Exhibit (r)(3)
Combined Code of Ethics
Last updated: April 10, 2024
Contents
CODE OF ETHICS
  BACKGROUND
  RISKS
  POLICIES AND PROCEDURES
CONFLICTS OF INTEREST
  BACKGROUND
  RISKS
  POLICIES AND PROCEDURES
INSIDER TRADING
  BACKGROUND
  RISKS
  POLICIES AND PROCEDURES
GIFTS AND ENTERTAINMENT
  BACKGROUND
  RISKS
  POLICIES AND PROCEDURES
APPENDIX A - DEFINITIONS
CODE OF ETHICS
Most Recently Revised: October 2023
Background
This Code of Ethics (“Code”) has been adopted by various Paralel entities, together and separately referred to as “Paralel” within this Code, including:
• Paralel Technologies LLC (“PTL”)
• Paralel Advisors LLC (“PAL”)
• Paralel Distributors, Inc. (“PDL”)
The Code is designed to comply with Rule 204A-1 under the Investment Advisers Act of 1940 (“Advisers Act”) and Rule 17j-1 under the Investment Company Act of 1940 (the “1940 Act”). By adopting and adhering to a code that meets the applicable requirements under the Advisers Act and 1940 Act, it is intended that Paralel employees who are deemed to be Access Persons and/or Investment Persons, will not also be subject to duplicative reporting requirements under various other codes for fund companies for which they may serve as an officer or are otherwise deemed to be an Access Person or Supervised Person. However, all such persons should check with each company’s Compliance or Legal representatives to confirm their status.
In addition to the policies found directly in this Code, Paralel’s Gift and Entertainment, Conflicts of Interest, and Insider Trading policies shall also be deemed to be part of this Code.
Employees who are also registered with the Financial Industry Regulatory Authority (“FINRA”) as a Registered Representative may have additional requirements and/or restrictions in addition to those described herein. Those Registered Representatives should consult their Written Supervisory Procedures for any additional requirements that may apply.
Paralel and its employees are prohibited from engaging in fraudulent, deceptive or manipulative conduct. The Code is designed to reinforce Paralel’s reputation for integrity by avoiding even the appearance of impropriety in the conduct of our business. This Code was developed to promote the highest standards of behavior and ensure compliance with applicable laws.
Employees are required to promptly report any known violations of the Code to the relevant entity’s Chief Compliance Officer (“CCO” as defined). This includes violations that come to your attention that may have been inadvertent and/or violations that other employees may have committed. The CCO (or a designee) will promptly investigate the matter and take appropriate action, if needed. There will be no retribution against any employee for making such a report, and every effort will be made to protect the identity of the reporting employee. There may be additional provisions for reporting violations that are covered under applicable policies and employees should make themselves familiar with these policies or consult with the CCO.
Employees should be aware that they may be held personally liable for any improper or illegal acts committed during their course of employment, and that “ignorance of the law” is not a defense. Paralel employees are expected to read the Code carefully and observe and adhere to its guidance at all times. Failure to comply with the provisions of the Code may result in serious sanctions including, but not limited to: disgorgement of profits, termination, personal criminal or civil liability and referral to law enforcement agencies or other regulatory agencies.
The provisions of the Code are not all-inclusive. Rather, they are intended as a guide for employees of Paralel in their conduct. In those situations where an employee may be uncertain as to the intent or purpose of the Code, they are advised to consult with the CCO. All questions arising in connection with personal securities trading should be resolved in favor of the Client, even at the expense of the interests of employees.
The CCO will periodically report to senior management/board of directors of Paralel and the respective Fund boards where Paralel serves in the capacity of investment adviser, administrator and/or distributor to document compliance or noncompliance with this Code. Each employee is responsible for knowing their responsibilities under the Code.
Risks
In developing these policies and procedures, Paralel considered the material risks associated with administering the Code of Ethics. This analysis includes risks such as:
• Supervised Persons do not understand the fiduciary duty that they, and Paralel, owe to Client accounts;
• Supervised Persons and/or Paralel fail to identify and comply with all applicable Federal Securities Laws;
• Access Persons do not report personal Securities transactions;
• Access Persons trade personal accounts ahead of Client accounts;
• Access Persons allocate profitable trades to personal accounts or unprofitable trades to Client accounts;
• Violations of the Federal Securities Laws, the Code of Ethics, or the policies and procedures set forth in this Manual, are not reported to the CCO and/or appropriate supervisory personnel;
• Paralel does not provide its Code of Ethics and any amendments to all Supervised Persons; and
• Paralel does not retain Supervised Persons’ acknowledgements that they received the Code of Ethics and any amendments.
Policies and Procedures
Who is Covered By the Code?
All permanent employees are covered under the Code. All employees are deemed a “Supervised Person”. Certain Supervised Persons will also be deemed an Access Person and subject to additional personal trading and other requirements. Certain Access Persons will also be deemed an Investment Person and subject to additional personal trading, transaction, and pre-clearance restrictions, as well as other requirements.
Specific definitions of Supervised Person, Access Person, and Investment Person are available in the Appendix A, attached. At any time, employees may check their status by contacting Compliance.
Temporary employees may be subject to either all or certain provisions within the Code. The CCO may deem a temporary employee a Supervised Person, Access Person, or Investment Person as determined appropriate. The CCO may exempt a temporary employee (e.g. summer intern, work study) from certain aspects of this Code or require additional or different certifications, prohibitions, or requirements as determined appropriate to ensure the effective operation of this Code.
Code of Conduct, Fiduciary Standards, and Compliance with the Federal Securities Laws
At all times, Paralel and its employees, including all Supervised Persons, inclusive of all Access Persons and Investment Persons, must comply with the spirit and the letter of the Federal Securities Laws and the rules governing the capital markets.
The CCO administers the Code of Ethics (or the “Code”). All questions regarding the Code should be directed to the CCO. Supervised Persons must cooperate to the fullest extent reasonably requested by the CCO to enable (i) Paralel to comply with all applicable Federal Securities Laws and (ii) the CCO to discharge their duties under the Manual.
