EX-99.P CODE ETH 7 ex99p14.htm

Code of Ethics Statement

 

Background

 

In accordance with SEC regulations, Hypatia Capital Management LLC (“HCML”) has adopted a code of ethics to:

 

• Set forth standards of conduct expected of all supervised persons (including compliance with federal securities laws);
• Safeguard material non-public information about client transactions; and
• Require “access persons” to report their personal securities transactions.

In addition, the activities of an investment adviser and its personnel must comply with the broad antifraud provisions of Section 206 of the Advisers Act, Section 17j-1 of the Advisers Act, and related federal securities law.

 

Introduction

 

As an investment advisory firm, HCML has an overarching fiduciary duty to its clients. They deserve its undivided loyalty and effort, and their interests come first. HCML has an obligation to uphold that fiduciary duty and see that its personnel do not take inappropriate advantage of their positions and the access to information that comes with their positions.

 

HCML holds its supervised persons accountable for adhering to and advocating the following general standards to the best of their knowledge and ability:

 

• Always place the interest of the clients first and never benefit at the expense of advisory clients;
• Always act in an honest and ethical manner, including in connection with the handling and avoidance of actual or potential conflicts of interest between personal and professional relationships;
• Always maintain the confidentiality of information concerning the identity of security holdings and financial circumstances of clients;
• Fully comply with applicable laws, rules and regulations of federal, state and local governments and other applicable regulatory agencies; and
• Proactively promote ethical and honest behavior with HCML including, without limitation, the prompt reporting of violations of, and being accountable for adherence to, this Code of Ethics.

 

Failure to comply with HCML’s Code of Ethics may result in disciplinary action, up to and including termination of employment.

 

Definitions

 

“Access Person” includes any supervised person who has access to non-public information regarding any client’s purchase or sale of securities, or non-public information regarding the portfolio holdings of any client account or any fund the adviser or its control affiliates manage, or is involved in making securities recommendations to clients, or has access to such recommendations that are non-public. All of the firm’s directors, officers, and partners are presumed to be access persons.

 

“Advisers Act” means Investment Advisers Act of 1940.

 

“Adviser” means HCML.

 

“Beneficial ownership” shall be interpreted in the same manner as it would be under Rule 16a-1(a)(2) under the Securities Exchange Act of 1934: a direct or indirect “pecuniary interest” that is held or shared by a person directly or indirectly in a security, through any contract, arrangement, understanding, relationship or otherwise, which offers the opportunity to directly or indirectly profit or share in any profit from a transaction. An access person is presumed to have beneficial ownership of any family member’s account.

 

“CCO” means Chief Compliance Officer per rule 206(4)-7 of the Investment Advisers Act of 1940.

 

For the purposes of this Code of Ethics, a “Conflict of Interest” will be deemed to be present when an individual’s private interest interferes in any way, or even appears to interfere, with the interests of the adviser as a whole.

 

“Initial Public Offering” means an offering of securities registered under the Securities Act of 1933, the issuer of which, immediately before the registration, was not subject to the reporting requirements of Section 13 or Section 15(d) of the Securities Exchange Act of 1934.

 

“Investment personnel” means any employee of the investment adviser or of any company in a control relationship to the investment adviser who, in connection with his or her regular functions or duties, makes or participates in making recommendations regarding the purchase or sale of securities for clients.

 

“Limited Offering” means an offering that is exempt from registration under the Securities Act of 1933 pursuant to Section 4(2) or Section 4(6) thereof or pursuant to Rule 504, Rule 505 or Rule 506 thereunder.

 

“Reportable Security” means any note, stock, treasury stock, security future, bond, debenture, evidence of indebtedness, certificate of interest or participation in any profit-sharing agreement, collateral-trust certificate, preorganization certificate or subscription, transferable share, investment contract, voting-trust certificate, certificate of deposit for a security, fractional undivided interest in oil, gas, or other mineral rights, any put, call, straddle, option, or privilege on any security (including a certificate of deposit) or on any group or index of securities (including any interest therein or based on the value thereof), or any put, call, straddle, option, or privilege entered into on a national securities exchange relating to foreign currency, or, in general, any interest or instrument commonly known as a “security”, or any certificate of interest or participation in, temporary or interim certificate for, receipt for, guaranty of, or warrant or right to subscribe to or purchase any of the foregoing, except:

 

• Direct obligations of the Government of the United States;
• Bankers' acceptances, bank certificates of deposit, commercial paper and high quality short-term debt instruments, including repurchase agreements;
• Shares issued by money market funds;
• Shares issued by open-end funds other than reportable funds;
• Shares issued by unit investment trusts that are invested exclusively in one or more open-end funds, none of which are reportable funds.

 

“Supervised Persons” means directors, officers, and partners of the adviser (or other persons occupying a similar status or performing similar functions); employees of the adviser; and any other person who provides advice on behalf of the adviser and is subject to the adviser’s supervision and control.

