AMENDMENT TO THE AMENDED AND RESTATED CUSTODIAN AGREEMENT BETWEEN EACH MANAGEMENT INVESTMENT COMPANY IDENTIFIED ON APPENDIX A OF THE AGREEMENT AND STATE STREET BANK AND TRUST COMPANY
Exhibit j.3
AMENDMENT to the Amended and Restated Custodian Agreement (the “Agreement”) made as of July 15, 2015 by and between State Street Bank and Trust Company, a Massachusetts trust company (the “Custodian”) and each management investment company identified on Appendix A of the Agreement and each management investment company which becomes a party to this Agreement in accordance with the terms hereof (in each case, a “Fund” or “Funds”), including, if applicable, each series of the Fund identified on Appendix A and each series which becomes a party to this Agreement in accordance with the terms hereof.
WHEREAS, the Agreement provides that it may be amended by agreement between the parties at any time or from time to time in writing; and
WHEREAS, Custodian and the Funds wish to extend the Agreement and to add Funds effective July 31, 2020;
NOW, THEREFORE, the Agreement is hereby amended as follows:
1. To restate Section 16.1, Term, in its entirety, as follows:
16.1 Term. This Agreement shall remain in full force and effect until April 1, 2026 (the “Term”), unless either party terminates this Agreement prior to April 1, 2026 by giving the other party not less than 120 days advanced written notice. If this Agreement isn’t terminated prior to the expiration of the Term, this Agreement shall automatically renew for successive one-year terms unless a written notice of non-renewal is delivered by the non-renewing party no later than ninety (90) days prior to the expiration of the Term, or any renewal term, as the case may be. A written notice of non-renewal may be given as to a Fund or a Portfolio.
2. To restate Section 20.8, Notices, in its entirety, as follows:
20.8 Notices. Any notice, instruction or other communication required to be given hereunder will, unless otherwise provided in this Agreement, be in writing and may be sent by hand, or by facsimile transmission, or overnight delivery by any recognized delivery service, to the parties at the following addresses or such other addresses as may be notified by any party from time to time.
To Any Fund:
Nuveen Investments
0000 Xxxxxx Xxxxxxxx Xxxx.
Xxxxxxxxx, XX 00000
Attn: Xxxxxxx Xxxxxxxx
Phone: 000-000-0000
with a copy to:
Nuveen Investments
000 Xxxx Xxxxxx Xxxxx
Xxxxxxx, XX 00000
Attn: Nuveen Legal, Associate General Counsel
To the Custodian:
STATE STREET BANK AND TRUST COMPANY
Xxx Xxxxxxx Xxxxxx
Xxxxxx, XX 00000
Attention: Xxxxx Xxxxxxx
Telephone: 000-000-0000
with a copy to:
STATE STREET BANK AND TRUST COMPANY
Legal Division – Global Services Americas
Xxx Xxxxxxx Xxxxxx
Xxxxxx, XX 00000
Attention: Senior Vice President and Senior Managing Counsel
3. To add a new Section 20.18, Information Security, as follows:
20.18 Information Security. Custodian represents that it currently maintains and shall continue to maintain throughout the term of this Agreement physical, electronic and procedural safeguards as described in the State Street Client Information Security Addendum attached hereto.
4. To add a new Section 20.19, Business Continuity, as follows:
20.19 Business Continuity. Custodian shall maintain throughout the term of this Agreement business continuity, disaster recovery, and backup capabilities (the “Plan(s)”) that permit Custodian to perform its obligations hereunder with minimal disruptions or delays. The Plans shall provide for the recovery from disruptions to suppliers, sites, technology and staff, including pandemic planning or other impacts that could result in mass protracted absenteeism. Custodian shall also maintain recovery time objectives (“RTOs”) for all business critical functions used to perform the services. Custodian’s current RTOs priority levels for critical functions, which are objectives, do not exceed seven (7) business days. RTOs are Custodian’s internal guidelines only and may be updated from time to time by Custodian. Upon request, Custodian will provide to the Funds updates, if any, on RTOs.
