FOURTH AMENDMENT TO PARTICIPATION AGREEMENT
THIS FOURTH AMENDMENT (“Amendment”) is made as of July 12, 2021 (“Amendment Effective Date”) by and between Equitable Financial Life Insurance Company of America (the “Company”) and ProFunds, a Delaware business trust, Access One Trust, a Delaware business trust (together with ProFunds, the “Fund”), and ProFund Advisors LLC (the “Adviser” or “Service Provider”). The Company, Fund and Adviser are collectively referred to as “Parties” and individually as a “Party”.
WHEREAS, MONY Life Insurance Company of America, the Fund and the Adviser entered into an Agreement with an effective date of May 1, 2003 (together with any prior amendments thereto, the “MLOA Agreement”) and MONY Life Insurance Company, the Fund and the Adviser entered into an Agreement with an effective date of May 1, 2003 (together with any prior amendments thereto, the “MONY Agreement”). The MLOA Agreement and the MONY Agreement are hereinafter referred to as the “Agreements”.
WHEREAS, the Parties incorporated additional terms into the MONY Agreement through amendments with effective dates of October 16, 2009, May 1, 2012, and October 1, 2013;
WHEREAS, on or prior to June 15, 2020, Company changed its registered name from MONY Life Insurance Company of America and MONY Life Insurance Company to Equitable Financial Life Insurance Company of America;
WHEREAS, the Parties desire to further amend the Agreements by updating and/or adding certain information security requirements; and
NOW, THEREFORE, in consideration of the Agreements and the mutual covenants contained herein, the Parties hereto agree as follows:
1. The Agreements are hereby amended by adding a new ARTICLE XIII as follows:
ARTICLE XIII Security Requirements. Service Provider represents that it has the following information security policies in place:
13.1. General. The information security (“InfoSec”) policy of the Adviser covers information security and business continuity. These policies and standards are reviewed at least annually to ensure they address new threats, vulnerabilities and risks and are consistent with regulatory requirements. The Adviser has a risk assessment process to identify weaknesses in their InfoSec framework and controls, including the development of remediation plans to address risks identified. The Adviser has periodic internal and/or external audits performed to monitor compliance with, and assess the effectiveness of, the InfoSec policy.
13.2. Organization Information. The Adviser utilizes external vendors as the infrastructure provider for hosted solutions, backup and Disaster Recovery. Contracts with such third parties address the following areas: administrative, technical, and physical controls; incident response (including prompt notification); business continuity planning, disaster recovery and crisis management/emergency communications; and a right to audit.
13.3. Human Resources Security. The Adviser has an InfoSec awareness training program. Non-compliance by employees with the InfoSec policies results in disciplinary action. The InfoSec policies reasonably ensure the proper segregation of duties to prevent fraud, theft, illicit or unethical behaviors. Employee access rights are changed with job reassignments in order to comply with the rule of Least Privilege. The InfoSec policies and procedures reduce the risk of unauthorized access or misuse or abuse by former employees by disabling of access accounts and recovering all company property and company information from such former employees.
13.4. Physical and Environmental Security. The InfoSec policies protect Company data from physical and environmental threats. The Adviser limits and controls physical access to their offices. Sensitive areas within the Adviser’s offices (e.g., information processing and other areas containing sensitive information) are secure and access-controlled. Controls include preventing the unauthorized removal of property (e.g., laptops, confidential information). The Adviser has a process in place to report, replace, and disable ID badges when they are lost or stolen, or when employees are terminated.