All Supervised Persons will act with competence, dignity, integrity, and in an ethical manner, when dealing with Reportable Funds, Clients, the public, prospects, third-party service providers and fellow Supervised Persons. Supervised Persons must use reasonable care and exercise independent professional judgment when conducting investment analysis, making investment recommendations, trading, promoting Paralel’s services, and engaging in other professional activities.
Paralel expects all Supervised Persons to adhere to the highest standards with respect to any potential conflicts of interest with Reportable Funds or Clients. As a fiduciary, Paralel must act in its Clients’ best interests. Notify the CCO promptly about any practice that creates, or gives the appearance of, a material conflict of interest.
Supervised Persons of Paralel that perform functions that give such individuals knowledge of a Reportable Fund’s investment activities may not, in connection with the purchase or sale, directly or indirectly, of a security held or to be acquired by any Fund:
• employ any device, scheme, or artifice to defraud a Fund;
• make any untrue statement of a material fact to a Fund or omit to state a material fact necessary in order to make the statements made to a Fund, in light of the circumstances under which they are made, not misleading;
• engage in any act, practice or course of business that operates or would operate as a fraud or deceit upon the Fund; or
• engage in any manipulative practice with respect to a Fund.
Supervised Persons are generally expected to discuss any perceived risks, or concerns about Paralel’s business practices, with their direct supervisor. However, if a Supervised Person is uncomfortable discussing an issue with their supervisor, or if they believe that an issue has not been appropriately addressed, they should bring the matter to the CCO’s attention.
Reporting Violations
Improper actions by Paralel or its Supervised Persons could have severe negative consequences for Paralel, its Reportable Funds, and Paralel’s Supervised Persons. Impropriety, or even the appearance of impropriety, could negatively impact all Supervised Persons, including people who had no involvement in the problematic activities.
Supervised Persons must promptly report any improper or suspicious activities, including any suspected violations of the Code of Ethics or the Federal Securities Laws to the CCO. Issues can be reported to the CCO through the Confidential Reporting Form (Whistleblower) on MCO. Reports of potential issues may be made anonymously. Any reports of potential problems will be thoroughly investigated by the CCO, who will report directly to the CEO on the matter. Any problems identified during the review will be addressed in ways that reflect Paralel’s fiduciary duty to its Clients.
A Supervised Person’s identification of a material compliance issue will be viewed favorably by the Company’s senior executives. Retaliation against any Supervised Person who reports a violation of the Code of Ethics in good faith is strictly prohibited and will be cause for corrective action, up to and including dismissal. If a Supervised Person believes that he or she has been retaliated against, he or she should notify the Chief Compliance Officer directly.
Violations of this Code of Ethics, or the other policies and procedures set forth in the Manual, may warrant sanctions including, without limitation, requiring that personal trades be reversed, requiring the disgorgement of profits or gifts, issuing a letter of caution or warning, reporting to the Supervised Person’s supervisor, suspending personal trading rights, imposing a fine, suspending employment (with or without compensation), making a civil referral to the SEC, making a criminal referral, terminating employment for cause, and/or a combination of the foregoing. Violations may also subject a Supervised Person to civil, regulatory or criminal sanctions. No Supervised Person will determine whether he or she committed a violation of the Code of Ethics, or impose any sanction against himself or herself. All sanctions and other actions taken will be in accordance with applicable employment laws and regulations.
If the CCO determines that a material violation of this Code of Ethics has occurred, the CCO will promptly report the violation, and any associated action(s), to Paralel’s senior management. If senior management determines that the material violation may involve a fraudulent, deceptive or manipulative act, Paralel will report its findings to a Fund’s Board of Directors or Trustees pursuant to Rule 17j-1.
For the avoidance of doubt, nothing in this Manual prohibits Supervised Persons from reporting potential violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the SEC, or any agency’s inspector general, or from making other disclosures that are protected under the whistleblower provisions of federal law or regulation. Supervised Persons do not need prior authorization from their supervisor, other members of management, the CCO, or any other person or entity affiliated with Paralel to make any such reports or disclosures and do not need to notify Paralel that they have made such reports or disclosures. Additionally, nothing in this Manual prohibits Supervised Persons from recovering an award pursuant to a whistleblower program of a government agency or entity.
Distribution of the Code and Acknowledgement of Receipt
Paralel will distribute the Company’s Code of Ethics to each Supervised Person upon the commencement of employment, annually, and upon any change to the Code of Ethics or any material change to another portion of the Manual.
All Supervised Persons must use MCO to acknowledge that they have received, read, understood, and agree to comply with the Company’s policies and procedures described in this Manual, including this Code of Ethics.
Personal Securities Transactions
(Applies to All Access Persons, Including Investment Persons)
Access Person trades should be executed in a manner consistent with our fiduciary obligations to our funds and Clients: trades should avoid actual improprieties, as well as the appearance of impropriety. Employee trades must not be timed to precede orders placed for any client, nor should trading activity be so excessive as to conflict with the Access Person’s ability to fulfill daily job responsibilities.
In the event of a material change to this Personal Securities Transactions section of the Code of Ethics, the CCO shall inform each Reportable Fund’s CCO of such change.
Accounts Covered by the Policies and Procedures, Beneficial Ownership
Paralel’s Personal Securities Transactions policies and procedures apply to all accounts (“Accounts”) holding or that can hold any Securities over which Access Persons have any Beneficial Ownership interest, which typically includes accounts held by immediate family members sharing the same household, or non-funds over which Access Persons exercise investment discretion. Immediate family members include children, step-children, grandchildren, parents, step-parents, grandparents, spouses, domestic partners, siblings, parents-in-law, and children-in-law, as well as adoptive relationships that meet the above criteria.
It may be possible for Access Persons to exclude Accounts held personally or by immediate family members sharing the same household if the Access Person does not have any direct or indirect influence or control over the Accounts, or if the Access Person can rebut the presumption of beneficial ownership over family members’ accounts. Access Persons should consult with the CCO before excluding any Accounts held by immediate family members sharing the same household.