5. Effective July 31, 2020, restating Appendix A, in its entirety, as attached.
6. To add the “State Street Client Information Security Addendum” as attached hereto.
7. All other provisions, terms and conditions contained in the Agreement, as amended, shall remain in full force and effect.
IN WITNESS WHEREOF, the parties hereto have executed this Amendment as of the 31st day of July 0000.
XXXXX XXXXXX BANK AND TRUST COMPANY
Signed on its behalf:
By: /s/ Xxxxxx Xxxxxxxx
(Authorized Signatory)
Name: Xxxxxx Xxxxxxxx
Title: Executive Vice President
EACH OF THE MANAGEMENT INVESTMENT COMPANIES AND SERIES SET FORTH ON APPENDIX A HERETO
Signed on its behalf:
By: /s/ E. Xxxxx Xxxxxxxxx
(Authorized Signatory)
Name: E. Xxxxx Xxxxxxxxx
Title: SMD, Head of Fund Admin, VP & Controller of the Funds
APPENDIX A
TO
AMENDED AND RESTATED MASTER CUSTODIAN AGREEMENT
July 15, 2015
(Updated as of July 31, 2020)
NUVEEN CLOSED-END MANAGEMENT INVESTMENT COMPANIES
Nuveen All Cap Energy MLP Opportunities Fund
Nuveen AMT-Free Municipal Credit Income Fund f/k/a Nuveen Enhanced AMT-Free Municipal Credit Opportunities Fund
Nuveen AMT-Free Municipal Value Fund
Nuveen AMT-Free Quality Municipal Income Fund f/k/a Nuveen AMT-Free Municipal Income Fund
Nuveen Arizona Quality Municipal Income Fund f/k/a Nuveen Arizona Premium Income Municipal Fund
Nuveen Build America Bond Opportunity Fund
Nuveen California AMT-Free Quality Municipal Income Fund f/k/a Nuveen California AMT-Free Municipal Income Fund
Nuveen California Dividend Advantage Municipal Fund 2
Nuveen California Dividend Advantage Municipal Fund 3
Nuveen California Municipal Value Fund 2
Nuveen California Municipal Value Fund, Inc.
Nuveen California Quality Municipal Income Fund f/k/a Nuveen California Dividend Advantage Municipal Fund
Nuveen California Select Tax-Free Income Portfolio
Nuveen Connecticut Quality Municipal Income Fund f/k/a Nuveen Connecticut Premium Income Municipal Fund
Nuveen Core Equity Alpha Fund
Nuveen Credit Opportunities 2020 Target Term Fund
Nuveen Credit Opportunities 2022 Target Term Fund
Nuveen Credit Opportunities 2024 Target Term Fund
Nuveen Credit Strategies Income Fund
Nuveen Diversified Dividend and Income Fund
Nuveen Dow 30SM Dynamic Overwrite Fund
Nuveen Dynamic Municipal Opportunities Fund
Nuveen Emerging Markets Debt 2022 Target Term Fund
Nuveen Emerging Markets Debt 2025 Term Fund
Nuveen Energy MLP Total Return Fund
Nuveen Enhanced Municipal Value Fund
Nuveen Floating Rate Income Fund
Nuveen Floating Rate Income Opportunity Fund
Nuveen Georgia Quality Municipal Income Fund f/k/a Nuveen Georgia Dividend Advantage Municipal Fund 2
Nuveen Global Equity Income Fund
Nuveen Global High Income Fund
Nuveen High Income 2020 Target Term Fund
Nuveen High Income 2023 Target Term Fund
Nuveen High Income December 2018 Target Term Fund
Nuveen High Income December 2019 Target Term Fund
Nuveen High Income November 2021 Target Term Fund
Nuveen Intermediate Duration Municipal Term Fund
Nuveen Intermediate Duration Quality Municipal Term Fund
Nuveen Maryland Quality Municipal Income Fund f/k/a Nuveen Maryland Premium Income Municipal Fund
Nuveen Massachusetts Quality Municipal Income Fund f/k/a Nuveen Massachusetts Premium Income Municipal Fund
Nuveen Michigan Quality Municipal Income Fund f/k/a Nuveen Michigan Quality Income Municipal Fund
Nuveen Minnesota Quality Municipal Income Fund f/k/a Nuveen Minnesota Municipal Income Fund
Nuveen Missouri Quality Municipal Income Fund f/k/a Nuveen Missouri Premium Income Municipal Fund
Nuveen Mortgage and Income Fund f/k/a Nuveen Mortgage Opportunity Term Fund
Nuveen Mortgage Opportunity Term Fund 2
Nuveen Multi-Market Income Fund
Nuveen Municipal 2021 Target Term Fund
Nuveen Municipal Credit Income Fund f/k/a Nuveen Enhanced Municipal Credit Opportunities Fund
Nuveen Municipal Credit Opportunities Fund
Nuveen Municipal High Income Opportunity Fund
Nuveen Municipal Income Fund, Inc.
