AMENDMENT NO. 8 To Transfer Agency and Service Agreement between Each of the Entities, Individually and not Jointly, As Listed on Schedule A And DST Asset Manager Solutions, Inc.
Exhibit (h)(4)(viii)
THIS AMENDMENT (this “Amendment”) is entered into as of July 1, 2021 by and between EACH OF THE ENTITIES, INDIVIDUALLY AND NOT JOINTLY, AS LISTED ON SCHEDULE A (together, the “Clients”) and DST ASSET MANAGER SOLUTIONS, INC. f/k/a Boston Financial Data Services, Inc. (referred to herein as, “DST AMS” or “Service Provider”).
WHEREAS, the 1290 Funds, on behalf of each of its series as reflected on Schedule A, and DST AMS are parties to the Transfer Agency and Service Agreement dated October 29, 2014, as amended (the “Agreement”);
WHEREAS, the EQ Advisors Trust, on behalf of each of its series reflected on Schedule A, and DST AMS became parties to the Agreement pursuant to an amendment to the Agreement dated January 24, 2019; and
WHEREAS, in accordance with Section 16.1 (Amendment) of the Agreement, the parties wish to amend the terms of the Agreement as outlined below.
NOW, THEREFORE, in consideration of the mutual promises, undertakings, covenants and conditions set forth herein, the parties agree as follows:
1. Amendment to Agreement. The Agreement is hereby modified to include and incorporate Exhibit A, Information Security Addendum. To the extent the Agreement already contains an Information Security Addendum or similar document, it is superseded by Exhibit A attached hereto.
2. Effect on Agreement. As of the Effective Date, this Amendment shall be effective to amend the Agreements and to the extent of any conflict between the Agreements and this Amendment, this Amendment shall control. This Amendment shall be binding on the parties hereto and their respective personal and legal representatives, successors, and permitted assigns.
3. Execution in Counterparts/Facsimile Transmission. This Amendment may be executed in separate counterparts, each of which will be deemed to be an original and all of which, collectively, will be deemed to constitute one and the same Amendment. This Amendment may also be signed by exchanging facsimile copies of this Amendment, duly executed, in which event the parties hereto will promptly thereafter exchange original counterpart signed copies hereof.
4. Agreements in Full Force and Effect. Except as specifically modified by this Amendment, the terms and conditions of the Agreements shall remain in full force and effect, and the Agreements, as amended by this Amendment, and all of the terms thereof, including, but not limited to any warranties and representations set forth therein, if any, are hereby ratified and confirmed by the appropriate parties as of the Effective Date.
5. Capitalized Terms. All capitalized terms used but not defined in this Amendment will be deemed to be defined as set forth in the Agreements.
6. Authorization. Each party hereby represents and warrants to the other that the person or entity signing this Amendment on behalf of such party is duly authorized to execute and deliver this Amendment and to legally bind the party on whose behalf this Amendment is signed to all of the terms, covenants and conditions contained in this Amendment.
IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed in their names and on their behalf by and through their duly authorized officers as of the day and year first above written.
DST ASSET MANAGER SOLUTIONS, INC.