 

Compliance Procedures

 

Compliance with Laws and Regulations

Supervised persons of HCML must comply with applicable state and federal securities laws. Specifically, supervised persons are not permitted, in connection with the purchase or sale, directly or indirectly, of a security held or to be acquired by a client:

 

• To defraud such client in any manner;
• To mislead such client, including making any statement that omits material facts;
• To engage in any act, practice or course of conduct that operates or would operate as a fraud or deceit upon such client;
• To engage in any manipulative practice with respect to such client;
• To engage in any manipulative practice with respect to securities, including price manipulation.

 

Prohibited Purchases and Sales

 

Insider Trading


Illegal insider trading refers generally to buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence, while in possession of material, non-public information about the security. The SEC defines information as material if “there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision.” Information is non-public if it has not been disseminated in a manner making it available to investors generally.

 

HCML strictly prohibits trading personally or on the behalf of others, directly or indirectly, based on the use of material, non-public or confidential information. HCML additionally prohibits the communicating of material non-public information to others in violation of the law. Employees who are aware of the misuse of material non-public information should report such to the CCO. This policy applies to all of HCML’s employees and associated persons without exception.

 

Please note that it is the SEC’s position that the term “material non-public information” relates not only to issuers but also to the adviser’s securities recommendations and client securities holdings and transactions.

 

Initial Public Offerings (IPOs)

No access person or other employee may acquire, directly or indirectly, beneficial ownership in any securities in an Initial Public Offering.

 

Limited or Private Offerings

 

No access person or other employee may acquire, directly or indirectly, beneficial ownership in any securities in a Limited or Private Offering without first obtaining the prior approval of the CCO. Investment personnel are required to disclose such investment to any client considering an investment in the issuer of such Limited or Private Offering.

 

Miscellaneous Restrictions

 

Blackout Periods

 

From time to time, representatives of HCML may buy or sell securities for themselves at or around the same time as clients. This may provide an opportunity for representatives of HCML to buy or sell securities before or after recommending securities to clients, resulting in representatives profiting off the recommendations they provide to clients. Such transactions may create a conflict of interest. When similar securities are being bought or sold, HCML employees will either transact clients’ transactions before their own or will transact alongside clients’ transactions in block or bunch trades.

 

Margin Accounts

 

Investment personnel are prohibited from purchasing securities on margin.

 

Option Transactions

 

Investment personnel are prohibited from purchasing options.

 

Short Sales

 

Investment personnel are prohibited from selling any security short, in their own accounts, that is owned by any client of the firm, except for short sales against the box.

 

 
 

Short-Term Trading

 

Securities held in client accounts may not be purchased and sold, or sold and repurchased, within 30 calendar days by investment personnel. The CCO may, for good cause shown, permit a short-term trade, but shall record the reasons and grant of permission with the records of the Code.

 

Prohibited Activities

 

Conflicts of Interest


HCML has an affirmative duty of care, loyalty, honesty, and good faith to act in the best interest of its clients. A conflict of interest may arise if a person’s personal interest interferes, or appears to interfere, with the interests of HCML or its clients. A conflict of interest can arise whenever a person takes action or has an interest that makes it difficult for him or her to perform his or her duties and responsibilities for HCML honestly, objectively and effectively.

 

While it is impossible to describe all of the possible circumstances under which a conflict of interest may arise, listed below are situations that most likely could result in a conflict of interest and that are prohibited under this Code of Ethics:

 

• Access persons may not favor the interest of one client over another client (e.g., larger accounts over smaller accounts, accounts compensated by performance fees over accounts not so compensated, accounts in which employees have made material personal investments, accounts of close friends or relatives of supervised persons). This kind of favoritism would constitute a breach of fiduciary duty;
• Access persons are prohibited from using knowledge about pending or currently considered securities transactions for clients to profit personally, directly or indirectly, as a result of such transactions, including by purchasing or selling such securities.

 

Access persons are prohibited from recommending, implementing or considering any securities transaction for a client without having disclosed any material beneficial ownership, business or personal relationship, or other material interest in the issuer or its affiliates, to the CCO. If the CCO deems the disclosed interest to present a material conflict, the investment personnel may not participate in any decision-making process regarding the securities of that issuer.

 

Political and Charitable Contributions

 

Supervised persons who make political contributions, in cash or services, must report each such contribution to the CCO, who will compile and report thereon as required under relevant regulations. Supervised persons are prohibited from considering the adviser’s current or anticipated business relationships as a factor in soliciting political or charitable donations.

 

Gifts and Entertainment

 

Supervised persons shall not accept inappropriate gifts, favors, entertainment, special accommodations, or other things of material value that could influence their decision-making or make them feel beholden to a person or firm. Similarly, supervised persons shall not offer gifts, favors, entertainment or other things of value that could be viewed as overly generous or aimed at influencing decision-making or making a client feel beholden to the firm or the supervised person.

