FIRST AMENDMENT
Exhibit (h)(3)
EXECUTION
FIRST AMENDMENT
TO THE FUND ADMINISTRATION AND ACCOUNTING AGREEMENT
This FIRST AMENDMENT (‘‘First Amendment”) is entered into as of the date of the last signature below (the “First Amendment Effective Date”), between DBX ETF Trust, a Delaware statutory trust, (on behalf of each “Fund” listed on Exhibit A to the Agreement), and the Bank of New York Mellon, a bank organized under the laws of the state of New York (the “BNYM”).
WHEREAS, the Fund and BNYM are parties to that certain Custody Agreement, dated January 31, 2011 (the “Agreement”); and
WHEREAS, the Fund and BNYM desire to amend the Agreement, with effect from the First Amendment Effective Date.
NOW, THEREFORE, in consideration of the promises made here in, and the exchange of good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Fund and BNYM agree to amend the Agreement as follows:
1. | Amendments. The Agreement is hereby amended as follows: |
1.1 | The following language is hereby inserted as new Section 22 of the Agreement: |
“22. BNYM shall perform its obligations under this Agreement in compliance with the policies listed in Exhibit C to the Agreement as such policies may, subject to this Section 22, change from time to lime (“BNY Mellon Policies”). BNYM and the Fund will participate in a conference call or meeting held at least on a quarterly basis (or on a more frequent basis if reasonably required by either party) to discuss, among other matters, any changes to the BNY Mellon Policies or substance testing or background standards, and will permit the Fund to conduct, at BNYM’s offices and subject to BNYM’s reasonable security requirements, a review of such changed policies and/or standards. In the event that the Fund reasonably determines that such change in the BNY Mellon Policies (i) represents a significant negative deviation from market standard and the Fund provides reasonable evidence thereof, or (ii) is reasonably likely to cause the Fund to be in violation of law or the requirements of governmental authorities, then the Fund and BNYM will work together in good faith to remediate. If the Fund is not reasonably satisfied that such remediation has occurred ninety (90) days after the applicable remediation meeting, then the Fund shall have the ability to terminate the Agreement without cause by giving BNYM at least thirty (30) days prior written notice. In the event of a change in the substance testing or background standards that re moves or lessens any substance testing or background screening requirements , the parties shall promptly meet and agree on a solution.”
EXECUTION
1.2 | The following language is hereby inserted as new Section 23 of the Agreement: |
“23. The Fund and BNYM shall comply with their respective obligations under Exhibit D to the Agreement.”
1.3 | The following language is hereby inserted as a new Section 24 of the Agreement: |
“24. Subcontracting
(a) | Subject to the remainder of this Section 24, BNYM may subcontract the provision of the services. BNYM shall obtain the written agreement of its subcontractors to protect the confidentiality of any of the Fund’s confidential information in a manner substantially equivalent to that required of BNYM under this Agreement. No subcontractor may be permitted to further subcontract the provision of the services without prior written consent of BNYM. |
(b) | Notwithstanding anything to the contrary in this Agreement, the following activities shall not constitute subcontracting nor shall any third party performing such activities be deemed to be a subcontractor: (i) BNYM’s or its affiliates’ or subsidiaries’ use of third party vendors that provide data, information, and its other underlying technological infrastructure only required to facilitate the support of its provision of the services; or (ii) BNYM’s or its affiliates’ or subsidiaries’ use of individual independent contractors (for staff augmentation purposes) to perform functions under the supervision of employees of BNYM or its affiliates or subsidiaries so long as BNYM remains fully responsible for the work performed by such individuals as if performed by BNYM. |
(c) | BNYM shall remain responsible for all activities of subcontractors, including for all acts and omissions of such subcontractors, to the same extent as if such activities were performed by BNYM, and for purposes of this Agreement such activities shall be deemed work performed by BNYM. BNYM shall be the Fund’s sole point of contact regarding the subcontractors. For avoidance of doubt, where the Fund has a relationship with the party acting as a subcontractor under this Agreement independent of the services, BNYM is not responsible for such party’s acts or omissions under such independent relationship. |
2 |
EXECUTION
