AMENDMENT TO THE TRANSFER AGENCY AND SHAREHOLDER SERVICES AGREEMENT
EXHIBIT (h)(3)(c)
This Amendment is entered into as of June 20, 2024 by and between each investment company listed on the signature page to this Amendment (“Investment Company”) and each portfolio or each such Investment Company contained in Schedule B of the Agreement (each Investment Company and Portfolio in its individual and separate capacity being a "Fund") and BNY Mellon Investment Servicing (US) Inc. (“BNYM”), and amends the Transfer Agency and Shareholder Services Agreement dated September 1, 2016, by and between the parties (the “Agreement”).
Unless separately defined in this Amendment, capitalized terms have the same meanings as in the Agreement. References to a Paragraph or Schedule are to a paragraph of, or a schedule to, the Agreement.
WHEREAS, the Parties originally entered into the Agreement, wherein BNYM agreed to provide certain transfer agency and shareholder services to certain series of the Investment Companies, and the parties now wish to amend the Agreement.
NOW, THEREFORE, in consideration of the premises and mutual covenants herein contained and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Investment Companies and BNYM, intending to be legally bound, hereby agree to the statements made in the preceding paragraphs and as follows:
1.VARIATIONS TO AGREEMENT
Fund and BNYM agree that the terms of the Agreement shall be varied as follows:
1.1The following wording shall be added at the end of Section 1:
“BNYM shall conduct background checks on all BNYM personnel involved in the provision of the services as required by its standard policies and procedures (and such background checks shall, to the extent permitted by applicable law, include at least criminal offences and credit history). BNYM currently provides the services from one or more locations in the United States and in global locations including India and Poland. These service locations may change and such changes will be communicated to the Fund as part of ongoing relationship management communications with BNYM.”
1.2Section 2 shall be renumbered Section 2(a) and a new Section 2(b) shall be inserted immediately after and shall read as follows:
“(b) Without prejudice to Section 2(a) and BNYM's other record retention obligations under this Agreement, BNYM shall throughout the term of this Agreement, subject to applicable laws, maintain complete and accurate records in accordance with generally accepted industry standards, so as to permit the Fund to monitor BNYM's compliance with this Agreement.”
1.3The wording in Section 5(a) “BNYM agreed to implement and maintain appropriate security measures to protect “personal information”, as that term is defined in 201 CMR 17.00: Standards For The Protection Of Personal Information Of Residents Of The Commonwealth (“Massachusetts Privacy Regulation”), consistent with the Massachusetts Privacy Regulation and any applicable federal regulations.” shall be deleted and replaced with the following wording:
“BNYM shall at all times comply with the data protection obligations set out at Schedule E.”
1.4The first sentence of Section 5(b) shall be deleted and replaced with the following:
“(b)BNYM agrees that it shall promptly notify the Fund at xxxxxxxxxxxxxxxxx@xxxxxxxxxxxxx.xxx once it has determined that any security incident has occurred, where security incident shall mean that:
(i) Confidential Information of the Fund or any of its affiliates has been lost, misplaced, disclosed to or accessed by an unauthorized party or BNYM has reasonable suspicion that such is the case; or (ii) there has been any non-compliance with BNYM's information security program which could reasonably be expected to allow unauthorized access to the Fund's Confidential Information or that of any of its affiliates. BNYM shall make available suitably qualified and experienced security contacts at BNYM as required to provide additional material information relating to the security incident, as it becomes available, at a cadence reasonably agreed to by the parties until remediation has been completed.”
1.5Section 6 shall be renamed “Audit” and shall be renumbered Section 6(a).