13.5. Communications & Operations Management. The systems that host, transmit, store, process or otherwise manage Company data are hosted externally through a third-party vendor. The Adviser has guides/security baselines to reasonably ensure proper and consistent configuration of key infrastructure components (e.g., servers/operating systems, databases, network devices, web server software). The Adviser has standard, up-to-date anti-virus/anti-malware software installed on all company information systems. The Adviser is, if necessary, able to limit the hosting, transmission, storage, processing or managing of Company data to specific data centers or locations. Critical information assets (e.g., system, applications, databases, etc.) have logging and monitoring in place. Significant events identified from log reviews are managed according to documented event handling procedures. Such logs are secured and configured to prevent unauthorized modification. The Adviser performs backup of critical information assets according to a schedule that meets predetermined recovery requirements. Backup media is stored and transmitted securely, with appropriate environmental controls. The Adviser stores at least one generation of backups at multiple off-site locations. Backup tapes/media are encrypted. The Adviser has controls in place to protect the confidentiality and integrity of data transmitted over public networks and via email. The Adviser employs and maintains working firewalls in order to restrict/manage all access to and from the internal network. The Adviser uses authentication methods for remote access users and has controls in place to ensure only authorized computers can connect to the internal network.
13.6. Access Controls. The Adviser has a documented process for the creation, suspension, cancellation, modification and deletion of user accounts. The Adviser regularly reviews user access rights to sensitive information (i.e., entitlement reviews). The Adviser has clear desk and clear screen policies. The Adviser requires portable devices (e.g., laptops, USB drives, zip drives, tapes) to be encrypted or password protected, often with multifactor authentication.
13.7. Information Systems Acquisition, Development, & Maintenance. The Adviser periodically tests internet facing applications for security weaknesses such as unnecessary features or services, and excessive or unnecessary privileges. The Adviser has a process to regularly plan, test, implement and activate patches for technical vulnerabilities in operating systems, applications and technical infrastructure such as firewalls, routers and switches.
13.8. Information Security Incident Management. The incident response program of the Adviser addresses computer and non-computer security events, and notification to affected internal and external parties and applicable regulatory authorities. Documentation of security incidents is maintained in accordance with a document retention policy.
13.9. Business Continuity Management. The business continuity, disaster recovery and crisis management/emergency communications plans of the Adviser address the recovery requirements for Company data. These plans: govern and define the objectives and actions required during an event; define and document processes and procedures to perform such actions; and prioritize activities in accordance with recovery point and recovery time objectives.
13.10. Compliance. The Adviser has a process to ensure ongoing compliance with all applicable legal, regulatory and statutory requirements.
13.11. Reviews. The Adviser shall periodically audit and review its InfoSec policy to ensure its continued effectiveness. Upon reasonable request by the Company, the Adviser shall, on reasonable advance notice during normal business hours, make its representatives available to discuss with representatives of the Company the Adviser’s InfoSec policy.
13.12. Incident Management. The Adviser shall notify the Company at XxxxxxxXxxxxx@xxxxxxxxx.xxx of a security breach involving the names and addresses of the owners of the Contracts as soon as practicable once the Adviser becomes aware of any such breach.
2. The remaining terms and conditions of the Agreements not modified herein shall remain in full force and effect. In the event of a conflict between the terms of the Agreements and this Amendment, the terms of this Amendment shall govern and control for purposes of such conflict. Except as amended by this Amendment, all terms used and not otherwise defined herein shall have the meanings assigned to them in the Agreements.
3. This Amendment may be executed in two or more counterparts (which may be exchanged by facsimile and/or electronic means), each of which shall be deemed an original, but all of which together shall constitute only one instrument. Facsimile, scanned image or electronic signatures are as valid as originals.
IN WITNESS WHEREOF, the Parties hereto, through their duly authorized officers, have executed this Amendment.
EQUITABLE FINANCIAL LIFE INSURANCE COMPANY OF AMERICA
By:
Name: Xxxxxxx Xxxxxxxxx
Title: Senior Vice President

PROFUNDS
By:
Name: Xxxx X. Xxxxxxx
Title: President

ACCESS ONE TRUST
By:
Name: Xxxx X. Xxxxxxx
Title: President

PROFUND ADVISORS LLC
By:
Name: Xxxxxxx X. Xxxxx
Title: Chief Executive Officer