Amendment no 3 to Amended and restated master custodian agreement
Exhibit (g)(19)
This Amendment No 3 to the Amended and Restated Master Custodian Agreement (the “Amendment”), effective as of December 11, 2024 (“Amendment Effective Date”), is by and among each Fund (as defined below) and State Street Bank and Trust Company, a Massachusetts trust company (the “Custodian”). Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Custodian Agreement (as defined below).
Whereas, the investment companies identified on Appendix A hereto (the “Fund”) and the Custodian entered into that certain Amended and Restated Master Custodian Agreement dated as of October 17, 2005 (as amended, the “Custodian Agreement”), pursuant to which the Custodian provides certain custodial services to the Fund; and
Whereas, the Fund and the Custodian desire to amend the Custodian Agreement as more particularly set forth below.
Whereas, the Fund and the Custodian acknowledge that the previous Amendment dated April 30, 2021 applies to Xxxxxx Strategic Trust and its series.
Now Therefore, in consideration of the mutual covenants and agreements hereinafter contained, the parties hereto agree as follows:
1. Information Security. The following new Section is hereby added to the Custodian Agreement:
“SECTION 18.18. INFORMATION SECURITY. Custodian shall comply with the provisions described in Schedule D (Custodian Information Security Schedule) attached hereto.”
2. Schedule D: Attachment No 3 to Amendment No 3 attached hereto shall be added to the Agreement as Schedule D (Custodian Information Security Schedule).
3. Except as modified hereby, all other terms and conditions of each Custodian Agreement shall remain in full force and effect.
4. This Amendment may be executed in multiple counterparts, which together shall constitute one instrument.
[SIGNATURE PAGE FOLLOWS]
Signature Page
IN WITNESS WHEREOF, each of the parties has caused this instrument to be executed in its name and behalf by its duly authorized representative and its seal to be hereunder affixed as of the date first above-written.
EACH OF THE ENTITIES SET FORTH ON APPENDIX A HERETO
By: /s/ Xxxx X Xxxxx
Name: Xxxx X Xxxxx
Title: CFO Xxxxxx Funds and ETFs
STATE STREET BANK AND TRUST COMPANY
By: /s/ Xxxxx XxxXxxxxx
Name: Xxxxx XxxXxxxxx
Title: Senior Vice President
APPENDIX A
TO
Custodian | Fund |
Xxxxxx Investments (a Massachusetts business trust) | Xxxxxx 1000 Index Fund |
 | Xxxxxx California Tax-Free Bond Fund |
 | Xxxxxx Opportunistic Municipal Bond Fund |
 | Xxxxxx Short-Term Bond Index Fund |
 | Xxxxxx Tax-Free Bond Fund |
 | Xxxxxx Treasury Inflation Protected Securities Index Fund |
 | Xxxxxx U.S. Aggregate Bond Index Fund |
Xxxxxx Capital Trust (a Massachusetts business trust) | Xxxxxx International Opportunities Fund |
 | Xxxxxx Balanced Fund |
 | Xxxxxx Core Equity Fund |
 | Xxxxxx Fundamental U.S. Large Company Index Fund |
 | Xxxxxx Fundamental U.S. Small Company Index Fund |
 | Xxxxxx International Core Equity Fund |
 | Xxxxxx Monthly Income Fund - Flexible Payout |
 | Xxxxxx Monthly Income Fund - Income Payout |
 | Xxxxxx Monthly Income Fund - Target Payout |
 | Xxxxxx U.S. Large-Cap Growth Index Fund |
 | Xxxxxx U.S. Large-Cap Value Index Fund |
 | Xxxxxx U.S. Mid-Cap Index Fund |
The Xxxxxxx Xxxxxx Family of Funds (a Massachusetts business trust) | Xxxxxx AMT Tax-Free Money Fund |