Nuveen Municipal Value Fund, Inc.
Nuveen NASDAQ 100 Dynamic Overwrite Fund
Nuveen New Jersey Municipal Value Fund
Nuveen New Jersey Quality Municipal Income Fund f/k/a Nuveen New Jersey Dividend Advantage Municipal Fund
Nuveen New York AMT-Free Quality Municipal Income Fund f/k/a Nuveen New York AMT-Free Municipal Income Fund
Nuveen New York Municipal Value Fund 2
Nuveen New York Municipal Value Fund, Inc.
Nuveen New York Quality Municipal Income Fund f/k/a Nuveen New York Dividend Advantage Municipal Fund
Nuveen New York Select Tax-Free Income Portfolio
Nuveen North Carolina Quality Municipal Income Fund f/k/a Nuveen North Carolina Premium Income Municipal Fund
Nuveen Ohio Quality Municipal Income Fund f/k/a Nuveen Ohio Quality Income Municipal Fund
Nuveen Pennsylvania Quality Municipal Income Fund f/k/a Nuveen Pennsylvania Investment Quality Municipal Fund
Nuveen Pennsylvania Municipal Value Fund
Nuveen Preferred and Income 2022 Term Fund
Nuveen Preferred and Income Term Fund
Nuveen Preferred & Income Opportunities Fund f/k/a Nuveen Preferred Income Opportunities Fund
Nuveen Preferred & Income Securities Fund f/k/a Nuveen Preferred Securities Income Fund
Nuveen Quality Municipal Income Fund f/k/a Nuveen Dividend Advantage Municipal Fund
Nuveen Real Asset Income and Growth Fund
Nuveen Real Estate Income Fund
Nuveen S&P 500 Buy-Write Income Fund
Nuveen S&P 500 Dynamic Overwrite Fund
Nuveen Select Maturities Municipal Fund
Nuveen Select Tax-Free Income Portfolio
Nuveen Select Tax-Free Income Portfolio 2
Nuveen Select Tax-Free Income Portfolio 3
Nuveen Senior Income Fund
Nuveen Short Duration Credit Opportunities Fund
Nuveen Strategic Municipal Credit Fund f/k/a Nuveen Municipal High Yield & Special Situations Fund
Nuveen Tax-Advantaged Dividend Growth Fund
Nuveen Tax-Advantaged Total Return Strategy Fund
Nuveen Taxable Municipal Income Fund f/k/a Nuveen Build America Bond Fund
Nuveen Texas Quality Municipal Income Fund f/k/a Nuveen Texas Quality Income Municipal Fund
Nuveen Virginia Quality Municipal Income Fund f/k/a Nuveen Virginia Premium Income Municipal Fund
NUVEEN OPEN-END MANAGEMENT INVESTMENT COMPANIES
NUVEEN MUNICIPAL TRUST, on behalf of:
Nuveen All-American Municipal Bond Fund
Nuveen High Yield Municipal Bond Fund
Nuveen Inflation Protected Municipal Bond Fund
Nuveen Intermediate Duration Municipal Bond Fund
Nuveen Limited Term Municipal Bond Fund
Nuveen Short Duration High Yield Municipal Bond Fund
Nuveen Strategic Municipal Opportunities Fund
NUVEEN MULTISTATE TRUST I, on behalf of:
Nuveen Arizona Municipal Bond Fund
Nuveen Colorado Municipal Bond Fund
Nuveen Maryland Municipal Bond Fund
Nuveen New Mexico Municipal Bond Fund
Nuveen Pennsylvania Municipal Bond Fund
Nuveen Virginia Municipal Bond Fund
NUVEEN MULTISTATE TRUST II, on behalf of:
Nuveen California High Yield Municipal Bond Fund
Nuveen California Intermediate Municipal Bond Fund
Nuveen California Municipal Bond Fund
Nuveen Connecticut Municipal Bond Fund
Nuveen Massachusetts Municipal Bond Fund
Nuveen New Jersey Municipal Bond Fund
Nuveen New York Municipal Bond Fund
NUVEEN MULTISTATE TRUST III, on behalf of:
Nuveen Georgia Municipal Bond Fund
Nuveen Louisiana Municipal Bond Fund
Nuveen North Carolina Municipal Bond Fund
Nuveen Tennessee Municipal Bond Fund