Reportable Securities [1]
Paralel requires Access Persons to provide periodic reports regarding transactions and holdings in all “Reportable Securities,” which include any Security, except:
• Direct obligations of the Government of the United States;
• Bankers’ acceptances, bank certificates of deposit, commercial paper and high-quality short-term debt instruments, including repurchase agreements;
• Shares issued by money market funds;
• Shares issued by open-end investment companies registered under the Investment Company Act of 1940, other than investment companies advised or underwritten by Paralel or an affiliate;
• Interests in 529 college savings plans; and
• Shares issued by unit investment trusts that are invested exclusively in one or more open-end investment companies registered under the Investment Company Act of 1940, none of which are advised or underwritten by Paralel or an affiliate.
Crypto and Other Digital Assets
Any Access Person who wishes to purchase, acquire or sell any asset that is issued and transferred using distributed ledger or blockchain technology, including, but not limited to, virtual currencies, cryptocurrencies, digital “coins” or “tokens” (“Digital Assets”), should consult with the CCO as to whether such Digital Asset would be considered a Security, and specifically a “Digital Security”, for purposes of this policy. A Digital Asset is likely to be considered a Digital Security if it is offered and sold as an investment contract. On April 3, 2019, the SEC published a framework for investment contract analysis of Digital Assets. [2] The CCO may use this framework, among other relevant SEC guidance, to determine whether a Digital Asset would be considered a Digital Security for the purposes of this policy. If the CCO determines that such Digital Asset should be considered a Digital Security, the Digital Asset will be considered a Reportable Security for purposes of this policy.
Reporting
Paralel must collect information regarding the personal trading activities and holdings of all Access Persons. Access Persons must submit, through MCO, quarterly reports regarding Reportable Securities transactions and newly opened Accounts that hold or can hold Securities, as well as initial and annual reports regarding holdings and existing Accounts.
[1] Rule 17j-1 limits the Reportable Securities reporting exemptions to “(i) Direct obligations of the Government of the United States; (ii) Bankers’ acceptances, bank certificates of deposit, commercial paper and high quality short-term debt instruments, including repurchase agreements; and (iii) Shares issued by open-end Funds.” Therefore, Supervised Persons of Paralel that perform functions that give such individuals knowledge of an advised fund’s investment activities are subject to this more restrictive list of reporting exemptions.
[2] https://www.sec.gov/files/dlt-framework.pdf
Initial Reporting - Securities Holdings and Accounts
Access Persons must report the existence of any Accounts that hold or can hold any Securities (including Securities excluded from the definition of a Reportable Security), as well as all Reportable Securities holdings. Reports relating to Accounts and Reportable Securities holdings must be submitted via MCO within 10 days of an individual first becoming an Access Person. Initial reports must be current as of a date no more than 45 days prior to the date that the person became an Access Person.
Account Types and Reporting: Accounts that can hold Reportable Securities must be linked in MCO to ensure Paralel receives an electronic feed from the broker/dealer. Access Persons should discuss with the compliance team or the CCO if an electronic feed is available with a particular broker and how to establish an electronic feed with a broker. In situations where an electronic feed is not available with a particular broker, an alternative reporting process specified by the CCO may be required (such as providing duplicate statements) or, in certain instances, the compliance team or CCO may require Access Persons to move Accounts from existing brokers to a preferred broker so that an electronic feed may be established. The Access Person is fully responsible for ensuring compliance with this Code if an alternative process is permitted.
For Accounts that are unable to hold or transact in Reportable Securities (“NRS Accounts”), Access Persons will need to report NRS Accounts in MCO initially, providing the brokerage name and account number of the NRS Account in MCO. The Chief Compliance Officer or his/her designee reserves the right to request additional information as they may determine appropriate and monitor such NRS Accounts for any abusive trading practices that would violate this Code.
Paralel 401k Account Guidance – Provided that an Access Person has not linked his/her Paralel 401k Account to a brokerage (allowing investments outside of the limited set in the 401k), such account will generally be considered an NRS Account.
If an Access Person does not have any holdings and/or accounts to report, this should be indicated within MCO within 10 days of becoming an Access Person.
Ongoing Reporting – New Accounts
Upon opening a new Account (other than an NRS Account) and prior to the completion of any transactions in the account, Access Persons must report the Account and ensure it is linked with an electronic feed from the broker/dealer (unless otherwise approved) as described in the initial reporting section above. NRS Accounts may be reported in conjunction with the quarterly reports as described below.
Quarterly Reporting – Accounts and Transactions in Reportable Securities
Each quarter, Access Persons must report all Reportable Securities transactions in Accounts in which they have a Beneficial Interest – this may be completed by affirming that the transactions reflected in MCO that Paralel received from the broker/dealer are accurate and complete, or for Accounts that are not connected by an electronic feed, by manually entering all transactions in Reportable Securities in MCO.
Access Persons must also report any NRS Accounts opened during the quarter that otherwise had not already been reported. Reports regarding Reportable Securities transactions and newly opened Accounts must be submitted via MCO within 30 days of the end of each calendar quarter.
Access Persons must utilize MCO to fulfill quarterly reporting obligations.
If an Access Person did not have any transactions in non-exempt Securities or Account openings to report, this should be indicated in MCO within 30 days after the end of each calendar quarter.
Annual Holdings and Accounts Reports
Access Persons must annually confirm the list of Accounts in MCO and report all Reportable Securities holdings. Reports regarding accounts and holdings must be submitted via MCO on or before February 14th of each year. Annual reports must be current as of December 31st.
Annual reports must disclose the existence of all Accounts that hold or can hold any Securities, including NRS Accounts. If an Access Person does not have any holdings and/or accounts to report, this should be indicated within MCO by February 14th of each year.
Exceptions from Reporting Requirements
There are limited exceptions from certain reporting requirements. Specifically, Access Persons are not required to submit reports as follows:
• Automatic Investment Plans: Quarterly transaction reports are not required for any transactions in Reportable Securities effected pursuant to an Automatic Investment Plan, including Dividend Reinvestment Plans; or
• Managed Accounts: No reports (either holdings/transaction reports) are required with respect to Securities held in Accounts over which the Access Person has no direct or indirect influence or control (known as “Managed Accounts”).