 | Xxxxxx California Municipal Money Fund |
 | Xxxxxx Government Money Fund |
 | Xxxxxx Municipal Money Fund |
 | Xxxxxx New York Municipal Money Fund |
 | Schwab Retirement Government Money Fund |
 | Xxxxxx Treasury Obligations Money Fund |
 | Xxxxxx U.S. Treasury Money Fund |
 | Schwab Value Advantage Money Fund |
Xxxxxx Annuity Portfolios (a Massachusetts business trust) | Xxxxxx Government Money Market Portfolio |
Xxxxxx Strategic Trust | Xxxxxx U.S. Broad Market ETF |
 | Xxxxxx U.S. Large-Cap ETF |
 | Xxxxxx U.S. Large-Cap Growth ETF |
 | Xxxxxx U.S. Large-Cap Value ETF |
 | Xxxxxx U.S. Mid-Cap ETF |
 | Xxxxxx U.S. Small-Cap ETF |
 | Xxxxxx U.S. Dividend Equity ETF |
 | Xxxxxx U.S. REIT ETF |
 | Xxxxxx International Equity ETF |
 | Xxxxxx International Small-Cap Equity ETF |
 | Xxxxxx International Dividend Equity ETF |
 | Xxxxxx Emerging Markets Equity ETF |
 | Xxxxxx U.S. TIPS ETF |
 | Xxxxxx Short-Term U.S. Treasury ETF |
 | Xxxxxx Intermediate-Term U.S. Treasury ETF |
 | Xxxxxx U.S. Aggregate Bond ETF |
 | Xxxxxx Fundamental U.S. Broad Market ETF |
 | Xxxxxx Fundamental U.S. Large Company ETF |
 | Xxxxxx Fundamental U.S. Small Company ETF |
 | Xxxxxx Fundamental International Equity ETF |
 | Xxxxxx Fundamental International Small Equity ETF |
 | Xxxxxx Fundamental Emerging Markets Equity ETF |
 | Xxxxxx 1000 Index ETF |
 | Xxxxxx 1-5 Year Corporate Bond ETF |
 | Xxxxxx 5-10 Year Corporate Bond ETF |
 | Xxxxxx Long-Term U.S. Treasury ETF |
 | Xxxxxx Xxxxx ESG ETF |
 | Xxxxxx Crypto Thematic ETF |
 | Xxxxxx Municipal Bond ETF |
 | Xxxxxx Ultra-Short Income ETF |
 | Xxxxxx Mortgage-Backed Securities ETF |
ATTACHMENT NO 1 TO AMENDMENT NO 3
SCHEDULE D
Custodian Information Security Schedule
All capitalized terms not defined in this Custodian Information Security Schedule (this “Security Schedule”) will have the meanings given to them in each Agreement, as applicable.
Custodian implements data security measures consistent in all material respects with applicable prevailing industry practices and standards as well as laws, rules and regulations applicable to Custodian. As of the Amendment Effective Date, Custodian aligns with the National Institute for Standards and Technology (NIST) cybersecurity framework. However, as information security is a highly dynamic space where threats are constantly changing, Custodian reserves the right to make changes to its information security controls and/or to align with one or more recognized industry standards, other than NIST, at any time in a manner that does not materially reduce its protection of Fund Confidential Information.
Custodian will use commercially reasonable efforts to cause any delegates and other third parties to whom Custodian provides Fund Confidential Information to implement and maintain security measures that Custodian reasonably believes are at least as protective as those described in this Security Schedule. For delegates or other third parties who collect, transmit, share, store, control, process or manage Fund Confidential Information, Custodian is responsible for assessing their control environments. Notwithstanding the foregoing, Custodian shall be responsible for any such delegate’s or other third party’s protection of Fund Confidential Information, which if done by Custodian, would be a breach of its commitment under this Security Schedule.