1.6New Sections 6(b), (c) and (d) shall be inserted immediately following Section 6(a), and shall read as follows:
“(b)Provision of BNYM Audit Reports. BNYM shall provide the Fund, annually, with a copy of the report of an independent audit conducted in relation to the systems, procedures and internal controls of BNYM, and BNYM's compliance with the requirements of this Agreement. Such report shall take the form of: (i) a Statement on Standards for Attestation Engagements (SSAE), System and Organization Controls (SOC1 or SOC2), Type II Report (covering the most recent 12-month period); or (ii) an International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Report on Controls at a Service Organization, Type II Report (covering the most recent 12-month period); or (iii) a current International Organization for Standardization (ISO) 27001, Certificate with Statement of Applicability; or (v) an equivalent of any of the foregoing reports or certificates. Additionally, any regulator of the Fund may request BNYM to provide other information or cooperation and BNYM shall promptly provide such information and/or cooperation to the extent it is legally permitted to do so and subject to the reasonable security and confidentiality requirements of BNYM.
(c)Audit Rights. The Fund may request, with reasonable notice to BNYM, to inspect documents and records kept by and still in the possession of BNYM for the Services provided hereunder and make available all such documents and records in its possession available to the Fund or its auditor during business hours.
(d)Corrective Actions. If, following any audit, the Fund notifies BNYM that BNYM is non-compliant with any provisions of this Agreement, BNYM shall promptly make all necessary changes to ensure compliance. BNYM's failure to promptly correct any non-compliance under this Section shall constitute a material breach for the purposes of Section 13(c).”
1.7Section 8 shall be renamed from “Disaster Recovery” to “Disaster Recovery and Security” and renumbered Section 8(a).
1.8The last sentence of Section 8(a) shall be deleted and replaced with the following wording:
“BNYM shall maintain and act in accordance with its business continuity plan, an overview of which it shall make available to the Fund (in full or summary form) upon reasonable request. Such business continuity plan shall be designed, in accordance with appropriate industry standards (for a supplier to the financial services sector), to ensure the continuity of provision of the services, without interruption or deterioration, notwithstanding the occurrence of any crisis and, in the event of any interruption to such continuity, shall ensure service provision is restored in a time period to minimize any such interruption. BNYM shall maintain its information security program to reflect developments in applicable laws. BNYM shall not make any change to the information security program or business continuity plan where such change degrades or compromises the robustness of the security or business continuity measures.”
1.9New Sections 8(b), (c) and (d) shall be inserted immediately after, and shall read as follows:
“(b)Security.
(i)The information security program maintained by BNYM shall be no less protective than the minimum security standards set out in Schedule F and shall meet such standards as may be set out or referenced in BNYM's response to any IT security, risk assessment or due diligence questionnaire(s) (and any follow-up questions) issued, from time to time, by the Fund or any of its affiliates in relation to the Services. BNYM will promptly, fully and accurately respond to all such questionnaires and follow-up questions.
(ii)Any data or information provided by or on behalf of the Fund to BNYM under this Agreement, shall be used in accordance with the terms hereof for the purpose of performing BNYM's obligations under this Agreement.
(iii)BNYM Notification Obligations. In the event that BNYM experiences or becomes aware of (w) any event, service or system interruption that materially impacts or is reasonably likely to materially impact the ability of BNYM to provide the Services; (x) any incident of non-compliance by BNYM or any BNYM personnel with the terms of this Agreement impacting the provision of the Services; (y) any management or staffing change, material change in BNYM's relationship or service teams for the Fund; and/or (z) any complaint from any client of the Fund or any of its affiliates relating to any services or to Fund or any of its affiliates or any of their respective services, then BNYM shall notify the Fund via relationship management communication.
(c)Penetration Testing.
(i)To the extent the services consist of or include technology, BNYM shall: (i) if they are hosted by or on behalf of BNYM and receive or generate any confidential information of the Fund, ensure that security penetration testing (to determine if BNYM is in compliance with its information security program and to identify deficient security controls and vulnerabilities) of such services, and of the systems used in their provision, is performed, at least annually, by an independent expert third party (and BNYM shall, upon request, issue to the Fund a certificate confirming such penetration testing has been completed). The penetration testing methodology may include manual testing, shall be based on the then-current threat landscape.
(ii)If penetration testing reveals deficient security controls or vulnerabilities with respect to the Services BNYM shall remediate all such deficiencies and vulnerabilities within the timelines shared with the Fund as part of BNYM's responses to the Fund's risk assessments and diligence questionnaires referenced in Section 5(a). BNYM's failure to promptly correct any deficiencies under this Section shall constitute a material breach for the purposes of Section 13(c).