• “Managed Account” means an account for which the Access Person has authorized a third-party financial advisor or investment manager, in its sole discretion, to acquire and dispose of assets held in the account. The Access Person may not have any direct or indirect influence or control in the investment decisions of the account, or be made aware of any such investment decisions before transactions are executed by the advisor or manager.
• While the reporting requirements do not apply to Managed Accounts, other restrictions and requirements applicable to Access Persons (such as preclearance in IPOs and Private Placements) still apply.
For Accounts that may be eligible for either of these exceptions, approval should be sought through MCO to the attention of the CCO who will, on a case-by-case basis, determine whether the plan or account qualifies for an exception to be deemed a Managed Account. In making this determination, the CCO or a designee may ask for supporting documentation, such as a copy of the discretionary account management agreement and/or a written certification from the unaffiliated investment adviser, and may provide Access Persons with the exact wording and a clear definition of “no direct or indirect influence or control” that the adviser consistently applies to all Access Persons. On a sample basis, the CCO may request reports on holdings and/or transactions made in the Managed Account to identify transactions that would have been prohibited pursuant to Paralel’s Code, absent reliance on the reporting exception. Access Persons who claim they have no direct or indirect influence or control over an Account are required to indicate as such in MCO upon commencement of their employment or implementation of such Managed Account and on an annual basis thereafter.
Trading Restrictions for Access Persons
Pre-Clearance Required
• Initial Public Offerings and Private Placements – Access Persons must have written pre-clearance completed in MCO for any investments in IPOs or Private Placements. Paralel may disapprove any proposed transaction for any reason. If clearance is granted for a specified period of time, the Access Person receiving the approval is responsible for ensuring that his or her trading is completed before the clearance’s expiration. Access Persons should be cautious when submitting good-until-cancelled orders to avoid inadvertent violations of Paralel’s pre-clearance procedures.
• Any Registered Representative of Paralel is prohibited from participating in IPOs.
• Reportable Funds – Access Persons are prohibited from the purchase or sale of a Reportable Fund without pre-clearance in MCO being obtained. Access Persons are prohibited from the purchase and sale or sale and purchase of the same Reportable Fund within a sixty (60) calendar day holding period.
Other Restrictions
• Knowledge of Transaction – Access Persons shall not purchase or sell a Reportable Security in any Account if they had actual knowledge at the time of the transaction that, during the 24-hour period immediately preceding or following the transaction, the Reportable Security was purchased or sold or was considered for purchase or sale by a Fund.
• Blackout Period – Blackout periods may be determined and established by the CCO. Any such periods will be communicated to all affected persons as necessary.
Access Persons are reminded that all provisions of this Code apply even if not specifically listed in the restrictions above, including the Conflict of Interest and Insider Trading sections set forth below.
Additional Requirements for Investment Persons
Pre-Clearance Requirements for Investment Persons
Investment Persons must have written pre-clearance for all transactions in Reportable Securities, as well as IPOs or Private Placements. Paralel may disapprove any proposed transaction, particularly if the transaction appears to pose a conflict of interest or otherwise appears improper. If clearance is granted for a specified period of time, the Investment Person receiving the approval is responsible for ensuring that his or her trading is completed before the clearance’s expiration. Investment Persons should be cautious when submitting good-until-cancelled orders to avoid inadvertent violations of Paralel’s pre-clearance procedures.
Pre-clearance is valid for two business days. If the Investment Person still desires to execute the trade, but the trade is not executed within this timeframe, the Investment Person must request a new pre-clearance approval before entering the trade. Limit orders must be pre-approved for each day the order is open.
Exemptions from Pre-Clearance Requirements:
• Managed Accounts. Trades effected by the manager of a Managed Account shall not be subject to the pre-clearance procedures.
• Pre-clearance is always required for trades in Reportable Funds shares, regardless of whether shares are held in a Managed Account.
• “Managed Account” means an account for which an Investment Person has authorized a professional financial advisor or investment manager, in its sole discretion, to acquire and dispose of assets held in the account. The Investment Person may not make, directly or indirectly, any investment decisions, be made aware of any such investment decisions before transactions are executed by the advisor or manager, or otherwise direct the advisor or manager to effect any transactions in the account. Pre-clearance is not generally required for trades in a Managed Account. However, to the extent that an Investment Person becomes aware of a proposed transaction by the manager in these types of accounts or has personally directed or asked another person to direct trades in these accounts, the Investment Person is required to pre-clear the transaction prior to execution of the trade by the manager.
• Exchange Traded Funds (“ETF”) and Exchange Traded Notes (“ETN”). Pre-clearance is not required for ETFs or ETNs; however, ETFs and ETNs are subject to the reporting requirements.
• Purchases or sales that are non-volitional on the part of the Investment Person.
• Purchases that are part of an automatic dividend reinvestment plan.
• Purchases effected upon the exercise of rights issues by an issuer pro rata to all holders of a class of its securities.
• Transactions that meet the de minimis exception, which is a personal trade that meets the following conditions: (a) less than $5,000; and (b) is made with no knowledge that a Reportable Fund has purchased or sold the Reportable Security, or is considering purchasing or selling the Reportable Security.
Investment Persons must use MCO to seek pre-clearance. Pre-clearance is valid for two business days.
Restrictions for Investment Persons
In addition to those restrictions applicable to Access Persons, Investment Persons:
• may not purchase or sell any security that they have knowledge is being considered for purchase or sale by a Reportable Fund.
• are prohibited from participating in investment clubs unless such membership is approved in writing by the CCO. An investment club is any group of people who pool their money to make joint or group investments.
• may not make any personal transaction that may be deemed to be a conflict of interest with the interests of the Funds or any Paralel client.
Investment Persons are reminded that all provisions of this Code apply even if not specifically listed in the restrictions above, including the Conflict of Interest and Insider Trading provisions set forth below.
Any Registered Representative of Paralel is prohibited from participating in IPOs.