1. Security Objectives. Custodian uses commercially reasonable efforts to:
a. protect the privacy, confidentiality, integrity, and availability of Fund Confidential Information;
b. protect against accidental, unauthorized, unauthenticated or unlawful access, copying, use, processing, disclosure, alteration, corruption, transfer, loss or destruction of Fund Confidential Information;
c. comply with applicable governmental laws, rules and regulations that are relevant to the handling, processing and use of Fund Confidential Information by Custodian in accordance with each Agreement; and
d. implement customary administrative, physical, technical, procedural and organizational safeguards.
2. Risk Assessments. The results of Custodian’s risk assessments are internal to Custodian and will not be provided to Fund.
a. Risk Assessment - Custodian will perform risk assessments annually that are designed to identify material threats (both internal and external), the likelihood of those threats occurring and the impact of those threats upon the Custodian organization to evaluate and analyze the appropriate level of information security safeguards (“Risk Assessments”).
b. Risk Mitigation - Custodian will use commercially reasonable efforts to manage, control and remediate any threats identified in the Risk Assessments that are likely to result in material unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of Fund Confidential Information, consistent with the Objective, and commensurate with the sensitivity of the Fund Confidential Information and the complexity and scope of the activities of Custodian pursuant to the Agreement.
c. Vulnerability Management Program – Custodian maintains a vulnerability management program that includes processes for: being made aware of newly announced vulnerabilities; discovering vulnerabilities within the infrastructure and applications; risk rating vulnerabilities consistent with industry standards; and defining timeframes for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by Custodian with respect to such vulnerabilities.
3. Patch Management - Custodian will patch all system end points, such as workstations, and servers with all current operating system, database and application patches deployed in Custodian’s computing environment according to a schedule predicated on the criticality of the patch. Custodian must perform appropriate steps so that patches do not compromise the security of the information resources being patched.
4. Security Controls. Upon Fund’s reasonable request, no more frequently than annually, Custodian will provide Fund’s Chief Information Security Officer or his or her designee with a copy of its Corporate Information Security Controls manual, a completed Standardized Information Gathering (SIG) questionnaire, Custodian’s Global Information Security (GIS) SOC 2 (Type II) report, and an opportunity to discuss Custodian’s Information Security measures with a qualified member of Custodian’s Information Technology management team. In no event will any such discussions require Custodian to reveal any details or information that could reasonably be expected to jeopardize the security or integrity of any Custodian system or the confidentiality or security of any other client’s data. Custodian reviews its Information Security Policy approximately annually and reserves the right to change the frequency to meet regulatory requirements (which in no event will be less frequent than every eighteen (18) months).
a. Responsibility - Custodian will assign responsibility for information security management to senior personnel only.
b. Access - Custodian will have controls designed to permit only those personnel performing roles supporting the provision of services under this Agreement to access Fund Confidential Information.
c. Confidentiality - Custodian personnel who have accessed or otherwise been made known of Fund Confidential Information will maintain the confidentiality of such information in accordance with the terms of this Agreement.
d. Training - Custodian will provide information security training to its personnel on approximately an annual basis.
e. Screening – Custodian employees, and personnel of delegates or other third parties who access Custodian’s facilities, networks or systems, are subject to certain credit and criminal checks conducted by Custodian or its agents applicable to banks pursuant to applicable laws, rules and/or regulations. If any person does not meet the requirements of such Custodian checks, such person may not be permitted to be employed by Custodian or, in the event of a delegate or other third party, Custodian requires that such person be removed from any assignment for Custodian. In addition to the foregoing, Custodian requires its delegates and other third parties to conduct, as part of its standard hiring and vendor due diligence practices, pre-employment background investigations consistent with industry standards with respect to any personnel that are assigned to perform services for Custodian or otherwise have access to confidential information of Custodian or its clients.
d. Paper Destruction - Custodian will cross shred all paper waste containing Fund Confidential Information and dispose in a secure and confidential manner.
e. Risk based approach: A risk-based approach should be used in determining site security levels as well as periodic site security assessments.
f. Access controls: Custodian personnel are required to use their individually assigned corporate ID badges programmed to provide various levels of access control based on their role. Authorized door access lists are reviewed on a quarterly basis by the authorized area owner(s) to ensure access remains appropriate.