(d) | Where BNYM or any of its subcontractors wishes to subcontract (or further subcontract, as the case may be) the provision of the services under this Agreement, BNYM shall provide the Fund with at least ninety (90) days prior written notice of that proposal together with the following details: (i) the name and address of the proposed subcontractor; (ii) the subject matter of the proposed subcontract ; (iii) with respect to any subcontractor that is not an affiliate or subsidiary of BNYM, the results of BNYM’s due diligence on such proposed subcontractor and whether such subcontractor personnel will be screened in the same manner as BNYM’s personnel; and (iv) any additional information reasonably required by the Fund. |
(e) | If the Fund objects to BNYM’s or its subcontractors’ use of a subcontractor (that is not a BNYM affiliate or subsidiary), the Fund shall provide written notice thereof to BNYM, together with sufficient details as to the reasons for such objection. Upon receipt of such notice, BNYM shall work with the Fund in good faith to resolve the issue. In the event that the parties are unable to resolve the issue and the Fund reasonably believes that BNYM’s (or its subcontractors’) use of such subcontractor poses an unreasonable risk to BNYM’s performance of the services, then the Fund may terminate the Agreement without cause by giving BNYM at least thirty (30) days prior written notice. |
(f) | With respect to any subcontractor that is not a BNYM affiliate or subsidiary, prior to using such a subcontractor: (i) BNYM and the Fund shall agree in good faith as to which of the terms and conditions of this Agreement or other terms BNYM must impose on such subcontractor (based on the facts and circumstances of the services that such subcontractor will be performing); and (ii) following such discussion BNYM shall impose such agreed-upon relevant terms on such subcontractor. BNYM will take appropriate measures to monitor its subcontractors’ duties and, in its sole discretion reasonably exercised, enforce such duties against its subcontractors. |
(g) | Notwithstanding the other provisions herein, the Fund shall have the right to notify BNYM where, because of documented bona fide performance issues in respect of a subcontractor, the Fund reasonably believes that the continued use of such subcontractor poses an unreasonable risk to BNYM’s performance of the services. Upon receipt of such notice, BNYM shall work with the Fund in good faith to resolve the issue. |
3 |
EXECUTION
1.4 | Exhibits A, B and C to this Amendment shall be added as “Exhibit C,” “Exhibit D,” and “Attachment D-1 to Exhibit D” to the Agreement, respectively. |
2. | Each party hereto represents and warrants to the other party as follows: (i) it has full power and authority to execute and deliver this First Amendment and to perform and observe the provisions hereof; (ii) the execution, delivery and performance of this First Amendment have been duly authorized by all necessary corporate action and do not and will not contravene any requirement of law or any restriction or agreement binding on or affecting such party or its assets; and (iii) this First Amendment has been duly executed and delivered by such party and constitutes the legal, valid and binding obligation of such party enforceable in accordance with its terms. |
3. | As of and following the First Amendment Effective Date, all references to the Agreement shall mean the Agreement as hereby amended. Except as expressly set forth in this First Amendment, the Agreement shall remain unchanged and in full force and effect. Terms not defined herein shall have the meanings set forth in the Agreement. In the event of a conflict between the terms of this First Amendment and the terms of the Agreement, the terms of this First Amendment shall control. This First Amendment may be executed in any number of counterparts, each of which, when delivered, shall be an original and enforceable against any party whose signature appears on such counterpart, and all of which together shall constitute one and the same instrument, and signatures may be exchanged via facsimile or electronic mail. This First Amendment constitutes the entire understanding and agreement of the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements or understandings. |
4. | This First Amendment shall be construed in accordance with and governed by the substantive laws of the state of New York without regard to conflicts of laws provisions. The parties hereby expressly waive, to the full extent permitted by applicable law, any right to trial by jury with respect to any judicial proceeding arising from or related to this First Amendment. |
* * *
4 |
EXECUTION
IN WITNESS WHEREOF, the parties here to have executed this First Amendment as of the First Amendment Effective Date.