 

No supervised person may receive any gift, service, or other thing of more than de minimis value from any person or entity that does business with or on behalf of the adviser without written pre-approval by the CCO. No supervised person may give or offer any gift of more than de minimis value to existing clients, prospective clients, or any entity that does business with or on behalf of the adviser without written pre-approval by the CCO. The annual receipt of gifts from the same source valued at $100 or less shall be considered de minimis. Additionally, the receipt of an occasional dinner, a ticket to a sporting event or the theater, or comparable entertainment also shall be considered to be of de minimis value if the person or entity providing the entertainment is present.

 

All gifts, given and received, will be recorded in a log (see Sample 10).

 

No supervised person may give or accept cash gifts or cash equivalents to or from a client, prospective client, or any entity that does business with or on behalf of the adviser.

 

Bribes and kickbacks are criminal acts, strictly prohibited by law. Supervised persons must not offer, give, solicit or receive any form of bribe or kickback.

 

Service on Board of Directors

 

Supervised persons shall not serve on the board of directors of publicly traded companies absent prior authorization by the CCO. Any such approval may only be made if it is determined that such board service will be consistent with the interests of the clients and of HCML, and that such person serving as a director will be isolated from those making investment decisions with respect to such company by appropriate procedures. A director of a private company may be required to resign, either immediately or at the end of the current term, if the company goes public during his or her term as director.

 

Confidentiality


Supervised persons shall respect the confidentiality of information acquired in the course of their work and shall not disclose such information, except when they are authorized or legally obliged to disclose the information. They may not use confidential information acquired in the course of their work for their personal advantage. Supervised persons must keep information about clients (including former clients) in strict confidence, including the client’s identity (unless the client consents), the client’s financial circumstances, the client’s security holdings, and advice furnished to the client by the firm.

 

Pre-Clearance

 

For any activity where it is indicated in the Code of Ethics that pre-clearance is required, the following procedure must be followed:

 

• Pre-clearance requests must be submitted by the requesting supervised person to the CCO in writing. The request must describe in detail what is being requested and any relevant information about the proposed activity;
• The CCO will respond in writing to the request as quickly as is practical, either giving an approval or declination of the request, or requesting additional information for clarification;
• Pre-clearance authorizations expire 48 hours after the approval, unless otherwise noted by the CCO on the written authorization response;
• Records of pre-clearance requests and responses will be maintained by the CCO for monitoring purposes and ensuring the Code of Ethics is followed.

 

Personal Securities Reporting and Monitoring

 

Holdings Reports

 

Every access person shall, no later than ten (10) days after the person becomes an access person and quarterly thereafter, file a holdings report containing the following information (see Sample 8):

• The title, exchange ticker symbol or CUSIP number (when available), type of security, number of shares and principal amount of each Reportable Security in which the access person has any direct or indirect beneficial ownership when the person becomes an access person;
• The name of any broker, dealer or bank with whom the access person maintains an account in which any securities are held for the direct or indirect benefit of the access person;
• The date that the report was submitted by the access person.

 

The information in the holdings report must be current as of a date no more than forty-five (45) days prior to the date the report was submitted.

 

Transaction Reports


Every access person shall, no later than 30 days after the end of each calendar quarter, file transaction reports containing the following information (see Sample 9):

 

• For each transaction involving a Reportable Security in which the access person had, or as a result of the transaction acquired, any direct or indirect beneficial interest, the access person must provide the date of the transaction, the title, exchange ticker symbol or CUSIP number (when available), type of security, the interest rate and maturity date (if applicable), number of shares and principal amount of each involved in the transaction;
• The nature of the transaction (e.g., purchase, sale);
• The price of the security at which the transaction was effected;
• The name of any broker, dealer or bank with or through which the transaction was effected;
• The date that the report was submitted by the access person.

 
 

 

Access persons may use duplicate brokerage confirmations and account statements in lieu of submitting quarterly transaction reports, provided that the required information is contained in those confirmations and statements.

 

Report Confidentiality

 

Holdings and transaction reports will be held strictly confidential, except to the extent necessary to implement and enforce the provisions of the code or to comply with requests for information from government agencies.

 

Exceptions to Reporting Requirements

Access persons do not need to submit:

 

• Any report with respect to securities held in accounts over which the access person had no direct or indirect influence or control;
• A transaction report with respect to transactions effected pursuant to an automatic investment plan;
• A transaction report if the report would duplicate information contained in broker trade confirmations or account statements that the firm holds in its records so long as it receives the confirmations or statements no later than 30 days after the end of the applicable calendar quarter.

 

Review of Personal Securities

 

HCML is required by the Advisers Act and applicable state law to review access persons’ initial holdings report and to do so quarterly thereafter. Transaction reports are reviewed at least quarterly. The CCO is responsible for reviewing these transactions and holdings reports. The CCO’s personal securities transactions and reports shall be reviewed by designated firm personnel.