NUVEEN MULTISTATE TRUST IV, on behalf of:
Nuveen Kansas Municipal Bond Fund
Nuveen Kentucky Municipal Bond Fund
Nuveen Michigan Municipal Bond Fund
Nuveen Missouri Municipal Bond Fund
Nuveen Ohio Municipal Bond Fund
Nuveen Wisconsin Municipal Bond Fund
NUVEEN INVESTMENT TRUST, on behalf of:
Nuveen Equity Market Neutral Fund
Nuveen Global Total Return Bond Fund
Nuveen Large Cap Core Fund
Nuveen Large Cap Growth Fund
Nuveen Large Cap Value Fund
Nuveen NWQ Global All-Cap Fund
Nuveen NWQ Global Equity Income Fund
Nuveen NWQ Multi-Cap Value Fund
Nuveen NWQ Large-Cap Value Fund
Nuveen NWQ Small-Cap Value Fund
Nuveen NWQ Small/Mid-Cap Value Fund
Nuveen U.S. Infrastructure Bond Fund
NUVEEN INVESTMENT TRUST II, on behalf of:
Nuveen Emerging Markets Equity Fund
Nuveen Equity Long/Short Fund
Nuveen Global Growth Fund
Nuveen International Growth Fund
Nuveen NWQ International Value Fund
Nuveen NWQ Japan Fund
Nuveen Santa Xxxxxxx Dividend Growth Fund
Nuveen Santa Xxxxxxx Global Dividend Growth Fund
Nuveen Santa Xxxxxxx International Dividend Growth Fund
Nuveen Symphony Dynamic Equity Fund
Nuveen Symphony International Equity Fund
Nuveen Symphony Mid-Cap Core Fund
Nuveen Symphony Small Cap Core Fund
Nuveen Tradewinds Emerging Markets Fund
Nuveen Xxxxxxx International Large Cap Fund
Nuveen Xxxxxxx International Small Cap Fund
Nuveen Xxxxxxx Large-Cap Growth ESG Fund f/k/a Nuveen Xxxxxxx Large-Cap Growth Fund
Nuveen Xxxxxxx Managed Volatility Equity Fund
NUVEEN INVESTMENT TRUST III, on behalf of:
Nuveen Symphony Dynamic Credit Fund
Nuveen Symphony Floating Rate Income Fund
Nuveen Symphony High Yield Bond Fund
Nuveen Symphony High Yield Income Fund f/k/a Nuveen Symphony Credit Opportunities Fund
NUVEEN INVESTMENT TRUST V, on behalf of:
Nuveen Global Real Estate Securities Fund
Nuveen Xxxxxxx Diversified Commodity Strategy Fund
Nuveen Xxxxxxx Long/Short Commodity Strategy Fund
Nuveen Xxxxxxx Managed Futures Strategy Fund
Nuveen Multi-Asset Income Fund
Nuveen Multi-Asset Income Tax-Aware Fund
Nuveen NWQ Flexible Income Fund
Nuveen Preferred Securities and Income Fund f/k/a Nuveen Preferred Securities Fund
NUVEEN MANAGED ACCOUNTS PORTFOLIOS TRUST, on behalf of
Nuveen Core Impact Bond Managed Accounts Portfolio
Municipal Total Return Managed Accounts Portfolio
NUVEEN INVESTMENT FUNDS, INC., on behalf of
Nuveen Dividend Value Fund
Nuveen Global Infrastructure Fund
Nuveen Credit Income Fund f/k/a Nuveen High Income Bond Fund
Nuveen Large Cap Select Fund
Nuveen Mid Cap Growth Opportunities Fund
Nuveen Mid Cap Growth Value Fund
Nuveen Minnesota Intermediate Municipal Bond Fund
Nuveen Minnesota Municipal Bond Fund
Nuveen Nebraska Municipal Bond Fund
Nuveen Oregon Intermediate Municipal Bond Fund
Nuveen Real Asset Income Fund
Nuveen Real Estate Securities Fund
Nuveen Short Term Municipal Bond Fund
Nuveen Small Cap Growth Opportunities Fund
Nuveen Small Cap Select Fund
Nuveen Small Cap Value Fund
Nuveen Strategic Income Fund
State Street Client Information Security Addendum
All capitalized terms not defined in this State Street Client Information Security Addendum (this “Security Addendum”) shall have the meanings ascribed to them in the Amended and Restated Master Custodian Agreement by and between State Street Bank and Trust Company (“State Street”) and each management investment company identified on Appendix A of the Agreement (“Client”) dated July 15, 2015 (the “Agreement”).
