WHAT CYBERSECURITY COMPLIANCE DOCUMENTATION DOES THE SEC REQUIRE A FIRM TO MAINTAIN?

Post on 14-Jan-2022


HOW TO BUILD A VERY SOLID SEC CYBERSECURITY COMPLIANCE DOCUMENTATION PROGRAM.

At MTradecraft, we provide cybersecurity auditing and penetration testing services to SEC and FINRA registered firms. We currently support over 180 firms, and I want to discuss a very important observation from working with these firms. I consistently notice there is confusion among firm leadership on how to interpret the SEC’s (or FINRA’s, or any SSB’s) guidance on cybersecurity compliance. I hope this document helps cut directly to what you need to be doing at your firm.

The SEC’s written guidance is generic and not helpful. I am not going to cover what the SEC has published in this paper, but I highly encourage you to read all of the SEC’s cybersecurity-related releases. Instead, I want to focus on real-world solutions to help you build an operationally streamlined cybersecurity compliance program. In most of my engagements, I am working with CCOs who are, by and large, technically savvy individuals. They would have no problem performing their cybersecurity compliance duties if they only knew what they were. This paper is for you.

First, let us set the stage and consider how a typical firm’s IT infrastructure might be structured. Consider the graphic below, which represents a simple example of how a firm’s systems are interconnected.

www.mtradecraft.com | [email protected]


The yellow flags represent items that a CCO is responsible for ensuring are up to date, properly patched, and not susceptible to any known vulnerabilities. The “External Penetration Test”, “Social Engineering”, and “Internal Penetration Test” flags identify locations that need to be actively monitored and tested for vulnerabilities. These are potential entry points for malicious attackers. As a penetration tester, these are the areas I focus on.

If you hired an outsourced IT company to administer your network, do not trust them to perform these cybersecurity audits for you. They won’t. Or, if you do trust them, make sure they are sending you the PDF documentation to prove that they are performing these cybersecurity auditing tasks. The SEC will want to see the documentation.


Cybersecurity Law #1: The easier a device is to deploy and administer, the more vulnerable it is.

In my experience, 99% of IT firms will not give you that cybersecurity compliance documentation because, at the end of the day, IT firms want to deliver repeatable technology (easy to deploy and administer) to hundreds of firms, whereas SEC registered firms need redundant and secure technology (difficult to deploy and administer). So, there is an inherent conflict of interest when outsourcing your IT operations. You and the IT vendor have different goals. I don’t sell those kinds of services, so I am not trying to knock my competition here.

Regardless of whether you outsource your IT or have those operations in house, the CCO is still responsible for producing the required cybersecurity compliance documentation. To perform this work, you can hire an outsourced cybersecurity auditing company (wink: such as MTradecraft :wink) to perform these audits and produce your documentation. When choosing a firm, it is important to make sure there are no conflicts of interest. For example, don’t select a cybersecurity firm that sells ongoing monitoring services, because they will conveniently find all kinds of vulnerabilities that will require their $299/month monitoring service. Don’t take the bait.

Or, you can tackle it yourself.

Below I will outline how I set up my clients’ cybersecurity compliance folders. The suggestions below are just a baseline that all firms will need. Depending on your infrastructure or operations (locations, parent companies, IT deployments, etc.), you will probably require additional documentation.


First, let’s start with the Policies and Procedures documents.

Cybersecurity Compliance Document #1

The Cybersecurity Policies and Procedures Manual

Here is the outline I use when crafting this document for my clients. You can use these topics to craft a manual that is custom written for your firm. If you need a template for this, just let me know and I will send you one.

Cybersecurity Compliance Document #2

Employee Technology Use Agreement Forms.

This policy sets forth a basic set of standards for the use and protection of a firm’s computer assets. It should be administered to all firm personnel at onboarding and once again annually. Employees need to sign off that they have read and agree with the document.

See Appendix B for a template I use with my clients.

Cybersecurity Compliance Documents #3-1000.

Documentation of the Active Monitoring of Firm IT Assets

Our personal preference is to use Tenable’s Nessus software to provide what we consider to be industry-leading vulnerability scanning and reporting capabilities for our clients. Deploying a scanning solution like Nessus will allow a CCO to build a set-it-and-forget-it monitoring solution. At MTradecraft, we deploy these scanners to automatically scan our clients’ entire network and domain once a week and email a report to the CCO. The CCO can then read the report, respond to any needed actions, and then file that report away in the Cybersecurity Compliance Folder. If a vulnerability is detected, Nessus will present you with a solution in the report.

Speaking of cybersecurity compliance folders, here is how I suggest you structure that folder. We will use an example from my old firm, Vela Ford.

Cybersecurity Folder Descriptions

Vela Ford Vulnerability Scan Databases: Each time Nessus runs a scan, it will produce a database. Save those here.

Vulnerability Reports – Austin and San Antonio Offices: We like to save the vulnerability scans for each office in separate folders. From Nessus, I export each scan report to a PDF and save it here. I also include network maps for each office and screenshots from each audit in this folder.

Vulnerability Reports – External Assets: This is where we save vulnerability scan reports for external assets like email servers, client portals, websites, web apps, etc.


2020 December Vela Ford...Annual Executive Summary: Each year you need to perform a cybersecurity audit in conjunction with your annual Rule 206(4)-7 compliance review. Document that audit in an executive summary and save it in your compliance folder. Be sure to follow up and document any remediations that you make.

Remember, with the SEC, if you didn’t document “it”, “it” didn’t happen.
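The weekly Nessus workflow above (scan, read the report, act on it, file it) and the folder layout just described are easy to automate, and automating the filing is also the cheapest way to make the evidence trustworthy. The script below is an added example, not code from the original paper or from MTradecraft: it parses a `.nessus` v2 export, pulls out every finding at Medium severity or above together with the solution text Nessus supplies, writes a remediation-tracking CSV the CCO can update as items are fixed, files the raw export and the tracker into dated folders named after the layout above, and writes a SHA-256 manifest so that anyone (including an examiner) can later verify the filed evidence was not altered. The folder names, the office name, the scan date and the embedded scan data are constructed for illustration; the `severity`, `pluginID`, `pluginName` and `solution` fields follow the Nessus v2 export format.

```python
import csv
import hashlib
import io
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date
from pathlib import Path

# Nessus v2 "severity" attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical.
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
MIN_ACTIONABLE = 2  # Medium and above go on the remediation tracker
FIELDS = ["host", "port", "protocol", "severity", "plugin_id", "plugin_name",
          "solution", "status", "remediated_on"]

# Constructed sample export (not a real scan), laid out like a .nessus v2 file.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="Weekly - Austin">
 <ReportHost name="10.10.1.5">
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="100000"
   pluginName="SMB Server Missing Critical Update"><solution>Apply the vendor patch.</solution></ReportItem>
  <ReportItem port="0" protocol="tcp" severity="0" pluginID="100001"
   pluginName="OS Identification"><solution>n/a</solution></ReportItem>
 </ReportHost>
 <ReportHost name="10.10.1.20">
  <ReportItem port="443" protocol="tcp" severity="2" pluginID="100002"
   pluginName="SSL Certificate Expired"><solution>Renew the certificate.</solution></ReportItem>
 </ReportHost>
</Report></NessusClientData_v2>"""

def parse_findings(nessus_xml, min_severity=MIN_ACTIONABLE):
    """Findings at or above min_severity, worst first, each with Nessus's solution text."""
    rows = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            rows.append((sev, {
                "host": host.get("name"), "port": item.get("port"),
                "protocol": item.get("protocol"), "severity": SEVERITY[sev],
                "plugin_id": item.get("pluginID"), "plugin_name": item.get("pluginName"),
                "solution": (item.findtext("solution") or "").strip(),
                "status": "open",  # the CCO flips this when the item is fixed
                "remediated_on": "",
            }))
    rows.sort(key=lambda r: -r[0])  # Critical first; stable within a level
    return [r[1] for r in rows]

def tracker_csv(findings):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()

def file_weekly_scan(root, firm, office, nessus_xml, scan_date):
    """File one weekly scan under the paper's folder layout (names are illustrative):
    raw export in '<firm> Vulnerability Scan Databases', the remediation tracker in
    'Vulnerability Reports - <office>/<date>', plus a SHA-256 manifest of both."""
    stamp = scan_date.isoformat()
    db_dir = root / f"{firm} Vulnerability Scan Databases"
    rpt_dir = root / f"Vulnerability Reports - {office}" / stamp
    db_dir.mkdir(parents=True, exist_ok=True)
    rpt_dir.mkdir(parents=True, exist_ok=True)
    raw_path = db_dir / f"{stamp}-{office}.nessus"
    raw_path.write_text(nessus_xml)
    findings = parse_findings(nessus_xml)
    csv_path = rpt_dir / "remediation-tracker.csv"
    csv_path.write_text(tracker_csv(findings))
    # Hash every evidence file so later edits or corruption can be detected.
    lines = [f"{hashlib.sha256(p.read_bytes()).hexdigest()}  {p.relative_to(root).as_posix()}"
             for p in (raw_path, csv_path)]
    manifest = rpt_dir / "SHA256SUMS"
    manifest.write_text("\n".join(lines) + "\n")
    return {"tracker": csv_path, "manifest": manifest, "findings": findings,
            "counts": dict(Counter(f["severity"] for f in findings))}

def verify_manifest(root, manifest):
    """Recompute every hash in the manifest; False if any file is missing or altered."""
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = root / rel
        if not target.is_file() or hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            return False
    return True

def demo():
    """Run the weekly workflow in a scratch directory and return what can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        result = file_weekly_scan(root, "Vela Ford", "Austin", SAMPLE_NESSUS, date(2020, 12, 7))
        ok_before = verify_manifest(root, result["manifest"])
        # Someone quietly marks an item closed after the fact: the manifest must catch it.
        result["tracker"].write_text(result["tracker"].read_text().replace("open", "closed"))
        ok_after = verify_manifest(root, result["manifest"])
    return {"findings": result["findings"], "counts": result["counts"],
            "verified_before": ok_before, "verified_after_edit": ok_after}
```

Call `demo()` to exercise the whole flow in a scratch directory; in production, point `file_weekly_scan` at the real compliance folder and at the export you pull from the scanner each week. Keep a copy of each `SHA256SUMS` somewhere the people who can edit the reports cannot also rewrite it (for example, attached to the weekly email to the CCO); a manifest that lives only beside the files it describes proves nothing once someone with write access decides to tidy up history.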

We find that structuring a folder in this manner makes for an easy audit when the day does come. We designed this structure by researching actual cybersecurity/IT documentation requests that my clients had received from the SEC (and SSBs). Please see Appendix A for a list of those requests.

Each firm is going to be unique in regards to what systems need documentation and monitoring, but I hope this provides a quick outline of how you should be thinking about your cybersecurity compliance obligations.

If you have any questions or are curious how MTradecraft can assist in helping you set up your cybersecurity compliance workflows, please let us know.


About the Author:

My name is Brian Hahn and I founded MTradecraft in 2009. I have been in the investment industry for over 20 years with experience as:

- COO/CCO of an SEC Registered Investment Advisor
- Head Trader and Operations Manager for an SEC registered hedge fund
- CS Associate at Ray Dalio's Bridgewater Associates
- Co-Founder of two investment management firms (an RIA and a hedge fund)

I have experience designing every aspect of a firm's IT operations, compliance manuals, operational workflows, and cybersecurity infrastructure.

Unlike most firms, I do not sell ongoing cybersecurity products, nor am I affiliated with outside IT vendors. That means you will receive unbiased advice that is focused on protecting your network and you never have to worry about an up sell at the end.

I live and breathe cybersecurity and investment management operations and I am dedicated to the tradecraft of helping my clients protect their most sensitive data and client relationships.

MTradecraft supports over 180 clients nationwide.

We serve all financial institutions, with focused expertise in the RIA, broker-dealer, hedge fund, and family office space.


Appendix A

SEC Cybersecurity Compliance Documentation Requests

-----------------------------------------------------------------

Does the firm have: (i) a written Business Continuity Plan; (ii) a Pandemic Continuity of Operations Plan; and/or (iii) equivalent informal plans or guidance (collectively, “BCP”)? If so:

1. Briefly describe some of the aspects of the BCP that are particularly applicable to maintaining continuity of business operations when dealing with the COVID-19 pandemic (e.g., personnel working remotely).

2. Are there any business operations that cannot be performed remotely?

-----------------------------------------------------------------

If the firm has a BCP, has the firm activated/implemented its BCP in response to COVID-19? If so, please describe:

1. What aspects of the plan have been implemented?

2. Whether the firm has identified any preliminary weaknesses or unforeseen issues since implementing its BCP?

3. Whether the firm has encountered, thus far, any limitations in its ability to operate critical systems or conduct critical operations in connection with its personnel working remotely?

4. Whether working remotely has affected the firm’s oversight of any of its third-party vendors or service providers?

5. Do the firm’s BCP efforts address the resiliency practices of its key third-party vendors, service providers, and business partners (collectively, “vendors”) (i.e., the continuation of the vendors’ business functions affecting the firm’s key operations)? For example, does the firm make sure that vendors address:

   1. Continuity program activities, such as regularly reviewing and updating their BCP?

   2. Disaster recovery plans for their systems, such as identifying the locations where data is backed up and recovery time objectives?

   3. Business continuity procedures, such as comprehensive continuity strategies and procedures with all of their vendors?

   4. Communication practices, such as internal and external communication plans with their vendors and clients/customers?

-----------------------------------------------------------------

Is the firm prepared to have all of its personnel operate remotely for several weeks (e.g., 3+) or months, if required or appropriate? Are any personnel unable to operate remotely or unable to do so for several weeks or months?

-----------------------------------------------------------------

Does the firm have a contingency plan if its essential personnel are unable to work, or only able to work on a part-time basis, for several weeks or months? For example, personnel may be incapacitated or are only able to work part-time if they are caring for children.

-----------------------------------------------------------------

Has the COVID-19 pandemic created hardships for the firm (e.g., financial, human resources, or otherwise)?

-----------------------------------------------------------------

Has the firm considered assessing the impact of COVID-19 on its business and operations? If so, is it underway, or when does the firm believe it will undergo this assessment?

What other issues or concerns does the firm want to share with the SEC, including any challenges related to COVID-19 that have impacted other firms?

-----------------------------------------------------------------

For each of the following practices employed by the Firm for management of information security assets, please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice; and, if not conducted firmwide, the areas that are included within the practice. Please also provide a copy of any relevant policies and procedures.

• Physical devices and systems within the Firm are inventoried and assessed for risks.

• Software platforms and applications within the Firm are inventoried and audited.

• Maps of network resources, connections, and data flows (including locations where customer data is housed) are created or updated.

• Connections to the Firm’s network from external sources are catalogued and assessed.

• Resources (hardware, data, 2-factor authentication, and software) are prioritized for protection based on their sensitivity and business value.

• Logging capabilities and practices are assessed for adequacy, appropriate retention, and secure maintenance.

-----------------------------------------------------------------

Please provide a copy of the Firm’s written information security policy and employee usage agreements.

-----------------------------------------------------------------

Please indicate whether the Firm conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, physical vulnerabilities and potential business consequences. If such assessments are conducted:

a. Who (business group/title) conducts them, and in what month and year was the most recent assessment completed?

b. Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.

-----------------------------------------------------------------

Does the Registrant use any cloud-based storage (e.g., Dropbox, SkyDrive, Google Docs, etc.) for data backup or any other purpose? If so, please list the vendors used and all due diligence research associated with each vendor. Is the Registrant using a personal or business version of the cloud storage? Please provide a copy of the terms of service agreement from each cloud storage vendor that the Registrant is using.


-----------------------------------------------------------------

Does the Registrant have any written policies and procedures to govern the use of/access of firm data? If so, please provide copies of the policies and procedures.

-----------------------------------------------------------------

Has the Registrant ever had any data breaches or any other cybersecurity issues (e.g., hacking incidents, ransomware, etc.)? If yes, please provide a timeline and describe the nature of the incident. If no, please describe how the firm monitors for breaches.

-----------------------------------------------------------------

If cybersecurity roles and responsibilities for the Firm’s workforce and managers have been explicitly assigned and communicated, please provide written documentation of these roles and responsibilities. If no written documentation exists, please provide a brief description.

-----------------------------------------------------------------

Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident, if one exists.

-----------------------------------------------------------------

Does the Firm have a Chief Information Security Officer or equivalent position? If so, please identify the person and title. If not, where does principal responsibility for overseeing cybersecurity reside within the Firm?


-----------------------------------------------------------------

Does the Firm maintain insurance that specifically covers losses and expenses attributable to cybersecurity incidents? If so, please briefly describe the nature of the coverage and indicate whether the Firm has filed any claims, as well as the nature of the resolution of those claims.

-----------------------------------------------------------------

Does the Registrant allow employees (or any person) to access any personal web-based e-mail accounts (e.g., Google, Yahoo Mail, Hotmail, etc.) from the firm’s networks? If no, what steps has the Registrant taken to block network access to personal e-mail?

-----------------------------------------------------------------

Does the Registrant allow employees (or any person) to use their personal e-mail for business purposes? If yes, what types of information are transmitted via web-based e-mail? Is web-based e-mail used for client communications?

-----------------------------------------------------------------

Does the Registrant use a web-based e-mail provider’s or its own server for e-mail? If the Registrant is using a web-based e-mail account, does it have a business account with the provider? Do any other entities share the same email server?

-----------------------------------------------------------------

Please provide a copy of the terms of service agreement from each web-based e-mail provider that the Registrant is using.

-----------------------------------------------------------------

Does the Registrant maintain records of web-based e-mail communications? If so, how are the records maintained? Does compliance review web-based e-mail communications?

-----------------------------------------------------------------

Does the Registrant have any written policies and procedures to govern the access to/use of/maintenance of/review of web-based e-mail? If yes, please provide copies of the policies and procedures.

-----------------------------------------------------------------

Please identify any published cybersecurity risk management process standards, such as those issued by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), the Firm has used to model its information security architecture and processes.

-----------------------------------------------------------------

Please indicate which of the following practices and controls regarding the protection of its networks and information are utilized by the Firm, and provide any relevant policies and procedures for each item.

1. The Firm provides written guidance and periodic training to employees concerning information security risks and responsibilities. If the Firm provides such guidance and/or training, please provide a copy of any related written materials (e.g., presentations) and identify the dates, topics, and which groups of employees participated in each training event conducted since January 1, 2013.

2. The Firm maintains controls to prevent unauthorized escalation of user privileges and lateral movement among network resources. If so, please describe the controls, unless fully described within policies and procedures.

3. The Firm restricts users to those network resources necessary for their business functions. If so, please describe those controls, unless fully described within policies and procedures.

4. The Firm maintains an environment for testing and development of software and applications that is separate from its business environment.

5. The Firm maintains a baseline configuration of hardware and software, and users are prevented from altering that environment without authorization and an assessment of security implications.

6. The Firm has a process to manage IT assets through removal, transfers, and disposition.

7. The Firm has a process for ensuring regular system maintenance, including timely installation of software patches that address security vulnerabilities.

8. The Firm’s information security policy and training address removable and mobile media.

9. The Firm maintains controls to secure removable and portable media against malware and data leakage. If so, please briefly describe these controls.

10. The Firm maintains protection against Distributed Denial of Service (DDoS) attacks for critical internet-facing IP addresses. If so, please describe the internet functions protected and who provides this protection.

11. The Firm maintains a written data destruction policy.

12. The Firm maintains a written cybersecurity incident response policy. If so, please provide a copy of the policy and indicate the year in which it was most recently updated. Please also indicate whether the Firm conducts tests or exercises to assess its incident response policy, and if so, when and by whom the last such test or assessment was conducted.

13. The Firm periodically tests the functionality of its backup system. If so, please provide the month and year in which the backup system was most recently tested.

-----------------------------------------------------------------

Please indicate whether the Firm makes use of encryption. If so, what categories of data, communications, and devices are encrypted and under what circumstances?

-----------------------------------------------------------------

Please indicate whether the Firm conducts periodic audits of compliance with its information security policies. If so, in what month and year was the most recent such audit completed, and by whom was it conducted?

-----------------------------------------------------------------

Please indicate whether the Firm provides customers with on-line account access. If so, please provide the following information:

a. The name of any third party or parties that manage the service.

b. The functionality for customers on the platform (e.g., balance inquiries, address and contact information changes, beneficiary changes, transfers among the customer’s accounts, withdrawals or other external transfers of funds).

c. How customers are authenticated for on-line account access and transactions.

d. Any software or other practice employed for detecting anomalous transaction requests that may be the result of compromised customer account access.

e. A description of any security measures used to protect customer PINs stored on the sites.

f. Any information given to customers about reducing cybersecurity risks in conducting transactions/business with the Firm.

-----------------------------------------------------------------

Please provide a copy of the Firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds. If no written procedures exist, please describe the process.

-----------------------------------------------------------------

Please provide a copy of any Firm policies for addressing responsibility for losses associated with attacks or intrusions impacting customers.

a. Does the Firm offer its customers a security guarantee to protect them against hacking of their accounts? If so, please provide a copy of the guarantee if one exists and a brief description.

-----------------------------------------------------------------

If the Firm conducts or requires cybersecurity risk assessments of vendors and business partners with access to the Firm’s networks, customer data, or other sensitive information, or due to the cybersecurity risk of the outsourced function, please describe who conducts this assessment, when it is required, and how it is conducted. If a questionnaire is used, please provide a copy. If assessments by independent entities are required, please describe any standards established for such assessments.

-----------------------------------------------------------------

If the Firm regularly incorporates requirements relating to cybersecurity risk into its contracts with vendors and business partners, please describe these requirements and the circumstances in which they are incorporated. Please provide a sample copy.


-----------------------------------------------------------------

Please provide a copy of policies and procedures and any training materials related to information security procedures and responsibilities for trainings conducted since January 2017 for vendors and business partners authorized to access its network.

-----------------------------------------------------------------

If the Firm assesses the segregation of sensitive network resources from resources accessible to third parties, who (business group/title) performs this assessment? Please also provide a copy of any relevant policies and procedures.

-----------------------------------------------------------------

If vendors, business partners, or other third parties may conduct remote maintenance of the Firm’s networks and devices, describe any approval process, logging process, or controls to prevent unauthorized access, and provide a copy of any relevant policies and procedures.

-----------------------------------------------------------------

For each of the following practices employed by the Firm to assist in detecting unauthorized activity on its networks and devices, please briefly explain how and by whom (title, department and job function) the practice is carried out.

• Identifying and assigning specific responsibilities, by job function, for detecting and reporting suspected unauthorized activity.

• Maintaining baseline information about expected events on the Firm’s network.

• Aggregating and correlating event data from multiple sources.

• Establishing written incident alert thresholds.

• Monitoring the Firm’s network environment to detect potential cybersecurity events.

• Monitoring the Firm’s physical environment to detect potential cybersecurity events.

• Using software to detect malicious code on Firm networks and mobile devices.

• Monitoring the activity of third party service providers with access to the Firm’s networks.

• Monitoring for the presence of unauthorized users, devices, connections, and software on the Firm’s networks.

• Evaluating remotely-initiated requests for transfers of customer assets to identify anomalous and potentially fraudulent requests.

• Using data loss prevention software.

• Conducting penetration tests and vulnerability scans. If so, please identify the month and year of the most recent penetration test and recent vulnerability scan, whether they were conducted by Firm employees or third parties, and describe any findings from the most recent risk test and/or assessment that were deemed to be potentially moderate or high risk but have not yet been addressed.

• Testing the reliability of event detection processes. If so, please identify the month and year of the most recent test.

• Using the analysis of events to improve the Firm’s defensive measures and policies.

-----------------------------------------------------------------

Did the Firm update its written supervisory procedures to reflect the Identity Theft Red Flags Rules, which became effective in 2013 (17 CFR § 248—Subpart C—Regulation S-ID)?

a. If not, why?


-----------------------------------------------------------------

How does the Firm identify relevant best practices regarding cybersecurity for its business model?

-----------------------------------------------------------------

Since January 1, 2016, has your Firm experienced any of the following types of events? If so, please provide a brief summary for each category listed below, identifying the number of such incidents (approximations are acceptable when precise numbers are not readily available) and describing their significance and any effects on the Firm, its customers, and its vendors or affiliates. If the response to any one item includes more than 10 incidents, the respondent may note the number of incidents and describe incidents that resulted in losses of more than $5,000, the unauthorized access to customer information, or the unavailability of a Firm service for more than 10 minutes. The record or description should, at a minimum, include: the extent to which losses were incurred, customer information accessed, and Firm services impacted; the date of the incident; the date the incident was discovered and the remediation for such incident.

• Malware was detected on one or more Firm devices. Please identify or describe the malware.

• Access to a Firm web site or network resource was blocked or impaired by a denial of service attack. Please identify the service affected, and the nature and length of the impairment.

• The availability of a critical Firm web or network resource was impaired by a software or hardware malfunction. Please identify the service affected, the nature and length of the impairment, and the cause.

• The Firm’s network was breached by an unauthorized user. Please describe the nature, duration, and consequences of the breach, how the Firm learned of it, and how it was remediated.

• The compromise of a customer’s or vendor’s computer used to remotely access the Firm’s network resulted in fraudulent activity, such as efforts to fraudulently transfer funds from a customer account or the submission of fraudulent payment requests purportedly on behalf of a vendor.

• The Firm received fraudulent emails, purportedly from customers, seeking to direct transfers of customer funds or securities.

• The Firm was the subject of an extortion attempt by an individual or group threatening to impair access to or damage the Firm’s data, devices, network, or web services.

• An employee or other authorized user of the Firm’s network engaged in misconduct resulting in the misappropriation of funds, securities, sensitive customer or Firm information, or damage to the Firm’s network or data.

-----------------------------------------------------------------

Since January 1, 2016, if not otherwise reported above, did the Firm, either directly or as a result of an incident involving a vendor, experience the theft, loss, unauthorized exposure, or unauthorized use of or access to customer information? Please respond affirmatively even if such an incident resulted from an accident or negligence, rather than deliberate wrongdoing. If so, please provide a brief summary of each incident or a record describing each incident. Please indicate whether it was reported to the following:

• Law enforcement (please identify the entity)

• FinCEN (through the filing of a Suspicious Activity Report)

• FINRA

• A state or federal regulatory agency (please identify the agency and explain the manner of reporting)

• An industry or public-private organization facilitating the exchange of information about cybersecurity incidents and risks


-----------------------------------------------------------------

What does the Firm presently consider to be its three most serious cybersecurity risks, and why?

-----------------------------------------------------------------

Please feel free to provide any other information you believe would be helpful to the Securities and Exchange Commission in evaluating the cybersecurity posture of the Firm or the securities industry.


Appendix B

Employee Technology Use Policy

This policy sets forth a basic set of standards for the use and protection of {FIRM NAME} computer assets. This policy relates, but is not limited to, computer workstations, servers, laptop computers, electronic mail, databases, networks, and connection(s) to the intranet, internet, and any other information technology services available both now and in the future.

Information and Information Technology Systems including the computers, networks, applications (both third party and proprietary), technology facilities and the data housed therein, permit individuals, including all officers and directors, full-time, part-time and temporary employees, interns, consultants, independent contractors and other non-{FIRM NAME} personnel (collectively, "Users") to perform their duties at {FIRM NAME}.

Users are not allowed to remove any “Confidential Information" as described in the Code of Ethics from {FIRM NAME} networks or property by any means (including, but not limited to, internet, email, CD/DVD, disk, printed page), without the approval of their Chief Compliance Officer.

{FIRM NAME}'s Information and Information Technology Systems are intended solely for {FIRM NAME} business purposes. Personal use is not permissible. You are required to make sure your use: (i) does not involve a significant amount of resources that could otherwise be used for business purposes; (ii) does not interfere with a User's productivity; (iii) does not preempt any business activity; (iv) is not contrary to any other {FIRM NAME} policy; (v) does not intentionally make {FIRM NAME} susceptible to excessive spam or unsolicited requests; and (vi) does not disparage or diminish the reputation of {FIRM NAME} or its employees, officers, directors, shareholders and clients. It is the responsibility of each User to ensure that {FIRM NAME} Information and Information Technology Systems are used properly.


Users should not expect electronic communications made or received using {FIRM NAME}'s Information Technology Systems to be private. {FIRM NAME} expressly reserves the right, without notice, to access and examine {FIRM NAME} computer systems and networks and all information stored or transmitted through these systems and networks including, but not limited to, all electronic mail. As such, Users should have no expectation of privacy in the use of {FIRM NAME}'s Information Technology Systems. {FIRM NAME} may monitor all activity on {FIRM NAME} technology systems, including but not limited to personal uses such as online banking, online health information, shopping, or personal email. This monitoring may include keystroke logging, screen captures, and Internet activity monitoring, which may reveal personal information such as bank account information, passwords, medical information, or other personal information. Any information obtained by {FIRM NAME} during such monitoring may be used for any appropriate purpose as determined by {FIRM NAME} in its sole and exclusive discretion.

All electronic communications (e.g., email, IM, etc.) made using {FIRM NAME}'s networks, computers, systems or other property will be deemed the exclusive property of {FIRM NAME}. All electronic communications are to be written in English. If there is a legitimate business need to send a non-English email or communication, a translation must be provided to Compliance at the time the email is sent. The Compliance Department conducts regular reviews of email and instant message communications. The purpose of these reviews is to ensure that {FIRM NAME} is complying with its regulatory obligations as well as its own internal policies including the requirement that all electronic communications be consistent with the professional environment that we strive to maintain. All Users are reminded that such reviews will take place and to carefully consider the appropriateness of any statements made by them in any email communication. Users are further reminded that any personal emails sent via {FIRM NAME}'s electronic communication facilities will be retained and are subject to review by {FIRM NAME} compliance personnel as well as our regulators.

The use of web-based email sites (e.g., Gmail, Hotmail, university email, etc.), file upload sites such as Yahoo, or Xdrive personal/home websites, and other web-based publishing sites including blogs is prohibited. Notwithstanding the above, all electronic business communications must go through the {FIRM NAME} email servers, with the exception of Bloomberg instant messages. In the event of a {FIRM NAME} declared emergency, personal, web-based email sites (e.g., Gmail, Hotmail, etc.) may be used; however, in all cases Compliance must be carbon copied on every email.

All information received, stored or transmitted on behalf of {FIRM NAME} is to be treated as Confidential Information. As such, no internal email may be forwarded outside of {FIRM NAME} unless: (i) there is a special business reason to do so; or (ii) the forwarded email is about specific {FIRM NAME} benefits or events available only to your family (or similar close relationship), e.g., emails regarding the company Christmas party.

All electronic communications form a part of {FIRM NAME}'s company records. As such, electronic communications may be subject to disclosure to law enforcement or government officials or to other third parties through appropriate and lawful subpoena or otherwise. Users must ensure that business information contained in electronic communications is accurate,

Moreover, the Investment Advisers Act of 1940 (the "Act") requires that {FIRM NAME} maintain the originals of all written communications (including email) received and copies of all written communications sent to any party, including persons that are not clients of {FIRM NAME}, relating to the business of providing investment services. It is our policy to retain all internal and external email and internal instant messages, as well as all Bloomberg messages.

Users must conduct themselves in a courteous and professional manner when using {FIRM NAME}'s Information Technology Systems, including when using all email and other electronic communications. Users should write all email and other electronic communications with the same degree of responsibility that they would employ when writing letters or internal memoranda on {FIRM NAME}'s letterhead.

GENERAL RULES

The following are some basic rules governing the use of Information and Information Technology Systems at {FIRM NAME}.

A. HARDWARE AND SOFTWARE

{FIRM NAME} provides each User with job appropriate hardware and software. The hardware and software are owned and maintained by {FIRM NAME}, which has the right at any time, without notice, to examine and/or confiscate any hardware, software or data maintained on such hardware and/or {FIRM NAME}'s Information Technology Systems. If there is a technology device that has not been provided to you that you believe will help you to be more productive in performing your duties, please have it approved by the firm’s Chief Compliance Officer.

No unapproved information technology devices should be used in conjunction with {FIRM NAME}'s Information Technology Systems. This includes, but is not limited to, other computers, laptops, ZIP drives, Thumb drives, USB drives, memory sticks, CDR/CDRW drives or any other mass storage devices. Exceptions will only be granted on a case-by-case basis, in writing, by the Chief Compliance Officer.

Any software installed or data files stored on a {FIRM NAME} computer must be approved in advance. This includes software and data files downloaded from the internet. Using, downloading, installing and/or storing illegal or pirated software or files is not permitted in any form. In general, the software will be approved if it is properly licensed, intended for a legitimate business purpose, and does not expose {FIRM NAME} to security risks. Non-business related software should not be installed on {FIRM NAME} computers. If you are unsure of what is considered prohibited, please contact the Chief Compliance Officer.

EVERY EMPLOYEE IS RESPONSIBLE FOR THEIR COMPUTER BEING PATCHED AND UPDATED AT ALL TIMES.

B. USER ID AND PASSWORD

Each User must have a User-ID and password prior to being able to use any {FIRM NAME} computer or Information Technology System. A User-ID and a password, both of which are unique to an individual, will be supplied to each user upon onboarding.

Strong Passwords are Required at All Times. Passwords must be at least 13 characters long and contain at least 1 of each: Upper Case Letter, Lower Case Letter, Symbol, and a Number.

Each User is responsible for all activity that occurs on his or her User-ID unless such ID is stolen and it is demonstrated that the User was not negligent in having allowed such theft to occur. User-IDs are revoked when a User is no longer authorized to access {FIRM NAME}'s Information Technology Systems. User-IDs are also subject to suspension if not used regularly or if an incorrect password is entered repeatedly.

It is the responsibility of each User to protect the confidentiality of his or her password. Passwords must not be shared with others or recorded in any places where they might be found. All Users must log ALL passwords in LastPass. Users are responsible for protecting it and must report promptly if it is lost or stolen. Users who are provided with other authentication hardware such as a SecurID token, YubiKey or smartcard must take care to protect it and report it lost or stolen immediately.

Users must not allow others to use their access without supervision.

C. REMOTE DIAL UP AND VPN ACCESS

{FIRM NAME} provides VPN access to the Information Technology Systems to facilitate work while away from the {FIRM NAME} premises. Users must not share their remote access or allow others to use it.

D. DAILY BACKUPS

The firm is required to conduct periodic backups of all information that resides on its central computer systems, servers, and networks in order to protect {FIRM NAME}'s information resources from loss or damage. Maintenance of information stored on a User's personal computer or laptop hard drive (e.g., C: drive) is the responsibility of the User and is not included in normal backup procedures and recovery capabilities. In case of equipment failure or upgrade, any information on a local system may be lost.

E. VIRUS-SCREENING SOFTWARE

Virus-screening software has been and will continue to be installed on {FIRM NAME} desktop and laptop computers and must not be disabled for any reason. No User may take any steps to disable any firewalls, filters or similar protections which have been installed by {FIRM NAME}. Users may not load onto the Information Technology Systems or transmit any disabling software, such as Trojan horses, viruses, worms, time bombs or any other form of disabling code.

EVERY USER MUST ENSURE THEIR VIRUS SCREENING SOFTWARE IS ACTIVE AND UP TO DATE.


F. LOCK COMPUTER

{FIRM NAME} computers must utilize a screen-saver with password protection, configured to activate after no more than 5 minutes of inactivity unless an exception is approved by the Chief Compliance Officer.

Each User must lock his or her computer (Windows Key + L) before leaving at the end of the workday. Users should never leave their computers logged in and unattended.

Users entrusted with {FIRM NAME} computer assets, including desktops, laptops, Blackberries, and software, must exercise due diligence at all times to prevent theft, destruction or other misuses of the assets.

Portable laptops, notebooks, palmtops and other transportable computers containing sensitive {FIRM NAME} information must be treated with the same care provided to {FIRM NAME} documents. If a {FIRM NAME} computer or Information Technology device is lost or stolen, the Chief Compliance Officer must be notified immediately.

G. THIRD PARTY SOFTWARE

No User should include any code that is subject to any open source license without the approval of the Chief Compliance Officer.

By signing below, you acknowledge the receipt of this policy and attest that you will follow all rules set within.

------------------------------------------------ --------------------------------

Employee Signature Date

------------------------------------------------ --------------------------------

Chief Compliance Officer Signature Date


Appendix C

Policy and Procedures Manual Outline

INTRODUCTION TO DOCUMENT

OBJECTIVES OF DOCUMENT

DEFINITIONS [FIRM SPECIFIC]

IDENTIFICATION OF RISKS/CYBERSECURITY GOVERNANCE
1. Inventory of Physical Devices
2. Inventory of Software Platforms and Applications
3. Map of Network Resources, Connections and Data Flows
4. Catalog of Connections to the Firm’s Network from External Sources
5. Resources Prioritized for Protection Based on Sensitivity and Business Value
6. Logging Capabilities and Practices
7. Periodic Risk Assessment
8. Cybersecurity Roles and Responsibilities
9. Business Continuity Plan
10. Cybersecurity Insurance
11. Deviations from this Cybersecurity Policy

ACCESS RIGHTS AND CONTROLS
1. User Access Rights, Controls and Multi Factor Authentication
2. User Passwords
3. Acceptable Use of Firm-Provided Network, Email, Internet, and Mobile Devices
4. User Remote Network Access
5. Login Attempt, Failures, and Lockouts

PROTECTION OF FIRM NETWORKS AND INFORMATION
1. Cybersecurity Risk Management Process Standards
2. Written Guidance and Periodic Training Regarding Cybersecurity Risks
3. Baseline Configuration of Hardware and Software
4. Hardware Removal, Transfer, and Disposition
5. System Maintenance and Software Patches
6. Removable and Mobile Media
7. Distributed Denial of Service Attacks
8. Cybersecurity Incident Response Policy
9. Server and System Backup Policy
10. Encryption Policy
11. Record Keeping Policy

RISKS ASSOCIATED WITH REMOTE CUSTOMER ACCESS AND FUNDS TRANSFER REQUESTS
1. Customer Online Account Access
2. Written Identity Theft Prevention Program
3. Firm Policies for Addressing Losses Associated with Cybersecurity Attacks

RISKS ASSOCIATED WITH IT VENDORS AND OTHER THIRD PARTIES
1. IT / SaaS / IaaS Vendor, Third Party Service Provider or Business Partner Cybersecurity Risk Assessments
2. IT Vendor or Third Party Service Provider Agreements
3. IT / SaaS / IaaS Vendor, Third Party Service Provider, or Business Partner Training Materials
4. Segregation of Network Resources from Resources Accessible to Third-Parties
5. Segregation of Network Resources for Remote Maintenance by Third Parties
6. Contingency Plans for IT / SaaS / IaaS Vendors, or Third Party Service Providers

DETECTION OF UNAUTHORIZED ACTIVITY
1. Policies and Procedures for Detecting Unauthorized Activity on the Firm’s Network
2. Monitoring the Firm’s Physical Environment to Detect Potential Cybersecurity Incidents
3. Monitoring the Activity of Third-Party Service Providers with Access to the Firm’s Network