 

Access persons are subject to the reporting requirements detailed above for personal accounts and all accounts in which they have any beneficial ownership in any reportable securities. For clarification, these terms are defined in this Code.

 

Single Access Person Advisers

 

If at any time HCML only has one access person, the person will not be required to submit reports but will maintain records of all holdings and transactions. It is assumed that all trades by the sole access person are reviewed as the trades are entered.

 

Certification of Compliance

 

Initial Certification

 
 


The firm is required to provide supervised persons with a copy of this Code. Supervised persons are to certify in writing via an attestation statement (see Sample 1) that they have: (a) received a copy of this Code; (b) read and understand all provisions of this Code; and (c) agreed to comply with the terms of this Code.

 

Acknowledgement of Amendments

The firm must provide supervised persons with any amendments to this Code and supervised persons must submit a written acknowledgement that they have received, read, and understood the amendments to this Code.

 

Annual Certification

Supervised persons must annually certify via an attestation statement that they have read, understood, and complied with this Code of Ethics and that the supervised person has made the reports required by this code and has not engaged in any prohibited conduct.

 

The CCO shall maintain records of these certifications of compliance (see Sample 1).

 

Reporting Violations and Whistleblower Provisions

 

Supervised persons must report violations of the firm’s Code of Ethics promptly to the CCO. If the CCO is involved in the violation or is unreachable, supervised persons may report directly to the CCO’s supervisor or other firm principal. Reports of violations will be treated confidentially to the extent permitted by law and investigated promptly and appropriately. Persons may report violations of the Code of Ethics on an anonymous basis. Examples of violations that must be reported include (but are not limited to):

 

• Noncompliance with applicable laws, rules, and regulations;
• Fraud or illegal acts involving any aspect of the firm’s business;
• Material misstatements in regulatory filings, internal books and records, client records or reports;
• Activity that is harmful to clients, including fund shareholders;
• Deviations from required controls and procedures that safeguard clients and the firm; and
• Violations of the firm’s Code of Ethics.

 

No retribution will be taken against a person for reporting, in good faith, a violation or suspected violation of this Code of Ethics.

 

Retaliation against an individual who reports a violation is prohibited and constitutes a further violation of the Code.

 

 
 

Compliance Officer Duties

 

Training and Education


The CCO shall be responsible for training and educating supervised persons regarding this Code. Training will occur periodically as needed and supervised persons are required to attend any training sessions or read any applicable materials.

 

Recordkeeping


The CCO shall ensure that HCML maintains the following records in a readily accessible place:

 

• A copy of each Code of Ethics that has been in effect at any time during the past five years;
• A record of any violation of the Code and any action taken as a result of such violation for five years from the end of the fiscal year in which the violation occurred;
• A record of written acknowledgements and/or attestation statements of receipt of the Code and amendments for each person who is currently, or within the past five years was, a supervised person. These records must be kept for five years after the individual ceases to be a supervised person of the firm;
• Holdings and transactions reports made pursuant to the code, including any brokerage confirmation and account statements made in lieu of these reports;
• A list of the names of persons who are currently, or within the past five years were, access and/or supervised persons;
• A record of any decision and supporting reasons for approving the acquisition of securities by access or supervised persons in initial public offerings and limited offerings for at least five years after the end of the fiscal year in which approval was granted;
• A record of any decisions that grant employees or access or supervised persons a waiver from or exception to the Code.

 

Annual Review


The CCO shall review at least annually the adequacy of this Code of Ethics and the effectiveness of its implementation and make any changes needed.

 

Sanctions


Any violations discovered by or reported to the CCO shall be reviewed and investigated promptly, and reported through the CCO to the supervisor or other firm principal. Such report shall include the corrective action taken and any recommendation for disciplinary action deemed appropriate by the CCO. Such recommendation shall be based on, among other things, the severity of the infraction, whether it is a first or repeat offense, and whether it is part of a pattern of disregard for the letter and intent of this Code of Ethics. Upon recommendation of the CCO, the supervisor may impose such sanctions for violation of this Code of Ethics as it deems appropriate, including, but not limited to:

 
 

 

• Letter of censure;
• Suspension or termination of employment;
• Reversal of a securities trade at the violator’s expense and risk, including disgorgement of any profit;
• In serious cases, referral to law enforcement or regulatory authorities.
 
 

Diminished Capacity & Elder Financial Abuse Policy

 

Diminished Capacity

 

Increased life spans bring an increased chance that clients may suffer from some sort of diminished capacity (an impaired mental state or condition). Diminished capacity may be the result of trauma, intoxication, disease/disorder (e.g., dementia, Alzheimer's disease, bipolar disorder), age-related memory changes, or other changes to the client. Signs of diminished capacity may include:

 

• Memory loss (is the client repeating orders or questions?)
• Disorientation (is the client confused about time, place or simple concepts?)
• Difficulty performing simple tasks
• Significantly poorer judgment than in the past
• Drastic mood swings
• Difficulty with abstract thinking

 

As clients reach a certain age, the effects of diminished capacity may begin to impact financial capacity. Financial capacity can be defined as the ability to independently manage one’s financial affairs in a manner consistent with personal self-interest.