State Street and Client hereby agree that State Street shall maintain an information security policy (“Security Policy”) that satisfies the requirements set forth below; provided, that, because information security is a highly dynamic space (where laws, regulations and threats are constantly changing), State Street reserves the right to make changes to its information security controls at any time and at the sole discretion of State Street in a manner that it believes does not materially reduce the protection it applies to Client Data. State Street will review the policy on an annual basis.
From time to time, State Street may subcontract services performed under the Agreement (to the extent provided for under the Agreement) or provide access to Client’s Confidential Information (“Client Data”) or its network to a subcontractor or other third party; provided, that, such subcontractor or third party implements and maintains security measures that State Street believes are at least as stringent as those described in this Security Addendum. State Street must maintain an up-to-date list of subcontractors that access, store, transmit, or use Client Data, and must provide the list to Client upon request.
For subcontractors who collect, transmit, share, store, control, process, manage or access Client Data, State Street is responsible for assessing and monitoring subcontractor control environments.
1. Objective.
The objective of State Street’s Security Policy and related information security program is to implement data security measures consistent in all material respects with applicable prevailing industry practices and standards (“Objective”). State Street must define job responsibilities to ensure effective management of information security and appropriate separation of duties within the organization. State Street will utilize qualified information security personnel sufficient to manage State Street’s cybersecurity risks. In order to meet such Objective, State Street uses commercially reasonable efforts to:
a. Protect the privacy, confidentiality, integrity, and availability of all confidential data and information disclosed by or on behalf of Client to, or otherwise comes into the possession of State Street, in connection with the provision of Services under the Agreement and to the extent the same is deemed Client Data;
b. protect against accidental, unauthorized, unauthenticated or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of the Client Data;
c. comply with applicable governmental laws, rules and regulations that are relevant to the handling, processing and use of Client Data by State Street in accordance with the Agreement;
d. implement customary administrative, physical, technical, procedural and organizational safeguards; and
e. limit the amount of Client Data collected to that reasonably necessary to accomplish the Services, limit the time such information is retained to that reasonably necessary to perform the Services, and limit access to those persons who are reasonably required to access or handle the Client Data in order to perform the Services.
