AMENDMENT TO AGENCY AGREEMENT BETWEEN ADVISORS’ INNER CIRCLE FUND III AND DST SYSTEMS, INC.
AMENDMENT
TO
BETWEEN
ADVISORS’ INNER CIRCLE FUND III
AND
DST SYSTEMS, INC.
THIS AMENDMENT (this “Amendment”) to the AGENCY AGREEMENT to be effective as of June 19, 2018 (the “Effective Date”) by and between ADVISORS’ INNER CIRCLE FUND III, a business trust existing under the laws of the Commonwealth of Massachusetts, having its principal place of business at one Freedom Valley Drive, Oaks, Pennsylvania 19456 (the “Trust”) and DST SYSTEMS, INC., a corporation existing under the laws of the State of Delaware, having its principal place of business at 000 Xxxx 00xx Xxxxxx, 0xx Xxxxx, Xxxxxx Xxxx, XX 00000 (“DST”).
WHEREAS, the Trust and DST entered into that certain Agency Agreement on the 12th day of March, 2014 (as previously amended, the “Agreement”); and
WHEREAS, the Parties now desire to amend the terms of the Agreement and each Schedule, Exhibit, or other attachment to the Agreement as outlined below.
NOW, THEREFORE, Trust and DST agree to amend the Agreement upon execution of this Amendment as follows:
| 1. | Section 9 - Certain Covenants of DST and the Trust. |
| 1.1 | Section 9. Section 9 as currently appearing in the Agreement is hereby amended to add a new sub-section I, provided as follows: |
“DST shall comply with Exhibit E (Information Security Program), which is made a part of this Agreement and applies to the Services. With respect to any claims for losses, damages, costs or expenses which may arise directly or indirectly from the Information Security Program as outlined in Exhibit E which DST has implemented or omitted, DST shall be presumed to have fulfilled its obligations if it has followed, in all material respects, at least its obligations as described in the Information Security Program attachment hereto as Exhibit E.”
| 2. | Exhibit E - Information Security Program. |
| 2.1 | Exhibit E. The Agreement is hereby amended and Exhibit E - Information Security Program is hereby added to the Agreement, attached hereto. |
| 3. | Effect on Agreement. As of the Effective Date, this Amendment shall be effective to amend the Agreement and to the extent of any conflict between the Agreement and any prior Amendments, this Amendment supersedes and replaces the Agreement. |
| 4. | Execution in Counterparts/Facsimile Transmission. This Amendment may be executed in separate counterparts, each of which will be deemed to be an original and all of which, collectively, will be deemed to constitute one and the same Amendment. This Amendment may also be signed by exchanging facsimile copies of this Amendment, duly executed, in which event the Parties hereto will promptly thereafter exchange original counterpart signed copies hereof. |
| 5. | Terminology. The words “include”, “includes” and “including” will be deemed to be followed by the phrase “without limitation”. The words “herein”, “hereof’, “hereunder” and similar terms will refer to this Amendment unless the context requires otherwise. |
| 6. | Agreement in Full Force and Effect. Except as specifically modified by this Amendment, the terms and conditions of the Agreement shall remain in full force and effect, and the Agreement, as amended by this Amendment, and all of its terms, including, but not limited to any warranties and representations set forth therein, if any, are hereby ratified and confirmed by Trust and DST as of the Effective Date. |
| 7. | Capitalized Terms. All capitalized terms used but not defined in this Amendment will be deemed to be defined as set forth in the Agreement. |
| 8. | Authorization. Each Party hereby represents and warrants to the other that the person or entity signing this Amendment on behalf of such Party is duly authorized to execute and deliver this Amendment and to legally bind the Party on whose behalf this Amendment is signed to all of the te1ms, covenants and conditions contained in this Amendment. |
IN WITNESS WHEREOF, the Parties hereto have caused this Amendment to be executed by their duly authorized representatives as of the date first written herein above.
| ADVISORS’ INNER CIRCLE FUND III | DST SYSTEMS, INC. | ||||
| By: | /s/ Xxxxx Xxxxxxxxx | By: | /s/ Xxxxxxxxxxx X. Xxxx | ||
| Name: | Xxxxx Xxxxxxxxx | Name: | Xxxxxxxxxxx X. Xxxx | ||
| Title: | Vice President & Assistant Secretary | Title: | Managing Director | ||
| Date: | Date: | ||||
EXHIBIT E
INFORMATION SECURITY PROGRAM
This Exhibit is made subject to the terms of the Agreement, and to the extent the terms hereunder conflict with the terms of the Agreement, the terms of this Exhibit shall prevail. The requirements of this Exhibit are applicable if and to the extent that DST creates, has access to, or receives from or on behalf of T1ust any Trust Confidential Information (as defined in the Agreement) in electronic format.