 

Elder Financial Abuse

 

Elder financial abuse spans a broad spectrum of conduct including but not limited to: forging signatures; getting an individual to sign over financial ownership of property; taking assets without consent; obtaining a power of attorney (POA) through deception, coercion, or undue influence; using property or possessions without permission; promising various care in exchange for money or property and not following through; perpetrating scams; or engaging in other deceptive acts. While HCML may not be aware of many of these situations at large, supervised persons may suspect such situations when the assets upon which the firm is advising become the targets of these acts. These situations often occur along with the onset of diminished capacity. Signs of elder financial abuse may include:

 

• Increased reluctance to discuss financial matters
• Drastic shifts in investment style
• Abrupt changes in wills, trusts, POAs, or beneficiaries
• Concern or confusion about missing funds
• Atypical or unexplained withdrawals, wire transfers or other changes in financial situation
• Appearance of insufficient care despite significant wealth

 

As a fiduciary to clients, HCML will research the options for reporting of these situations to the proper authorities. Most jurisdictions have the option of using a Department of Social Services (or other similar department) anonymous “tip line” to report possible elder financial abuse issues.

 

 

Firm Policy

 

HCML recognizes its responsibility to work with clients and any necessary family, friends, or medical personnel the client has named in order to move forward if the client’s financial capacity has been compromised. In order to address these circumstances, HCML has adopted the following policies:

 

• HCML will ascertain whether clients have created a living will (durable power of attorney) directed at the client’s financial interest in the event financial capacity becomes compromised.
• HCML will ask all clients to provide the name and contact information of at least one family member (ideally), trusted professional, or non-relative client “advocate” to contact in the event it suspects any irregular activities that may be related to diminished capacity or elder financial abuse (see Sample 11).
• HCML will request signed permission from the client to discuss any suspicious activity in the client’s accounts with approved third party(ies) if diminished capacity or elder financial abuse is suspected.
• If a supervised person suspects a client may be suffering from diminished capacity or elder financial abuse, then the supervised person shall immediately inform the CCO or supervisor. HCML will document the interaction with the client that prompted the suspicion in the client’s file or in a separate file that contains details of all reported suspicions of diminished capacity or elder financial abuse. Until the suspicion is resolved, supervised persons will not meet with the client alone and will continue to thoroughly document all client interactions.
• In the event the financial capacity of the client has deteriorated beyond the point of effective and ethical investment advice and a POA, guardian, or trustee has not been appointed, HCML will terminate the investment advisory relationship and report the circumstances to the designated family member, client advocate, or approved third party or, if none, to the appropriate authority in the applicable jurisdiction (e.g., adult protective services agency).

 

Staff Training

 

 
 

On an annual basis, HCML will conduct a firm-wide training session to ensure that staff members are properly trained and equipped to implement the above policies. New staff members will receive training, led by the CCO, within one (1) month of their initial hire date.

 
 

 

Privacy of Client Information

 

Information Collected and Shared

 

HCML’s privacy policy statement is given to clients at the initial signing of the client contract and mailed or emailed with client consent once annually, if the policy is updated. The CCO will document the date the privacy policy was delivered to each client for each year if an annual delivery is required. HCML may collect information about clients from the following sources:

 

• Information received from client on applications, via other forms, or during conversations;
• Information about client’s transactions with HCML or others; and
• Information provided by a consumer reporting agency.

 

Below are the reasons for which HCML may share a client’s personal information:

 

• With specific third parties as requested by the client (see Sample 11);
• For everyday business purposes – such as to process client transactions, maintain client account(s), respond to court orders and legal investigations, or report to credit bureaus;
• For marketing by HCML – to offer HCML’s products and services to clients;
• For joint marketing with other financial companies;
• For affiliates’ everyday business purposes – information about client transactions and experience; or
• For non-affiliates to market to clients (only where allowed).

 

If a client decides to close his or her account(s) or becomes an inactive customer, HCML will adhere to the privacy policies and practices as described in this manual, as updated.

 

Storing Client Information

 

HCML uses various methods to store and archive client files and other information. Third party services or contractors used have been made aware of the importance HCML places on both firm and client information security. HCML also restricts access to clients’ personal and account information to those employees who need to know that information to provide products or services to its clients. In addition to electronic protection, procedural safeguards, and personnel measures, HCML has implemented reasonable physical security measures at its home office location.