(d)Testing. BNYM shall, at least annually, test the BNYM's security breach management plan and the business continuity plan and BNYM's compliance with them and provide Fund with a summary of the results of such testing.”
1.10The first sentence of Section 11(b) shall be deleted and replaced with:
“(b)BNYM's maximum aggregate cumulative liability to the Fund and all persons or entities claiming through the Fund, considered as a whole, during the effectiveness of the Agreement, for all loss, cost, expense and damages the recovery of which is not otherwise excluded by another provision of this Agreement shall not exceed lesser of (i) five (5) times the fees actually paid to BNYM by the Fund for services provided hereunder during the twelve (12) months immediately prior to the last Loss Date or (ii) five million US Dollars ($5,000,000).”
1.11The following sentence shall be added to the end of Section 11(b):
“In addition to the maximum aggregate cumulative liability limit set forth above in this Section 11(b), BNYM's maximum cumulative aggregate liability with respect to any claims arising out of or relating to Section 4 (Confidentiality), Section 5 (Privacy) and Section 8 (Disaster Recovery and Security) of this Agreement during the term of this Agreement shall be limited to ten million US Dollars ($10,000,000).”
1.12The following sentence shall be added to the end of Section 11(i):
“(i)No limitation or exclusion shall apply to either BNYM's or the Fund's liability for any matter for which liability may not be lawfully excluded or limited.”
1.13The following wording shall be added to the end of Section 13(f):
"The Fund may, on written notice, terminate this Agreement and/or any order if BNYM undergoes an insolvency event (including as described in this Section 13(f))."
1.14New Sections 13(h) and (i) shall be inserted immediately following Section 13(g) and shall read as follows:
“(h)Notwithstanding anything to the contrary in this Agreement, the Fund may, on 30 days' written notice or shorter timeframe required by the relevant regulator, terminate this Agreement, without any penalty or termination fee or any other liability, in the event any regulator so requires or orders such termination or if receipt of services hereunder would cause the Fund and/or any of its affiliates to be in violation of applicable laws.
(i)Upon termination, BNYM shall: (i) cease to use and return all equipment and any other materials provided by or on behalf of the Fund or any of its affiliates and, promptly if requested, confirm that it has done so; and (ii) work with the Fund and/or any replacement provider to ensure a smooth transition of service provision, including using commercially reasonable efforts to provide the exit assistance (if any) pursuant to Section 13(b)(2).”
1.15The following wording shall be inserted at the end of Section 17:
“, and provided always that: (a) BNYM shall, via ordinary course relationship management communications, notify the Investment Company and Fund of each such subcontractor that is not a BNYM affiliate and is to provide all or a portion of the Services in advance of engaging the same; and (b) BNYM shall remain responsible for all acts and omissions of each such subcontractor as if they were their own and any material breach by such subcontractor of the terms of this Agreement, which are required to be flowed down to such subcontractor under Section 17(b), shall constitute a material breach pursuant to Section 13(c) of the Agreement by BNYM.”
1.16A new Section 17(b) shall be inserted immediately after Section 17, which shall be renumbered to 17(a), and shall read as follows:
“(b)If subcontracting all or a portion of the Services, BNYM shall: (i) enter into a written contract that imposes on the subcontractor reasonably equivalent obligations, taking into account the nature of the Services provided by such subcontractor, relating to confidentiality, data protection, security (including compliance with information security program/standards), business continuity, audit, intellectual property, insurance; (ii) monitor all work by such subcontractor and periodically undertake reasonable and appropriate due diligence to be able to ensure such subcontractor's compliance with such terms; and (iii) remain fully liable for the acts and omissions of such subcontractor as if performed by BNYM.”
1.17A new Section 19(x) shall be inserted immediately following Section 19(w) and shall read as follows:
“(x)No Publicity. BNYM agrees not, except with the Fund's prior written consent (in its sole discretion), to disclose or use in advertising, publicity or otherwise: (i) the identity of the Fund or any of its affiliates as a customer or the existence or nature of the relationship of the parties under this Agreement; or (ii) any name or logo of the Fund or any of its affiliates.”