7. Communications and Operations Management.
a. Network Penetration Testing - Custodian will, on approximately an annual basis but in no event less frequently than every eighteen (18) months, contract with an independent third party to conduct a network penetration test on its network having access to or holding or containing Fund Confidential Information. If penetration testing reveals material deficiencies or vulnerabilities, the findings will be risk rated consistent with industry standards and timeframes will be defined for remediating vulnerabilities (other than medium or low risk vulnerabilities) consistent with industry standards and taking into account any mitigation efforts taken by Custodian with respect to such vulnerabilities.
c. Data Loss Prevention - Custodian will maintain a data leakage program that is designed to identify, detect, monitor and document data leaving Custodian’s control without authorization in place.
d. Wireless Security - If Custodian deploys a wireless network, Custodian will maintain written policies governing the use, configuration and management of wireless networks. All wireless network devices shall be protected using appropriate physical controls to minimize the risk of theft, unauthorized use, or damage. Network access to wireless networks shall be restricted only to those authorized.
e. Firewalls. Custodian will maintain current industry appropriate firewall technology in the operation of Custodian’s environments.
f. Source Code Review - Custodian must have a documented program for secure code reviews and maintain documentation of secure code reviews performed for all Internet-facing applications that store or process Xxxxxx Confidential Information.
b. User Access - Custodian will have a process to promptly disable access to Fund Confidential Information by any Custodian personnel who no longer requires such access. Custodian will also promptly remove access of Fund personnel upon receipt of notification from Fund.
9. Use of Laptop and Mobile Devices in connection with this Agreement.
b. Secure Storage - Custodian will require that all laptops and mobile devices be securely stored whenever out of the personnel’s immediate possession.
c. Inactivity Timeout - Custodian will employ access and password controls as well as inactivity timeouts of no longer than thirty (30) minutes on laptops, desktops and mobile devices managed by Custodian and used by Custodian’s personnel.
10. Information Systems Acquisition Development and Maintenance.
a. Fund Data – Fund Confidential Information will only be used by Custodian for the purposes specified in this Agreement.
b. Virus Management - Custodian will maintain a malware protection program designed to identify, detect, protect, respond and recover from malware infections, malicious code and unauthorized execution of code within the Custodian environment.
c. Change Control – Custodian implements and maintains change control procedures to manage changes to information systems, supporting infrastructure, and facilities. Certain Custodian’s system and application changes undergo testing prior to implementation, which may include relevant security controls, as determined by Custodian on a risk basis and taking into account the type and/or impact of the change and the infrastructure and/or network components in place with respect to such change.
11. Incident Event and Communications Management.
b. Custodian will notify Fund within forty-eight (48) hours after it has determined that unauthorized access to Fund Confidential Information has occurred, unless otherwise prohibited by applicable law. In such an event, and unless prohibited by applicable law, Custodian will provide information, to the extent available to Custodian, sufficient to provide a reasonable description of the general circumstances and extent of such unauthorized access, and will provide reasonable cooperation to Fund:
i. in the investigation of any such unauthorized access;
ii. in Fund’s efforts to comply with statutory notice or other applicable laws applicable to Fund or its customers; and
iii. in litigation and investigations brought by Fund against third parties, including injunctive or other equitable relief reasonably necessary to protect Fund’s proprietary rights.
For the avoidance of doubt, Xxxxxxxxx will not be required to disclose information that Custodian reasonably determines would compromise the security of Custodian's technology or premises or that would impact other Custodian clients.
12. Offshore Work - Specific to work performed by Custodian from India, Custodian will only access Fund Confidential Information via a Virtual Desktop Interface (“VDI”) with controls in place to protect Fund Confidential Information from data loss at a minimum in accordance with the terms of the Security Schedule and protections of Fund Confidential Information set forth herein. The VDI must be configured to disallow the ability to download data to the host machine or external device.