THIRD AMENDMENT TO THE AMENDED AND RESTATED CUSTODY AGREEMENT
THIS THIRD AMENDMENT to the Amended and Restated Custody Agreement (this “Amendment”) is entered into as of April 1, 2024 with an effective date as of April 1, 2024 (the “Effective Date”) by and between GUIDESTONE FUNDS, a Delaware statutory trust (the “Fund”) on behalf of each series of the Fund listed on Schedule B to the Agreement (as defined below) (each, a “Portfolio” and, collectively, the “Portfolios”) and THE NORTHERN TRUST COMPANY (the “Custodian”), an Illinois corporation.
WHEREAS, the Custodian provides certain services to the Fund pursuant to the Amended and Restated Custody Agreement, dated as of April 1, 2021 (as amended, restated or otherwise modified from time to time prior to the date hereof, the “Agreement”); and
WHEREAS, in addition to the provisions contained in the Agreement, effective as of the date hereof, the Fund and the Custodian wish to make certain amendments to the Agreement.
NOW THEREFORE, in consideration of the mutual agreements herein contained, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:
1. DEFINITIONS; INTERPRETATION. Capitalized terms used herein but not otherwise defined shall have the meanings set forth in the Agreement. The headings to the clauses of this Amendment shall not affect its interpretation.
2. AMENDMENTS.
(a) Effective as of the Effective Date, Section 3A(b)(3) of the Agreement shall be amended by replacing such section in its entirety with the following:
(3) establish a system to monitor the appropriateness of maintaining the Fund’s assets with such Foreign Custodian and the performance of the contract governing the Funds’ foreign custody arrangements and the custody risks of maintaining each Fund’s assets with such Foreign Custodian;
(b) Effective as of the Effective Date, Section 3A(b)(5) of the Agreement shall be amended by replacing such section in its entirety with the following:
(5) promptly withdraw the Funds’ assets from any Foreign Custodian as soon as reasonably practicable, if the foreign custody arrangement no longer meets the requirements of Rule 17f-5.
(c) Effective as of the Effective Date, Section 18(b) of the Agreement shall be amended by replacing such section in its entirety with the following:
(b) At any time after March 31, 2027, either of the parties hereto may terminate this Agreement with respect to any Portfolio by giving to the other party a notice in writing specifying the date of such termination, which, in case the Fund is the terminating party, shall be not less than 60 days after the date of Custodian receives such notice or, in case the Custodian is the terminating party, shall be not less than 90 days after the date the Fund receives such notice.
NTAC:3NS-20 | 1 |
(d) Effective as of the Effective Date, Section 17 of the Agreement shall be amended to include the following new clause (n) at the end of such Section:
(n) Business Continuity Plan. The Custodian shall, at no additional expense to the Fund, take reasonable steps to minimize service interruptions in the event of power or other mechanical failure, work stoppage, computer virus, national state or local disaster, governmental action, communication disruption or other event that may impair the Custodian’s performance of services hereunder and that is beyond the Custodian’s control. The Custodian will maintain a business continuity plan and will provide an executive summary of such plan upon reasonable request of the Fund. The Custodian will test the adequacy of its business continuity plan at least annually. Upon request by the Fund, the Custodian will provide the Fund with a letter assessing the most recent business continuity test results. In the event of a business disruption that materially impacts the Custodian’s provision of services under this Agreement, the Custodian will promptly notify the Fund of the disruption and the steps being implemented under the business continuity plan. The Custodian represents that its business continuity plan is appropriate for its business as a provider of fund administration services to investment companies registered under the 1940 Act. The Custodian shall also enter into and shall maintain in effect at all times during the term of this Agreement with appropriate parties one or more agreements making reasonable provision, at a level the Custodian believes consistent with other similarly situated providers of administration and accounting services, for (i) periodic back-up of the computer files and data with respect to the Fund and (ii) emergency use of electronic data processing equipment to provide services under this Agreement. If access or use of the Custodian’s services is interrupted, the appropriate backup shall be activated within a commercially reasonable time to minimize disruptions. 
In the event of a service disruption due to reasons beyond the Custodian’s control, the Custodian will use commercially reasonable efforts to mitigate the effects of such a disruption. Upon reasonable request, the Custodian shall discuss with the Fund any business continuity plan of the Custodian and/or provide a high-level presentation summarizing such business continuity plan.