1. Definitions. Capitalized terms have the same meaning as set forth in the Agreement unless specifically defined below:
| 1.1 | “DST Security Assessment” has the meaning set forth in Section 3.2. |
| 1.2 | “Mitigate” means DST’s deployment of security controls as necessary, in its discretion, which are reasonably designed to reduce the adverse effects of threats and reduce risk exposure. |
| 1.3 | “Remediation” or “Remediate” means that DST has resolved a Security Exposure or Security Incident, such that the vulnerability no longer poses a risk to Trust Confidential Information. |
| 1.4 | “Security Exposure” means an identified vulnerability that may be utilized to compromise Trust Confidential Information. |
| 1.5 | “Security Incident” means any confirmed breach, misuse, misappropriation of, or unauthorized disclosure of or access to Trust Confidential Information. |
2. General Requirements.
2.1 Security Program. DST shall maintain a comprehensive information security program under which DST documents, implements and maintains the physical, administrative, and technical safeguards reasonably designed and implemented to: (a) comply with U.S. laws applicable to DST’s business and (b) protect the confidentiality, integrity, availability, and security of Trust Confidential Information.
2.2 Policies and Procedures. DST shall maintain written information security management policies and procedures reasonably designed and implemented to identify, prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, availability, or security of Trust Confidential Information. Such policies and procedures will, at a minimum:
(i) assign specific data security responsibilities and accountabilities to specific individual(s);
(ii) describe acceptable use of DST’s assets, including computing systems, networks, and messaging;
(iii) provide authentication rules for the format, content and usage of passwords for end users, administrators, and systems;
(iv) describe logging and monitoring of DST’s production environment, including logging and monitoring of physical and logical access to DST’s networks and systems that process or store Trust Confidential Information;
(v) include an incident response process;
(vi) enforce commercially reasonable practices for user authentication;
(vii) include a formal risk management program which includes periodic risk assessments; and
(viii) provide an adequate framework of controls reasonably designed to safeguard Trust Confidential Information.
2.3 Subcontractors. To the extent that any subcontractor engaged by DST to provide services under the Agreement has access to, or receives from or on behalf of Trust any Trust Confidential Information in electronic format, DST shall enter into a written agreement with such subcontractor, which agreement shall contain provisions regarding maintaining the confidentiality of the Trust Confidential Information which are substantially compliant with, and at least as protective as, those terms set forth in the Agreement (including this Exhibit), to the extent the terms of the Agreement and this Exhibit would be relevant to the subcontractor’s services provided.
2.4 IT Change and Configuration Management. DST shall employ its own reasonable processes, for change management, code inspection, repeatable builds, separation of development and production environments, and testing plans. Code inspections will include a comprehensive process reasonably designed and implemented to identify vulnerabilities and malicious code. In addition, DST shall ensure that processes are documented and implemented for purposes of vulnerability management, patching, and verification of system security controls prior to their connection to production networks.
2.5 Physical and Environmental Security. DST shall: (i) restrict entry to DST’s area(s) where Trust Confidential Information is stored, accessed, or processed solely to DST’s personnel or DST authorized third party service providers for such access; and (ii) implement commercially reasonable practices for infrastructure systems, including fire extinguishing, cooling, and power, emergency systems and employee safety.
2.6 DST Employee Training. and Access. DST shall: (i) train its employees on the acceptable use and handling of Trust’s Confidential Information; (ii) provide annual security education for its employees and maintain a record of employees that have completed such education; and (iii) implement a formal user registration and de-registration procedure for granting and revoking access to DST’s information systems and services; and upon termination of any of DST’s employees, DST shall revoke such employee’s access to DST’s domain following termination of such individual and revoke such individual’s access to Trust Confidential Information as soon as possible and in accordance with DST’s internal policies and procedures.
2.7 Change Notifications. DST may, in its sole discretion, revise DST information security policies and procedures based on internal company security and compliance related risk assessment decisions, provided such revisions do not materially degrade the controls associated with DST’s information security services provided to Trust as of the date of execution of this Exhibit.
