AMENDMENT TO FUND ADMINISTRATION AND ACCOUNTING AGREEMENT
AMENDMENT
TO
FUND ADMINISTRATION AND ACCOUNTING AGREEMENT
This Amendment (“Amendment”) is made as of April 16, 2021 (“Effective Date”), by and between each of AMG PANTHEON FUND, LLC, AMG PANTHEON MASTER FUND, LLC and AMG PANTHEON SUBSIDIARY FUND, LLC (each, a “Fund”, collectively, the “Funds”) and THE BANK OF NEW YORK MELLON (“BNY Mellon”).
BACKGROUND:
| A. | BNY Mellon and each Fund are parties to a Fund Administration and Accounting Agreement made as of September 30, 2014, as amended to date (the “Agreement”) relating to BNY Mellon’s provision of services to each Fund. |
| B. | The parties desire to amend the Agreement as set forth herein. |
TERMS:
The parties hereby agree that:
| 1. | Sections 5(d), (g), (i) and (p) of the Agreement are hereby amended by replacing “negligence” in each instance it appears with “gross negligence”. |
| 2. | Section 7(c) of the Agreement is hereby amended by replacing “negligence” in each instance it appears with “gross negligence”. |
| 3. | Section 9(a) of the Agreement is hereby amended by replacing “negligence” in each instance it appears with “gross negligence”. |
| 4. | Section 9(b) of the Agreement is hereby amended and restated as follows: |
“9(b) RESERVED.”
| 5. | Section 9(c) of the Agreement is hereby amended by replacing “negligence” in each instance it appears with “gross negligence”. |
| 6. | Section 12(a) of the Agreement is hereby amended and restated as follows: |
“(a) As between a Fund and BNY Mellon, either party may terminate this Agreement by giving to the other party a notice in writing specifying the date of such termination, which shall be not less than ninety (90) days after the date of such notice. If any of a Fund’s assets serviced by BNY Mellon under this Agreement are removed from the coverage of this
Agreement and are subsequently serviced by another service provider, without BNY Mellon having received at least ninety (90) days’ written notice of such removal, the Fund will be deemed to have caused an improper early termination of this Agreement with respect to such removed assets; provided that the terms of this sentence shall not apply with respect to any termination pursuant to Section 12(c) below. For the avoidance of doubt, any termination of this Agreement by a Fund shall only be a termination of this Agreement with respect to that Fund.”
| 7. | Section 12(b) of the Agreement is hereby amended and restated as follows: |
“12(b) RESERVED.”
| 8. | Section 12(c) of the Agreement is hereby amended by adding “As between a Fund and BNY Mellon,” to the beginning of the first sentence. |
| 9. | Section 12(d) of the Agreement is hereby amended and restated as follows: |
“12(d) RESERVED.”
| 10. | A new Section 25 is hereby added to the Agreement as follows: |
“25. Information Security. The terms set forth in Appendix II (Information Security) hereto shall apply with respect to the services provided by BNY Mellon pursuant to this Agreement.”
| 11. | Appendix II attached hereto is hereby made a part of the Agreement as Appendix II thereto. |
| 12. | Miscellaneous. |
| (a) | Capitalized terms not defined in this Amendment shall have the same meanings as set forth in the Agreement. In the event of a conflict between the terms hereof and the Agreement, this Amendment shall control. |
| (b) | As hereby amended and supplemented, the Agreement shall remain in full force and effect. |
| (c) | The Agreement, as amended hereby, constitutes the complete understanding and agreement of the parties with respect to the subject matter thereof and supersedes all prior communications with respect thereto. |
| (d) | The parties expressly agree that this Amendment may be executed in one or more counterparts and expressly agree that such execution may occur by manual signature on a physically delivered copy of this Amendment, by a manual signature on a copy of this Amendment transmitted by facsimile transmission, by a manual signature on a copy of this Amendment transmitted as an imaged document attached to an email, or by “Electronic Signature”, which is hereby defined to mean inserting an image, representation or symbol of a signature into an electronic copy of this Amendment by electronic, digital or other technological methods. Each counterpart executed in accordance with the foregoing shall be deemed an original, with all such counterparts together constituting one and the same instrument. The exchange of executed counterparts of this Amendment or of executed signature pages to counterparts of this Amendment, in either case by facsimile transmission or as an imaged document attached to an email transmission, shall constitute effective execution and delivery of this Amendment and may be used for all purposes in lieu of a manually executed and physically delivered copy of this Amendment. |
| (e) | This Amendment shall be governed by the laws of the State of New York, without regard to its principles of conflicts of laws. |
[Signature page follows.]