By:
Name: Xxxx Xxxxxx
Date: September 17, 2021
EQ ADVISORS TRUST | 1290 FUNDS
By: | By:
Name: Xxxxxx Xxxx | Name: Xxxxxx Xxxx
Date: Senior Vice President | Date: President
As an Authorized Officer on behalf of each of the Entities Individually and not Jointly as listed on Schedule A | As an Authorized Officer on behalf of each of the Entities Individually and not Jointly as listed on Schedule A
SCHEDULE A
Dated: March __, 2021
Fund | Type of Entity | Jurisdiction
| Statutory Trust | Delaware
1290 Diversified Bond Fund
1290 DoubleLine Dynamic Allocation Fund
1290 GAMCO Small/Mid Cap Value Fund
1290 High Yield Bond Fund
1290 Multi-Alternative Strategies Fund
1290 Retirement 2020 Fund
1290 Retirement 2025 Fund
1290 Retirement 2030 Fund
1290 Retirement 2035 Fund
1290 Retirement 2040 Fund
1290 Retirement 2045 Fund
1290 Retirement 2050 Fund
1290 Retirement 2055 Fund
1290 Retirement 2060 Fund
1290 SmartBeta Equity Fund
EQ Advisors Trust | Statutory Trust | Delaware
1290VT Convertible Securities Portfolio, Class IB
1290VT GAMCO Small Company Value Portfolio, Class IB
1290VT Micro Cap Portfolio, Class IB
1290VT SmartBeta Equity Portfolio, Class IB
1290VT Socially Responsible Portfolio, Class IB
EXHIBIT A
1. Information Security:
Service Provider warrants and represents that it has adopted and implemented, and covenants that it will maintain, a commercially reasonable information security program (“Service Provider’s Information Security Program”) incorporating administrative, technical, and physical safeguards designed (a) to ensure the confidentiality of Client Confidential Information in its possession or control; (b) to protect against any reasonably anticipated threats or hazards to the security or integrity of Client Confidential Information; (c) to protect against unauthorized access to or use of Client Confidential Information, including without limitation programs to train Service Provider’s Personnel in safeguarding the same, (d) to prevent the unauthorized loss, destruction or alteration of Client Confidential Information, (e) to destroy all electronic and hardcopy materials containing Client Confidential Information which Service Provider is permitted or required to destroy hereunder in a safe and secure manner, and (f) to comply with laws applicable to Service Provider.
Service Provider shall regularly review Service Provider’s Information Security Program in its efforts to ensure its continued effectiveness to safeguard Client Confidential Information as required herein and determine whether adjustments are reasonably necessary in light of circumstances including, without limitation, changes in technology, information systems, new or revised regulations applicable to Service Provider, or changing threats or hazards to Client Confidential Information. In the event Service Provider determines such adjustments are reasonably necessary, Service Provider shall implement such adjustments in a timeframe commensurate with the risk of the failure to so implement. The policies and procedures specified in Service Provider’s Information Security Program are subject to change at any time provided that the protections afforded thereby will not be diminished in comparison with those provided by Service Provider to Client prior to the execution of this Agreement. Service Provider will be reasonably available to meet with and provide reasonable assurances to Client concerning its data security procedures.
Service Provider shall maintain change control procedures for changes in the Service Provider Systems and the Services that are designed to ensure Service Provider’s compliance with its obligations in this Agreement.
As part of the Service Provider Information Security Program, Service Provider shall implement and maintain practices, processes and guidelines to protect Client Confidential Information in accordance with, but not limited to, the Security Datasheet included as Exhibit 1.
2. Client Review Rights:
Upon reasonable written request by Client, Service Provider shall permit Client or its representative who are not Service Provider Competitors the right to review Service Provider compliance with (i) Service Provider’s data protection and information security obligations set forth in this Agreement and Service Provider’s own internal controls as they relate to the Services that are not addressed in already existing controls reports prepared by an independent third party such as the SOC Report and/or other information provided by Service Provider (e.g. BITS Full SIG) and (ii) the terms of this Agreement, and shall grant Client or its representative such reasonable access to its offices and facilities to understand Service Provider policies and procedures as Client or such representative may reasonably request on reasonable advance written notice, solely to the extent that such policies and procedures directly pertain to or otherwise directly relate to the performance of this Schedule by Service Provider. Such review will be during Service Provider’s normal business hours and upon mutually agreed upon dates, to occur no more than once per calendar year, as requested by Client. Client understands that access to Service Provider’s offices and facilities shall be subject to Service Provider’s reasonable access requirements and security policies that are provided to Client in writing. Service Provider will have the right to deny access to Client or its representative to data of other Clients and any proprietary information. Client should leverage the SIG, SOC reports shared by Service Provider before performing the audit to avoid any duplicate requests. In the event the Client uses a third-party representative to participate in the review, Client will assist Service Provider in getting a non-disclosure agreement on standard terms directly between Service Provider and such third party representative.
