a) premium billing

b) insurance policy administrative changes

c) provide insurance investment performance analysis and reporting

d) facilitate monthly transfer elections

e) quarterly social security sweep and death claim processing

f) quarterly life insurance analysis reporting
(i) Upon Clark’s bankruptcy, insolvency or assignment of commissions for the benefit of creditors, conviction of Clark of any felony or fraud or of any crime involving dishonesty;

(ii) Upon Clark’s material failure to acquire or continuously maintain all licenses required by state or federal law or cancellation of or refusal to renew by the insurance regulatory authority any license, certificate or other regulatory approval required by Clark to perform their duties under this Agreement;

(iii) Upon any material violation by Clark or its officers, employees or agents of any rule or regulation of any regulatory authority having jurisdiction which would materially adversely affect Clark’s ability to satisfy its obligations under this Agreement; or

(iv) Upon Clark’s failure to perform or observe any material term, covenant or agreement contained in this Agreement which failure shall remain unremedied for 30 days after the receipt from Transamerica of written notice thereof.

(i) Upon Transamerica’s bankruptcy, insolvency, conviction of their officers or supervisory personnel of any felony or fraud or of any crime involving dishonesty;

(ii) Upon Transamerica’s material failure to acquire or continuously maintain all licenses required by state or federal law, or cancellation of or refusal to renew by the insurance regulatory authority any license, certificate or other regulatory approval required by Transamerica to perform their duties under this Agreement;

(iii) Upon any material violation by Transamerica or its officers, employees or agents of any rule or regulation of any regulatory authority having jurisdiction which would materially adversely affect Transamerica’s ability to satisfy its obligations under this Agreement; or

(iv) Upon Transamerica’s failure to perform or observe any material term, covenant or agreement contained in this Agreement which failure shall
7.0.1 Clark represents and warrants that:

a. it is a limited liability company domiciled in Illinois in good standing;

b. that it has or will have all licenses and permits necessary for it to carry on the activities contemplated by this Agreement;

c. that it is not the subject of any license revocation proceeding in any jurisdiction;

d. that it may enter into and perform its obligations under this Agreement without violating any federal or state securities law or insurance law and any regulation or order thereunder, or any contractual or other obligation to any other person; and

e. it is and will remain throughout the term of this Agreement appropriately licensed, appointed, and registered to perform the Services pursuant to the applicable laws, statutes, rules and regulations promulgated by any state, local and/or federal regulation authority.

7.0.2 Transamerica represents and warrants that:

b. is duly licensed as a life insurance company in all jurisdictions where its activities would require licensing; and

c. that it is not the subject of any license revocation proceeding in any jurisdiction, and

d. that it may enter into and perform its obligations under this Agreement without violating any federal or state securities law or insurance law and any regulation or order thereunder, or any contractual or other obligation to any other person.
1. Overview. The purpose of this Attachment A is to define the Information Security practices that Clark agrees to establish, administer and maintain to protect the security, integrity and availability of Customer information assets.

2. Definitions. For purposes of Attachment A, the terms defined below have the following meaning:

a. “Agent” means anyone who, through either an agency or contractual relationship, has authority to view, host, store, process, transmit, print, back up or destroy Customer Information Assets.

b. “Customer Information Assets” are Information Assets belonging to or under the control of Customer, including but not limited to, all information and data provided by Customer to Clark in any form, and any information or data generated as a result thereof (excluding any information that is of public record or that Customer provides written permission for its disclosure).

c. “Information Assets” are defined as information and data in any form, whether electronic, hardcopy, photographic image, microfiche or microfilm or in digital, magnetic, optical or electronic form. It also includes all computing, network, and telecommunications systems and equipment, which view, host, store, process, transmit, print, back up or destroy information and data (e.g., personal computers, laptops, workstations, servers, network devices, software, portable storage devices, electronic storage media, cabling, and other computing and infrastructure equipment).

d. “Information Security” is defined as the protection against the loss of an Information Asset’s confidentiality, integrity or availability.

e. “Information Security Breach” is defined as any unauthorized access, use, disclosure or acquisition of Information Assets.

f. “Information Security Program” is defined as the policies, procedures and controls, designed to protect the confidentiality, integrity, and availability of Information Assets.

g. “Information Security Vulnerability” is defined as a weakness in information security controls which could be exploited to gain unauthorized access to Information Assets.

a. “Physical Security” or “Physically Secured” is defined as the protection of information in hardcopy form, information technology hardware, infrastructure and facilities, as well as, power or environmental control, utilities used in data processing operations, against loss or unauthorized acquisition, access or disclosure, damage or misuse during its production, storage, distribution, use or destruction.
2. Organizational Roles and Responsibilities.

3. Information Security Program Framework and Right to Audit.

a. Clark agrees to conform its Information Security Program to the framework set forth by the International Standards Organization (“ISO”) in the ISO’s Code of Practice for Information Security Management (“ISO/IEC 27002:2005,” as amended from time to time). Clark also agrees to include in its Information Security Program the practices described in this Attachment A.

b. Upon request, Clark agrees to provide Customer a written certification as to its compliance with the terms of this Attachment A.

c. At least annually, and following any Information Security Breach of Clark involving Customer Information Assets, Clark shall grant Customer or a third-party appointed by Customer permission to perform a written or on-site audit or assessment of Clark’s compliance with the Information Security Program requirements.

4. General Information Security Requirements.

a. Clark agrees to take reasonable measures to segregate job functions and roles performed by its employees or Agents to ensure that no individual, internal or external to Clark, has conflicting duties that could jeopardize the security, integrity or availability of Customer Information Assets. Such measures may include, but are not limited to, permitting only Clark employees or Agents with a “business need to know” to access and manage Customer Information Assets, providing the most minimal level of access needed to perform a given job function (the “principle of least privilege”).

a. Clark agrees to prohibit the installation of unauthorized or unlicensed software on Clark Information Assets by its employees or Agents or to permit unauthorized connection to or interaction with Customer’s company network.

b. To guard against unauthorized access, Clark agrees to configure with industry standard encryption technology, its portable devices that store, process, transmit or destroy Customer Information Assets, such as, laptops, personal digital assistants, Blackberries®, smart phones, hand-held or palmtop computers, portable memory drives, and other similar portable devices.

2. Information Asset Classification, Information Asset Management and Record Retention.

a. Clark agrees to establish reasonable measures to classify and control its Information Assets to indicate the ownership, custodianship and degree of sensitivity consistent with Customer’s Information Asset classification program to ensure that Customer Information Assets receive an appropriate level of protection by Clark. Customer’s Information Asset classification program provides for the segregation of Information Assets into the following categories: public information, non-sensitive business data, proprietary information and confidential information.

b. Clark agrees to maintain and preserve Customer’s Information Assets pursuant to Customer’s record retention requirements. Clark agrees not to dispose of any Customer Information Assets without prior written notice and securing Customer’s affirmative approval of such proposed destruction. Destruction methodologies must be performed in a secure manner such that the information cannot be recreated or read after disposal.

3. Human Resources & the Business of Insurance.

a. Clark agrees to perform sufficient criminal background checks prior to employment to ensure that individuals convicted of any criminal felony involving theft, dishonesty or a breach of trust do not access Customer Information Assets or render services to the Customer as prohibited by the Violent Crime Control and Law Enforcement Act of 1994 (see 18 U.S. Code §§ 1033 and 1034).

a. information to enable Customer to remove identified former Clark employee or Agent from accessing Customer’s network or internal systems.

c. Clark agrees to provide and maintain an Information Security training program for its employees and Agents to enable protection and maintenance of the confidentiality and security of Customer Information Assets. Clark further agrees to impose disciplinary measures on those employees or Agents who violate the Information Security Program.
2. Physical Security.

9. Information Back Ups.

a. Clark agrees to maintain adequate back up facilities reasonably designed to support the recovery of back up copies (“back up” or “back ups”) of Customer Information Assets in accordance with Customer disaster recovery requirements and record retention requirements. Clark agrees to ensure that such back up facilities are reasonably designed to be physically secured.

b. Clark agrees to store no more than one (1) full back up and six (6) days of subsequent incremental back ups on Clark’s premises. Clark further agrees to utilize machine-readable back up technology.

c. Clark agrees to encrypt back ups to prevent unauthorized access to and ensure the confidentiality of Customer Information Assets.

10. Network Security.

a. Clark agrees that Customer may terminate any network or remote connection (“remote connection”) with Clark at any time, without warning, if Customer suspects or confirms that any such connection is not secure.

b. Clark agrees to utilize best practices with respect to establishing and maintaining appropriate controls for its electronic interfaces and connections between its own systems and those of others.

a. software patches and security updates, firewall, proxy or other network traffic filtering technology, to protect its Information Assets.

b. Clark agrees to utilize appropriate firewall- or proxy-based, or similar architecture to disallow unauthorized in-bound and out-bound connections to Customer Information Assets on its Information Assets that view, host, store, process, transmit, print, back up or destroy Customer Information Assets. Moreover, Clark further agrees to employ intrusion detection systems or intrusion prevention systems to guard against malicious network activity and configure such systems to alert appropriate Clark personnel.

c. Clark agrees to configure wireless network access points to ensure that only authorized Clark devices establish a connection to the Clark internal network where Customer Information Assets are viewed, hosted, stored, processed, transmitted, printed, backed up or destroyed. Furthermore, Clark agrees to utilize industry best practices for encryption and other appropriate safeguards to protect against unauthorized access and use.

d. Clark agrees to ensure that Customer Information Assets are not available in Information Assets directly exposed to the internet or other non-Clark network, unless previously authorized, in writing, by Customer.

10. System Event Logging, Monitoring and Reporting.

11. Logical Access.

a. the disposition and usage of the account and password, configures the system account with advanced complex password creation rules (e.g., extended password length, hashing algorithms), limits the system account, wherever possible, to allow log on capabilities only to required computers and/or servers, manually changes the system account, at least once a year and upon staff turnover. Moreover, accounts with any access to Customer Information Assets must be configured, as technically possible, to disallow login capability after a maximum of seven (7) consecutive unsuccessful login attempts.
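The lockout requirement in clause 11.a turns on consecutive, not cumulative, failures, which is the detail an auditor checks when verifying the control. The following is an added illustration, not part of the Agreement or either party's systems: it replays a constructed sequence of authentication events per account and reports which accounts the seven-attempt rule would disable. The event layout and account names are assumptions.

```python
from collections import defaultdict

# Threshold taken from clause 11.a: disable login after a maximum of
# seven (7) consecutive unsuccessful login attempts.
MAX_CONSECUTIVE_FAILURES = 7

# Constructed sample events (account, outcome) in time order; the
# two-field layout is an assumption and real authentication logs differ.
SAMPLE_EVENTS = [
    ("svc_billing", "fail"), ("svc_billing", "fail"), ("svc_billing", "success"),
    ("svc_billing", "fail"), ("svc_billing", "fail"), ("svc_billing", "fail"),
    ("svc_billing", "fail"), ("svc_billing", "fail"), ("svc_billing", "fail"),
    ("svc_billing", "fail"),                       # 7th consecutive failure: lock
    ("svc_billing", "success"),                    # rejected: account already locked
    ("jdoe", "fail"), ("jdoe", "fail"), ("jdoe", "success"),  # never reaches 7
]


def evaluate_lockouts(events, threshold=MAX_CONSECUTIVE_FAILURES):
    """Replay events per account under the consecutive-failure rule.

    Returns ({account: (locked, consecutive_failures)}, rejected_event_indexes).
    A success resets the counter; once an account is locked it stays locked
    and every later event for it is rejected, including successful ones,
    which is what "disallow login capability" requires.
    """
    failures = defaultdict(int)
    locked = {}
    rejected = []  # indexes of events that hit an already-locked account
    for i, (account, outcome) in enumerate(events):
        if locked.get(account):
            rejected.append(i)
            continue
        if outcome == "success":
            failures[account] = 0
        elif outcome == "fail":
            failures[account] += 1
            if failures[account] >= threshold:
                locked[account] = True
        else:
            raise ValueError(f"unknown outcome {outcome!r} at event {i}")
    return {a: (locked.get(a, False), failures[a]) for a in failures}, rejected


if __name__ == "__main__":
    states, rejected = evaluate_lockouts(SAMPLE_EVENTS)
    for account, (is_locked, count) in states.items():
        print(f"{account}: locked={is_locked} consecutive_failures={count}")
    print("rejected event indexes:", rejected)
```

Note that a cumulative counter would also lock jdoe after enough spread-out failures, while the clause as written does not; the reset on success is the behaviour to confirm during the audit described in section 3.c.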
b. Clark agrees to store password text in encrypted form in the user identity database and such password text must be rendered unreadable during transmission and storage, if embedded within batch files, automatic login scripts, software macros, terminal function keys, on computer where access controls are disabled, or any location where unauthorized individuals may discover password text.

10. Application and System Development.

11. Information Security Incident Management.

a. Clark agrees to establish and maintain a written information security incident response program (“ISIRP”), which, at minimum, includes: policy and procedures, defined roles and responsibilities of ISIRP members and provides for annual ISIRP training;

b. Clark agrees to disclose to Customer any unmitigated Information Security Breach experienced by Clark prior to the execution of this Agreement;

c. Clark agrees to report to Customer within twenty-four (24) hours any actual or suspected Information Security Breach involving Customer Information Assets. The parties agree to coordinate and cooperate with each other in investigating the suspected breach. Clark agrees to take immediate steps to remedy the Information Security Breach in accordance with applicable privacy laws and regulations.

9. Compliance.