(e) Effective as of the Effective Date, Section 20 of the Agreement shall be amended by replacing such section in its entirety with the following:
20 INFORMATION SECURITY.
The Custodian will take commercially reasonable steps to safeguard sensitive or confidential Fund information, including Confidential Information as provided in Section 19 of this Agreement, to protect it from unauthorized disclosure, and to comply with state and federal laws and regulations regarding confidentiality, privacy, and security applicable to the Custodian (“Privacy and Security Laws”), including the following:
(a) The Custodian will assign system access rights to its employees on a “need to know” or “least privilege” basis such that only employees that need access to certain information to perform their job are granted such access. The Custodian will cause entitlement reviews to be conducted annually, and access right controls to be tested as part of its external auditor’s report on internal controls (e.g. SSAE-16 Type II SOC1 or similar report and any applicable successors thereto).
(b) The Custodian will require its employees to participate in annual security awareness training appropriate to their job function.
(c) The Custodian will develop, maintain and adhere to commercially reasonable internal control standards defining requirements for access control, application and system development, authentication, remote access, data classification, operational security, network security and physical security. Such policies and control standards will be closely aligned with generally recognized regulatory and security frameworks such as ISO, FFIEC, NIST and COBIT. The Custodian will cause such internal control standards to be regularly examined by its internal audit department and validated at least annually by both its internal audit department and an independent firm with the results outlined in an SSAE-16 Type II SOC1 or similar report and any applicable successors thereto.
(d) The Custodian will use encryption technology that provides a commercially reasonable level of security that complies with applicable regulatory requirements for the electronic transmission of Fund data over public networks.
(e) The Custodian will employ a commercially reasonable process for vulnerability management, including: (i) Internal and external network vulnerability scans conducted at least quarterly; (ii) Network and application layer penetration test conducted at least annually; (iii) System, application and source code scanning and analysis processes; (iv) A framework for remediation of findings is performed by a risk-based ranking of vulnerabilities and prioritization of critical and high patches; and (v) A process to identify newly discovered security vulnerabilities and update system and application standards to address new vulnerability issues.
(f) The Custodian will deploy firewalls, filtering routers or other similar network segmentation devices between networks providing services anticipated by this Agreement and other networks to control network traffic and minimize exposure to a network compromise and will configure its firewalls, network routers, switches, load balancers, name servers, mail servers, and other network components in accordance with industry standard practices.
(g) The Custodian will test the implementation of its information security measures by using an industry recognized third party that employs industry standard network, system, and application vulnerability scanning tools and/or penetration testing. The Custodian will also obtain, test, and apply relevant service packs, patches, and upgrades to the software and hardware components used to provide services under this Agreement. Vulnerability management will include, at a minimum, full application penetration tests by a qualified party, patch management to apply the latest security patches on a regular basis.
(h) The Custodian will implement and maintain up-to-date commercially available virus and malicious code detection and protection product(s) capable of detecting, removing, and protecting against viruses and other forms of malicious software, including spyware and adware on its network used to provide services under this Agreement.
(i) The Custodian will use commercially reasonable storage and disposal methods for Fund information/data, including paper shredders, CD/DVD shredders, and NIST standard multi-pass wipe magnetic disk software.
(j) With respect to Fund data residing on the Custodian’s systems, the Custodian will: (i) Employ commercially reasonable security controls and tools to monitor information processing systems and log key events such as user activities (including root or administrative access), exceptions, successful and unsuccessful logins, access to audit logs, unauthorized information processing activities, suspicious activities and information security events; (ii) Regularly back up security logs to a central location, protected against tampering and unauthorized access; (iii) Retain security logs for at least one year; (iv) Perform frequent reviews of security logs associated with the Custodian’s network used to provide services under this Agreement and take necessary actions to protect against unauthorized access or misuse of Fund data; (v) Synchronize the clocks of all relevant information processing systems using an authoritative national or international time source; (vi) Incorporate date and time stamp into security log entries; (vii) Employ, monitor and keep up to date network intrusion detection systems, host-based intrusion detection systems, or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises; and (viii) Respond appropriately to alerts reported by intrusion detection systems, host-based intrusion detection systems, or intrusion prevention systems.
(k) The Custodian will adopt and implement commercially reasonable control standards to manage the information security and technology risks associated with its use of third-party service providers to store, transmit or process Fund data. Such standards will be designed to satisfy requirements of the FFIEC and other applicable regulatory bodies.
(l) The Custodian shall (1) conduct reasonable due diligence to select and retain third party service providers and subcontractors that are capable of maintaining security consistent with this Agreement and complying with Privacy and Security Laws and other applicable legal requirements; (2) contractually require such service providers and subcontractors to maintain such security; and (3) regularly assess and monitor third party service provider’s and subcontractor’s compliance with the applicable security required in this Agreement and by law, including, without limitation Privacy and Security Laws.