Notwithstanding the above, (i) any such review will be conducted in a manner that is not unreasonably disruptive to the business operations of Service Provider, (ii) shall not interfere with Service Provider’s ability to perform Services, (iii) shall access only Client data, the services rendered by Service Provider to Client and information related to Service Provider’s operations providing such services to Client, and (iv) shall not, in Service Provider’s sole reasonable discretion, interfere or disrupt or access in any way Service Provider’s performance of services for Service Provider’s other clients or data or records made or maintained by Service Provider on behalf of its other clients. Service Provider reserves, and shall have, the right to immediately suspend any review where other Service Provider clients’ data, agreements, fees or operations (whether those of such client or of Service Provider on behalf of such client) are accessed or viewed or which interfere with Service Provider’s ability to conduct its operations or to perform its obligations under any of its agreements, whether with Client or with another Service Provider client.
Service Provider will provide up to 40 hours of support per year combined for (i) the review specified in this Section, and (ii) provision of additional information and assistance with respect to the SOC Report in Section 3 below and the provision of additional information with respect to Client requests in section 1 above at no additional cost to Client in order to assist Client with their compliance, however, Client shall be solely responsible for all the costs incurred by such governmental entity or any third party and Service Provider will be recompensed for any costs incurred to cooperate in any such review above and beyond the above provided service hours at a rate of $500/hour.
In performing a review, Client and its designee shall access only Client data, the Services and Service Provider’s operations providing the Services. In addition, if Service Provider is not a publicly held entity, upon Client’s request, Service Provider will provide a completed audited statement of the financial condition of Service Provider’s organization, including (i) audited year-end results for the three (3) previous years, including revenues, expenses, net income, total assets, liabilities and footnotes; and (ii) the most recent financial interim statement. All such information obtained by Client under this Section shall be deemed to be Service Provider’s Confidential Information.
3. SSAE 18/SOC I Type II:
Service Provider shall furnish Client, upon Client’s request, on an annual basis for as long as this agreement is in effect, whether in electronic form or paper form, a Statement on Standards for Attestation Engagements No. 18 Type II, an AICPA Professional Standards AT Section 101 – Type II, covering its business operations, certain information technology applications and information technology architecture as they relate to this Agreement (the “Service Organization Controls Report” or the “SOC Report”). The following parameters must be followed:
a. The report must be prepared by a nationally recognized accounting firm.
b. The SOC Report shall for each year, until further notice from Service Provider, be dated as of September 30 and delivered in December.
c. Service Provider agrees to cooperate with Client regarding the information provided in the SOC Report and any issues related to its information security program, where Client reasonably determines in good faith that such SOC Report and information security program contains material omissions regarding the adequacy of controls pertaining to Service Provider’s performance of the Subscription Service under this Agreement.
d. If the SOC Report identifies any significant control deficiency, Service Provider will include a management response within the SOC Report and will address the deficiencies in a manner and time frame reasonably commensurate with the severity of the deficiency at no additional cost to Client.
e. Service Provider to provide copy of Bridge Letter for the audit period beyond the duration of SSAE18 report provided to Client in the form and through the process as commonly provided for other clients of DST similarly situated, a current copy of which is attached hereto as Exhibit 2.
4. Quarterly Management Representation Letter:
Commencing on the Order Form Start Date and for as long as this Agreement is in effect, Service Provider shall make available to Client a completed quarterly management representation letter signed by an authorized officer of Service Provider to Client’s Relationship Manager in the form and through the process as commonly provided for other clients of DST similarly situated, a current copy of which is attached hereto as Exhibit 2.