2. Risk Assessments.
a. Risk Assessment - State Street shall, at least annually, perform risk assessments that are designed to identify material threats (both internal and external) against Client Data, the likelihood of those threats occurring and the impact of those threats upon the State Street organization to evaluate and analyze the appropriate level of information security safeguards (“Risk Assessments”).
b. Risk Mitigation - State Street shall use commercially reasonable efforts to manage, control and remediate any threats identified in the Risk Assessments that it believes are likely to result in material unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of Client Data, consistent with the Objective, and commensurate with the sensitivity of the Client Data and the complexity and scope of the activities of State Street pursuant to the Agreement.
c. Security Controls Testing - State Street shall, on approximately an annual basis, engage an independent external party to conduct periodic reviews of State Street’s information security practices. State Street shall have a process to review and evaluate high risk findings resulting from this testing.
3. Security Controls. Prior to State Street having access to Client Data, then annually and upon Client’s reasonable request, State Street shall provide Client’s Chief Information Security Officer or his or her designee with a copy of its corporate information security controls that form the basis for State Street’s Security Policy and an opportunity to discuss State Street’s information security measures with a qualified member of State Street’s information technology management team.
4. Organizational Security.
a. Responsibility - State Street shall assign responsibility for information security management to senior personnel only and will name a State Street employee to be responsible for leading this information security function.
b. Access - State Street shall permit only those personnel performing roles supporting the provision of Services under the Agreement to access Client Data.
c. Confidentiality - State Street personnel who have accessed or otherwise been made known of Client Data shall maintain the confidentiality of such information in accordance with the terms of the Agreement.
d. Policy Exception - As part of the Security Policy State Street shall implement a process by which exceptions to the Security Policy are reviewed and processed. This exception process must be documented.
e. Training - State Street will provide information security training on approximately an annual basis, to its personnel.
5. Data Protection.
a. Data Sensitivity - State Street acknowledges that it understands the sensitivity of Client Data.
b. Data Flow - State Street must document data flows and associated protections for data which is sent or received between Client systems and State Street systems.
c. External Hosting Facilities – State Street shall implement controls, consistent with applicable prevailing industry practices and standards, regarding the collection, use, storage and/or disclosure of Client Data by an external hosting provider.
d. Segregation of Client Data - State Street shall use generally accepted security management controls designed to ensure that none of State Street’s other clients have access to Client Data.
6. Physical Security and Data Destruction.
a. Securing Physical Facilities - State Street shall maintain systems located in State Street facilities that host Client Data or provide Services under the Agreement in an environment that is designed to be physically secure and to allow access only to authorized individuals. A secure environment includes the availability of onsite security personnel on a 24 x 7 basis or equivalent means of monitoring locations supporting the delivery of Services under the Agreement.
b. Physical Security of Media - State Street shall implement controls, consistent with applicable prevailing industry practices and standards, that are designed to deter the unauthorized viewing, copying, alteration or removal of any media containing Client Data. Removable media on which Client Data is stored (including thumb drives, CDs, DVDs, and PDAs) by State Street must be encrypted using at least 256 bit AES (or equivalent).
c. Media Destruction – State Street shall destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs) containing Client Data or use commercially reasonable efforts to render Client Data on such physical media unintelligible if such media or mobile device is no longer intended to be used. All backup tapes that are not destroyed must meet the level of protection described in this Security Addendum until destroyed. Electronic media that is not physically destroyed as part of the disposal process must be irrevocably erased or degaussed, such that the media is no longer readable for any purpose. State Street must develop and document information destruction processes that meet industry standards and must be used in all cases when Client Data is no longer needed. State Street shall keep records of all Client Data destruction completed and provide such records to Client upon demand or provide a certification that all such information has been destroyed in accordance with this Security Addendum.
d. Paper Destruction - State Street shall cross shred all paper waste containing Client Data and dispose in a secure and confidential manner.
