each product recommendation, as required in the Suitability Determination and Supervision Section of this Agreement; (vi) adopt, abide by, and enforce the principles set forth in the ethics code provided to Producer as Exhibit B to this Agreement (“Ethics Code”); (vii) distribute and enforce all Company guidelines and communications related to the marketing and sale of its Products provided or made available to Producer; (viii) monitor both state and federal laws to ensure that the sales practices and disclosures of Producer and Subproducers are compliant; and (ix) establish and maintain guidelines for Subproducers which ensure compliance with both state and federal requirements for do-not-call lists, proper use of designations, and disclosures required by Producer and Subproducer including, but not limited to, compensation-related disclosures and other sales-related disclosures.
(d) Broker-Dealer, on its own behalf and on behalf of Agencies and Subproducers, shall maintain the books and records relating to the sale of the Registered Products and the receipt and disbursement of Commissions (defined in the Commissions and Chargebacks Section) and fees thereon so as to clearly and accurately disclose the nature and details of the transactions. Such books and records shall be maintained and preserved as required under the Exchange Act and the rules thereunder. Duplicate books and records relating to the Registered Products and maintained by Agencies and Subproducers shall be deemed books and records of Broker-Dealer for the purposes of this subsection.
(e) Insurer reserves the unconditional right to refuse to accept applications and purchase orders procured by Producer, or to accept premiums and settlements tendered or made. Insurer reserves the unconditional right to, at any time without prior notice: (i) modify any Product in any respect, modify or alter the conditions or terms under which any policy form may be sold or regulate its sale; (ii) discontinue or withdraw any policy form from any geographic area or market segment without prejudice to continuation of such form in any other area or market segment; (iii) suspend the sale of any of the Products; or (iv) cease doing business in any area in whole or in part. Notwithstanding these rights, Insurer will use reasonable efforts to provide Producer with notice of its intention to modify or suspend the sale of any Products.
(f) No deviation of Producer’s authority and responsibility granted under this Agreement shall be permitted except with Company’s prior specific written consent.
2. PROHIBITIONS
In addition to any prohibitions contained in applicable law or regulation, and not in limitation thereof, Producer and Subproducers have no authority to, and Producer shall ensure that it and any Subproducers shall not:
(a) make any promise or incur any debt on behalf of Company;
(b) hold themselves out as employees or affiliates of Company unless true;
(c) misrepresent, add, alter, waive, discharge, or omit any provision of the Products, the then-current prospectus for the Registered Products or the underlying funds, confirmations, statements, applications, or other Company materials;
(d) waive any forfeiture, extend the time of making any payments, or alter or substitute any of Company’s forms;
(e) use, or supply to a third party for use, any of Company’s forms other than for purposes of this Agreement;
(f) make any recommendation or take any action which is likely to induce the surrender, transfer, exchange, replacement, cancellation, non-renewal of, or the withdrawal from, any Product (i.e., a “Replacement”) except when Producer has documented suitability of the Replacement in accordance with the Suitability Determination and Supervision Section of this Agreement and has first offered Company the opportunity to present a suitable replacement Product;
(g) pay or allow to be paid to any prospective owner, insured, annuitant, beneficiary or other person any inducement not specified in the contract for the Products;
(h) cause any premium or consideration to be rebated, in any manner whatsoever, directly or indirectly;
(i) give or offer to give, on Company’s behalf, any advice or opinion regarding the taxation of any purchaser’s or prospective purchaser’s income or estate in connection with the sale or solicitation for sale of any Products;
(j) sign or allow any person to sign a form or other document for another except pursuant to a proper power of attorney or guardianship appointment approved by Company;
(k) negotiate, deposit, or co-mingle purchase payments except as may be otherwise specifically agreed in a written addendum to this Agreement;
(l) enter into any contracts with Subproducers for the solicitation of the Products or payment of compensation based on sales with anyone not licensed and appointed with Company;
(m) engage in speculation on human life in any way;
(n) solicit or take applications for the Products in a state other than the purchaser’s state of residence for the sole purpose of circumventing the insurance laws of such purchaser’s state of residence;
(o) take any other action beyond the scope of the authority granted under this Agreement; or
(p) allow any employee or contractor of Agency or any Subproducer who is not a registered representative of Broker-Dealer to: engage in securities activities, receive compensation based on securities transactions or providing securities advice, recommend any security, give investment advice, discuss the merits of any security or type of security, respond to any question that might require familiarity with the securities industry, handle or maintain customer funds, including checks routed through Broker-Dealer and Agencies, or securities in connection with securities transactions, or have any involvement in securities transactions other than providing clerical or ministerial assistance.
3. REPRESENTATIONS, WARRANTIES AND COVENANTS
(a) More than one Insurer, Underwriter, Broker-Dealer, or Agency may execute this Agreement at its inception, or by subsequent addition of parties from time to time pursuant to a revised Schedule A. Each such execution shall be deemed to create a new and separate agreement between Insurer, and Underwriter if applicable on the one hand and the Broker-Dealer, and/or Agency if applicable, on the other. The existence of more than one executed Schedule A shall not create any agency relationship or other selling authority between any Insurer that executes one Schedule A, and any Underwriter, Broker-Dealer and/or Agency that executes another Schedule A. No Insurer shall be liable for the obligations or actions of any other Insurer.
(b) Underwriter and Broker-Dealer are registered with the SEC as broker-dealers under the Exchange Act, and are members in good standing of the Financial Industry Regulatory Authority (“FINRA”).
(c) Agency is duly licensed and lawfully authorized under applicable insurance or annuity laws and regulations to market and distribute the Products, as set forth in this Agreement. If Agency only markets and distributes Unregistered Products, the provisions of this Agreement that specifically refer to Registered Products or the requirements of FINRA or SEC shall be inapplicable, except to the extent the laws and regulations governing those agencies contain valid requirements applicable to Unregistered products.
(d) Broker-Dealer is duly licensed and lawfully authorized under applicable insurance or annuity laws and regulations to market and distribute the Products. If Broker-Dealer is not so licensed, then Agency is duly licensed and lawfully authorized to market and distribute the Products under applicable insurance or annuity regulations, and an associated person of Broker-Dealer.
(e) Producer represents, warrants and covenants that (i) it, and each Subproducer, and any person or entity employed or contracted with or by Producer or Subproducer in connection with sales of the Products, and/or (ii) any person or entity to whom Producer pays commissions pursuant to this Agreement: (i) will have sound business reputations and backgrounds (as more fully described in the General Letter of Recommendation attached as Exhibit A and incorporated by reference); (ii) will be duly life-insurance licensed, appointed to represent Company, and securities-registered (for Registered Products) in compliance with all applicable federal and state laws and regulations, including those of FINRA or other SROs, prior to and during the sale of any Products pursuant to this Agreement; and (iii) will comply with all other applicable federal and state laws and regulations, including those of FINRA or other SROs, and applicable procedures, Ethics Codes, manuals, and other written rules and regulations of Company as delivered to Producer from time to time, including the provisions of this Agreement. Producer shall take all necessary steps to communicate Company’s rules and regulations to such persons.
(f) Producer represents, warrants and covenants that any Subproducer that sells Registered Products shall be an associated person of Broker-Dealer within the meaning of section 3(a)(18) of the Exchange Act. Broker-Dealer agrees that any Agency or Subproducer whom the SEC, FINRA or any other applicable self-regulatory organization bars or suspends from association with Broker-Dealer or any other broker-dealer will be immediately terminated or suspended from all activities related to Registered Products and Company shall be notified immediately in writing of any such bar or suspension. Producer shall provide prompt notice to Company and cease all Product solicitations if it or any Subproducer is barred or suspended from performing insurance or annuity sales by state insurance regulators, FINRA or other state or federal regulators. Producer shall provide to Company prompt notice and a copy of the regulatory findings of any other fines or disciplinary action by FINRA or state or federal regulators involving Producer or any Subproducer.
(g) Producer represents, warrants and covenants that it has full power and authority to enter into this Agreement and to perform its obligations hereunder.
(h) Company represents, warrants and covenants that all Products have been filed with and approved by the appropriate insurance departments in compliance with the laws of each state and that Company is licensed to do business by the insurance department of each state. Further, Company represents, warrants and covenants that the Registered Products have been filed and registered as appropriate with the SEC and FINRA and are in compliance with the applicable regulations promulgated under the Exchange Act. Company will, during the term of this Agreement, notify Producer of the issuance by the SEC of any stop order with respect to the registration statement or any amendments thereto or the initiation of any proceedings for that purpose or for any other purpose relating to the registration and offering of the Products and of any other action or circumstance that may prevent the lawful sale of the Products in any state or jurisdiction.
(i) Company represents and warrants that it has full power and authority to enter into this Agreement and to perform its obligations hereunder.
(j) This Agreement has been duly authorized, executed, and delivered on behalf of Producer and Company and constitutes a valid and binding agreement of the parties enforceable in accordance with its terms, except (i) as such enforceability may be limited by bankruptcy, moratorium, insolvency, reorganization or other laws affecting or limiting the enforcement of creditors’ rights generally; (ii) as such enforceability is subject to general principles of equity, regardless whether such enforceability is considered in a proceeding in equity or at law; and (iii) as the right of a party to indemnification or contribution may be judicially determined to be unenforceable.
4. SUITABILITY DETERMINATION AND SUPERVISION
As permitted by state insurance laws and regulations, Company contracts with Producer for Producer to establish procedures which are reasonably designed to ensure suitable recommendations and provide appropriate supervision of sales of Products. Producer shall ensure that it monitors federal and state laws, rules and regulations to ensure that the sales practices, suitability determinations and supervision practices of Producer and Subproducer continue to follow all applicable laws, rules and regulations as they relate to Products offered by Producer.
Therefore, Producer shall:
Maintain written suitability procedures which are compliant with SEC and FINRA rules, as well as the laws and regulations of state insurance and other regulatory authorities as applicable;
(a) Ensure all applications are reviewed and approved by a supervising principal prior to application being submitted to Insurer.
(b) Ensure that prior to recommending purchase of a Product all Subproducers make a reasonable effort to obtain information regarding a consumer’s financial status, tax status, investment objectives and any other information either required by state or federal law or considered reasonable by Subproducer, Producer or Company.
(c) Ensure that Subproducers have reasonable grounds for believing that a recommendation is suitable for the consumer on the basis of the facts disclosed by the consumer.
(d) Maintain all information collected and used in determining that a recommendation was suitable, or in the supervision of the transaction, for the length of time required by state insurance and other regulatory authorities, but in no case less than five (5) years from the date of the transaction.
(e) Provide Company with information regarding individual product recommendations upon written request from Company.
(f) Notify Company promptly upon learning of any circumstances that render such suitability information inaccurate or a transaction unsuitable.
(g) Establish and maintain reasonable procedures for the inspection and supervision of Product sales practices of its Subproducers.
(h) Provide to Company an annual certification by a senior manager with responsibility for Product suitability supervision in a format acceptable to Company.
(i) Promptly cooperate with any periodic reviews by the Company designed to verify the accuracy of the annual certification and ongoing compliance with this Agreement.
(j) Submit reports to Company as may be reasonably requested regarding compliance with the aforementioned procedures.
5. COMMISSIONS, CHARGEBACKS, AND DISCLOSURE
(a) Company shall pay Producer commissions (“Commissions”), if any, set forth on the applicable Schedule B for sales in the states during the term of this Agreement. Broker-Dealer shall report all Commissions for Registered Products on its FOCUS and FINRA Fee Assessment reports. Insurer is solely responsible for payment of all Commissions under this Agreement. Underwriter has no obligation to make any commission payment unless it receives payment from the Insurer.
(b) Producer shall pay Company in full for any indebtedness to Company arising under this Agreement or otherwise within thirty (30) days of demand. Producer will pay the maximum lawful rate of interest on any indebtedness that Producer owes to Company, along with reasonable legal expenses, attorneys’ fees, and court costs incurred by Company in collecting such indebtedness. Producer shall pay to Company, or Company may offset from Commissions due, any unpaid indebtedness due to Company remaining after demand, and the chargebacks (“Chargebacks”) set forth on the applicable Schedule B. This right to offset shall constitute a first lien against any compensation due Producer from Company or any of its affiliates and shall have priority over any assignment by Producer or by operation of law. Producer has no right to offset.
(c) No Commissions will be paid to Producer on Products that are surrendered or canceled and subsequently reinstated or rewritten, or on subsequent premiums that result from prior partial withdrawals from the Product. No Commissions will be paid to Producer for Contracts for which Producer is no longer Agent of record.
(d) Company reserves the right, upon reasonable notice to Producer, to modify or eliminate any Commissions or Chargebacks payable on Products issued, renewed, converted, or exchanged after the date of the notice. Notwithstanding any other provisions of this Agreement to the contrary, Company shall not be obligated to pay any compensation which would be in violation of any applicable law, rule, regulation or order.
(e) Producer shall be solely liable for and shall promptly pay any and all amounts payable to any Subproducer in connection with the sale of Products. No Subproducer or other person shall have any claim against Company on account of the sale or service of any Product.
(f) Producer shall comply with all applicable laws, rules and regulations pertaining to requirements that persons soliciting applications for the sale of life insurance or annuity contracts disclose compensation arrangements.
6. INDEMNIFICATION
(a) By Insurer. Insurer agrees to indemnify and hold harmless Producer and each officer and director of Producer (“Producer Indemnitee”) against any and all losses, claims, fines, penalties, damages, or liabilities, joint and several (collectively “Claims”), to which Producer Indemnitee may become subject or otherwise, insofar as such Claims arise out of, relate to, or are based upon (i) any untrue statement or alleged untrue statement of a material fact, contained in any registration statement or any post-effective amendment thereto or in the prospectus or any amendment or supplement thereto for the Products, or in any Sales Materials provided by Company or that was required to be stated therein or necessary to make the statements therein not misleading; or (ii) the failure of Insurer, its officers, employees, or agents to comply with the provisions of this Agreement. Insurer agrees to reimburse Producer Xxxxxxxxxx for reasonable legal and other expenses (including attorneys’ fees) incurred by such indemnitee in connection with investigating or defending Claims. This indemnity agreement will be in addition to any liability that Insurer may otherwise have.
(b) By Producer. Producer agrees to indemnify and hold harmless Company and each of its current and former directors and officers, each person, if any, who controls or has controlled Company within the meaning of the Securities Act or the Exchange Act, employees, and agents (“Company Indemnitee”), against any and all Claims to which Company and Company Indemnitee may become subject; or otherwise, insofar as such Claims arise out of, relate to, or are based upon: (i) any unauthorized use of sales materials, any verbal or written misrepresentations, product recommendations which are determined to be unsuitable, or any unlawful sales practices concerning Products by Producer, its agents, employees, or representatives; (ii) claims for commissions, services fees, development allowances, reimbursements, or other compensation or remuneration of any type relating to any Subproducer or former Subproducer or relating to any employee or contractor of Producer or any Subproducer; or (iii) the failure of Producer, its officers, employees, agents or Subproducers to comply with the provisions of this Agreement, including but not limited to any unauthorized actions, failure to timely deliver contracts, or errors or omissions by Subproducers, failure to act as required under any applicable law, rule or regulation, engaging in any unauthorized transactions within a contract including any unauthorized electronic transactions submitted to Company. Producer agrees to reimburse Company Indemnitee for any reasonable legal or other expenses (including attorneys’ fees) incurred by Company Indemnitee in connection with investigating or defending Claims. This indemnity agreement will be in addition to any liability that Producer may otherwise have.
7. APPROVAL OF ADVERTISING
(a) No sales, promotion or other advertising or training materials relating to the Products or Company (“Sales Material”) shall be used by any Producer or Subproducer unless approved in writing by Company prior to such use. Company approval notice will specify the approved jurisdictions, intended audience and manner of distribution for the specific material. “Sales Material” shall include, but is not limited to, any material relating to the Products or Company which is designed to create public interest in life insurance or annuities or in an insurer, or in an insurance producer, or to induce the public to purchase, modify, increase, reinstate, borrow on, surrender, replace, or retain a policy of insurance or annuity.
(b) The consideration for and the giving of such approval shall apply to each specific request and shall not be construed to have applied to any subsequent materials or programs. All materials shall be subject to annual review after initial approval to ensure continued compliance with applicable law, regulations, and Company policies. At least one hard copy of each piece of Sales Materials in the form proposed to be used shall be supplied to Company at least ten (10) business days prior to first use. Additional copies or longer time period may be required for Sales Materials that must be filed for approval with any regulatory authorities prior to use. Producer or Subproducer shall maintain records of sales material dissemination for no less than five (5) years after discontinuance of use or publication, unless otherwise notified by Company. These dissemination records shall be provided promptly to Company upon request.
(c) Company retains the right to revoke any Sales Material approvals. Upon receipt of a written revocation notice from Company, Producer or Subproducer shall discontinue use of the specific material within three (3) business days.
(d) No representations in connection with the sale or solicitation for sale of the Products, other than those contained in the currently effective registration statement and prospectus for each Registered Product filed with the SEC, or in the approved Sales Materials for each Product, shall be made by Producer. Producer assumes full responsibility for all Sales Materials not prepared or approved by Company and all such Sales Materials will be deemed to be Producer’s materials. Unless otherwise agreed by the parties it shall be Broker-Dealer’s responsibility to file and obtain FINRA approval of any Sales Materials prepared by Producer.
(e) Company will use reasonable efforts to provide Producer with information and marketing assistance, including providing reasonable quantities of advertising materials, sales literature, and reports on such terms and at such costs as Company and Producer shall mutually agree from time to time. Sales Material provided by Company shall have been authorized by Company and shall conform to all applicable legal requirements as of the date of delivery.
(f) Company shall not use any advertising material, prospectus, proposal, or representation referring to Producer or its affiliates unless furnished by Producer or until the approval of Producer shall have been first secured. The consideration for and the giving of such approval shall relate to each specific request and shall not be construed to have applied to any subsequent materials or programs.
(g) As between Company and Producer, all trademarks, service marks, trade names, logos, or other words, symbols or indicia of origin, identifying the Company or the Company’s products or services (the “Marks”) are and will remain the exclusive property of the Company or its licensors. Before publishing or disseminating any materials bearing a Mark, Producer will deliver an exact copy of the materials to the Company for prior written approval. If the Company notifies Producer that the use of the Mark is inappropriate, Producer will not publish or otherwise disseminate the materials until they have been modified and approved by the Company in writing. Producer will not acquire any rights in the Marks, except the limited use rights specified in the written approval provided by the Company. Producer will not register, directly or indirectly, any trademark, service mark, trade name, company name, Internet domain name, or other proprietary or commercial right, that is identical or confusingly similar to a Mark, or constitutes a translation of a Mark. All goodwill arising from the use of the Marks inures to the exclusive benefit of the Company or its licensors.
8. CONFIDENTIALITY AND PRIVACY
(a) Confidential Information. Confidential Information shall mean all information, written or verbal, which may be disclosed, whether or not marked as “Confidential” or “Proprietary” by the disclosing party or to which the receiving party may be provided access to by disclosing party in accordance with this Agreement, or which is generated or learned as a result of or in connection with this Agreement (“Confidential Information”). Confidentiality obligations hereunder shall not apply to any Confidential Information which: (i) is or later becomes generally available to the public without breach of any express or implied obligation of confidentiality by the receiving party; (ii) written evidence shows Confidential Information is in the possession of receiving party with the full right to disclose prior to its receipt from disclosing party; (iii) is later acquired by the receiving party from a third party without any restriction on disclosure or breach of an express or implied obligation of confidentiality; or (iv) receiving party can document in writing that receiving party independently created such information without reference to or use of Confidential Information.
(b) Non-disclosure Obligations. Receiving party promises and agrees to use reasonable efforts to hold Confidential Information in confidence, but in any event efforts not less than receiving party uses to protect and safeguard its own confidential information, and without limiting the generality of the foregoing, receiving party further promises and agrees: (i) to protect and safeguard the Confidential Information against unauthorized use, publication or disclosure; (ii) not to, directly or indirectly, in any way, reveal, report, publish, disclose, transfer or otherwise use any of the Confidential Information except as specifically authorized in writing by disclosing party in accordance with this Agreement; (iii) not to use any Confidential Information to unfairly compete or obtain an unfair advantage vis-à-vis disclosing party in any commercial activity which may be comparable to the commercial activity contemplated by the parties in connection with this Agreement; (iv) to restrict access to the Confidential Information to those who clearly need such access to carry out the purposes of this Agreement; (v) to advise each of the persons to whom it provides access to any of the Confidential Information that such persons are strictly prohibited from making any use, publishing or otherwise disclosing to others, or permitting others to use for their benefit or to the detriment of disclosing party, any of the Confidential Information; and (vi) receiving party shall not use any Confidential Information of the disclosing party to engage in any fraudulent, deceptive, manipulative or otherwise unlawful practice in connection with the purchase or sale of securities or to improperly influence the performance of securities.
(c) Mandatory Disclosure. If the receiving party becomes compelled or is ordered to disclose Confidential Information whether (i) by a court order or governmental agency order which has jurisdiction over the parties and subject matter, or (ii) in the opinion of its legal counsel, by law, regulation or the rules of a national securities exchange to disclose any Confidential Information, the receiving party will, to the extent practicable and except as may be prohibited by law or legal process, provide the disclosing party with prompt written notice to permit the disclosing party to object to the disclosure or seek an appropriate protective order or other remedy. If a remedy acceptable to the disclosing party is not obtained by the date that the receiving party must comply with the disclosure requirement, the receiving party will furnish only that portion of the Confidential Information it is legally required to furnish, and the receiving party will exercise commercially reasonable efforts to obtain confidential treatment for the Confidential Information that is disclosed. It is understood and agreed that regulators having jurisdiction over each party shall have unrestricted access to all books, records, files and other materials in such party’s possession, including the Confidential Information, and disclosure of the Confidential Information to such persons solely for purposes of supervision or examination may occur without written notice to or authorization from the other party.
(d) Privacy. For purposes of this Section 9 only, the following definitions apply:
(i) Applicable Privacy Law: means any law, ordinance, statute, rule or regulation applicable to or binding on either or each party with respect to privacy or data security, including but not limited to, the Xxxxx-Xxxxx-Xxxxxx Act (Pub. L. 106-102), Regulation S-P (17 CFR 248), the Fair and Accurate Credit Transactions Act of 2003 (Pub. L. 108-159), and the Standards for the Protection of Personal Information of Residents of the Commonwealth (201 CMR 17), as each may be amended from time to time.
(ii) Personal Information: means, in addition to any definition under Applicable Law, any personally identifiable information about any individual, including, but not limited to, name, email address, telephone number, age or date of birth, gender, demographic information, marketing preferences, social security number, alien identification number, credit or debit card numbers, other financial account numbers, application data, credit history, financial information, driver’s license number, other unique identifier or authenticator, health insurance or medical information, consumer report information and data about transactions or experiences with the Insurer or marketing partner of the Insurer. The term “individual” for purposes of this definition includes, but is not limited to, a customer, client, employee, or contractor of the Insurer.
(iii) Responsible Party: means Producer, Subproducer, and any party acting on behalf of or at the direction and control of Producer or Subproducer, e.g. sales assistant or back-office assistant.
(iv) Security Breach: means any actual or potential breach under Applicable Law with respect to any record or data containing Personal Information, and shall include any incident involving the unauthorized access to or acquisition of encrypted or unencrypted, electronic or paper copy of Personal Information or where the potential exists that encrypted information could be compromised.
(e) Disclosure and Use of Personal Information. If Responsible Party receives, uses, stores, maintains, processes, transmits, disposes or otherwise has access to Personal Information, Responsible Party shall use, store, maintain, process, transmit, dispose of and protect Personal Information in accordance with Applicable Law. Access to and use of Personal Information by Responsible Party is specifically limited to that which is necessary to perform the services set forth in this Agreement and Responsible Party shall only disclose Personal Information to those employees who have a need to know such information to perform such services. For those affiliates and contractors for which the Insurer provides written authorization, Responsible Party shall obligate those affiliates and contractors to terms at least as stringent as those set forth herein.
(f) Information Security Program. Responsible Party shall develop and implement, within thirty (30) days after the date of execution of this Agreement, if it has not already done so, and thereafter maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards compliant with Applicable Law (the “Security Program”) designed to (i) protect the confidentiality, integrity and availability of Personal Information; (ii) protect against anticipated threats or hazards to the security, confidentiality, integrity and/or availability of Personal Information; (iii) protect against any unauthorized access, disclosure or use of Personal Information; (iv) address computer and network security; (v) address physical security; (vi) address business continuity and disaster recovery; (vii) address a security incident response program; and (viii) provide for the secure destruction and disposal of Personal Information. The Security Program shall comply with all Applicable Law and shall be updated as required by Applicable Law and industry best practices. Responsible Party shall require its contractors who provide services on behalf of the Responsible Party and who may have access to Personal Information (“Contractors”) to develop, implement and maintain a written Security Program and to provide Responsible Party with written acknowledgement of compliance of Contractors’ Security Program. Nothing herein should be construed to waive any requirement in any agreement between Responsible Party and its Contractors for compliance with the Insurer’s security standards and requirements for Personal Information, privacy, data security and network/systems security that have or may from time to time be communicated to Responsible Party. At the Insurer’s request, Responsible Party agrees to certify in writing to Insurer its compliance with the terms of this Section.
(g) Security Breach Reporting. Responsible Party shall notify Insurer within forty-eight (48) hours upon learning of an actual or potential Security Breach involving Personal Information. Responsible Party must provide notice to Insurer’s Security Office by emailing xxxxxxxx@xxxxxxxxxxxx.xxx and must include, at a minimum, and to the extent known, the following information: (a) the nature of the Security Breach; (b) the estimated impact on the Insurer; (c) the name of a senior level person responsible for communicating with the Insurer regarding the Security Breach; and (d) the investigative action taken or planned. Responsible Party must cooperate fully with all Insurer requests for information regarding the Security Breach and Responsible Party must provide regular updates on each Security Breach and the investigative and corrective action taken. Any action taken with respect to such Security Breach, including but not limited to the investigation and any communication to internal or external parties regarding the Security Breach, will be at the sole discretion of the Insurer unless otherwise required by applicable law.
(h) Other Agreements. This section does not supersede or replace any other provision in any agreement between the parties with respect to privacy and security of Personal Information except to the extent such provisions are less stringent than the provisions set forth herein. Personal Information shall be construed as Confidential Information under this Agreement and subject to paragraphs (b) and (c) above.
(i) Indemnity. Producer hereby agrees to defend, indemnify, and hold the Insurer and its affiliates and all of their directors, officers, personnel, and their successors and assigns harmless from any and all expenses, damages, awards, settlements, claims, actions, demands, losses, obligations, fines, penalties, liabilities, regulatory actions and causes of action (including, but not limited to, attorneys’ fees and expenses, breach notification costs, credit monitoring or watch services, internal and external breach remediation plans) arising out of or relating to any privacy or security breach involving Personal Information in the possession of or under the control of the Responsible Party or its Contractors, or for Responsible Party’s breach of any obligations set forth in this Section.
9. COMPLAINTS AND INVESTIGATIONS
(a) Producer, upon notification, shall promptly notify Company of any notice of any regulatory or self-regulatory investigation or proceeding or judicial proceeding arising in connection with the Products or the solicitation or sale of the Products no later than by next day express or overnight mail, secure e-mail, or facsimile. Producer and Company further agree to cooperate fully in any regulatory or self-regulatory investigation or proceeding or judicial proceeding with respect to Producer, Subproducers, Company, their affiliates, and their agents or representatives to the extent that such investigation or proceeding is in connection with this Agreement or the transactions contemplated hereunder. Producer shall furnish applicable federal, state, and self-regulatory authorities with any information or reports in connection with their services under this Agreement which such authorities may request in order to ascertain whether Producer’s or Company’s operations are being conducted in a manner consistent with any applicable law, regulation, or rule of an SRO. Each party shall bear its own costs and expenses in complying with any regulatory or self-regulatory requests, subject to any right of indemnification that may be available pursuant to this Agreement.
(b) Company and Producer shall each develop and maintain appropriate procedures to ensure timely response to Policyholder complaints and ensure they maintain a log of Policyholder complaints arising out of the solicitation or sale of the Products. The log will record the date and substance of each Policyholder complaint and the date and substance of the resolution of each such complaint. Each party’s log, maintained for no less than seven (7) years, shall be provided to the other upon request.
(c) Producer and Subproducer shall promptly respond to any inquiries from Company for information necessary to provide a response to an investigation or complaint within the timeframe requested by Company. Producer understands that failure to respond within the requested timeframes may result in fines, penalties, unnecessary settlements and other increased expenses for Company. Producer will indemnify Company for fines, penalties or expenses incurred due to a failure of Producer or Sub-Producer to respond as requested.
(d) Each party will immediately notify the other of any Policyholder complaint or other complaint against that party, its agents or Sub-Producers or third party vendors arising from the performance, or failure to perform, the terms of this Agreement. For purposes of this Agreement, a Policyholder complaint includes, but is not limited to, a written notification (including a notification by electronic mail) that: (1) expresses a grievance or alleges misrepresentation of information, improper sales practices or confusion over the Product’s status as an insurance or annuity product; or (2) an error or inaction or unfair treatment by former or current employees or agents of Producer, Company or affiliates of each, and (3) requests resolution of the matter. Each party shall reasonably determine, in accordance with state and federal law, whether an oral or telephonic notification that clearly meets the foregoing requirements should be treated as a written complaint for the purposes of this Agreement. Each party will, upon receipt of any summons, complaint, or notice of suit, forward such notice to the other party no later than by next-day express or overnight mail, secure e-mail, or facsimile.
10. TERMINATION
(a) This Agreement shall continue in force from its effective date and may be terminated by any party, as to that party, by providing thirty (30) days written notice to the others.
(b) Notwithstanding the provisions of subsection (a), either Company or Producer may terminate this Agreement immediately and without notice if (i) the Underwriter or Broker-Dealer ceases to be registered under the Exchange Act or to be a member in good standing of FINRA; (ii) the other party fails to comply with any licensing laws or any other applicable law or regulation; (iii) the other party becomes insolvent, either voluntarily or involuntarily declares or files bankruptcy, or suffers other financial impairment that may affect its or the other party’s performance of this Agreement; or (iv) the other party is prohibited from offering the Products hereunder as a result of any change in federal or state laws or regulations.
(c) Upon material breach of this Agreement any party may terminate the Agreement, ten (10) days after the receipt of written notice to the other parties. In the event of the receipt of such notice, and upon request, the other party has the right to a ten day cure period for the breach. If the party is able to cure the breach to the good faith satisfaction of the other party within the cure period, this Agreement will continue in effect as though it were never terminated.
11. ANTI-MONEY LAUNDERING
(a) Each party represents that it has implemented programs reasonably designed to comply with all applicable anti-money laundering laws, regulations, rules and government guidance. These include the reporting, recordkeeping, auditing, and compliance requirements of, to the extent applicable, the Bank Secrecy Act (“BSA”), as amended by the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2002, Title III of the USA PATRIOT Act (“Patriot Act”), its implementing regulations, and related SEC and SRO Rules.
(b) The programs shall include, but not be limited to (i) policies, procedures and internal controls for complying with all applicable laws and regulations; (ii) policies, procedures and internal controls, for identifying, evaluating and reporting suspicious activity; (iii) a designated compliance officer or officers; and (iv) an independent audit function.
(c) Producer acknowledges that Company shall rely on Producer to have in place appropriate anti-money laundering training and, if applicable, customer identification program (“CIP”) procedures and controls. Producer acknowledges that it will follow such procedures and controls in connection with the sale of Company’s Products.
(d) Producer represents it will not sell any Products to any person listed on the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) list of prohibited persons, entities, and countries, or to any investor with whom a Company transaction is prohibited under the various economic sanctions, laws, and regulations administered by OFAC.
12. MARKET TIMING
(a) Company reserves the right to terminate this Agreement immediately without notice to any party if Company, in its discretion, determines that any of Producer’s or Subproducers’ clients are engaging in market timing activities (defined as programmed, large or frequent transfers) with respect to any portfolios of the Registered Products or that any Producer or Subproducer is providing advice or assistance to any persons to engage in such activities.
(b) Company reserves the right to reject any purchase orders submitted by any parties whom (or whose clients) Company determines to be engaging in market timing activity. In addition to the indemnification provided in the Indemnification Section of this Agreement, and any other liability Producer may have, Producer will be liable to Company and each portfolio affected by such market timing activity for any damages or losses, actual or consequential, sustained by them as a result of such market timing activity.
13. BOOKS AND RECORDS
Each party shall create and maintain at its principal administrative office books and records of all transactions under this Agreement as required by applicable state and federal law and regulations. Each party hereto shall have the right, during normal business hours and upon ten (10) days prior written notice, to inspect and audit the books and records of the other party relating solely to the business contemplated by this Agreement, including files, letters, Sales Material, and other documents relating in any way to such business. Such books and records shall be maintained in accordance with the respective record retention policy of Company or Producer and applicable federal or state law or regulation.
14. PRODUCER’S TERMINATION OF SERVICING DUTIES
Producer must promptly notify Company of its intent to remove itself as Agent of record or Broker Dealer of record on specific policies. Producer shall assist with the transfer of Broker Dealer of record responsibilities to another duly licensed Broker Dealer, including the transfer of customer files. Producer must promptly provide Company information including, but not limited to, the following: client records, initial suitability analysis, annual suitability analysis, principal sign-off.
15. GENERAL PROVISIONS
(a) This Agreement shall be governed as to its validity, interpretation, and effect by the substantive and procedural laws of the state of domicile of Insurer as set forth on Schedule A without giving effect to principles of conflicts of laws.
(b) This Agreement, including each Schedule, Exhibit, and Addendum to this Agreement, contains the entire understanding and agreement among the parties with respect to its subject matter and with respect to sales of the Products, and supersedes all prior and contemporaneous discussions, agreements, and understandings. Producer and Company hereby acknowledge that they have not relied upon any representations other than the representations expressly contained within this Agreement except as otherwise provided herein. This Agreement may be amended, assigned and/or supplemented (“Amended” or “Amendment”) by mutual written consent signed by the parties to this Agreement, except as otherwise provided herein. In addition, this Agreement also may be Amended by Company at any time by providing a written copy of such Amendment to Broker-Dealer and Agency. In the absence of written objection to the Amendment within fifteen days after notification is sent, continued performance by Broker-Dealer and Agency under the Agreement shall constitute acceptance of any such Amendment. A change in control of the Company shall not constitute an Amendment of this Agreement.
(c) This Agreement shall inure to the benefit of and be binding upon the parties hereto and their respective successors and, to the extent permissible hereunder, assigns. Producer may only assign this Agreement to an affiliate of Producer.
(d) Company and Producer shall be held to the exercise of reasonable care in carrying out the provisions of this Agreement.
(e) The relationship of Producer or Subproducer to Company under this Agreement shall be that of an independent contractor. Nothing in this Agreement shall be construed to create the relationship between Company and Producer or Subproducer of employer and employee; a partnership or joint venture; or principal and agent, except to the extent expressly provided herein.
(f) Any notice hereunder shall be (i) in writing, and (ii) personally delivered; delivered by a third party courier; mailed by registered or certified mail, postage prepaid; or transmitted by facsimile or other electronic means. Notice to Insurer or Underwriter shall be deemed sufficiently given if addressed as set forth on Schedule A, with a copy at the same address to Division General Counsel. Notice to Broker-Dealer or Agency or Producer by Company under General Provision subsection (b) above shall be deemed sufficiently given if transmitted by facsimile or other electronic means. Notice to Producer shall be deemed sufficiently given if addressed as set forth on Schedule A. A party may designate a different address with notice to the other party in accordance with this subsection. All notices sent in accordance with the requirements of this subsection shall be deemed to have been received: (i) if personally delivered, on the date of receipt; (ii) if by facsimile or other electronic means, on the date of transmission if received; (iii) if by courier, one day after receipt is confirmed; or (iv) if by mail, on the fifth day following the day of posting.
(g) In the event any term, phrase, clause, paragraph, restriction, covenant, or agreement contained in this Agreement or the attached Exhibits, Schedules, or Addenda shall be held to be invalid or unenforceable by a court of competent jurisdiction, the same shall be severable and shall not affect the enforceability of the remaining provisions thereof.
(h) A waiver by any party of the breach of any provision of this Agreement by another party shall not operate or be construed as a waiver of any other or subsequent breach by any party.
(i) This Agreement shall be construed and enforced in accordance with the procedural and substantive laws of the State of Iowa, without regard to its conflicts of laws provisions. The exclusive forum and venue for all disputes shall be the state and federal courts having jurisdiction in Linn County, Iowa, and each party hereto consents to personal jurisdiction in such courts.
(j) For purposes of this Agreement, a document (or signature page thereto) signed and transmitted electronically or by facsimile machine is to be treated as an original document. Upon Company request, Producer shall provide Company with the original document. Company will consider information received via electronic transmission to be controlling. Producer is responsible for remedying any inaccurate information electronically transmitted and is responsible for any resulting ramifications.
(k) This Agreement may be executed by the parties hereto on any number of separate counterparts, and all such counterparts so executed constitute one agreement binding on all parties hereto.
(l) Sections of this Agreement titled Prohibitions, Suitability Determination and Supervision, Commissions, Chargebacks and Disclosure, Indemnification, Confidentiality and Privacy, Complaints and Investigations, Anti-Money Laundering, Market Timing, Books and Records, Producer’s Termination of Servicing Duties, and General Provisions shall survive the termination of this Agreement to the maximum extent permitted by law.
[SCHEDULE A—SIGNATURE PAGE FOLLOWS]
SCHEDULE A—SIGNATURE PAGE
LIFE INSURANCE COMPANY PRODUCT SALES
AGREEMENT
Complete and attach additional copies of this Schedule as needed. Include tax ID number where indicated and sign on page A-2. Attach copies of current Agency licenses for applicable states.
Insurers and Underwriters
The following affiliated Insurers and Underwriters are deemed to be parties to, and bound by all provisions of, the Agreement with respect to Products issued or underwritten by such parties, including each Product’s commission schedules issued to the date of execution hereof by the respective Insurer.
Insurer Name: Transamerica Financial Life Insurance Company
State of Domicile: Iowa
Business Address: 0000 Xxxxxxxx Xx XX Xxxxx Xxxxxx, XX 00000

Underwriter Name: Transamerica Capital Inc
Business Address: 0000 Xxxxxxxx Xx XX Xxxxx Xxxxxx, XX 00000
Broker-Dealers and Agencies
The following affiliated Broker-Dealers and Agencies are deemed to be parties to, and bound by all provisions of, the Agreement with respect to Products distributed by such parties:
Broker-Dealer:
(Print name of Broker-Dealer above)
Contact Person at Broker-Dealer:
Name:
Phone:
Fax:
Email:
Address:
Tax ID #:

Agency:
(Print name of Agency above)
Contact Person at Agency:
Name:
Phone:
Fax:
Email:
Address:
Tax ID #:
Please check the appropriate box:
☐ Corporation
☐ Partnership
☐ Other:
**Required Information
Broker Dealer/Agency General Counsel:
Name:
Phone:
Fax:
Email:
Mailing address for General Counsel:
Main Office? Y or N (if yes, please list address here)
Branch? Y or N (if yes, enclose list of branch addresses)

Broker Dealer/Agency Chief Compliance Officer:
Name:
Phone:
Fax:
Email:
Mailing address for Chief Compliance Officer:
Main Office? Y or N (if yes, please list address here)
Branch? Y or N (if yes, enclose list of branch addresses)

Contact for client policy and licensing matters (if different from above or indicate “Same”):
Name:
Phone:
Fax:
Email:
Mailing address for client policy and licensing matters:
Main Office? Y or N (if yes, please list address here)
Branch? Y or N (if yes, enclose list of branch addresses)

Contact for commissions matters (if different from above or indicate “Same”):
Name:
Phone:
Fax:
Email:
Mailing address for commission statements and checks:
Main Office? Y or N (if yes, please list address here)
Branch? Y or N (if yes, enclose list of branch addresses)
SIGNATURES
IN WITNESS WHEREOF, the parties have caused this Agreement to be duly executed as of the dates written below.

Transamerica Financial Life Insurance Company (Insurers)
Signature:
Printed Name:
Title:
Date:

Transamerica Capital, Inc. (Underwriter)
Signature:
Printed Name:
Title:
Date:

Broker-Dealer:
(Print Name of Broker-Dealer Above)
Signature:
Printed Name:
Title:
Date:

*Agency (Broker-Dealer should sign here also if life insurance-licensed):
(Print Name of *Agency Above)
Signature:
Printed Name:
Title:
Date:

*Agency (Broker-Dealer should sign here also if life insurance-licensed):
(Print Name of *Agency Above)
Signature:
Printed Name:
Title:
Date:

*Agency (Broker-Dealer should sign here also if life insurance-licensed):
(Print Name of *Agency Above)
Signature:
Printed Name:
Title:
Date:
* Complete and attach additional copies of this page if needed for more parties.
EXHIBIT A
LIFE INSURANCE COMPANY PRODUCTS SALES
AGREEMENT
General Letter of Recommendation
Producer hereby certifies to Company that all the following requirements will be fulfilled in conjunction with the submission of licensing/appointment papers for all applicants as agents of Company submitted by Producer. Producer will, upon request, forward proof of compliance with same to Company in a timely manner.
(a) We have made an identity, criminal, and credit investigation of each applicant and declare that each applicant is personally known to us, and we are unaware of any reason why each applicant would not be worthy of a license.
(b) When required because the applicant intends to solicit persons to purchase Registered Products, we have on file a U-4 form which was completed (and has been amended, as required) by each applicant. We have fulfilled all the necessary investigative requirements for the registration of each applicant as a registered representative through our FINRA member firm, including but not limited to: (i) checking for and investigating criminal arrest and conviction records available to the Broker-Dealer on the CRD system; and (ii) communicating with each employer of the applicant for 3 years prior to the applicant’s registration with our firm. Each applicant is presently registered as a FINRA registered representative.
(c) Producer has been provided with Company’s appointment guidelines. Producer represents and warrants that each applicant meets Company’s guidelines and applicable state and federal licensing and appointment requirements.
(d) At the time of application, in those states required by Company, we shall provide Company with a copy of the entire U-4 form, or designated pages thereof, completed by each applicant, including any amendments or updates thereto, and we certify those items are true copies of the original.
(e) We certify that all educational requirements have been met for the specified state in which each applicant is requesting a license, and that all such persons have fulfilled the appropriate examination, education, and training requirements.
(f) If the applicant is required to submit a picture, a signature, and securities registration in the state in which the applicant is applying for a license, we certify that those items forwarded to Company are those of the applicant and the securities registration is a true copy of the original.
(g) We hereby warrant that the applicant is not applying for a license with Company in order to place insurance chiefly and solely on the applicant’s life or property, or lives or property of the applicant’s relatives, or property or liability of the applicant’s associates.
(h) We will not permit any applicant to transact insurance in a state as an agent until duly licensed and appointed therefor with the appropriate state insurance regulatory authority. No applicants have been given a contract or furnished supplies, nor have any applicants been permitted to write, solicit business, or act as an agent in any capacity, and they will not be so permitted until the certificate of authority or license applied for is received.
EXHIBIT C
LIFE INSURANCE COMPANY PRODUCT SALES
AGREEMENT
Company Information Security Requirements
1. | Overview. The purpose of this Exhibit is to define the Information Security practices that Vendor is required to establish, administer and maintain to protect Customer Information Assets. |
2. | Policy. It is Customer’s policy that the following Information Security practices be established, administered and maintained by any third party having access to Customer Information Assets, without exception. |
3. | Definitions. |
a. | “Agent” means anyone who, through either an agency or contractual relationship, has authority to view, host, store, process, transmit, print, back-up or destroy Customer Information Assets. |
b. | “Agreement” means the contract entered into between the Customer and the Vendor, and to which this document is attached as an Exhibit. |
c. | “Customer” is defined as the party(s) referred to as Insurer in the Agreement. |
d. | “Customer Information Assets” are Information Assets belonging to or under the control of Customer, including without limitation, all information and data provided by Customer to Vendor in any form, and any information or data generated as a result thereof (excluding any information that is properly of public record or that Customer provides written permission for its disclosure). |
e. | “Information Assets” is defined as information and data in any form, whether electronic, hardcopy, photographic image, microfiche or microfilm or in digital, magnetic, optical or electronic form, including non-public personal information. It also includes all computing, network, and telecommunications systems and equipment which view, host, store, process, transmit, print, back-up or destroy information and data (e.g. personal computers, laptops, workstations, servers, network devices, software, portable storage devices, electronic storage media, cabling, and other computing and infrastructure equipment). |
f. | “Information Security” is defined as the protection against the loss of Information Assets’ confidentiality, integrity and availability. |
g. | “Information Security Breach” is defined as any unauthorized act that bypasses or contravenes Customer’s information security measures as defined herein. It also encompasses the unauthorized use or disclosure of, or unauthorized access to or acquisition of, Customer Information Assets. |
h. | “Information Security Program” is defined as the collection of policies, standards, procedures and controls, taken as a whole and implemented by Customer or Vendor, that are designed to protect the confidentiality, integrity, and availability of Information Assets. |
i. | “Information Security Vulnerability” is defined as a weakness in information security controls which could be exploited to gain unauthorized access to Customer Information Assets. |
j. | “Physical Security” or “Physically Secured” is defined as the protection of information in hardcopy form against loss or unauthorized acquisition, access or disclosure during its production, storage, distribution, use or destruction. It also encompasses the protection of information technology hardware, infrastructure and facilities, as well as power or environmental control utilities used in data processing operations to protect against damage, destruction, or misuse of Information Assets. |
k. | “Vendor” is defined as any third party who views, hosts, stores, processes, transmits, prints, backs-up or destroys any Customer Information Assets. It includes all parties including Agents that the Vendor may hire or contract with to store, transmit, process or destroy any Customer Information Assets acting on behalf of the Vendor. |
4. | Organizational Roles and Responsibilities. Vendor organizational roles and responsibilities must include a chief information security officer, or comparable role assigned to one of Vendor’s officers or senior management, to be responsible for the establishment, administration, and maintenance of a comprehensive written Information Security Program. The Information Security Program must include, at a minimum, the practices described in this Exhibit. |
5. | Non-Disclosure of Customer Information Assets. Vendor acknowledges that the unauthorized release or misuse of the Information Assets could cause harm to the business reputation of either or both Vendor and Customer. Vendor will not, and will cause its employees and Agents engaged in providing services to Customer to not, take any action or omission which would result in the unauthorized release or misuse of the Information Assets of Customer. Any actual or suspected Information Security Breach experienced by Vendor involving Customer Information Assets, must be reported in writing by Vendor to Customer within twenty-four (24) hours of its detection. |
6. | Information Security Framework and Right to Audit. |
a. | The Vendor’s Information Security Program shall conform to the framework set forth by the International Standards Organization in a standards document entitled “Code of practice for information security management” (ISO/IEC 27002:2005, as may be amended from time to time). In addition to the standards outlined therein, Vendor’s Information Security Program must include the practices described in this Exhibit. Vendor’s Information Security Program must be reviewed annually or whenever there is a material change in business practices that may implicate the security program. |
b. | Vendor shall grant Customer, or a third party on Customer’s behalf, permission to perform an audit or assessment of Vendor’s compliance with the Information Security Program requirements at least annually, and following any Information Security Breach of Vendor involving Customer Information Assets. The audits or assessments may be written or physical or as otherwise determined by Customer. At Customer’s request at any time during the term of this Agreement, Vendor agrees to certify in writing to Customer Vendor’s compliance with the terms of this Exhibit. |
c. | Customer may audit Vendor’s Business Continuity Plan (“BCP”) and Disaster Recovery (“DR”) materials which pertain to or affect Customer Information Assets, including BCP and DR plans and test results, at least annually, and following any man-made or natural disaster. |
7. | General Information Security Requirements. |
a. | Vendor must ensure appropriate segregation of duties exists for all job functions and roles performed by its employees and Agents to ensure that no individual, within or external to Vendor’s organization, has conflicting duties that could jeopardize Customer Information Assets. |
b. | Customer Information Assets should not be divulged in any way to anyone without a specific valid business “need to know” and Customer written authorization. |
c. | Access to all Customer Information Assets must: |
1. | adhere to the principle of “least privilege,” ensuring that only the most minimal level of access needed for a given job function is granted to Vendor’s employees and its Agents; |
2. | be restricted to only authorized personnel who have a specific business “need to know.” |
d. | Computer services employed to view, host, store, process, transmit, print, back-up or destroy Customer Information Assets must adhere to the principle of “least privilege,” ensuring that only the most minimal level of access needed to perform processing is granted to these computer services. |
e. | Hardware and software owned by Vendor personnel must not be allowed to connect to or interact with the Customer’s company network without: |
1. | an appropriately scoped risk assessment, including the identification of existing and compensating controls based upon the requirements within this Exhibit; |
2. | verification of the implementation of controls identified within the risk assessment; |
3. | obtained approvals of Customer IT Network Management and the appropriate Chief Information Officer of the enterprise or division of Customer involved. |
f. | Vendor’s users should not be allowed to install their own personal software on Vendor Information Assets. |
g. | Vendor portable devices that store, process, transmit or destroy Customer Information Assets, such as laptops, personal digital assistants, Blackberries®, smart phones, hand-held or palmtop computers, portable memory drives, and other similar portable devices must be configured to make use of industry standard encryption technology that fully protects these devices’ storage and transmission capabilities from unauthorized access. |
8. | Information Asset Classification and Management. Vendor must classify and control its Information Assets to indicate the ownership, custodianship, and degree of sensitivity consistent with Customer’s Information Asset classification in order to ensure that Customer Information Assets receive an appropriate level of protection by Vendor. The inventory of Vendor’s Information Asset classification repository must be maintained and kept current. Recommended classifications are as follows: |
a. | Non-sensitive Business Data and Public Information Assets |
1. | “Non-sensitive Business Data” refers to all Information Assets determined by Customer to not be sensitive or confidential as defined below; |
2. | “Public Information” refers to all Information Assets that come from public sources or are provided by Customer to the general public; examples include periodicals, public bulletins, published company information, published press releases, etc. |
b. | Confidential and Proprietary Customer Information Assets |
1. | “Confidential” or “Proprietary Information Assets” refers to Information Assets that are internal to Customer, though they may be shared with Vendor under the terms of the Agreement, and are not considered by Customer to be Public Information; examples include unpublished corporate financial information, information about impending mergers and acquisitions, dormant account information, marketing plans, passwords and encryption keys, employee and customer non-public personal information (such as personally identifiable information, personal financial information or personal protected health information), product designs, customer records and correspondence, and other information or data which if disclosed without appropriate authorization could result in a competitive disadvantage or liability or loss to the Customer. |
c. | Record retention periods that meet federal and state retention requirements must be established and maintained by Vendor. In addition, Customer may provide specific retention requirements that Vendor will apply, including but not limited to, retention for compliance, litigation, legal or regulatory purposes. |
d. | Destruction of Customer Information Assets must not occur without authorization from Customer management. The destruction methodologies must be performed in a secure manner such that the information cannot be read or re-created after disposal. Vendor is encouraged to adhere to the guidelines provided by the National Association for Information Destruction, which can be found at xxxx://xxx.xxxxxxxxxx.xxx. Vendor must also take into consideration the impact of disposal on the environment. |
9. | Human Resources Management. The following administrative requirements must be implemented by Vendor where Customer Information Assets are stored, processed, transmitted, or destroyed; except as may be otherwise required for compliance, litigation or legal or regulatory purposes. |
a. | Vendor employees and Agents must be subject to a sufficient criminal background check prior to employment to ensure people with a criminal history do not have access to Customer Information Assets. The Vendor agrees it will provide no employees or Agents who have been convicted of a felony involving theft, dishonesty, or breach of trust, or any other crime that disqualifies someone from working in the business of insurance as set forth in the Federal Crime Bill. Further, Vendor will conduct a background check on each employee or Agent that is sufficient to screen out those who have been convicted of crimes involving behavior that, if it occurred on the Customer’s site, could result in injury to people or impairment of assets. |
b. | Vendor must follow a documented method or procedure that governs the creation, suspension, cancellation, modification, and deletion of user accounts for its employees and Agents. These methods or procedures must include, at a minimum, the following: |
1. | Employees and Agents with valid user accounts must have their user accounts disabled immediately upon termination of employment or business engagement; |
2. | Employees and Agents who experience an absence longer than sixty (60) days must have their user accounts disabled. These user accounts may be re-enabled upon their return to work; otherwise, these accounts shall be deleted upon termination of the Employee or Agent; |
3. | Employees and Agents whose job responsibilities change must have their access levels reviewed to determine if changes need to be made in order to ensure they do not have access to Information Assets for which they do not have a specific business need. |
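The three account-lifecycle rules in 9.b (disable on termination, disable after an absence longer than sixty days, review access when a role changes) are the kind of control that should be run as a scheduled job rather than remembered by an administrator. The following is an added example written for this Exhibit, not Customer's or any Vendor's own tooling; the `Account` record, its field names and the sample accounts and dates are constructed for illustration. It deliberately treats an absence of exactly sixty days as still within the limit, since the clause says "longer than sixty (60) days".

```python
# Added example (not part of the Exhibit): an account lifecycle review implementing
# the rules in section 9.b. Account records and dates are constructed sample data.
from dataclasses import dataclass
from datetime import date

MAX_ABSENCE_DAYS = 60                # 9.b.2: disable after an absence longer than 60 days
REVIEW_DATE = date(2024, 3, 1)       # constructed "today" for the sample run


@dataclass
class Account:
    username: str
    employed: bool            # False once employment or engagement has ended (9.b.1)
    last_activity: date       # most recent login or other use of the account
    role: str                 # current job role
    role_at_last_review: str  # role recorded when access was last reviewed (9.b.3)
    enabled: bool = True


def review_accounts(accounts, today):
    """Apply the 9.b rules and return the actions an administrator must take.

    Returns {"disable": [(username, reason), ...], "review": [username, ...]}.
    Already-disabled accounts are skipped. An absence of exactly 60 days is not
    'longer than' 60 days, so such an account stays enabled.
    """
    actions = {"disable": [], "review": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        if not acct.employed:
            actions["disable"].append((acct.username, "employment or engagement ended"))
            continue
        absence = (today - acct.last_activity).days
        if absence > MAX_ABSENCE_DAYS:
            actions["disable"].append((acct.username, f"absent {absence} days"))
        if acct.role != acct.role_at_last_review:
            actions["review"].append(acct.username)
    return actions


def sample_accounts():
    """Constructed sample data, not real accounts."""
    return [
        Account("alice", True, date(2024, 2, 20), "dev", "dev"),
        Account("bob", False, date(2024, 2, 28), "ops", "ops"),        # engagement ended
        Account("carol", True, date(2023, 12, 1), "dev", "dev"),       # 91 days absent
        Account("dave", True, date(2024, 1, 1), "ops", "dev"),         # exactly 60 days; role changed
        Account("erin", False, date(2023, 6, 1), "dev", "dev", enabled=False),  # already disabled
    ]


if __name__ == "__main__":
    result = review_accounts(sample_accounts(), REVIEW_DATE)
    for user, reason in result["disable"]:
        print(f"DISABLE {user}: {reason}")
    for user in result["review"]:
        print(f"REVIEW  {user}: role changed since last access review")
```

In practice `sample_accounts()` would be replaced by an export from the identity store, and the "disable" list would feed the 9.d.1 notification to Customer for any of those accounts that also hold Customer network access.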
c. | During employment or when under contract: |
1. | Vendor must include Information Security requirements within job descriptions or other written documentation for Vendor employees and Agents whose job roles will have access to Customer Information Assets; |
2. | Vendor must maintain an Information Security awareness and training program for its employees and Agents to ensure the employees and Agents are aware of their responsibility to protect and maintain the confidentiality and security of Vendor and Customer Information Assets; |
3. | Vendor shall impose disciplinary measures for violations of its Information Security Program. |
d. | Upon termination of employment or contract: |
1. | Vendor shall notify Customer in writing within 24 hours when Vendor’s employees and Agents who have access to Customer’s network and internal systems are reassigned and no longer need access, or are no longer working for Vendor, thereby enabling Customer to remove access in a timely manner; |
2. | Vendors must secure all Customer Information Assets within their custody from employees and Agents upon termination of employment or contract. |
10. | Physical Security. |
a. | Access to Customer Confidential Information Assets must be controlled to protect the confidentiality, integrity, and availability of Customer Confidential Information Assets with appropriate administrative, logical, and physical safeguards, including but not limited to: |
1. | locking office doors; |
2. | securing storage containers; |
3. | shredding or otherwise securely destroying Information Assets at appropriate times. |
b. | Physical entry to Vendor’s premises must be controlled such that unauthorized entry is prevented, detected and reported to appropriate Vendor personnel immediately. All entry and exit points must be secured, logged and monitored to ensure only authorized personnel may gain entry to Vendor’s buildings and secured areas. |
c. | Where Vendor has utilized identification badges or similar tokens for its employees and Agents, a documented process must exist, along with supporting procedures, to ensure lost badges and tokens are disabled immediately upon notification of the loss. |
d. | When a Vendor employee or other Agent is terminated, procedures must exist to ensure the identification badges are immediately disabled. |
e. | All Customer Information Assets in Vendor’s possession must be physically secured in an access-controlled area, in a locked room, or secured storage container or file cabinet. |
f. | Customer Information Assets must not be removed from Vendor’s premises without written consent from Customer and written authorization from Vendor management. |
g. | All Customer Information Assets, together with Vendor Information Assets used to provide services to Customer, must be protected to minimize the risk of physical and environmental threats that could jeopardize Information Asset confidentiality, integrity, and availability. |
h. | Physical access to computer sessions must be secured when a user who is actively logged into a session is not physically present to monitor activity and viewing of Information Assets displayed within that session. Examples of physical controls include, but are not limited to: |
1. | utilizing screen savers which lock the screen and keyboard access after a short period of inactivity; |
2. | manually locking the keyboard; |
3. | physically securing the office where the computer resides; |
4. | positioning the monitor away from an unauthorized view. |
11. | Information Back-up. |
a. | Adequate backup facilities should be provided to support the recovery of Customer Information Assets in accordance with Customer disaster recovery requirements and record retention schedules. Minimal requirements include: |
1. | Media containing back-up copies of Confidential and Proprietary Customer Information Assets should be encrypted using industry standard methods to conceal these Information Assets from unauthorized access; |
2. | The back-up storage media used to store Customer Information Assets must be of a type that has been determined by Vendor to be appropriate for the confidentiality and retention requirements of the data it will contain; |
3. | As it is critical that the back-up storage media be machine readable in the event it is needed for restore and recovery operations, random controlled testing of the restoration process must occur; |
4. | Back-up copies of Customer Information Assets, together with complete and accurate records of the back-up copies, must be stored at a physically secured offsite location as a measure of protection against total loss of Information Assets in the event of a system failure or disaster; |
5. | Customer Information Assets should be backed up on a schedule that aligns with disaster recovery requirements. This schedule includes requirements for weekly full backups, daily incremental backups, quarter end backups and year end backups; |
6. | No more than one (1) full back-up and six (6) days of subsequent incremental back-ups may be stored on Vendor premises at any time. |
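Items 11.a.1 and 11.a.6 are concrete enough to be checked mechanically against a media inventory: every Confidential back-up must be encrypted, and the on-premises set may hold at most one full back-up and six days of incrementals. The following is an added example, not the Exhibit's or any Vendor's own script; the `BackupMedia` record and the inventory it checks are constructed, and it counts distinct calendar days of incremental media still on premises, which is one reasonable reading of "six (6) days of subsequent incremental back-ups".

```python
# Added example (not part of the Exhibit): checks a back-up media inventory against
# sections 11.a.1 and 11.a.6. The inventory below is constructed sample data.
from dataclasses import dataclass
from datetime import date

MAX_ONSITE_FULL = 1               # 11.a.6: at most one full back-up on premises
MAX_ONSITE_INCREMENTAL_DAYS = 6   # 11.a.6: at most six days of incrementals on premises


@dataclass(frozen=True)
class BackupMedia:
    taken: date
    kind: str           # "full" or "incremental"
    location: str       # "onsite" or "offsite"
    encrypted: bool
    confidential: bool  # holds Confidential or Proprietary Customer Information Assets


def check_backup_inventory(media):
    """Return a list of findings; an empty list means the inventory complies."""
    findings = []
    onsite = [m for m in media if m.location == "onsite"]

    fulls = [m for m in onsite if m.kind == "full"]
    if len(fulls) > MAX_ONSITE_FULL:
        findings.append(f"{len(fulls)} full back-ups on premises (max {MAX_ONSITE_FULL})")

    # Count distinct days of incremental media on premises, whatever the cycle.
    inc_days = {m.taken for m in onsite if m.kind == "incremental"}
    if len(inc_days) > MAX_ONSITE_INCREMENTAL_DAYS:
        findings.append(f"{len(inc_days)} days of incremental back-ups on premises "
                        f"(max {MAX_ONSITE_INCREMENTAL_DAYS})")

    # 11.a.1: Confidential back-ups must be encrypted wherever they are stored.
    for m in media:
        if m.confidential and not m.encrypted:
            findings.append(f"unencrypted confidential {m.kind} back-up of {m.taken} ({m.location})")
    return findings


def sample_inventory():
    """Constructed inventory: one weekly full on site, seven days of incrementals
    (one day too many), and one incremental written to unencrypted media."""
    return [
        BackupMedia(date(2024, 2, 17), "full", "offsite", True, True),
        BackupMedia(date(2024, 2, 24), "full", "onsite", True, True),
        *[BackupMedia(date(2024, 2, 24 + i), "incremental", "onsite", True, True)
          for i in range(1, 6)],                                       # Feb 25 to Feb 29
        BackupMedia(date(2024, 3, 1), "incremental", "onsite", True, True),
        BackupMedia(date(2024, 3, 2), "incremental", "onsite", False, True),  # unencrypted
    ]


if __name__ == "__main__":
    for finding in check_backup_inventory(sample_inventory()):
        print("FINDING:", finding)
```

Restoring from the older full back-up once the on-site full has rotated off site also satisfies 11.a.3 only if the restore is actually exercised; that test is a separate control and is not modelled here.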
12. | Network Security. |
a. | Customer may terminate any network or other Remote Connection with Vendor at any time without warning if it is suspected or confirmed that any such connection is not secure. |
b. | Customer Information Assets must not exist on any computer or device that is directly exposed to the Internet or other non-Vendor network, unless specifically authorized by Customer in writing. |
c. | Vendor shall establish and maintain appropriate controls for its electronic interfaces and connections between its own systems and those of others (“Remote Connections”) utilizing industry best practices. |
d. | Devices must be verified prior to connecting to the Customer or Vendor network segments where Customer Information Assets reside to comply with the following hardening requirements to protect from compromise: |
1. | Devices must employ an antivirus and file integrity checking system with: |
(1) | A method for updating antivirus definition information to be current at all times; |
(2) | Enabled real-time antivirus scanning of system activity, including all accessed files and memory; |
(3) | Scheduled weekly full directory and file antivirus scan; |
2. | Devices must employ up-to-date system software, including but not limited to, up-to-date system software patches and security updates. |
3. | Devices must employ a firewall, proxy or other network traffic filtering technology to deny invalid in-bound traffic to and reasonably protect out-bound traffic from that device; |
4. | System logs or equivalent tracking software must be configured to reasonably capture common errors and invalid access attempts; |
5. | The integration of new software on devices granted connectivity permission must be preceded by a risk assessment and incorporate formal change control procedures to determine and protect the impact to the Customer network. |
e. | Permission to connect any device to the Customer network shall be preceded by: |
1. | A Customer risk assessment to determine the impact to the Customer network; |
2. | Approvals from Customer, including its IT Network Manager, impacted technical IT managers, and a divisional Chief Information Officer or his/her designee. |
f. | Vendor networks must have firewalls deployed at the network perimeter to deny unauthorized in-bound and appropriate out-bound network traffic from the Internet and other non-Vendor networks. |
g. | Vendor applications and systems that view, host, store, process, transmit, print, back-up or destroy Customer Information Assets must be logically segregated from other systems on the Vendor internal network by an appropriate firewall- or proxy-based, or similar, architecture that will disallow unauthorized in-bound and out-bound connections to Customer Information Assets. |
h. | Intrusion detection systems or intrusion prevention systems must be in place to provide reasonable logging and protection against malicious network activity. These systems should be configured to alert appropriate information security and information technology personnel who will then bear the responsibility to take action to disallow said network activity from affecting Customer Information Assets. |
i. | Unattended network ports must be secured or disabled when not in use. Where business requirements justify the need, network ports may remain active provided that Vendor management has reviewed the business need and there is documented approval. Examples of such need would include network ports in conference rooms, shared work areas, etc. |
j. | Wireless network access points must be configured to ensure that only authorized Vendor devices may establish a connection to the Vendor internal network where Customer Information Assets are viewed, hosted, stored, processed, transmitted, printed, backed-up or destroyed. Further, the wireless network connections established must utilize industry best practices for encryption and other appropriate safeguards designed to protect against unauthorized access and use. |
13. | System Event Logging, Monitoring, and Reporting. |
a. | Vendor computer and network systems used to provide services to Customer must log significant events including, but not limited to, the following: |
1. | Unauthorized attempts to access Vendor network or Customer Information Assets must be captured and securely logged in such a way as to support error handling and forensic needs. |
2. | Logs must be configured or secured such that they cannot be viewed or altered by anyone without authorization, including those with administrative privileges, unless such access is also logged in a tamper-evident manner; |
3. | Logs of unsuccessful login attempts to network and unsuccessful access to Information Assets must be reviewed on a regular basis to detect and appropriately act upon anomalous and suspicious system access attempts; |
4. | When suspicious or anomalous activity is detected during a review of the aforementioned logs, it should be reported as directed by approved event handling procedures aligning with ISIRP plans. |
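Item 13.a.3 requires regular review of unsuccessful login attempts, and 14.a.4 later in this Exhibit fixes the lockout point at seven consecutive failures. The following is an added example of such a review, not the Exhibit's or any Vendor's own tooling: it parses log lines written in the message format of OpenSSH's `sshd` ("Failed password for ..." / "Accepted password for ..."), tracks consecutive failures per account (reset by a success), and separately flags a single source address that fails against several different accounts. The host name, user names, addresses and the three-account threshold for the second check are constructed assumptions.

```python
# Added example (not part of the Exhibit): a review of unsuccessful login attempts
# as required by section 13.a.3, using the seven-attempt figure from 14.a.4.
# Log lines follow OpenSSH's sshd message format; hosts, users and addresses are
# constructed sample data.
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 7   # 14.a.4: lock after seven consecutive unsuccessful attempts
SPRAY_MIN_USERS = 3     # assumption: one source failing against 3+ accounts is suspicious

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def review_auth_log(lines, threshold=LOCKOUT_THRESHOLD):
    """Return accounts whose consecutive failures reached the threshold and
    source addresses that failed against several distinct accounts."""
    streak = defaultdict(int)        # consecutive failures per user, reset on success
    lockout_candidates = {}          # user -> (source, timestamp of the Nth failure)
    users_per_source = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # not an authentication line; ignore
        user, src = m["user"], m["src"]
        if m["result"] == "Accepted":
            streak[user] = 0
            continue
        streak[user] += 1
        users_per_source[src].add(user)
        if streak[user] == threshold:
            lockout_candidates[user] = (src, m["ts"])
    spray_sources = {src: sorted(users) for src, users in users_per_source.items()
                     if len(users) >= SPRAY_MIN_USERS}
    return {"lockout_candidates": lockout_candidates, "spray_sources": spray_sources}


def make_line(ts, result, user, src, invalid=False):
    """Build one constructed sshd-style log line."""
    who = f"invalid user {user}" if invalid else user
    return f"Mar  1 {ts} bastion sshd[4242]: {result} password for {who} from {src} port 51000 ssh2"


SAMPLE_LOG = (
    [make_line(f"08:00:{i:02d}", "Failed", "alice", "10.0.0.5") for i in range(7)]  # 7 in a row
    + [make_line("08:05:00", "Failed", "bob", "10.0.0.7")] * 3
    + [make_line("08:05:10", "Accepted", "bob", "10.0.0.7")]                         # resets bob
    + [make_line("08:06:00", "Failed", "bob", "10.0.0.7")] * 2
    + [make_line("08:10:00", "Failed", "carol", "203.0.113.9"),
       make_line("08:10:01", "Failed", "dave", "203.0.113.9"),
       make_line("08:10:02", "Failed", "erin", "203.0.113.9", invalid=True),
       "Mar  1 08:11:00 bastion sshd[4242]: Connection closed by 203.0.113.9 port 51000"]
)

if __name__ == "__main__":
    report = review_auth_log(SAMPLE_LOG)
    for user, (src, ts) in report["lockout_candidates"].items():
        print(f"{ts}: {user} reached {LOCKOUT_THRESHOLD} consecutive failures from {src}")
    for src, users in report["spray_sources"].items():
        print(f"{src} failed against {len(users)} accounts: {', '.join(users)}")
```

Either finding is what 13.a.4 calls "suspicious or anomalous activity" and would be handed to the ISIRP procedures of section 16; the review itself must run on the protected copy of the logs described in 13.a.2, not on a copy the reviewed accounts could alter.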
14. | Logical Access. |
a. | All computer-based information systems connected to any portion of the Vendor network where Customer Information Assets are located or processed must employ, at a minimum, the following requirements: |
1. | Vendor shall grant access to each user on a personally identifiable unique user account; |
2. | Wherever technically possible, the password settings for each user account must be configured using the following minimal configuration: |
(1) | Minimum of eight (8) characters in length and contain characters from at least three (3) of the following four (4) character types: |
(a) | upper case alpha characters; |
(b) | lower case alpha characters; |
(c) | numeric characters; |
(d) | special characters (e.g., !, $, @, etc.). |
(2) | Expiration of password must be minimally set as follows: |
(a) | Set to automatically require password changes, at a maximum, every sixty (60) days, for user accounts and any system account where the setting will not hinder production processing; |
(b) | If the automatic expiration of a system account would potentially cause the risk of interruption of production processing, password changes may occur manually with the following alternate controls in place: |
(i) | The system account is assigned a unique owner who is ultimately responsible for the disposition and usage of the account and password; |
(ii) | The system account is configured with advanced complex password creation rules (e.g., extended password length, hashing algorithms, etc.); |
(iii) | The system account is limited wherever possible to allow log on capabilities only to required computers and/or services; |
(iv) | The system account is changed manually at least once a year and upon turnover of staff at the earliest time available so as not to affect processing; |
(v) | The system account complies with all other requirements within this Exhibit. |
3. | The password settings for each vendor-supplied default account must be changed and configured using the minimal configuration outlined in Section 14.a.2. |
4. | Accounts with any access to Customer Information Assets must be configured wherever technically possible to disallow login capability after a maximum of seven (7) consecutive unsuccessful login attempts, or a lesser number where otherwise required (e.g., by PCI). |
b. | Passwords must be stored in an encrypted form in the user identity database, and they must be rendered unreadable during transmission and storage (e.g., appropriately concealed within strongly restricted directories, etc.) if embedded within batch files, automatic login scripts, software macros, terminal function keys, on computers where access controls are otherwise disabled, or any location where unauthorized individuals might discover them. |
c. | Passwords must be changed immediately if it is discovered that they are disclosed to or discovered by unauthorized parties. |
d. | Vendor systems must be configured wherever technically possible to disable user sessions after a reasonable period of inactivity, based upon business risk. |
e. | Additional and/or stronger logical access safeguards may be implemented by Vendor at its discretion, so long as such additional controls do not neutralize nor negate the effectiveness of existing controls for Customer Information Assets as outlined within this Exhibit. |
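The minimal password configuration in 14.a.2 (eight characters, three of four character classes, rotation at sixty days) is simple enough to encode as a check that can be run against an account export or wired into a provisioning workflow. The following is an added example, not the Exhibit's or any Vendor's own code; the test passwords and ages are constructed, and "special character" is taken to mean any character that is neither a letter nor a digit, which is an assumption the Exhibit's "(e.g., !, $, @, etc.)" leaves open.

```python
# Added example (not part of the Exhibit): a password policy check implementing the
# minimum configuration in section 14.a.2 (length, three of four character classes,
# sixty-day expiry). Passwords and ages below are constructed test values.
MIN_LENGTH = 8               # 14.a.2(1)
MIN_CHARACTER_CLASSES = 3    # 14.a.2(1): three of the four classes
MAX_PASSWORD_AGE_DAYS = 60   # 14.a.2(2)(a)


def character_classes(password):
    """Return the subset of the four 14.a.2(1) character classes present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # assumption: anything that is not a letter or digit
    return classes


def complexity_violations(password):
    """Violations of 14.a.2(1) for one candidate password; empty means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < MIN_CHARACTER_CLASSES:
        violations.append(f"only {len(found)} of 4 character classes "
                          f"(need {MIN_CHARACTER_CLASSES}): {sorted(found)}")
    return violations


def expiry_violations(age_days):
    """Violation of 14.a.2(2)(a) if the password is older than sixty days."""
    if age_days > MAX_PASSWORD_AGE_DAYS:
        return [f"password is {age_days} days old (max {MAX_PASSWORD_AGE_DAYS})"]
    return []


def password_violations(password, age_days):
    """All 14.a.2 violations for one user account; an empty list means compliant."""
    return complexity_violations(password) + expiry_violations(age_days)


if __name__ == "__main__":
    # Constructed cases: (password, age in days)
    for pw, age in [("Correct-Horse-9", 10), ("password", 3), ("Ab1", 0), ("Passw0rd!", 74)]:
        problems = password_violations(pw, age) or ["compliant"]
        print(f"{pw!r} (age {age}d): " + "; ".join(problems))
```

The complexity check is deliberately a floor: 14.e allows a Vendor to add stronger rules (longer minimums, dictionary screening) so long as they do not weaken the controls listed here, and the system-account exception in 14.a.2(2)(b) would be handled by passing the manual rotation date rather than skipping `expiry_violations`.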
15. | System Development. |
Application and system development must follow a defined and documented systems development life cycle (“SDLC”) methodology that includes a preliminary review of information security requirements to ensure, at a minimum, the following:
1. | Vulnerability testing must be performed to ensure common security weaknesses are detected and corrected prior to being implemented; |
2. | There must be separate physical or logical environmental partitions separating development, test, staging and production environments; |
3. | The use of data within non-production environments must adhere to the following at a minimum: |
(1) | Wherever possible, fictitious data based upon real data cases must be employed in test environments; |
(2) | If Customer Information Assets are used, the same controls must exist as within the production environment; |
(3) | If Customer Information Assets are used, they must be immediately removed from all non-production environments upon the completion of their use; |
(4) | Handling and destruction of sensitive non-production data and output must be treated with the same level of confidentiality as if it were production; |
4. | Logical access controls must be defined, tested and incorporated to ensure they work as designed and support the ability to restrict access to only those Customer Information Assets required for Vendor and Customer business requirements, while also supporting the principle of least privilege; |
5. | Segregation of duties must be incorporated into the design of applications and systems to prevent the ability of a single person to perform multiple functions that could lead to fraud, theft, or other illicit or unethical activity through the use of the functions of the applications and systems where Customer Information Assets are stored, processed, transmitted, or destroyed; |
6. | Web-based applications exposed to the Internet must ensure vulnerability testing is performed to ensure the most common vulnerability weaknesses based upon industry best practices are identified and remediated to prevent them from being exploited in a way that could lead to unauthorized access to or disclosure of Customer Information Assets; |
7. | A formal, documented change management process must be used when making changes to applications and systems that view, host, store, process, transmit, print, back-up or destroy Customer Information Assets. This change management process must, at a minimum, include the following: |
(1) | Each change must be reviewed and approved by appropriate Vendor and Customer management; |
(2) | Changes to applications and systems must not be deployed into production environments by the same people who do the development and quality assurance of applications and systems; |
(3) | A record of all changes to applications and systems must be maintained that identifies: |
(a) | a brief description of each change that was made; |
(b) | who made each change; |
(c) | test plans and results for each change; |
(d) | who approved each change; |
(e) | when each change was made. |
16. | Information Security Incident Response and Breach Notification. |
a. | Vendor must establish and maintain a documented Information Security Incident Response program (“ISIRP”) that includes, at a minimum, the following: |
1. | Vendor must define and document the roles and responsibilities of its ISIRP team members; |
2. | Vendor ISIRP team members must receive training at least annually to ensure they understand what to do during an Information Security event or incident; |
3. | Vendor must establish and maintain a documented set of procedures and notification requirements to follow that provides guidance to the ISIRP team when responding to an event or incident; |
4. | Procedures and other documentation must provide guidance to the ISIRP team regarding Information Security event and incident records. All relevant event and incident logs, along with any related notes of actions taken in response to these events and incidents, must be secured and retained, based upon an approved retention schedule; |
b. | Customer shall be entitled to audit Vendor’s practices and procedures annually to confirm compliance with this Section. In the event the audit determines that Vendor is in material breach of this Section, Vendor will reimburse Customer for all direct costs associated with such audit. Vendor shall correct any such breach within five (5) days or Customer shall be entitled to terminate the underlying agreement. In addition, in the event Vendor experiences an Information Security Breach, Customer shall have the right to conduct a security audit in addition to any audit allowed for under this Section or the underlying agreement. |
c. | Any unmitigated Information Security Breach experienced by Vendor prior to the execution of the Agreement must be disclosed to Customer. |
d. | Any actual or suspected Information Security Breach experienced by Vendor involving Customer Information Assets must be reported to Customer promptly and without unreasonable delay, but in no event more than twenty-four (24) hours from its detection. Thereafter, Vendor will, at its own cost and expense: |
1. | Promptly furnish Customer with full details of the Information Security Breach; |
2. | Take immediate steps to remedy the Information Security Breach in accordance with applicable privacy rights and laws; |
3. | Cooperate with Customer to determine: (1) whether notice is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation, or in Customer’s discretion; and (2) the contents of such notice, whether any type of remediation may be offered to affected persons, and the nature and extent of any such remediation. |
4. | Use its best efforts to prevent a reoccurrence of any such Information Security Breach; |
5. | Assist and cooperate fully with Customer in Customer’s investigation of the Information Security Breach and/or the Vendor, Vendor’s employees, contractors, subcontractors or third parties related to the Information Security Breach, including but not limited to providing Customer with physical access to the facilities and operations affected, facilitating interviews with anyone involved in the Information Security Breach, and making available all relevant records, logs, files, and data; |
6. | Cooperate with Customer in any litigation or other formal action against third parties deemed necessary by Customer to protect its rights, and the rights of its clients and users; and |
7. | Reimburse Customer for actual costs incurred by Customer in responding to and/or mitigating damages caused by an Information Security Breach. |
e. | Nothing herein shall prevent Customer from taking any actions required by law, including the notification to the appropriate law enforcement agencies. |
17. | Business Continuity. |
a. | Business continuity recovery point objectives (“RPO”) and recovery time objectives (“RTO”) must be discussed with Customer and agreed to commensurate with the execution of the Agreement. This is done to ensure Vendor recovery capabilities and subsequent commitments to do so will meet Customer’s business requirements. |
b. | Vendor or Agent shall maintain a documented BCP and DR plan which, at a minimum, must: |
1. | Govern and define the objectives and actions required during a BCP/DR event; |
2. | Secure offsite copies of appropriate business continuity and disaster recovery documentation for retrieval in a reasonable time period by those who will need access to this information following a disaster event; |
3. | Define and document business continuity processes and procedures to enable Vendor to perform the actions necessary to maintain critical business functions following a disaster event; |
4. | Define and document Information Asset disaster recovery procedures to enable Vendor to recover Customer Information Assets in a manner consistent with established and agreed upon RPO and RTO business continuity requirements; |
5. | Prioritize recovery activity based upon a documented inventory of Customer Information Assets in accordance with the established and agreed upon RPO and RTO; |
6. | Define and document a formal communication plan to require that notification of any BCP/DR invocation be provided to Customer within twenty-four (24) hours of its occurrence. |
18. | Compliance. |
a. | Vendor must comply with all applicable international, state, federal, and private industry regulatory and statutory requirements as may be applicable to the services being provided to Customer by Vendor or its Agents. Examples of some of these requirements include adherence to the Health Insurance Portability and Accountability Act (HIPAA), the Xxxxx-Xxxxx-Xxxxxx Act (GLBA) and the Payment Card Industry (PCI) data security requirements. |
b. | Unlicensed and/or unapproved software must not be used on any Customer Information Asset or on Vendor Information Assets. |
c. | All software installed on Vendor Information Assets must be approved by appropriate Vendor management to ensure it satisfies a business need, configured to conform to the principle of “least privilege,” and is in compliance with applicable technical and information security requirements. |