5. Third-Party Suppliers, Sub-contractors, Sub-servicers and/or Hosting Providers:
Service Provider agrees that it will require its third-party suppliers, sub-contractors, sub-servicers and/or Hosting provider (each, a “Vendor”) to adhere to the Service Provider’s obligations related to safeguarding Client Confidential Information and maintenance of a comprehensive security program, including incorporation of administrative, technical and physical safeguards substantially similar to those provided herein, to the extent applicable to the services provided by such Vendor. Service Provider shall regularly audit and review their Vendor’s controls in an effort to ensure effectiveness of their internal control environment, including the design and implementation of their programs to reasonably prevent a cyber breach or fraud. This may include, depending on the services provided by such Vendor in accordance with the requirements of the Service Provider Supplier Risk Governance Program, a review of their application and/or infrastructure security, penetration test reviews, access controls & management (e.g. use of Multi-Factor Authentication), data protection (e.g. encryption at rest and in-transit), incident response, change management, logging, monitoring and reporting.
6. Risk Remediation Timelines:
Service Provider shall Remediate or Mitigate Significant Exposures in the Software and Systems identified as part of audits, assessments, penetration testing, scanning etc. according to Service Provider’s policies, at Service Provider’s expense and in a timeframe commensurate with the risk. Current timeframes are 3 days for Xxxxxx, 00 days for Critical and 90 days for High. These timeframes would be extended in cases in which Service Provider (and other firms) are waiting for a fix to be provided by a third-party vendor. In the event that Service Provider is unable to Mitigate or Remediate any Significant Exposure within the time frames specified above, Service Provider will provide Clients an attestation of Risk Acceptance, if applicable, and share a high-level summary report of such Significant Exposure along with Service Provider’s plan to mitigate or remediate such Significant Exposure with an updated due date (the “Summary Report”).
7. Penetration Testing:
a. Web Application Penetration Test:
i. Service Provider will regularly (no less than once annually and at Service Provider’s expense) engage a recognized third party to conduct application penetration testing.
ii. At a minimum, such third party will perform: i) application penetration test for internet facing web enabled applications used by Client; ii) OWASP Testing Guide (both credentialed and non-credentialed) penetration test; and iii) security related business logic penetration test; and to provide Client a summarized report prepared by the third party relevant to the applications used by Client that addresses the results of such testing.
iii. Upon request by Client, Service Provider to provide a letter of attestation including scope, date and methodology of assessment. Service Provider will follow its mitigation and remediation process in #6-Risk Remediation Timelines above.
b. Network Penetration Test:
i. Service Provider will regularly (no less than once annually and at Service Provider’s expense) engage a recognized third party to conduct external network penetration testing.
ii. At the test’s conclusion Service Provider will provide Client a confirmation that such test was conducted including scope of testing and will remediate vulnerabilities in the scope of the test according to Service Provider’s policies, at Service Provider’s expense and in a timeframe commensurate with the risk by following its mitigation and remediation process in #6-Risk Remediation Timelines above.
8. Application Security:
Service Provider’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications, and procedures for evaluating, assessing or testing the security of Software that contains any software code provided by or through a third party (Third Party Software). All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of Service Provider. Service Provider shall comply with the vulnerability scanning and related requirements set forth in this Exhibit. For purposes of this Section, the term “Software” means any Service Provider hosted internet-facing web site or web application that presents, transmits or processes Client Confidential Information.
a. Service Provider shall (i) scan such Software for the OWASP Top 10 before production deployment and at least every ninety (90) days thereafter using an industry standard vulnerability scanning tool.
b. Service Provider shall remediate vulnerabilities in the Software according to Service Provider’s policies, at Service Provider’s expense and in a timeframe commensurate with the risk.