1.18A new Section 20 shall be inserted immediately after Section 19 and shall read as follows:
“00.Xxxxxxxxx
(a)Insurance Coverage. BNYM shall, throughout the term of this Agreement, obtain and maintain in full force and effect such policies of insurance as are sufficient for a business of BNYM's type, including at least the policies, in at least the minimum coverage amounts and on the terms, set out in Schedule H. BNYM shall ensure that all insurance required to be carried by BNYM is with sound and reputable insurers that maintain a minimum rating of A-VII by the A.M. Best Company or its equivalent. BNYM shall send a copy of the insurance certificate for each of the above policies to the Fund on request.”
1.19A new Schedule E (Data Protection) shall be incorporated into the Agreement as set out in Exhibit 1 to this Amendment.
1.20A new Schedule F (Security Standards) shall be incorporated into the Agreement as set out in Exhibit 2 to this Amendment.
1.21A new Schedule G (Insurance) shall be incorporated into the Agreement as set out in Exhibit 3 to this Amendment.
1.22Except as expressly revised by this Amendment, the Agreement shall continue in full force and effect in accordance with its terms.
2.GENERAL
2.1Other than each of Fund's affiliates, any party that is not a party to this Amendment shall not be entitled to any benefit from or to enforce any benefit under this Amendment.
2.2This Amendment shall be governed by, and construed in accordance with, the governing law specified in the Agreement and any dispute arising from or in connection with this Amendment shall be subject to the dispute resolution provisions set out in the Agreement.
This Amendment has been entered into by signature of the parties' respective duly authorized representatives below:
Signed for and on behalf of
XXXXX XXXXX GROWTH TRUST
XXXXX XXXXX INVESTMENT TRUST
XXXXX XXXXX MUNICIPALS TRUST
XXXXX XXXXX MUNICIPALS TRUST II
XXXXX XXXXX MUTUAL FUNDS TRUST
XXXXX XXXXX SERIES FUND, INC.
XXXXX XXXXX SERIES TRUST
XXXXX XXXXX SERIES TRUST II
XXXXX XXXXX SPECIAL INVESTMENT TRUST
/s/ Xxxxx Xxxxxxxx
(signature)
Xxxxx Xxxxxxxx - Treasurer
(print name & position)
6/20/2024
(date)

Signed for and on behalf of
BNY Mellon Investment Servicing (US) Inc.
/s/ Xxxxxxx Xxxxxxx
(signature)
Xxxxxxx Xxxxxxx
(print name & position)
June 20, 2024
(date)

Exhibit 1
SCHEDULE E
COMPLIANCE WITH PRIVACY AND DATA PROTECTION LAWS AND REGULATIONS
1.General Privacy and Data Protection
1.1In this Agreement, “DP Laws” means applicable data protection and/or privacy laws; “Personal Information” means, collectively, “personally identifiable information”, “non-public personal information”, “personal data”, “personal information” and any other similar terms defined by DP Laws; and “processing” shall have the meaning ascribed to it under DP Laws, and the terms “process” and “processed” shall be construed accordingly.