(m) As permitted by applicable law and in accordance with the Custodian’s policies, prior to hire, the Custodian shall conduct, or cause to be conducted, reasonable background checks of any Custodian employee or contractor that will have access to PII or Fund Confidential Information. The Custodian shall not permit any employee or contractor to have access to PII or Fund Confidential Information if such employee or contractor has been convicted of a crime that would bar such employee from working for a financial institution.
(n) Upon notice to the Custodian, not more than once per year during the term of the Agreement or any time after a Security Breach, the Fund may undertake a due diligence of the Custodian’s information security controls, as it relates to this Agreement. Such due diligence shall be performed during regular business hours and at a time mutually agreed upon between the parties, no later than fifteen (15) days after the Fund’s initial request of such due diligence. Such due diligence may include requesting to view policies (which may be summaries thereof) or other relevant documentation, including any available and relevant third-party audit reports (e.g. SSAE 16 SOC2 reports), and conducting interviews with key security personnel.
(o) In the event that the Custodian comes into possession of personally identifiable information of the Fund’s shareholders (“PII”) in the provision of services contemplated under this Agreement: (i) the Custodian will use PII only to provide such services; (ii) the Custodian will implement industry standard commercially reasonable measures that are designed to: (w) ensure the security and confidentiality of PII in its possession or control; (x) protect against any anticipated threat or hazards to the security or integrity of PII; (y) protect against unauthorized access to or use of PII that could result in substantial harm or inconvenience to the Fund or any of the Fund’s shareholders; and (z) ensure that PII is disposed of properly; (iii) the Custodian will implement and maintain a formally documented security incident response plan that includes formation of an incident response team, categorization of incidents, and responsibility for receiving alerts and investigations; (iv) if the Custodian confirms that there has been an unauthorized use, exposure, access, disclosure, or loss of PII or other Confidential Information of the Fund or any of the Fund’s shareholders through a breach of the Custodian’s firewall or similar event through which a third party gains unauthorized access to the Custodian’s electronic systems (“Security Breach”), the Custodian will provide notice of such Security Breach to the Fund as soon as reasonably possible if required by law or regulation or if the Custodian reasonably determines that the Security Breach is likely to result in harm to the Fund or the Fund’s shareholders, and such notice shall be provided as required by law and without undue delay; (v) except as may be required by law or as may reasonably be deemed necessary by the Custodian, the Custodian will use commercially reasonable efforts to remedy any Security Breach as soon as possible; and (vi) as to any Security Breach for which the Custodian provides or is required to provide notice as set forth above, the Custodian (i) will provide the Fund with regular updates at agreed upon intervals regarding its investigation of such Security Breach, including what is known at that time, the cause, remedial steps and future plans to prevent a recurrence of the same or similar breach or suspicious activity and (ii) will reasonably cooperate with the Fund security investigation activities and with the preparation and transmittal of any notice or any action required by law, to be sent or done for customers or other affected third parties regarding such Security Breach.
(f) Effective as of the Effective Date, Schedule C (Fee Schedule) of the Agreement shall be replaced in its entirety by the amended Schedule C (Fee Schedule), attached hereto.
3. GOVERNING LAW. This Amendment shall be construed and the substantive provisions hereof interpreted under and in accordance with the laws of the State of Illinois.
4. MISCELLANEOUS. This Amendment may be executed in any number of counterparts, each of which will be deemed an original, but all of which taken together shall constitute one single agreement between the parties. Any such counterpart, to the extent delivered by means of a facsimile machine or by .pdf, .tif, .gif, .jpg or similar attachment to electronic mail or by means of DocuSign® or other electronic signature, shall be treated in all manner and respects as an original executed counterpart. Each DocuSign® or other electronic, faxed, scanned or photocopied manual signature shall for all purposes have the same validity, legal effect and admissibility in evidence as an original manual signature and the parties hereby waive any objection to the contrary. Except as provided herein, this Amendment may not be amended or otherwise modified except in writing signed by all the parties hereto.
5. EFFECT OF AMENDMENT. All other terms and conditions set forth in the Agreement shall remain unchanged and in full force and effect. On and after the Effective Date, each reference to the Agreement in the Agreement and all schedules thereto shall mean and be a reference to the Agreement as amended by this Amendment.
[Signature Pages Follow]
IN WITNESS WHEREOF, the parties hereto have caused this Amendment to be executed by a duly authorized officer on one or more counterparts as of the date and year written above.
By:
Name: Xxxxxxx Xxxxxxxx
Title: Vice President – Fund Operations and Secretary
THE NORTHERN TRUST COMPANY
By:
Name: Xxxxx Xxxx-Xxxxx
Title: Vice President
SCHEDULE C
FEE SCHEDULE
[See Attached]