2.8 Data Retention. DST shall not retain any Trust Confidential Information following completion of the applicable services provided under the Agreement, except to the extent: (a) required by U.S. law; (b) expressly required or permitted by Trust in writing: (c) required by DST’s document retention policies; (d) to the extent necessary to comply with Trust’s or DST’s legal or regulatory obligations; or (e) as otherwise permitted in accordance with the Agreement.
3. Due Diligence Supporting Materials; Security Assessment.
3.1 Due Diligence Supporting Materials. In response to Trust’s due diligence efforts, DST will provide copies of its: (i) SIG; (ii) if applicable, once annually, the SOC 1, Type II report, prepared in accordance with Statement on Standards for Attestation Engagements (SSAB) No. 16, Reporting on Controls at a Service Organization; (iii) information security policy and control standards summary; and (iv) network penetration vendor attestation letter. DST will be reasonably available to answer any additional questions of Trust, up to forty (40) hours per year, that are not already addressed by providing the documentation set forth within this Section 3.1 and would not require DST, in its sole good faith discretion, to disclose information that it deems highly sensitive.
3.2 DST Security Assessment. As part of DST’s Security Assessment, DST will: (i) conduct regular vulnerability scans on externally-facing applications that may receive, access, process or store Trust Confidential Information at DST’s expense; (ii) evaluate the results of the vulnerability scans and Remediate Security Exposures deemed material by DST’s personnel as reasonably approp1iate, taking into account facts and circumstances surrounding such issues; and (iii) Mitigate Security Exposures discovered and deemed material by DST’s personnel within a reasonably appropriate time period. In addition, DST will at least once per year, perform penetration testing on its externally-facing systems that may receive, access, process or store Trust Confidential Information, and will provide Trust with a letter confirming the testing has been performed. Trust is not permitted to conduct penetration testing or other code scanning on DST’s environment and software.
4. Security Incident Response.
4.1 Mitigation and Remediation of Security Incidents. DST will Mitigate or Remediate any Security Incident in accordance with its internal security policies and procedures.
4.2 Security Incident Response. DST shall maintain formal processes reasonably .designed and implemented to detect, identify, investigate, report, respond to, Mitigate, and Remediate Security Incidents in a timely manner.
4.3 Security Incident Notification. DST shall promptly notify Trust but in no event later than 72 hours following discovery of any Security Incident(s). Such notification shall include the extent and nature of such intrusion, disclosure, or unauthorized access, the identity of the compromised Trust Confidential Information (to the extent it can be ascertained), how DST was affected by the Security Incident, and its response to such Security Incident. DST shall use continuous and diligent efforts to remedy the cause and the effects of such Security Incident in an expeditious manner and deliver to Trust a root cause analysis and future incident Mitigation plan with regard to any such incident. DST shall reasonably cooperate with Trust’s investigation and response to each Security Incident. If Trust reasonably determines in its sole discretion that it may need or be required to notify any individual(s) as a result of a Security Incident, Trust shall have the right to control all such notifications and DST shall bear all direct costs associated with the notification, including printing, mailing, service-center responses, and one-year of credit monitoring per affected individual, to the extent the notification and corresponding actions are required by U.S. law, and subject to the limitation of liability set forth in the Agreement. Without limiting the foregoing, unless otherwise required by U.S. law, no such notifications shall be made by DST without Trust’s prior written consent and Trust shall, together with DST, determine the content and delivery of all such notifications. For the avoidance of doubt, DST shall be solely responsible for all costs and expenses, subject to the limitations of liability under the Agreement that Trust and/or DST may incur to the extent that they are attributable to or arise from DST’s breach of its confidentiality obligations under the Agreement.
4.4 Cooperation With Regulators. DST shall promptly cooperate with the Trust and any of the Trust affiliates’ regulators at DST’s expense (only if DST is determined to be responsible for a Security Incident) to prevent, investigate, cease, Remediate, or Mitigate any Security Incident, including, but not limited to, investigating, bringing claims or actions, and giving information and testimony.
5. Miscellaneous. This Exhibit cannot be modified except by written instrument executed by both parties. This Exhibit may be executed in two or more counterparts, each of which shall be deemed an original but all of which together shall constitute one and the same instrument.