1.2In respect of all Personal Information of which Fund and/or any of its affiliates is a data controller (as defined by applicable DP Laws), BNYM represents and warrants that:
(a)it shall process, use, maintain and disclose Personal Information only as necessary for the specific purpose for which that Personal Information was disclosed to it and only in accordance with the express instructions of the Fund and this Agreement, and it shall take steps to ensure that any natural person acting under its authority who has access to Personal Information does not process them except on instruction from the Fund, unless he or she is required to do so by DP Laws. Where required by DP Laws, BNYM shall notify Fund prior to engaging any new sub-processors that process Personal Information and allow Fund ten (10) days to object. If Fund has legitimate objections to the appointment related to data protection concerns, BNYM shall not engage the sub-processor pending resolution of the objections. The parties shall work together in good faith to resolve the grounds for objection. Prior to appointing new sub-processors, BNYM shall enter into written agreements that impose on such sub-processor(s) obligations that are substantially equivalent to the terms of this Agreement, including provisions substantially equivalent to the provisions of this Schedule;
(b)it shall, and shall procure that each of its subcontractors shall, put in place appropriate technical, physical, administrative and organisational measures against unauthorised or unlawful processing of Personal Information and against accidental destruction or loss of, or damage to, Personal Information processed pursuant to this Agreement, taking into account the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include but are not limited to the following:
(i)the pseudonymisation and encryption of Personal Information;
(ii)the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the services;
(iii)the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
(iv)implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In the event any of BNYM's security measures are found to be inadequate by the Fund, BNYM shall take steps to remedy such inadequacy upon BNYM's request; and
(v)the requirements regarding business continuity and data security as set forth in this Agreement;
(c)it shall promptly (within 72 hours) notify the Fund in writing if it becomes aware of: (i) any accidental or unauthorised access, unlawful processing, accidental destruction or loss of, or damage to any Personal Information; or (ii) any disclosure of any Personal Information to it or its Personnel in connection with the Funds where the purpose of such disclosure is not known or (iii) any request for disclosure or inquiry regarding Personal Information from a third party;
(d)if it learns or has reason to believe there has been any unauthorized access to or acquisition of Personal Information and if the law requires that BNYM notify, or BNYM voluntarily intends to notify, the individuals whose Personal Information was accessed or acquired, BNYM shall not, except to the extent prohibited by mandatory DP Laws, notify any such individual until BNYM first consults with the Fund and the Fund has had an opportunity to review the notification BNYM proposes to issue to individuals and given its express written consent to the same;
(e)it shall reasonably cooperate with the Fund and the relevant supervisory authority in the event of litigation or a regulatory inquiry concerning Personal Information and shall abide by the advice of the relevant supervisory authority with regard to the processing of such Personal Information;
(f)it shall comply with all DP Laws, regulations and guidance concerning Personal Information which apply to BNYM and/or BNYM Personnel and it shall enter into further agreements as reasonably requested by the Fund which are required to comply with DP Laws applicable to the Fund or BNYM from time to time;
(g)it shall reasonably assist the Fund in its efforts to comply with its obligations under DP Laws, including in relation to conducting privacy impact assessments, taking into account the nature of the processing and the information available to BNYM, and participating in any consultation with the relevant supervisory authority where requested and it shall take such steps necessary to mitigate any risks identified in connection with the processing of information by BNYM as a result of such consultation as instructed by the Fund to ensure compliance with DP Laws, prior to any processing of any Personal Information;
(h)it shall maintain complete and accurate records of, and adequate supporting documents in relation to, its provision of the services and provide the Fund and/or its authorized representative (including by way of audit) with full access to such records, supporting documents and information necessary to demonstrate compliance with DP Laws and this Schedule;
(i)it shall promptly notify, reasonably co-operate and assist (with appropriate technical and organizational measures) the Fund, fully and in a timely manner, to enable the Fund and/or its affiliates to assess and respond to any requests of individuals wishing to exercise their rights under DP Laws;
(j)it shall not provide access to any Personal Information to any authority, agency, body or department, whether on a voluntary or mandatory basis, in breach of the relevant individuals' rights of privacy and data protection under DP Laws or this Agreement, unless such access is required under DP Laws;
(k)in the event that BNYM and/or any of its subcontractors is requested or ordered to provide access to Personal Information to any authority, agency, body or department, or BNYM and/or any of its subcontractors has any reason to believe that any such request or order has been or may be made to BNYM and/or any of its subcontractors during the Term, BNYM shall, to the extent permitted by law or BNYM's regulator:
(i)promptly (within 72 hours) notify the Fund in writing and, upon request, suspend or cease processing, and ensure that its subcontractors suspend or cease processing, any further Personal Information provided to BNYM and/or any of its subcontractors by or on behalf of the Fund or otherwise accessed or acquired in connection with the provision of services with immediate effect and without penalty or termination fee or other liability;
(ii)review, under DP Laws, the legality of such request or order before responding and providing access to Personal Information to the authority, agency, body or department making such request or order;
(iii)reasonably challenge such request or order if, after review, it concludes that there are grounds under DP Laws to do so, inter alia seeking interim measures to suspend the effects of such request or order; and
(iv)provide the minimum amount of Personal Information permissible and necessary for the purposes when responding to such request or order;
(l)notwithstanding the foregoing, to the extent any Personal Information is disclosed by BNYM to any authority, agency, body or department, whether on a voluntary or mandatory basis, BNYM shall be deemed to be the controller (as defined under DP Laws) of such Personal Information and accordingly shall be responsible for compliance with the obligations imposed on controllers by such laws in respect of BNYM's processing of such Personal Information; and
(m)it has no reason to believe that any applicable laws would prevent it from fulfilling the Fund's instructions in relation to the processing of Personal Information, as specified under this Agreement and any applicable order. BNYM shall promptly inform the Fund if, in its reasonable opinion, an instruction relating to such order infringes DP Laws. In such circumstances, BNYM shall provide the Fund in writing the rationale for determining that an instruction relating to such order infringes DP Laws.