9. Encryption:
Service Provider must use industry accepted encryption to protect:
a. Client Confidential Information in transit
b. Communications during transmissions between Client’s network and the Service Provider.
c. Encryption keys
Encryption standards should be reviewed periodically (at least annually) to ensure they meet industry accepted standards and are able to protect data provided by Client and communications using the following:
a. Encryption in removable media:
Service Provider should utilize latest industry recognized and utilized encryption technologies (encryption consistent with NIST (National Institute of Standards and Technology) such as Advanced Encryption Standard (AES-256 or above) (FIPS PUB 197) to protect data integrity and security along with the latest industry recognized and utilized hashing standard such as SHA2, etc. of all system passwords for the Service Provider Systems for all removable media except any such media that never leaves Service Provider secure locations (i.e., back-ups kept within DST’s secure data centers).
b. Encryption in Transit:
Service Provider should utilize latest industry recognized and utilized encryption technologies (encryption consistent with NIST (National Institute of Standards and Technology) such as 256-bit TLS (1.2 or above) Certification and 0000-xxx XXX public keys for internet transactions, secure FTP for transfer of files, encrypted e-mail and any other communications.
c. Encryption keys:
Encryption keys must be protected. Encryption key length must be a minimum of the latest industry recognized, and a maximum of the length authorized under applicable law and/or regulation. A log of keys must be kept for each user. Keys must be protected through a strong password (chosen by the end-user) and must be only accessible for the respective end-user where applicable. Access control for system keys must be configured as restrictive as possible. If the key is no longer needed or its lifetime is exceeded, the key must be securely deleted (unrecoverable) from all storage media.
10. Multi-Factor Authentication:
a. Service Provider must utilize industry standard multi-factor authentication for any individuals accessing the Service Provider’s internal network from outside.
b. Based on the risk assessment, Service Provider must secure sensitive assets using multi-factor or risk-based authentication to protect against unauthorized access to data provided by Client.
11. Incident Management:
Service Provider shall:
a. Provide Client with the name and contact information for an employee of Service Provider who shall serve as Client’s primary contact and shall be available to assist Client twenty-four (24) hours per day, seven (7) days per week as a contact in resolving obligations, including those associated with a Data breach. Such person will be responsible to engage applicable subject matter experts within Service Provider to address any Data breach.
b. Notify Client of a Data Breach as soon as practicable, once Service Provider becomes aware of any such breach but in no event later than in the time required by applicable state and federal laws and regulations; and
c. Notify Client’s Chief Privacy Officer of any Data Breaches or unauthorized data exposures by e-mailing Client with a read receipt at XxxxxxxXxxxxx@xxx-xxxxxxxxx.xxx, and with a copy by e-mail to Service Provider’s primary business contact within Client.
12. Definitions. For the purposes of this Agreement, the following terms have the following meaning:
“Client Confidential Information” means information or materials about Client or any of its affiliates, any of its other service providers, agents or representatives or any director, officer, employee, or other personnel or agents of any of the foregoing, whether or not proprietary to any of the foregoing, whether disclosed intentionally or acquired unintentionally, whether in written, electronic, visual or oral form, regardless of how transmitted, received, processed, stored, archived or maintained, and whether or not marked “confidential” or “proprietary”, including, without limitation, information concerning past, present or prospective products, assets, services, systems, customers, employees, financial professionals, shareholders, agents, representatives, finances, books and/or records, business affairs and/or relationships, business plans, trade secrets, methods of operations, processes, distribution and/or marketing strategies and/or procedures or other internal matters, internal or external audits, lawsuits, arbitrations, mediations, investigations, regulatory actions, mergers, acquisitions, divestitures or other similar corporate plans obtained by Service Provider as a result of providing Services hereunder. 