7. Communications and Operations Management.
a. Firewall Management – Firewall management processes must be documented and meet industry standards. Any files containing Client Data on a system connected to the internet must be protected with up to date, industry standard, firewall protections and operating system security patches designed to maintain integrity and security of the Client Data.
b. Network Access – State Street must implement controls designed to prevent unauthorized devices from physically connecting to the internal network or to detect and alert an administrator (e.g. Network Access Control device (NAC)).
c. Monitoring Systems - State Street shall monitor its systems for (i) security incidents; (ii) unauthorized use of or access to Client Data; and (iii) violations and suspicious activity. This includes suspicious external activity (including unauthorized probes, scans or break-in attempts) and suspicious internal activity (including unauthorized system administrator access, unauthorized changes to its systems or network, system or network misuse or theft or mishandling of Client Data). State Street shall maintain audit and logging capabilities that will enable State Street to effectively detect, respond to and investigate a data security incident.
d. Intelligence Services - State Street shall monitor industry-standard information channels for newly identified system vulnerabilities and emerging risks regarding the technologies and Services provided to Client.
e. Intrusion Detection and Prevention - State Street shall maintain software, hardware, intrusion detection system, personnel and other resources designed to ascertain whether a penetration attempt is being made against any part of State Street’s network, mainframe, server or other infrastructure used by State Street to process, store or transport Client Data. This may include deploying intrusion detection/intrusion prevention controls to block, monitor, and alert State Street of security incidents that may require escalation to, and response from, State Street’s incident response personnel on a 24 hours per day, 7 days per week, 365 days per year basis.
f. Network Penetration Testing - State Street shall, on approximately an annual basis, contract with an independent third party to conduct a network penetration test. State Street shall have a process to review and evaluate high risk findings resulting from this testing. The cost of vulnerability and penetration testing will be assumed by State Street.
g. Data Protection During Transmission - State Street shall encrypt, using an industry recognized encryption algorithm, personally identifiable Client Data when in transit across public networks.
h. Data Loss Prevention - State Street shall implement a data loss prevention program that is designed to identify, detect, monitor and alert on abnormal external data movement.
i. Malicious Code – State Street shall implement controls that are designed to detect the introduction or intrusion of malicious code on information systems handling or holding Client Data and implement a process for removing said malicious code from information systems handling or holding Client Data.
8. Access Controls.
a. Authorized Access - State Street shall have controls that are designed to maintain the logical separation such that access to systems hosting Client Data and/or being used to provide Services to Client will uniquely identify each individual requiring access, grant access only to authorized personnel based on the principle of least privileges, and prevent unauthorized access to Client Data.
b. User Access - State Street shall have a process to promptly disable access to Client Data by any State Street personnel who no longer requires such access. State Street will also promptly remove access of Client personnel upon receipt of notification from Client.
c. Authentication Credential Management - State Street shall communicate authentication credentials to users in a secure manner, with a proof of identity check of the intended users. Initial passwords must be delivered in a secure manner and are required to be changed upon first logon.
d. Multi-Factor Authentication for Remote Access - State Street shall use multi factor authentication and a secure tunnel when remotely accessing State Street’s internal network.
e. Access Recertification - State Street must document a process to regularly recertify access to those facilities, systems, networks and applications that store, use, or otherwise have access to Client Data. This should include a documented review of access rights to confirm that access is still appropriate based on business needs. This review should occur at least annually or more frequently depending on risk and industry standards.
f. Unique IDs - State Street must assign unique user IDs that are reasonably designed to maintain the integrity of the security of the access control to each person with computer access.
g. Password Standards - State Street must document a password policy with a reasonably secure method of assigning and selecting passwords, or the use of unique identifier technologies, such as biometrics or token devices that cover all systems that store, access, transmit or process Client Data. Where technically feasible, passwords cannot be vendor supplied default passwords. This policy shall define standards for controlling password length, strength and change frequency.
h. Control of Passwords - State Street personnel must maintain the confidentiality of system passwords, keys, and passcodes used for the protection of Client Data, which must not be hard-coded into any scripts.
i. Account Lockout - State Street must deploy controls to lock accounts when no more than five invalid login attempts are made.
j. Password Reset – State Street must employ a secure and documented process to reset passwords that requires verification of user identity prior to password reset.