IN WITNESS WHEREOF, each of the parties hereto has caused this Amendment to be executed as of the Effective Date by its duly authorized representative indicated below. An authorized representative, if executing this Amendment by Electronic Signature, affirms authorization to execute this Amendment by Electronic Signature and that the Electronic Signature represents an intent to enter into this Amendment and an agreement with its terms.
| AMG PANTHEON FUND, LLC | ||
| By: | /s/ Xxxxxx Xxxxxxx | |
| Name: Xxxxxx Xxxxxxx | ||
| Title: Treasurer and Principal Accounting Officer | ||
| AMG PANTHEON MASTER FUND, LLC | ||
| By: | /s/ Xxxxxx Xxxxxxx | |
| Name: Xxxxxx Xxxxxxx | ||
| Title: Treasurer and Principal Accounting Officer | ||
| AMG PANTHEON SUBSIDIARY FUND, LLC | ||
| By: | /s/ Xxxxxx Xxxxxxx | |
| Name: Xxxxxx Xxxxxxx | ||
| Title: Treasurer and Principal Accounting Officer | ||
| THE BANK OF NEW YORK MELLON | ||
| By: | /s/ Xxxxx-Xx Xxxx | |
| Name: Xxxxx-Xx Xxxx | ||
| Title: Director | ||
APPENDIX II
Information Security
I. Information Security Program Overview.
A. During the term of the Agreement, BNY Mellon will implement and maintain an information security program (“ISP”) with written policies and procedures reasonably designed to protect the confidentiality and integrity of the Funds’ Confidential Information provided to BNY Mellon in accordance with the Agreement and when in BNY Mellon’s possession or under BNY Mellon’s control (“Customer Data”). The ISP will include administrative, technical and physical safeguards, appropriate to the type of Customer Data concerned, reasonably designed to: (i) maintain the integrity, confidentiality and availability of Customer Data; (ii) protect against anticipated threats or hazards to the security or integrity of Customer Data; (iii) protect against unauthorized access to or use of Customer Data that could result in substantial harm or inconvenience to the Funds, (iv) provide for secure disposal of Customer Data, and (v) comply with other privacy and cybersecurity laws applicable to BNY Mellon in connection with the services provided under this Agreement.
B. BNY Mellon’s program is dynamic and may be modified to address technological changes or changes in the threat landscape, BNY Mellon’s business activities or other factors. BNY Mellon reserves the right to modify the ISP at any time, provided that BNY Mellon shall not diminish the overall level of protection this Appendix II is intended to provide.
II. Security Incident Response and Notice.
A. BNY Mellon will maintain a documented incident management process designed to ensure timely detection of security events and response thereto.
B. In the event of a declared Security Incident, BNY Mellon will (i) promptly notify the applicable Fund of the Security Incident and provide information regarding the Security Incident, (ii) provide updates to the Fund regarding BNY Mellon’s response and (iii) use reasonable efforts to implement measures designed to prevent a reoccurrence of Security Incidents of a similar nature.
C. “Security Incident” means any known loss or unauthorized access, disclosure, use, alteration or destruction of Customer Data.
III. Governance. BNY Mellon shall, (i) no more than once in a 12 month period, and upon request, provide a copy of its most recent SSAE-18 or equivalent external audit report to the Funds, which the Funds may disclose solely to their internal or external auditors that are subject to written confidentiality obligations to use reasonable care to safeguard the report and not to disclose the report to any third party or use the report for any purpose other than evaluating BNY Mellon’s security controls; (ii) at least once in a 12 month period, engage a third party provider to perform penetration testing of BNY Mellon systems used to provide the services under the Agreement and provide the Funds confirmation of such testing, upon request and (iii) no more than once in a 12 month period, participate in the Funds’ reasonable information security due diligence questionnaire process, upon request.
IV. Network and Communications Security.
A. Asset Management. BNY Mellon will maintain an inventory of its (i) system components, hardware and software used to provide the services under the Agreement and (ii) information assets, including data, information and vendors, and will review and update each such inventory in accordance with the ISP.
B. Change Management. BNY Mellon shall require that changes to its network or software used to provide the services under the Agreement are tested and applied pursuant to a documented change management process.
C. Security Monitoring. BNY Mellon will monitor cyber threat intelligence feeds daily. BNY Mellon will deploy Denial of Service (DoS) and Distributed DoS solutions.
D. Network Segmentation. BNY Mellon’s infrastructure utilizes a multi-tier architecture, including a DMZ, to isolate the internal infrastructure from external networks. Traffic from external sources will traverse firewalls and pass through multiple layers of malware protection prior to processing. BNY Mellon’s production environment used to provide the services under the Agreement will be segregated from pre-production regions and BNY Mellon’s internal segment.