Client’s Confidential Information also includes any personal, financial or identifying information of an individual person including, without limitation, name, address, telephone numbers, sex, age, social security number, account numbers, including credit card, debit card and/or any other financial account number and/or employee numbers, driver’s license number or non-driver identification card number, finances, passwords or codes to access financial or other accounts, business, health, employment, credit standing, history, political affiliations, hobbies and personal relations and any list, description or other grouping directly or indirectly derived in whole or part therefrom, in all cases pertaining to any individuals who are, or were in the past, customers, prospective customers, directors, officers, employees, prospective employees, financial professionals, shareholders, agents or representatives of Client or any of its affiliates (such information individually and collectively, the “Personally Identifiable Information”) to the extent obtained by Service Provider as a result of providing Services to Client hereunder. Client’s Confidential Information includes information, directly or indirectly, derived by or on behalf of Service Provider from Client’s Confidential Information, using Client’s Confidential Information exclusively or combined with other information, and information obtained by Service Provider from third parties to expand upon, support or elucidate Client’s Confidential Information and summaries and analyses of or involving Client’s Confidential Information.
As between Service Provider and Client, Client shall own all intellectual property rights in and to the Client Confidential Information.
“Data Breach” means the unauthorized disclosure of Client Confidential Information.
“Mitigate” means Service Provider’s deployment of security controls which are reasonably designed to reduce the adverse effects of threats and reduce risk exposure.
“Remediation” or “Remediate”, means that Service Provider has resolved a Security Exposure or Data Breach, such that the vulnerability no longer poses a known risk to Client Confidential Information.
“Security Exposure” means an identified vulnerability that may be utilized to compromise Client Confidential Information.
“Significant Exposure” means any identified Security Exposures that have been categorized as Urgent, Critical or High, as defined by Service Provider per its policies and procedures.
Exhibit 1 – Security Datasheet
Service Provider’s Cybersecurity Program must be comprehensive and should align to industry leading frameworks, e.g. NIST Cybersecurity Framework, ISO, etc., to protect the confidentiality, integrity and availability of data. These controls include the following at a minimum, unless there are documented & tested effective alternative controls:
Security Controls as outlined in the attached Table 1:
Security Procedures, Policies and Logging as outlined in the attached Table 1:
Patch Management:
Service Provider shall ensure that all Service Provider Systems, including operating systems and platform software, are at the supported version and patch levels.
Intrusion Detection:
Service Provider, or an authorized third party, will monitor the Services for unauthorized intrusions using commercially reasonable detection mechanisms (e.g. Network and/or Host based intrusion prevention systems, etc.)
Physical Security:
Service Provider’s production data centers should have a physical access system that controls physical access to the data center. This system is designed to permit only authorized personnel to have access to secure areas. The facility should be designed to withstand adverse weather and other reasonably predictable natural conditions, be secured by guards or other physical access limitations such as biometric access screening and escort-controlled access, and is also supported by on-site backup generators in the event of a power failure.
Anti-Viruses:
The Service Provider’s Systems must be protected by commercially reasonable anti-virus and anti-spyware software, with signatures regularly updated.
Table 1
| 3270 | TA2000 Desktop | Fan Web | SmartDesk | PowerSelect | AWD
| Xxxx Xxxxxx/Xxxxx Xxxxxxxxxx | Xxxx Xxxx | Xxxx Xxxxxxxxx | Xxxxxx Xxxx Xxxxx Xxxxxxx | Xxxxx Xxxxxxxx Xxxxx Xxxxxxxx | Xxxx Xxxxxxxxxx Xxxxx Xxxxxxxxx
Security Controls:
a. Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual. | Yes | YES | YES | YES | YES | YES
b. Controls to lock out user access after several consecutive failed login attempts. | Yes | YES | YES | YES | YES | YES
c. Controls to require specific lockout time | Yes | YES | NO | YES | YES | YES
d. Controls to ensure generated initial passwords must be reset on first use. | Yes | YES | N/A | YES | YES (except service accts) | YES
e. Controls to force a User password to expire after a period of use. | Yes | YES | NO | YES | NO | YES