Personal Trading and Holdings Reviews
Paralel’s Personal Securities Transactions policies and procedures are designed to mitigate any potential material conflicts of interest associated with Access Persons’ personal trading activities. Accordingly, the CCO or a designee will closely monitor Access Persons’ investment patterns to detect the following potentially abusive behavior:
• Frequent and/or short-term trades in any Security, with particular attention paid to potential market-timing of mutual funds;
• Personal trading in Securities also held by a client fund advised, underwritten or administered by Paralel;
• Trading opposite of client trades;
• Trading ahead of clients; and
• Trading that appears to be based on Material Nonpublic Information.
The CCO will review all reports submitted pursuant to the Personal Securities Transactions policies and procedures for potentially abusive behavior and will compare Access Person trading with Funds’ trades as necessary. Any personal trading that appears abusive may result in further inquiry by the CCO and/or sanctions, up to and including dismissal.
The CEO or his delegate (currently the Paralegal Manager) will use MCO to monitor the CCO’s personal Securities transactions for compliance with the Personal Securities Transactions policies and procedures.
Disclosure of the Code of Ethics
Paralel will, upon request, furnish Funds with a copy of the Code of Ethics.
CONFLICTS OF INTEREST
Most Recently Revised: April 2023
Background
Conflicts of interest may exist between various individuals and entities, including Paralel, Supervised Persons, and current or prospective Reportable Funds or Clients. Any failure to identify or properly address a conflict can have severe negative repercussions for Paralel, its Supervised Persons, and/or Funds or Clients. In some cases, the improper handling of a conflict could result in litigation and/or disciplinary action.
Section 206(2) of the Advisers Act prohibits investment advisers from engaging in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client whereas Section 206(4) of the Advisers Act prohibits investment advisers from engaging in any act, practice, or course of business which is fraudulent, deceptive, or manipulative. Rule 206(4)-8(a) under the Advisers Act effectively extends this prohibition so as to apply to pooled investment vehicle investors or prospective investors. A failure to identify, disclose and/or manage a conflict of interest could constitute a violation of any of these provisions.
Risks
In developing these policies and procedures, Paralel considered the material risks associated with conflicts of interest. This analysis includes risks such as:
|•
|
Supervised Persons do not understand what could constitute an actual or apparent conflict of interest;
|•
|
Supervised Persons engage in conduct that could entail an actual or apparent conflict of interest without giving Paralel the opportunity to prevent such activity or take sufficient steps to manage and/or disclose the actual or apparent conflict of interest;
|•
|
Paralel engages in conduct in its capacity as the investment adviser (or in its affiliates’ capacity in other servicing roles) that could entail an actual or apparent conflict of interest with its obligations on behalf of the other, without taking sufficient steps to manage and/or disclose the actual or apparent conflict of interest; and
|•
|
The interests of more than one Client are in conflict with each other and Paralel does not resolve this conflict or resolves it in a way that is not fair and reasonable to all affected parties, or that disproportionately disadvantages one or more parties.
Policies and Procedures
Paralel’s policy is to disclose, mitigate, and/or eliminate all identified conflicts of interest in the best interests of its Funds and Clients. In the event that a conflict of interest arises between client funds, Paralel’s policy is to seek to resolve such conflict as fairly as possible in relation to all parties.
Understanding and Identifying Conflicts of Interest
Paralel’s policies and procedures have been designed to identify and properly disclose, mitigate, and/or eliminate applicable conflicts of interest. Supervised Persons should refer to applicable sections of this Manual when conducting the activities addressed therein. To the extent such activities entail an actual, potential or apparent conflict of interest, the relevant Manual section will typically provide guidance or instructions as to how to proceed. If a Supervised Person has any questions about the contents of this Manual or any particular section thereof, they should contact the CCO to discuss further.
Paralel requires Supervised Persons to complete a Compliance Questionnaire included within MCO upon joining the Company and generally quarterly thereafter. Many of these questions are intended to identify actual or potential conduct that could constitute an actual, potential or apparent conflict of interest. If a Supervised Person has any questions about the questions included in the Compliance Questionnaire, they should contact the CCO to discuss further.
However, written policies and procedures cannot address and a compliance questionnaire cannot anticipate every potential conflict. With this in mind, Supervised Persons should be cognizant of any and all potential conflicts of interest regardless of whether Paralel has contemplated them or not in its existing policies and procedures and/or the Compliance Questionnaire. Upon identifying such a potential conflict of interest, Supervised Persons should bring it to the attention of the CCO as soon as possible so that Paralel can assess the potential conflict and take the necessary steps to properly address it.
While it is not possible to provide a precise or comprehensive definition of a conflict of interest, Paralel is providing the following guidance to better enable Supervised Persons to recognize potential conflicts of interest:
|•
|
One factor that is common to many conflict of interest situations is the possibility that Paralel’s or a Supervised Person’s actions or decisions will be affected because of actual or potential differences between or among the interests of Paralel, Clients, and/or the Supervised Person’s own personal interests. If you suspect that any of these parties’ interests may not be aligned and that this could affect your or Paralel’s decisions or actions, a potential conflict of interest may exist.
|•
|
A situation may be found to involve a conflict of interest even if it does not result in any financial loss to Paralel or Clients, or any gain to Paralel, certain Clients, and/or the Supervised Person, and irrespective of the motivations of Paralel or the Supervised Persons involved. Such factors should not prevent you from notifying the CCO of a potential conflict of interest.
Addressing Conflicts of Interest
As stated above, Paralel’s policies and procedures have been designed to identify and properly disclose, mitigate, and/or eliminate applicable conflicts of interest. The following procedures apply to potential conflicts of interest that may not currently be anticipated by such existing policies and procedures.
The CCO is responsible for determining how to address a newly identified potential conflict of interest. Supervised Persons should not seek to address a potential conflict of interest without the CCO’s involvement unless it is not possible to contact the CCO on a timely basis. In such situations, Supervised Persons should use good judgment in identifying and responding appropriately to actual or apparent conflicts and notify the CCO of the potential conflict and their conduct in response as soon as possible thereafter.