E. Vulnerability Management. BNY Mellon will maintain a documented process to identify and remediate security vulnerabilities affecting its systems used to provide the services under the Agreement. BNY Mellon will classify security vulnerabilities using industry recognized standards and conduct continuous monitoring and testing of its networks, hardware and software including regular penetration testing and ethical hack assessments. BNY Mellon will remediate identified security vulnerabilities in accordance with its process.
F. Malicious Code. BNY Mellon will deploy industry standard malicious code protection and identification tools across its systems and software used to provide the services under the Agreement.
G. Communications. BNY Mellon will protect electronic communications used in the provision of services under the Agreement, including instant messaging and email services, using industry standard processes and technical controls and in accordance with the ISP.
V. Application Security. The ISP will require that in-house application development be governed by a documented secure software development life cycle methodology, which will include deployment rules for new applications and changes to existing applications in live production environments.
VI. Logging. The ISP will require the maintenance of network and application logs as part of BNY Mellon’s security information and event management processes. Logs are retained in accordance with law applicable to BNY Mellon’s provision of the services under the Agreement as well as BNY Mellon’s applicable policies. BNY Mellon uses various tools in conjunction with such logs, which may include behavioral analytics, security monitoring case management, network traffic monitoring and analysis, IP address management and full packet capture.
VII. Data Security.
A. Identity Access Management. BNY Mellon will implement reasonable and industry recognized user access rules for users accessing Customer Data based on the need to know and the principle of least privilege, and including user ID and password requirements, session timeout and re-authentication requirements, unsuccessful login attempt limits, privileged access limits, multifactor authentication or equivalent safeguard where risk factors indicate that single factor authentication is inadequate, and a system for tracking requests, updates and the termination of such access rights.
B. Data Segregation. The ISP will require that (i) Customer Data is stored in either physically or logically segregated databases from other BNY Mellon data and (ii) different databases are maintained for development, testing, staging and production environments used in the provision of services under the Agreement.
C. Encryption. BNY Mellon will (i) encrypt Customer Data in transit to an external network using commercially reasonable transport layer security or other encryption method and (ii) protect Customer Data at rest, in each case as BNY Mellon determines to be appropriate in accordance with the ISP and law applicable to BNY Mellon’s provision of the services under the Agreement.
D. Remote Access. The ISP will restrict remote access to BNY Mellon systems to authorized users using multifactor authentication or an equivalent safeguard, and will require such access to be logged.
E. Devices. BNY Mellon will restrict the transfer of Customer Data from its network to mass storage devices. BNY Mellon will use a mobile device management system or equivalent tool when mobile computing is used to provide the services under the Agreement. Applications on such authenticated devices will be housed within an encrypted container and BNY Mellon will maintain the ability to remote wipe the contents of the container.
F. Data Leakage Prevention (DLP). BNY Mellon will deploy DLP tools reasonably designed to help detect and prevent unauthorized transfers of Customer Data outside BNY Mellon’s network.
G. Retention and Disposal. BNY Mellon will retain Customer Data no longer than the time it determines to be reasonably necessary to address any purposes contemplated in the Agreement, to comply with applicable legal requirements, or to comply with BNY Mellon’s data retention policies and procedures. BNY Mellon will maintain chain of custody procedures and require that any Customer Data requiring disposal be rendered inaccessible, cleaned or scrubbed from such hardware and/or media using industry recognized methods.
VIII. Personnel. BNY Mellon will undertake background checks during the recruitment process of personnel involved in the provision of the services under the Agreement, subject to applicable laws, and require its personnel involved in the provision of services under the Agreement to undertake annual training on the aspects of the ISP applicable to the personnel’s job function.
IX. Physical Security. BNY Mellon will deploy perimeter security such as barrier access controls around its facilities processing or storing Customer Data. The ISP will include (i) procedures for validating visitor identity and authorization to enter the premises, which may include identification checks, issuance of identification badges and recording of entry purpose of visit and (ii) physical security policies for personnel, such as a “clean desk” policy. In accordance with its ISP and applicable law, BNY Mellon will install closed circuit television (“CCTV”) systems and CCTV recording systems to monitor and record access to controlled areas, such as data centers and server rooms.
X. Subcontracting. BNY Mellon will implement a third party governance program designed to provide oversight over unaffiliated third parties utilized in providing the services under the Agreement and such third parties’ implementation of reasonable information security policies and procedures. Such governance program shall include, to the extent deemed appropriate by BNY Mellon under the circumstances, subcontractor risk assessments, prospective and ongoing due diligence of such subcontractors, and other controls reasonably designed to periodically monitor and review the activities of such subcontractors in connection with performing services under the Agreement.