DBX ETF Trust | THE BANK OF NEW YORK MELLON |
By: /s/ Xxxxx Xxxxxxx | By: /s/ Xxxxxx Xxxxxxxx |
Name: Xxxxx Xxxxxxx | Name: Xxxxxx Xxxxxxxx |
Title: Managing Director | Title: Managing Director |
Date: 08/30/16 | Date: 8/30/2016 |
DBX ETF Trust | |
By: /s/ Xxxx Xxxxxxxx | |
Name: Xxxx Xxxxxxxx | |
Title: Director | |
Date: 8/30/16 |
M \Bcllcvuc\Group\GIS DEL_ LGL_FFLEGALIAGREEMENTS\DBX ITF Trust\Amcndmcnts\DBX Fund Admm and Accounung Agmt . Amendment FIN AL docx
5
EXHIBIT A TO FIRST AMENDMENT
Exhibit
C to
Fund Administration and Accounting Xxxxxxxxx
XXX XXXXXX XXXXXXXX
X-X-000: Code of Conduct (June 20I3)
I-A-035: Business Conflicts of Interest (Oct I, 2014)
I-A-045: Personal Securities Trading Policy (March 2014) I-A-046: Securities Firewall Policy (Sept 29, 2014)
I-A-065: Gifts, Entertainment and Other Expenses to Commercial Clients, Suppliers or Vendor (March 2014)
I-A-075: Gifts, Entertainment and Payments to Governments (August 28, 2014)
1-A-085: Outside Affiliations, Outside Employment, and Certain Outside Compensation (Sept 29, 2014)
I-A-095: Political Contributions (Jan 2014)
I-A-125: Information Privacy Policy (Aug 19, 2014) I-A-145: Anti-Corruption Policy (Oct 17, 2014)
I-A- 150: Economic Sanctions Policy (August 2013)
I-A-170: Federal Reserve Board Regulation W-23A and 23B (August 26, 2014)
I-A-185: Customer Complaints Corporate Policy (April 15, 2014) I-A-200: Compliance Training Policy (April 17, 2014)
I-A-250: Global AML and Know Your Customer Policy Global AML/KYC Manual (Oct I,
2014)
I-A-260: Policy on Identifying, Investigating and Reporting Suspicious Activity of US Based Employees (August 15, 2014)
I-A-270: AML Training Policy (April 23, 2014)
II-A-20: Suspicious Activity Reporting for Non-US Based Employees (May 13, 2014) I-D-200: Global Records Management Policy (Sept 30 2014)
I-L-010: Business Continuity Policy (Jan 2014)
I-N-310: Information Protection Policy (Dec 31, 2013)
I-N-320: Information Classification Policy (Feb 28, 2014)
I-N-320.001: Information Classification Standards (Feb 28, 2014)
EXHIBIT B TO FIRST AMENDMENT
Exhibit
D to
Fund Administration and Accounting Agreement
PHYSICAL AND LOGICAL SECURITY
l. TECHNOLOGY SECURITY MEASURES
1.1. | BNYM will establish and maintain safeguards against the improper access to, destruction, loss or alteration of its and any Fund Data. For clarity, improper access does not include access in accordance with the Agreement by only those members of the BNYM personnel and BNYM authorized third parties/agents who need access to perform the services. |
1.2. | Services provided by BNYM are governed by the BNYM Policies. BNYM acknowledges receipt of the Fund’s Information Security Requirements for Vendors of Deutsche Bank, Version 1.1 (the “ISRV”), and subject to the exceptions listed in Attachment D-1 attached hereto, represents, warrants and covenants to the Fund that its information security program (including the BNYM Policies), requires a level of security and controls that are not materially different from those required in the ISRV. The information security program will contain administrative technical and physical safeguards, appropriate to the type of information concerned, designed to: (i) protect the security and confidentiality of such information; (ii) protect against any anticipated threats or hazards to the security or integrity of such information; (iii) protect against unauthorized access to or use of such information that could result in harm or inconvenience to the Fund or the Account Parties, and (iv) appropriately dispose of such information. On a quarterly basis, at the Fund’ s request , BNYM shall notify the Fund whether any material changes to BNYM’ s information security program (including the applicable BNYM Policies) applicable to the services have occurred since the Fund’s prior request that would effectively lower the level of protection of any Fund Data. Such notice shall also identify any exceptions to the ISRV in addition to those listed in Attachment D-1 attached hereto. Within a reasonable period of time following the Fund’s receipt of such notice , the parties shall meet to discuss the contents of such notice and take reasonable and appropriate action to address the Fund’ s concerns on a mutually agreeable basis. |
1.3. | BNYM will implement and apply adequate technology security measures (“Security Measures”) in providing the services. Such Security Measures will at the minimum address: |
1.3.1. | BNYM will ensure that all BNYM IT systems are protected by firewalls at the network perimeter and have up-to-date anti-malware software installed; if no adequate anti-malware software is available for a system, BNYM must agree to IT security requirements for usage in accordance with BNYM’s current |
processes for granting exceptions to BNYM policy. BNYM will ensure that all servers containing Fund Data are updated to the approved patch level as offered by the vendor of the hardware, operating system, middleware (such as databases, run-time environments) and application software in accordance with BNYM patch management and policy exception management processes. Before an update is deployed to a production server, it needs to be tested and approved by the owner of the system.