The following principles govern Paralel’s approach to addressing conflicts of interest:
|•
|
To the extent possible, potential conflicts of interest should be resolved in such a way so as to prevent the potential conflict of interest from becoming an actual or apparent conflict of interest.
|•
|
To the extent possible, conflicts of interest that involve Paralel and/or its Supervised Persons on one hand, and Clients on the other hand, will generally be disclosed and resolved in a way that favors the interests of Clients over the interests of Paralel and its Supervised Persons.
INSIDER TRADING
Most Recently Revised: April 2023
Background
Section 204A of the Advisers Act requires every investment adviser to establish, maintain, and enforce written policies and procedures reasonably designed, taking into consideration the nature of such investment adviser’s business, to prevent the misuse of Material Nonpublic Information by such investment adviser or any associated person. In the past, the Federal Securities Laws have been interpreted to prohibit the following activities:
|•
|
Trading by an insider while in possession of Material Nonpublic Information;
|•
|
Trading by a non-insider while in possession of Material Nonpublic Information, where the information was disclosed to the non-insider in violation of an insider’s duty to keep it confidential;
|•
|
Trading by a non-insider who obtained Material Nonpublic Information through unlawful means such as computer hacking; and
|•
|
Communicating Material Nonpublic Information to others in breach of a fiduciary duty.
What Information is Material?
Many types of information may be considered material, including, without limitation, advance knowledge of:
|•
|
Dividend or earnings announcements;
|•
|
Asset write-downs or write-offs;
|•
|
Additions to reserves for bad debts or contingent liabilities;
|•
|
Expansion or curtailment of company or major division operations;
|•
|
Merger or joint venture announcements;
|•
|
New product/service announcements;
|•
|
Discovery or research developments;
|•
|
Criminal, civil and government investigations and indictments;
|•
|
Pending labor disputes;
|•
|
Debt service or liquidity problems;
|•
|
Bankruptcy or insolvency;
|•
|
Tender offers and stock repurchase plans;
|•
|
Recapitalization plans; and
|•
|
Major developments in litigation or events that could lead to litigation (e.g., a cyber breach or a data leak).
Information provided by a company could be material because of its expected effect on a particular class of securities, all of a company’s securities, the securities of another company, or the securities of several companies. The prohibition against misusing Material Nonpublic Information applies to a wide range of financial instruments including, but not limited to, equities, bonds, warrants, options, futures, forwards, swaps, commercial paper, government-issued securities, and Digital Securities. Material information need not relate to a company’s business. For example, information about the contents of an upcoming newspaper column may affect the price of a security, and therefore be considered material. Advance notice of forthcoming secondary market transactions could also be material.
Supervised Persons should consult with the CCO if there is any question as to whether nonpublic information is material.
What Information is Nonpublic?
Once information has been effectively distributed to the investing public, it is no longer nonpublic. However, the distribution of Material Nonpublic Information must occur through commonly recognized channels for the classification to change. In addition, there must be adequate time for the public to receive and digest the information. Non-public information does not change to public information solely by selective dissemination. The confirmation by an insider of unconfirmed rumors, even if the information in question was reported as rumors in a public form, may be nonpublic information. Examples of the ways in which nonpublic information might be transmitted include, but are not limited to:
|•
|
In person;
|•
|
In writing;
|•
|
By telephone;
|•
|
During a presentation;
|•
|
By email, instant messaging, or Bloomberg messaging;
|•
|
By text message or through Twitter; or
|•
|
On a social networking site such as Facebook or LinkedIn.
Supervised Persons must be aware that even where there is no expectation of confidentiality, a person may become an insider upon receiving Material Nonpublic Information. Supervised Persons should consult with the CCO if there is any question as to whether material information is nonpublic.
Penalties for Trading on Material Nonpublic Information
Severe penalties exist for firms and individuals that engage in Insider Trading, including civil injunctions, disgorgement of profits, and jail sentences. Further, fines for Insider Trading may be levied against individuals and companies in amounts up to three times the profit gained or loss avoided (and up to $1,000,000 for companies). Paralel is not obligated to pay legal fees, penalties, or other costs incurred by Supervised Persons found guilty of insider trading.
Risks
In developing these policies and procedures, Paralel considered the material risks associated with insider trading. This analysis includes risks such as:
|•
|
Supervised Persons place trades in personal and/or Client accounts while in possession of Material Nonpublic Information;
|•
|
Supervised Persons pass Material Nonpublic Information on to others;
|•
|
Supervised Persons are not aware of what constitutes Material Nonpublic Information.
Paralel has established the following guidelines to mitigate these risks.
Policies and Procedures
Supervised Persons are strictly forbidden from engaging in Insider Trading, either personally or on behalf of Paralel’s Funds. Paralel’s Insider Trading policies and procedures apply to all Supervised Persons, as well as any transactions in any securities by family members, trusts, or corporations, directly or indirectly controlled by such persons. The policy also applies to transactions by corporations in which the Supervised Person is an officer, director, or 10% or greater stockholder, as well as transactions by partnerships of which the Supervised Person is a partner unless the Supervised Person has no direct or indirect control over the partnership.
Procedures for Recipients of Material Nonpublic Information
If a Supervised Person has questions as to whether they are in possession of Material Nonpublic Information, they may inquire about whether such information qualifies as Material Nonpublic Information. The CCO will conduct research to determine if the information is likely to be considered material, and whether the information has been publicly disseminated.
Given the severe penalties imposed on individuals and firms engaging in Insider Trading, a Supervised Person:
|•
|
Must not trade the securities of any company about which they may possess Material Nonpublic Information, or derivatives related to the issuer in question;
|•
|
Must not discuss any potentially Material Nonpublic Information with colleagues or a fund sub-adviser, except as specifically required by their position, which shall first be approved by the CCO; and
|•
|
Must not conduct research, trading, or other investment activities regarding a security for which they may have Material Nonpublic Information.
If a Supervised Person believes that they have either violated or may be asked to violate any of the above requirements regarding Material Nonpublic Information, they must immediately report such fact or belief to the CCO to determine the appropriate course of action. Quarterly, the Supervised Persons will certify that they will follow these requirements in the future, and that they have not violated such requirements across the past quarter.