 

 

In addition to HCML’s listed access persons, any IT persons or other technical consultants employed at the firm may also have access to non-public client information at any time. An on-site or off-site server that stores client information, third-party software that generates statements or performance reports, or third-party client portals designed to store client files all hold the potential for a breach of non-public client information.

 

To mitigate a possible breach of the private information, HCML uses encryption software on all computers and carefully evaluates any third-party providers, employees, and consultants with regard to their security protocols, privacy policies, and/or security and privacy training.

 

Identity Theft Red Flags

 

The CFTC (U.S. Commodity Futures Trading Commission), SEC (U.S. Securities and Exchange Commission), and many state regulators have published rules concerning identity theft that encourage or require investment advisers to train firm personnel to recognize “red flags” regarding possible identity theft of advisory clients. While many of these provisions may also be covered in the firm’s broader privacy and AML (anti-money laundering) policies, the list below is a brief, non-exhaustive listing of the items and information that all HCML personnel should monitor and safeguard to guard against any breach of a client’s identity:

 

SAFEGUARDING IDENTIFYING INFORMATION

ØIndividual client’s social security numbers
ØCorporate or other entity client’s tax identification numbers
ØIndividual driver’s license number or other personal identification card
ØPassport numbers
ØFinancial account numbers (credit card, bank, investment, etc.) and any accompanying passwords or access codes

 

POTENTIAL CAUSES OF IDENTITY INFORMATION BREACHES

ØLoss or theft of computers and/or other equipment
ØHacking of computer networks
ØInadvertent exposure of client information to unauthorized individuals (non-locked files, files left on desk, cleaning services, shredding services, etc.)
ØPhysical break-ins / theft

 

HCML personnel are instructed to notify the firm if they detect or have reason to believe that any of the above shown red flag activities may have occurred or if any of the red flag information listed may have been stolen or leaked by any firm personnel. The CCO, CISO, or principal is then tasked with investigating the report and taking appropriate actions. The non-exhaustive list of possible follow-up actions includes notification of the parties involved, notification of appropriate regulatory officials if required, taking remedial actions to assist in the recovery of the stolen information, and possible sanctions of firm personnel if deemed necessary.

 
 

 

Staff Training

 

On an annual basis, HCML will conduct a firm-wide training session to ensure that staff members are properly trained and equipped to implement the above policies regarding client privacy. New staff members will receive training, led by the CCO, within one (1) month of their initial hire date.

 

Client Records

 

Client records will be retained by HCML for at least 5 years after the year in which the record was produced, or as otherwise required by law. With respect to disposal of non-public personal information, HCML will take reasonable measures to protect against unauthorized access to or use of such information in connection with its disposal.

 

HCML takes the privacy and confidentiality of all its clients and personnel very seriously. It will continue to make, and document, any changes needed to promote the security of client information. Additional safeguards are described in the Cybersecurity & Information Security Policy section of this manual.

 
 

Cyber Security & Information Security Policy

 

HCML has appointed John Grenawalt as the firm’s Chief Information Security Officer (“CISO”). The CISO is responsible for managing HCML’s information security program.

 

Access Persons

 

Access Person: Any of HCML’s supervised persons who has access to non-public information regarding any client’s purchase or sale of securities, or information regarding the portfolio holdings of any reportable fund, or who is involved in making securities recommendations to clients, or who has access to such recommendations that are non-public.

 

The following employee(s) will manage non-public information:

 

Name | Title
Patricia Lizarraga | Managing Partner
John Grenawalt | Chief Operating Officer

 

 

Inventory of Technology Infrastructure

 

On an annual basis, the CCO of HCML will make an inventory of the following:

 

ØPhysical devices and systems (computers, servers, etc.);
ØSoftware platforms and applications (email applications, file management, etc.);
ØSystems that house client data; and
ØThird-party contractors that have access to systems, platforms, etc.

 

HCML’s primary software platforms that may contain client data are summarized below.

 

Type of System | Name of System
Customer Relationship Management (CRM) | SalesForce
Email Provider / Hosting | Microsoft Office 365
Document Management / Storage | SharePoint

 

HCML utilizes cloud-based technology systems, which it believes provide increased information security capabilities including:

 

ØAbility to leverage the established infrastructure of trusted technology industry leaders; and
ØImproved system alert capabilities including better user activity logging and alerts related to unusual user activity.

 

 
 

HCML also recognizes that cloud-based technology creates a greater reliance on passwords and user login security. In particular, HCML understands that certain users with administrative access to the firm’s cloud-based technology systems may pose even greater risk given their expanded access to sensitive client data. As such, HCML has designed and will continue to further develop information security policies with this increased risk as a focus.