1.3.2. | BNYM will have a dedicated 24 x 7 IT team to respond when reasonably needed to deal with breaches (or suspected breaches) of security. BNYM will ensure that this team cooperates with the Fund’s IT security team, especially in the case of an emergency. |
1.3.3. | If BNYM or any BNYM personnel becomes aware of an Information Security Incident, then BNYM will without undue delay notify the Fund. For purposes of this provision, an “Information Security Incident” means any incident that results in a loss, unauthorized change or unauthorized disclosure of Fund Data. |
1.3.4. | BNYM will separate all Fund Data from other data as agreed by the parties, including physical separation or, where appropriate, logical separation, by assigning access rights in accordance with the specific responsibilities of individuals. Exceptions will be considered via BNYM’s risk acceptance processes. |
1.3.5. | BNYM must run a daily backup, which allows a restore of all Fund Data according to the backup procedures contained in the BNY Policies, or as otherwise requested and agreed. BNYM must store backups according to the relevant BNYM policies and procedures. |
1.3.6. | BNYM will affect daily local backup of all Fund Data. Storage media will be securely stored in a separate building and will be identifiable to ensure that the Fund’s contents can be identified without an actual reading of the storage media. BNYM will handle all storage media in compliance with BNYM policy and procedures. |
1.3.7. | BNYM will ensure adequate service continuity, including disaster recovery planning and regular testing. |
1.3.8. | IT operations procedures (e.g., ITIL) must incorporate IT security management processes. |
1.4. | BNYM will ensure that the Security Measures will comply with: |
1.4.1. | the BNYM Policies; and |
1.4.2. | any other specific security requirements that BNYM is notified of by the Fund and upon which the parties mutually agree. |
1.5. | BNYM will ensure that the BNYM personnel associated with the provision of the services: (i) are familiar with the Security Measures and BNYM Policies and (ii) comply with the Security Measures and BNYM Policies. BNYM will ensure that any third parties working on their behalf with access to systems associated with the provision of the services are familiar with and comply with the Security Measures and the BNYM Policies. |
2. | SYSTEM ACCESS CONTROL |
2.1. | BNYM is responsible for all access to BNYM systems containing Fund Data, pertaining to information and data by BNYM personnel and any third parties that are working on their behalf. BNYM will manage and administer access to BNYM-operated systems, networks, software and Fund Data, and BNYM will implement access authorizations in compliance with the BNYM Policies and BNYM entitlement access provisioning and removal processes. |
2.2. | “System Access” means direct access to BNYM systems containing Fund Data. |
2.3. | BNYM shall maintain records (including descriptions of roles and responsibilities) concerning all BNYM personnel who have been given System Access (including historical records of all BNYM personnel who have been given System Access in the past but who no longer have System Access) (the “Access Data”) to any Fund Data. If an Information Security Incident occurs, BNYM will provide the Fund, upon request and mutual agreement with the Fund, with such Access Data as well as audit trails for any System Access by BNYM personnel, and shall store and handle all Access Data as securely as reasonably possible (the degree of security required for storage will reflect the sensitivity and confidential nature of the information recorded). Such records shall be maintained in accordance with BNYM Policies. |
3. | COORDINATED SECURITY |
3.1. | The BNYM Client Service Officer will coordinate and manage technology security issues with respect to the services. |
3.2. | The parties shall discuss security as a recurring topic during regular meetings between the parties. |
3.3. | BNYM will perform regular security testing of Internet facing applications relevant to the services provided and in compliance with the BNYM Policies. BNYM will engage in discussions with the Fund as part of the governance meetings and provide a written summary which the Fund shall treat such summaries as confidential information per the terms of the Agreement. A written summary shall comprise of the following: |
• | Who performed the test (name of the vendor or BNYM) |
• | A description of which object was tested |
• | A description of the scope of the test (e.g., infrastructure , authentication, authorization, session handling, use of cryptography, information leakage, input validation and output encoding, application logic, error handling and logging and/or availability) |
• | When the test was conducted |
• | Summary number of findings per BNYM ratings (critical, high, medium, low) detected by the penetration test (or, in case of a re-test whether or not the previously raised finding could be closed) and summary status (number closed, open} |
4. | IDENTIFIED SECURITY RISK |