1.3If BNYM, to the extent strictly permitted by this Agreement, retains beyond the termination or expiration of this Agreement any Personal Information of which the Fund and/or any of its affiliates was a data controller, BNYM acknowledges that it shall then be the data controller of such Personal Information from that point onwards.
Exhibit 2
SCHEDULE F
SECURITY STANDARDS - MINIMUM IT AND CYBER SECURITY CONTROLS
Control | Requirements |
1. Encryption Algorithms | BNYM must encrypt the Fund's Confidential Information in transit and at rest, using one or more of the following approved protocols and cryptographic algorithms, provided that BNY Mellon may use protocols and cryptographic algorithms not listed below as long as they offer equivalent or higher levels of protection: •Encryption in transit: TLS 1.2 or above. •Encryption at rest: Symmetric Encryption using AES256. Implementation notes: •If public key is used, it must be RSA-2048 or ECC 256. •If digital signature is used, it must be DSA-2048, RSA-2048, or ECDSA-256. •If hashing algorithm is used, it must be SHA-256 or SHA3-256. BNYM reserves the right to change its encryption standards without notice but agrees not to move below these minimum requirements. |
2. Application Level Encryption | •BNYM must use application level encryption to encrypt the Fund's Confidential Information at rest (rather than, e.g., self-encrypting drives, volume encryption or database encryption). •BNYM agrees to encrypt data classified as Highly Confidential Information, at rest either at the field, file, or device level depending on the technology the data resides on. |
3. Key Management | BNYM must ensure that: •all such encryption keys must be rotated at least once every two years; and •all such encryption keys must be stored in a designated vault or key management service, following industry best practices (e.g. NIST 800-57, FIPS140-2 level 2). |
4. Authentication | BNYM must use only one or more of the following methods for authenticating the Fund's Personnel or other authorized users attempting to access the services: •XXXX / OIDC SSO •Password + source IP validation |
5. Identity and Access Management | BNYM must ensure that the following identity and access management operations in respect of the Fund's Personnel or other authorized users accessing the services can be controlled by the Fund (and not solely by BNYM, except that BNYM may exercise sole control in order to ensure the security and integrity of its systems and services, including in a security event): •User provisioning operations (e.g. create, modify, terminate, delete); •Entitlement management (e.g. create, modify, delete, assign and revoke roles and privileges); •Reporting for identity and access management operations (for the purpose of auditing and periodic reviews). |
6. Privileged Access | BNYM must ensure that privilege access by BNYM engineering or production support Personnel to the Fund's account(s) with BNYM (i.e. ability of a user to modify asset configuration or controls (e.g. access management, logging etc.) beyond normal daily business use) is provided just in time, as needed, instead of persistently available. |
7. Access Privilege Management | BNYM must ensure that access privileges of all BNYM Personnel accessing the Fund's account(s) with BNYM are assigned on a 'need-to-know' basis (i.e. users granted minimum access rights that are strictly required to execute their duties) and, in all cases, are reviewed regularly and promptly modified or withdrawn (whenever appropriate) |
8. Password Updating | BNYM must ensure that: (i) BNYM Personnel accessing the Fund's account(s) with BNYM are regularly required to update their passwords; and (ii) the Fund's Personnel or other authorized users attempting to access the services are regularly required to update their passwords, or else that the Fund's administrative user(s) have the ability to configure the services settings so that such updating is required. |
9. User activity logs | BNYM must ensure that all financial and maintenance activities by BNYM Personnel accessing the Fund's account(s) with BNYM are logged (such that the individual users who performed them are identifiable), that such logs are monitored, are secured to prevent unauthorized modification or deletion and retained for a period commensurate with the criticality of the operations concerned (without prejudice to BNYM's record retention obligations under the Agreement). |