 

Security of Technology Infrastructure

 

HCML has implemented the following firm-wide information security policies to help prevent unauthorized access to sensitive client data:

 

ØAll computers used to access client data will have antivirus software installed. In addition, the antivirus software will have an active subscription and all updates will be scheduled to automatically install.
ØAll staff will utilize devices with up-to-date operating system software, with all security patches and other software updates set to automatically install
ØAll staff workstations (e.g. desktop, laptop, mobile device) will be locked when the device is not in use
ØAll staff workstations (e.g. desktop, laptop, mobile device) will be shut down completely at the end of each workday
ØAll staff workstations (e.g. desktop, laptop, mobile device) will use proper data encryption when possible
ØAll staff mobile devices used to access work email and files will be password protected and will have the capability to be remotely wiped if lost or stolen
ØAll staff members are prohibited from accessing HCML systems from unsecured internet connections

 

All staff should immediately alert the CCO of any suspicious behavior or potential incidents.

 

Detection of Unauthorized Activity or Security Breaches

 

The CCO is responsible for monitoring on-site and cloud-based systems for suspicious activity and security breaches. Such unauthorized activity or security breaches may include:

 

ØLogins to company systems after traditional business hours for the local region
ØLogins to company systems from non-local regions (e.g. outside of the local region, the United States, etc.)
ØLarge transfers of files or data

 

When suspicious activity or a potential security breach is discovered, the CCO will restrict access to the systems and begin to assess what information may have been accessed and what actions need to be taken to remediate the event.

 

Regardless of the severity, the CCO will keep a log of all incidents and note the action taken. This log will include the following information about each incident:

 

 
 
ØDate and time of the incident
ØHow the incident was detected
ØThe nature and severity of the incident
ØThe response taken to address the incident
ØAny changes made to the Cyber Security & Information Security Policy as a result of the incident

 

In addition, all staff should immediately alert the CCO of any suspicious behavior or concern.

 

If the incident is deemed by the CCO to have led to unauthorized release or use of sensitive client information, then the CCO will take the following steps:

 

1)Communicate the details of the event to the relevant principals of the firm
2)Determine if any staff disciplinary action needs to be taken
3)Determine if any third party vendors were involved in the incident
4)Contact proper law enforcement and/or regulatory agencies as required by law (if necessary)
5)Communicate the details of the event and steps being taken to rectify the incident to impacted clients of the firm (if necessary)

 

Prevention of Unauthorized Funds Transfers

 

HCML has implemented the following firm-wide information security policies to help prevent unauthorized funds transfers:

 

ØClients must confirm all third party wire requests verbally. Wire requests may not be authorized solely via email; and
ØWire requests should be reviewed for suspicious behavior (e.g. time of request, atypical amount of request, etc.).

 

HCML is particularly aware of the risk caused by fraudulent emails, purportedly from clients, seeking to direct transfers of customer funds or securities and will train staff members to properly identify such fraudulent emails.

 

User Login Security

 

HCML has implemented the following firm-wide user login security policies to help prevent unauthorized access to sensitive client data:

 

ØAll staff passwords are required to meet or exceed the following guidelines:
oContain both upper and lower case letters
oContain at least one number
oContain at least one special character
oBe at least 10 characters in length
oMay not contain words that can be found in a dictionary
oMay not contain personal information such as pet names, birthdates, or phone numbers
ØAll staff are required to have unique passwords to access each technology system (e.g., desktop computer, CRM system, etc.)
ØAll staff are required to update passwords on a quarterly basis
ØNo passwords are allowed to be stored in writing on paper or on any system
ØStaff members should not use the “remember password” feature of any application
ØStaff members should never share passwords with any other staff member or third party
ØWhen available, staff is required to utilize two-factor authentication

 

In addition, staff members should never disclose personal information on any social media website that could allow a third party to gain access to HCML’s systems. Such information includes but is not limited to:

 

·Birthdate
·Place of birth
·Place of wedding
·Name of high school
·Name of elementary school
·Best friend’s name
·Name of favorite pet
·Name of favorite drink
·Name of favorite song
·Mother’s maiden name
·Make and model of first car
·Favorite color
·Name of favorite teacher

 

User Access Privileges

 

HCML has implemented the following firm-wide user access privilege policies to help prevent unauthorized access to sensitive client data:

 

ØAll new staff members’ login credentials will be created by the CCO;
ØStaff members will only have access to systems deemed necessary by the CCO;
ØStaff members, besides the CCO or other designated personnel, will not have access to administrative privileges on systems unless deemed necessary by the CCO; and
ØUpon a staff member’s departure or termination, the CCO will immediately remove the former staff member’s access to all firm systems.

 

Staff members may request additional access to systems by contacting the CCO.

 

 
 

Email Use Security and Guidelines

 

HCML has implemented the following firm-wide email use security policies and guidelines to help prevent unauthorized access to sensitive client data:

 

ØAll staff should only provide sensitive information electronically to clients via a secure email or client portal;
ØAll staff should never open or download any email attachments from unknown senders;
ØAll staff should never open or download any email attachments from known senders that look suspicious or out of the ordinary;
ØAll staff should never directly click on or open any links sent in emails; and
ØAll staff should be acutely aware of any attempted “phishing” emails seeking to obtain the staff member’s user login credentials. Some warning signs to look for include:
oBad spelling or poor grammar in the email subject or body text;
oA company or website with which the staff member is not familiar; and
oA suspicious sender email domain.