4.1. | BNYM shall monitor and investigate (which may include intrusion detection, IT operations and security monitoring systems) risks which could adversely affect the integrity, confidentiality or availability of the systems or networks used in connection with the provision of the services (a “Security Risk”). This also includes cases of lost or stolen IT equipment (including servers, desktop/note book PC clients or portable storage media, including hard drives, memory cards and CDs/DVDS/BlueRay Disks) which contains, or might contain, any Fund Data. |
4.2. | If BNYM identifies a Security Risk it will, to the reasonable extent possible, immediately take appropriate steps to prevent or mitigate damage to the services, the systems or networks associated with the provision of the services, and it will communicate the existence of significant Security Risk to the Fund’s agreed point of contact within a suitable timeframe which will endeavor to be within twenty-four (24) hours of the confirmation of a significant risk. |
4.3. | If the Fund becomes aware of a Security Risk then the Fund may take any action necessary to mitigate the Security Risk including informing the BNYM Client Service Officer of the Security Risk and obtain assistance to mitigate the Security Risk. |
4.4. | If, after investigation of a Security Risk, the Fund reasonably determines that the Security Measures need to be amended, BNYM will mutually agree on any actions reasonably required by the Fund directed at mitigating the Security Risk to an acceptable level. If they cannot agree on a plan, the matter shall be escalated to senior management for further discussion and review. |
5. PHYSICAL SECURITY ADMINISTRATION
5.1. | Where BNYM uses or visits locations and facilities at the Fund’s premises, BNYM will comply, and will procure BNYM personnel’s compliance, with the requirements of this Schedule III in relation to physical security and the relevant policies in place in relation to such premises. |
5.2. | Where BNYM uses other locations and facilities to support the provision of services to the Fund, BNYM’ s responsibilities include: |
5.2.1. | providing security processes, facilities, equipment and software that will meet or exceed the requirements or standards set out in the BNYM Policies ; and |
5.2.2. | upon request, providing any relevant assurance to the Fund, its representative(s) and/or regulatory agencies, in the form and substance requested, that all facilities operate to the standard expected in accordance with the BNYM Policies. |
6. | SECURITY ADMINISTRATION |
6.1. | BNYM will, in connection with the BNYM systems used to provide the services : |
6.1.1. | review all documented information security procedures with the Fund pertaining to BNYM-operated systems; |
6.1.2. | develop, maintain, update and implement security procedures in accordance with BNYM’s change management processes; |
6.1.3. | monitor users of BNYM‘ s systems and services for authorized access, and monitor, review and respond in a timely and appropriate manner to access violations according to BNYM processes; |
6.1.4. | conduct periodic reviews, as appropriate, to validate individual employee access to programs and libraries following BNYM processes; |
6.1.5. | capture data regarding routine access and exceptions for audit trail purposes in accordance with the BNYM Policies, at a minimum; |
6.1.6. | perform security audits, provide incident investigation support and initiate corrective actions to minimize and prevent security breaches; |
6.1.7. | maintain reasonable summary reports on relevant violation and access attempts, and retain documentation of the investigation; |
6.1.8. | install, update and maintain software that will provide security monitoring , alarming and access tracking functionality for BNYM-operated systems and software following BNYM change control and management procedures ; |
6.1.9. | provide security access control tools for data, software and networks in compliance with the BNYM Policies, at a minimum, and maintain such security and access control devices in proper working order; |
6.1.10. | establish and administer procedures to monitor and control remote data communication access to Fund Data; |
6.1. 11. | establish and administer procedures and mechanisms to monitor and control secure Internet/Intranet access to Fund Data, including firewall servers and |
Internet/Intranet development controls designed to produce secure architectures;
6.1.12. | develop, implement and maintain a set of automated and manual processes designed to enforce BNYM data access and security policies and the BNYM Policies; |
6.1.13. | establish procedures, forms and approval levels for assigning, resetting and disabling IDs and passwords used for data or system access by authorized BNYM personnel, and execute all related administration for user identification (IDs) and passwords in compliance with the BNYM Policies. BNYM is responsible for all related administration for user IDs and passwords; |
6.1.14. | via periodic IT processes, identify accounts that should be removed and instances where capacity management needs to be performed; |
6.1.15. | ensure system password changes occur in accordance with the BNYM Policies; |
6.1.16. | perform backup and recovery procedures in response to security violations that result in lost/damaged information; |