10. Patch Management | BNYM must ensure that the latest available security updates and patches to all software used in the provision and/or support of the services are promptly applied, save to the extent that the patches will adversely impact the service or the infrastructure supporting the service. |
11. Anti-Virus Software | BNYM must: (i) continuously screen the services using a leading, commercially available software security program to detect the presence of any Virus and, upon detection, immediately eradicate or quarantine such Virus; and (ii) defend against any code or protocol that would: (a) permit the gaining of unauthorized access to, or surreptitious monitoring of the use or operation of, the services or any System; or (b) disable or impair the services or any System, in any way, based on the elapsing of a period of time, the exceeding of an authorized number of copies or scope of use or the advancement to a particular date or other numeral. |
12. Firewall | BNYM must ensure that a firewall is maintained in defence of all internet-facing systems used in the provision and/or support of the services. |
Exhibit 3
SCHEDULER
INSURANCE COVERAGE
Type of Insurance | Minimum Coverage Amount |
Workers’ Compensation and/or Employer’s Liability Insurance in such form, including such coverage and in such amounts, as may be required by law, but if not required by law, then at least adequate medical insurance covering BNYM Personnel. | As required by law, but if not required by law, minimum coverage amount to be no less than $1,000,000 (USD)* per disease, accident, employee and/or occurrence. |
Broad Form Commercial General Liability or Public Liability Insurance written on an occurrence basis, with a duty to defend, and including coverage in respect of: death, bodily or personal injury, property damage, advertising injury, products and completed hazards, and contractual liability, directly or indirectly related to the performance (or failure to perform), activities or services and/or Products provided and operations of BNYM, its employees, agents and contractors. | $3,000,000 (USD)* (or, if the Fund deems BNYM to be providing construction works or services, $5,000,000 (USD)*), per occurrence and in the aggregate. This minimum limit requirement may be met by any combination of primary and/or umbrella/excess coverage. |
Comprehensive Crime, Employee Dishonesty or Fidelity Insurance including coverage in respect of: employee theft, forgery, fraud and computer crime. | $3,000,000 (USD)*, per occurrence and in the aggregate. |
Errors and Omissions Insurance or Professional Indemnity Insurance including coverage in respect of: any and all work performed in connection with this Agreement, including technology (both products and services) errors and omissions and liability for third party intellectual property infringement. | $10,000,000 (USD)*, per occurrence and in the aggregate. This coverage may be combined with the Cyber Insurance listed below. |
Cyber Insurance including coverage in respect of: technology errors and omissions (unless covered by the E&O Insurance listed above) and cyber security events, network security failures, system failures and/or data protection or privacy breaches and associated losses, liabilities and costs (including the costs of investigating, managing, responding and remediating, third party liability, business interruption costs, digital asset loss, regulatory investigation costs, regulatory fines and penalties, ransomware and cyber extortion costs). | $10,000,000 (USD)*, per occurrence and in the aggregate. |
*Or, if higher, the amount required by Applicable Laws. Amounts are expressed here in United States Dollars but may be satisfied by an equivalent amount in the local currency in which the relevant policy is denominated, applying the foreign exchange conversion rate (as quoted by a recognised exchange) in force as at the date that cover under such policy is commenced or renewed (as the case may be).