9. Encryption Requirements.
a. Encryption Standards - State Street will define in its Security Policy minimum standards for encryption methods and strength.
b. Encryption at Rest - State Street shall encrypt any laptops, mobile devices (e.g. Blackberries, PDAs), containing Client Data used by State Street’s personnel using an industry recognized encryption algorithm with at least 256 bit encryption AES (or equivalent).
c. Encryption Key Management - State Street must document procedures for managing encryption keys as well as any salts used to protect one way hashing functions. These procedures must include specifications for key provisioning, distribution, revocation, and expiration.
10. Use of Laptop and Mobile Devices in connection with the Agreement.
a. Secure Storage - State Street shall require that all laptops and mobile devices be securely stored whenever out of the personnel’s immediate possession.
b. State Street shall maintain the ability to remotely remove Client Data promptly from mobile phones managed by State Street.
c. Bring Your Own Device - State Street shall ensure that security controls, including mobile device management (MDM), remote wipe capabilities and encryption, are in place if Client Data can be stored, accessed, transmitted to or from, or used on a personal device. State Street must have policies to ensure State Street personnel maintain the security of these devices.
11. Information Systems Acquisition Development and Maintenance.
a. Client Data – Client Data shall only be used by State Street for the purposes specified in the Agreement.
b. Virus Management - State Street shall maintain a malware protection program designed to (i) deter malware infections; (ii) detect the presence of malware within the State Street environment; and (iii) recover from any impact caused by malware.
12. Incident Event and Communications Management.
a. Incident Management/Notification of Breach - State Street shall develop and implement an incident response plan that specifies actions to be taken when State Street or one of its subcontractors suspects or detects that a party has gained unauthorized access to Client Data or systems or applications containing any Client Data (the “Response Plan”). It must be approved by management, and have an owner to maintain and review the program. Such Response Plan shall include the following:
i. Escalation Procedures - An escalation procedure that includes notification to senior managers and appropriate reporting to regulatory and law enforcement agencies. This procedure shall provide for reporting of incidents that compromise the confidentiality of Client Data (including backed up data) to Client via telephone or email (and provide a confirmatory notice in writing as soon as practicable); provided that the foregoing notice obligation is excused for such period of time as State Street is prohibited by law, rule, regulation or other governmental authority from notifying Client.
ii. Incident Reporting - State Street will use commercially reasonable efforts to promptly furnish to Client information that State Street has regarding the general circumstances and extent of such unauthorized access.
iii. Investigation and Prevention - State Street shall reasonably assist Client in investigating any such unauthorized access and shall use commercially reasonable efforts to: (A) cooperate with Client in its efforts to comply with statutory notice or other legal obligations applicable to Client or its clients arising out of unauthorized access and to seek injunctive or other equitable relief; (B) cooperate with Client in litigation and investigations against third parties reasonably necessary to protect its proprietary rights; and (C) take reasonable actions necessary to prevent mitigate against loss from any such authorized access.
13. Client Data Outside the United States.
a. Storage, access, transmission or use of Client Data from a location outside the U.S. must be conducted from a State Street location designed to promote the security and confidentiality of data. Specific security controls may vary from one location to another, based on local jurisdictional limitations and risk practices, but all locations outside the U.S. are subject to State Street’s minimum security standards which may include:
i. Card key access
ii. Access limited to only authorized persons with a business need are granted access
iii. Visitor badges and State Street identification tags
iv. Closed Circuit TV (CCTV) cameras at site and/or floor entrance and recordings stored and available for thirty (30) to ninety (90) days
v. Lobby security, alarm, video, packages subject to search.
vi. True floor to true ceiling construction.
vii. Glass, wood, or steel doors.