Selective Disclosure
Non-public information about Paralel’s investment strategies, trading, and Client holdings may not be shared with third parties except as is necessary to implement investment decisions and conduct other legitimate business. Supervised Persons must never disclose proposed or pending trades or other sensitive information to any third party without the prior approval of the CCO. Federal Securities Laws may prohibit the dissemination of such information, and doing so may be considered a violation of the fiduciary duty that Paralel owes to its Funds.
Supervised Persons should not disclose proposed or pending trades to any Client or other individual or entity outside of Paralel other than a trading counterparty with a legitimate need to know the information.
Sub-Advisory Relationships
Paralel will delegate management of Client assets to third-party sub-advisers. In doing so, Paralel may receive Material Nonpublic Information about these managers’ investment strategies and trading activities. Paralel’s Supervised Persons are prohibited from trading on, or improperly utilizing, Material Nonpublic Information obtained from third-party managers. Generally, without prior approval of the CCO, Investment Persons should not open a Managed Account with any sub-adviser with which Paralel has engaged for work on a Reportable Fund.
Rumors
Supervised Persons are prohibited from knowingly circulating false rumors or sensational information that might reasonably be expected to affect market conditions for one or more securities, sectors, or markets, or improperly influencing any person or entity. Creating or passing false rumors with the intent to manipulate securities prices or markets may violate the antifraud provisions of Federal Securities Laws.
This policy is not intended to discourage or prohibit appropriate communications between Supervised Persons of Paralel and other market participants and trading counterparties. Supervised Persons should consult with the CCO regarding questions about the appropriateness of any communications.
GIFTS AND ENTERTAINMENT
Most Recently Revised: April 2024
Background
Supervised Persons should not engage in any activity, practice, or act which conflicts with the best interest of the Company or its Clients. Accepting gifts of more than a nominal value could have the potential to influence an employee in such a way as to impede his or her best judgment when making decisions on behalf of the Company or its Clients. Supervised Persons may generally give and receive gifts and entertainment, so long as such gifts and entertainment are not lavish or excessive, and do not give the appearance of being designed to improperly influence the recipient.
Risks
In developing these policies and procedures, Paralel considered the risk that Supervised Persons would be improperly influenced by excessive gifts or entertainment. Paralel also considered the risk that Supervised Persons would try to use gifts or entertainment to exert improper influence on another individual or entity. Paralel established the following guidelines to mitigate these risks.
Policies and Procedures
Guiding Principles
Paralel holds its Supervised Persons to high ethical standards and strictly prohibits any giving or receipt of things of value that are designed to improperly influence the recipient. The purpose of business gifts and entertainment is to create goodwill and sound working relationships, not to gain unfair advantage. Anti-bribery and anti-corruption statutes in the U.S. are broadly written, so Supervised Persons should consult with the CCO if there is even an appearance of impropriety associated with the giving or receipt of anything of value.
Registered Representatives - Employees who are also registered with the Financial Industry Regulatory Authority (“FINRA”) as a Registered Representative may have additional requirements and/or restrictions in addition to those described herein. Those Registered Representatives should consult their Written Supervisory Procedures (“WSP”) for any additional requirements.
Specific Policies and Procedures
Paralel and its Supervised Persons are prohibited from directly or indirectly giving gifts or entertainment that may appear lavish or excessive. Definitions and policies for the giving and receipt of entertainment and gifts for this section are below. While this policy applies to Paralel broadly (i.e., PTL, PAL, PDL), it is important that Supervised Persons consider the capacity in which they are acting when giving or permitting to be given anything of value as certain entities and individuals have regulatory requirements while others do not.
Entertainment is a meeting, meal or other activity where both you and a business partner are present and have the opportunity to discuss business or any participant’s employer bears the cost. It does not include events that have been organized by Paralel, such as Paralel organized receptions or multi-client entertainment. If the giver is not present for the event or activity, it will be considered a gift.
Paralel recognizes that participating in entertainment events with Business Partners may help further legitimate business purposes and objectives. Examples of permissible entertainment events include lunches, dinners, golf outings, cocktail parties and regular season sporting events (“entertainment events”). Supervised Persons are encouraged to participate in entertainment events with those with whom the Company maintains business relationships, so long as they are reasonable and customary types of entertainment events in a business context. Nonetheless, extravagant entertainment from or to a client, prospective client or other person or entity with which Paralel conducts business is strictly prohibited. Supervised Persons are not required to obtain prior approval before participating in or hosting an entertainment event, provided that the entertainment event is not lavish or extravagant in nature.
A Gift is anything of value that is given with the intent to foster a legitimate business relationship. Gifts can include merchandise such as wine, gift baskets, or tickets if the giver does not attend. Cash gifts are not permitted to be given or received.
Gifts such as holiday baskets or lunches delivered to Paralel’s offices, which are received on behalf of the Company, do not require reporting. Promotional items valued at less than $100 that clearly display the giver’s company logo also need not be reported. Examples of promotional gifts include mugs, hats, jackets, and umbrellas.
The Value of any Gifts or Entertainment given or received must be the greater of cost or market value. If the cost or market value is not easily determined, an employee can estimate the approximate value or request further guidance from the CCO or designee.
Disclosures and Approvals
Disclosures of Gifts or Entertainment
All applicable gifts or entertainment must be disclosed via the Gifts and Entertainment Form found on MCO (when receiving) or in Ramp expense reporting and the quarterly reporting process via corporate (when giving), as set forth below.
MCO disclosures should be completed on at least a quarterly basis along with regular quarterly Code requirements but, unless otherwise indicated, may also be done prior to or immediately following the act.
Information required to be disclosed in expense reports should be provided in the Ramp expense reporting system whenever required following the action.
Approvals of Gifts or Entertainment (when required)
All approvals, unless otherwise indicated, must come from the CCO or designee, which can be accomplished by completing a request using MCO’s Gifts and Entertainment Form.
Generally, pre-approval should be obtained to the extent feasible when approval is required. However, due to the nature of gift-giving and the impromptu nature of some Entertainment, approval for employees accepting such items may often be after the fact.
If a gift request is not approved and returning or rejecting the item would negatively affect the business relationship, the gift should be turned over to the CCO and the gift will be donated to charity.