f. Controls to terminate a User session after a period of inactivity. | Yes | NO | YES | NO (by design) | NO | YES
g. Password history controls to limit password reuse. | Yes | YES | NO | YES | NO | YES
h. Password length controls. | Yes | YES | YES | YES | YES | YES
i. Password complexity requirements (requires letters and numbers). | Yes | YES | YES | YES | YES | YES
j. Controls surrounding verification before resetting password where DST manages password. | Not as function of 3270 | YES | N/A (DST does not manage password) | YES | YES | YES
k. The ability to accept logins to the Service from only certain IP address ranges. | NA | N/A | NO | N/A | N/A | YES
l. Ability to federate authentication via XXXX(SSO). | NA | NO | NO | N/A | NO - N/A | NO
m. Answers to questions used for authentication must be encrypted/managed securely (e.g. secret questions). | NA | YES | N/A | N/A | N/A | YES
Security Procedures, Policies and Logging: The Service should be operated in accordance with the following procedures to enhance security:
a. User passwords are stored using an industry standard one-way hashing algorithm (e.g. SHA2, etc.). | Yes | YES | Yes | YES | YES | YES
b. User access log entries should be maintained, containing date, time, User ID, URL executed or entity ID operated on, operation performed (edited, changed, | Yes | YES | Yes | YES | YES | YES
c. Logging will be kept for a minimum period as required by applicable state and federal laws and regulations. | Yes | YES | Yes | YES | YES | YES
d. Logging will be kept in a secure area to prevent tampering. | Yes | YES | Yes | YES | YES | YES
e. Passwords are not logged under any circumstances. | Yes | YES | Yes | YES | YES | YES
f. Passwords reset should be a random value (which must be changed on first use) and delivered securely to the recipient. | No | NO | No | NO | YES | YES
Exhibit 2:
XX/XX/XXXX
Equitable Financial Life Insurance Company
000 Xxxxxxxxxx Xxxxxxxxx
Xxxxxx Xxxx, XX 00000
Re: Certification Letter for Period Ending Date:
Dear Sir or Madam:
In response to your request regarding our internal controls as to services we provide, the undersigned represents, as of the period ending date above, the following:
1. We have reviewed the internal controls described in the current SOC 1 report issued by PricewaterhouseCoopers LLP with respect to our system and the suitability of the design and operating effectiveness of our controls. We have disclosed to your management any significant deficiencies or material weaknesses in the design or operation of such internal controls that (a) we became aware of after issuance of the SOC 1 and (b) we believe would have been noted in the SOC 1 to adversely affect our ability to record, process, summarize and report share information had they occurred prior to its issuance.
2. To the best of my knowledge: (a) there have been no significant changes in the internal controls that were described in the SOC 1 that would adversely affect such internal controls subsequent to the date of the SOC 1, nor have there been any corrective actions taken with regard to significant deficiencies and material weaknesses in such internal controls which have not been disclosed to you previously; and (b) there has been no fraud, whether or not material, that involves our management or our other employees who have a significant role in the internal controls described in the SOC 1.
3. To the best of my knowledge, and subject to the qualifications herein, in connection with the preparation of the shareholder information (the “Master Securityholder Files”) which forms the basis for certain information reported by you or your clients in periodic filings with the Securities and Exchange Commission, we have followed in all material respects the agreed upon procedures with respect to the safekeeping, recordkeeping, processing and reporting of assets and transactions, as set forth in any applicable service agreement.
(a) The foregoing representation is limited to information contained in the Master Securityholder Files which has been entered by us.
(b) Further, in providing the foregoing representation we have relied upon and assumed the accuracy of the information provided to us by other entities providing services to you or your clients, including but not limited to, any other transfer agent, distributor, custodian, investment adviser, administrator or pricing agent, broker-dealers and other intermediaries distributing or providing services to your or your clients’ shareholders or persons reasonably believed by us to represent such shareholders.
4. This certification relates, and is being made solely to you and may not be relied upon by any other entity.
5. The foregoing certification does not modify any obligations or limit any of our rights or the rights of our affiliates under applicable service agreements. All of our obligations and those of our affiliates are set forth exclusively in such agreements.
Sincerely,