6.1.17. respond to all security audit requests from any relevant regulators;
6.1.18. | cooperate and assist the Fund and/or representatives of the Fund with reasonable and relevant tests subject to mutual agreement; |
6.1.19. | BNYM will use encryption mechanisms in accordance with the BNYM Policies; |
6.1.20. | BNYM will ensure that wireless access to their network infrastructure is only available for authorized devices and that procedures exist to identify any unauthorized network access points; and |
6.1.21 | in case BNYM will use any non-anonymized Fund Data for testing, the test environment will be treated with the same security features as the production environment. This applies especially, but is not limited to, technical and organizational access control, access logging and monitoring, and data encryption. |
EXHIBIT C TO FIRST AMENDMENT
Attachment D-1
ISRV Exception List
ISRV Reference |
BNYM Exception |
VG-0601-01 | BNYM policy and standard controls are based upon industry best practice. Personal computing devices can be utilized (for example; Laptops, iPads, mobile devices, BYOD solutions) providing authorized and with a business justification. Security is provided in accordance with BNYM Policy and Standards including, but not limited to, secure container solutions (e.g. GOOD); Citrix remote access; Internet based secure solutions (e.g. NETx360, WB, Connect). |
VE-0701-01 |
BNYM confirms locations of relevant system locations and provides control verification within, relevant SOCI and CMITs SSAEl6 documents. Accordingly BNYM consider themselves compliant to the spirit of this control. However, BNYM has slated ‘Partial’ compliance to draw attention to the Fund that the locations of BNYM application infrastructure is defined by BNYM and not by agreement with BNYM clients. |
VG-I001-01 | BNYM has logical access control separation in place and segregation is inherent to our system design. BNYM has implemented an access methodology which is based on “need to know” and least privilege which is approved by management. BNYM clients using the same application are logically separated. BNYM program is enterprise wide and not client specific and therefore, not open to individual client agreement. |
VG-1008-03
|
‘Partial’ compliance has been stated as in formation will not be transferred by fax unless otherwise contemplated in any contractual arrangements between BNYM and the Fund. |
VE-1105-02 | BNYM does display last log in date and time, however BNYM does not display ‘Contact your administrator if incorrect’. As a mitigating control BNYM has regular security and risk management education training and awareness which minds all employees to act upon their, suspicions and report anomalies. This is further supported within formal business Incident Reporting procedures. |
ISRV Reference |
BNYM Exception |
VG-1105-09
|
BNYM policies are based on industry best practices. Password complexity has been implemented per policy. Our current password policy for application used by DB (AccessEdge) includes the following criteria: 1. Password may not contain significant portion of UID or UID in reverse 2. Password may not contain significant portion of First Name: or First name in reverse 3. Password may not contain significant portion of Last Name· or Last name in reverse 4. Password may not contain significant portion of Common Name or Common name in reverse 5. Password may not contain a sequence of 3 identical character 6. Password must be at least 8 characters in length 7. Password must not be reused 8. Password must contain at least 1 alpha character 9. Password must contain at least 1 numeric character
Partial compliance is stated as BNYM does not require ‘Special Characters’ by policy mandate. |
VE-1204-02 |
BNYM has policy and standard controls stated in regard to production data in non-production environments. As per production, BNYM implements logical access controls in test systems based on need to know and least privilege. Please note that Pershing UK and US do comply with this control as they obfuscate data in non-production environments. In regard to providing copies of data to third parties, BNYM will comply with the relevant non-disclosure and other related contractual requirements agreed by BNYM and the Fund. BNYM program is enterprise wide and not client specific and therefore, not open to individual client agreement. |
VE-1206-01
|
BNYM has policy and standard controls stated in regard to vulnerability scanning. The CMITS SSAEl6 provides annua1 control testing and BNYM ISO27001:2013 ISMS certification covers vulnerability and patch management. Partial compliance is stated as BNYM program is enterprise wide and not client specific and therefore we do not permit clients to request on-demand vulnerability scans |
VE-1502-01
|
BNYM has policy and standard controls stated in regard to penetration testing of internet facing applications and infrastructure. The CMITS SSAE16 provides annual control testing. Partial compliance is stated as BNYM program is enterprise w, ide and not client specific and therefore not open to individual client agreement. Details of BNYM Ethical Hack testing results including potential remediation dates are not shared outside of BNYM. |