 

When a staff member receives a suspicious email, the CCO should be immediately alerted. The CCO will then determine next steps and communicate to other staff members if deemed appropriate.

 

Mobile Device Usage Guidelines

 

In order to help prevent unauthorized access to sensitive client and firm data, HCML permits the limited use of personal mobile devices only under the following firm-wide mobile device usage guidelines:

 

ØBefore utilizing a personal mobile device to access company systems such as company email, the device must be inspected and approved by the CISO to ensure proper security features are activated on the device.
ØThe mobile device’s built-in password / passcode security feature must be activated at all times.
ØIf available, the mobile device’s local or remote wipe security feature(s) should be activated.
ØStaff members should take great caution to not use the mobile device in public places that could expose sensitive client or firm information.
ØIn the event a mobile device used to access company systems is lost or stolen, the staff member should immediately alert the CISO.
ØBefore disposing of any mobile device used to access company systems, all data must be wiped from the mobile device.

 

Sensitive client or firm information should never be stored or downloaded onto a personal mobile device. If the staff member’s mobile device does not offer a built-in password / passcode security feature, then the device is not permitted to be used to access company systems.

 

 
 

Third Party Vendor Security and Diligence

 

HCML has implemented the following firm-wide third party vendor security and diligence policies and guidelines to help prevent unauthorized access to sensitive client data:

 

ØAll third party vendors that have physical access to the office and/or the firm’s systems are required to enter into a non-disclosure agreement (NDA) in order to protect sensitive client information before establishing a business relationship; and
ØProper due diligence will be performed on all relevant technology vendors prior to establishing a business relationship and then again on at least an annual basis and will include:
oReview of the firm’s information security policies;
oReview of the firm’s disaster recovery policies; and
oReview of the firm’s general capabilities to ensure it meets HCML’s needs.

 

All of this information will be stored and maintained in HCML’s vendor diligence file.

 

Significant Technology System Disruption Plan

 

In the event of a significant business disruption that results in a significant interruption in access to the firm’s technology systems, HCML will implement its business continuity plan as detailed in this policies and procedures manual.

 

In the event of the theft, loss, unauthorized exposure, or unauthorized use of or access to client information, the incident will be investigated and documented by the CCO. In the event of a technology system breach, HCML will comply with all local and federal laws to communicate accordingly with the affected third parties.

 

Testing

 

On a quarterly basis, HCML will test its current Cyber Security & Information Security Policy and capabilities. The test conducted by the CCO will include the following activities:

 

ØEnsure all staff members have proper system access privileges;
ØEnsure all relevant software patches designed to address security vulnerabilities have been implemented on the firm’s internal server; and
ØMake a physical inspection of the office to ensure that all workstations have the proper security measures including:
oAttempt to access a random sample of firm devices to ensure that proper passwords are in place to prevent access;
oObserve staff members accessing systems with the proper password to ensure that two-factor authentication has been activated;
oEnsure staff members are not using the “remember password” feature of any application;
oEnsure computers used to access client data have an antivirus software subscription; and
oEnsure no passwords are visibly stored in writing on paper or on any system.

 

On an annual basis, HCML will further test its current Cyber Security & Information Security Policy and capabilities. The test conducted by the CCO will include the following activities:

 

ØConduct a risk assessment to determine if any changes need to be made to information security policies and procedures;
ØAttempt to access users’ accounts with the proper password to ensure that two-factor authentication prevents system access;
ØPerform any relevant third party penetration tests or vulnerability scans and remediate any relevant discoveries; and
ØAttempt to restore a sample of files and records from the systems inventoried above to ensure that the restoration process is sufficient and properly configured.

 

The results from the annual test will be documented and utilized as an opportunity to update the Cyber Security & Information Security Policy.

 

Data Back-Up Policies

 

HCML stores sensitive firm and client data on local and third party systems as documented in HCML’s Inventory of Technology Infrastructure. This data is backed up in accordance with HCML’s data back-up and recovery procedures.

 

Staff Training

 

On an annual basis, HCML will conduct a firm-wide training session to ensure that all staff members are properly trained and equipped to implement the above policies. New staff members will receive training, led by the CCO, within one (1) month of their initial hire date. The training conducted by the CCO will include the following topics:

 

ØReview of the current Cyber Security & Information Security Policy, including a note of any changes to the policy since the last training session;
ØReview of any relevant information security incidents or suspicious activity;
ØReview of how to identify potential “phishing” or fraudulent emails;
ØReview of how to identify potential “Ransomware” or similar attacks;
ØReview of any relevant regulatory compliance changes or developments; and
ØReview of general information security best practices.