Specific Requirements
The chart that follows sets forth the various requirements related to the receipt and giving of gifts and entertainment for Supervised Persons. Please note that FINRA Registered Representatives may have additional requirements detailed in the applicable WSP related to gifts and entertainment. In addition, there are specific requirements related to Investment Persons which are different than Supervised Persons.
Paralel G&E Requirements
|Type|Value|Approval Required*|Disclosure Required|
|Recipient|De-minimis (under ~$100, or reasonable amount for routine activities, e.g. board meeting dinner received in connection to services provided; attendance at industry events with drinks, etc.).|None|None|
| |More than de-minimis, but less than $500 per person per event (<$250 for an Investment Person)|None|Disclose at least quarterly in MCO|
| |Greater than $500 per person per event (>$250 for an Investment Person)|Approval required (pre-approval preferred)| |
| |Any value from a broker/dealer to an Investment Person|Pre-approval required; generally not allowed| |
|Giver*|De-minimis or routine activities|None|None|
| |More than de-minimis, but less than $500 per person per event|None|Indicate recipient / relationship in expense report. Confirm in quarterly reporting process.|
| |Greater than $500 per person per event|Approval required (pre-approval preferred)| |
| |Any value to a broker/dealer from an Investment Person|Pre-approval required; generally not allowed| |
|Recipient|Cash or equivalent|Not permitted|--|
| |De-minimis (less than ~$100) promotional/logo items, gift baskets for department, etc.|None|None|
| |More than de-minimis, but less than $100 in total from same Business Partner per year.|None|Quarterly disclosure required in MCO|
| |Greater than $100 in total from same Business Partner per year|Approval required, strictly prohibited for FINRA Reg. Reps+| |
| |Any value from a broker/dealer to an Investment Person|Pre-approval required; generally not allowed| |
|Giver*|Cash or equivalent|Not permitted|--|
| |De-minimis (less than ~$100) promotional/logo items, gift baskets for department, etc.|None|None|
| |More than de-minimis, but under $100 per Business Partner per year|None|Indicate recipient / relationship in expense report. Confirm in quarterly reporting process.|
| |Over $100 per Business Partner per year (from budget).|Approval required; strictly prohibited for FINRA Registered Reps+| |
| |Any value to a broker/dealer from an Investment Person|Pre-approval required; generally not allowed| |
* Additional manager approval may be required depending on the individual and position.
+ There may be instances in which the CCO determines such a gift is allowable; only permitted with pre-clearance.
Exceptions to Entertainment Limits. The limits and reporting requirements set forth above generally do not apply to personal relationships with business partners that are not conducted for the purpose of awarding business.
Exceptions to Gift Giving Limits. The limits set forth above generally do not apply to personal gifts, such as a wedding gift or a congratulatory gift for the birth of a child, provided that these gifts are not in relation to the business of Paralel.
Additionally, certain Supervised Persons have roles which require them to perform functions in various capacities for Paralel entities. By way of example, the CEO may participate in, or provision, entertainment events for clients and prospective clients of PTL as a natural part of the sales and relationship cycle. While such entertainment may not improperly influence the recipient or have even an appearance of impropriety, the CCO has the authority to grant an exception to the Gifts and Entertainment reporting requirements for these individuals/circumstances.
Gifts and Entertainment Given to Foreign Governments and “Government Instrumentalities” – The Foreign Corrupt Practices Act (“FCPA”) prohibits the direct or indirect giving of, or a promise to give, “things of value” in order to corruptly obtain a business benefit from an officer, employee, or other “instrumentality” of a foreign government. Companies that are owned, even partly, by a foreign government may be considered an “instrumentality” of that government. In particular, government investments in foreign financial institutions may make the FCPA applicable to those institutions. Individuals acting in an official capacity on behalf of a foreign government or a foreign political party may also be “instrumentalities” of a foreign government.
The FCPA includes provisions that may permit the giving of gifts and entertainment under certain circumstances, including certain gifts and entertainment that are lawful under the written laws and regulations of the recipient’s country, as well as bona-fide travel costs for certain legitimate business purposes. However, these exceptions are limited and are dependent on the relevant facts and circumstances. Paralel and its Supervised Persons must comply with the spirit and the letter of the FCPA at all times. Supervised Persons must obtain pre-clearance from the CCO prior to giving anything of value that might be subject to the FCPA except food and beverages (not lavish or excessive) that are provided during a legitimate business meeting.
Supervised Persons must consult with the CCO if there is any question as to whether gifts or entertainment need to be pre-cleared and/or reported in connection with this policy.
Internal Controls
Gifts and Entertainment Tracking – As noted in the chart above, a combination of expense reporting, corporate reporting and MCO has been implemented to track Supervised Persons’ provision and receipt of gifts and entertainment.
Monitoring Third Parties – Supervised Persons are responsible for assessing whether agreements with third parties should include anti-bribery representations and for ensuring that any necessary representations are included in executed agreements. Supervised Persons should consult with the CCO as needed. The Company will offer anti-bribery training sessions if the CCO or their designee believes that they are necessary given the types of clients the Company has. Supervised Persons may not execute agreements with third parties that are reasonably expected to interact with government officials without the CCO’s approval.
If a third party is reasonably expected to interact with government officials, the Supervised Person will review any expense claims submitted by the third party and may require explanations and supplemental documentation to ensure that the third party has not provided improper gifts or entertainment on Paralel’s behalf. The Supervised Person will escalate to the CCO or designee any potential items that may require additional review.
APPENDIX A – DEFINITIONS
The following defined terms are used throughout this Code of Ethics. Other capitalized terms are defined within specific sections of the Code.
|•
|
1940 Act – The Investment Company Act of 1940, as amended.
|•
|
Access Person – Any Supervised Person of PAL who:
|•
|
has access to non-public information regarding any clients’ transactions, or non-public information regarding the portfolio holdings of any Reportable Fund(s) or subsidiary of a Reportable Fund;
|•
|
is involved in making securities recommendations to a Reportable Fund, or has access to such recommendations that are non-public; or
|•
|
in connection with his or her regular functions or duties, makes, participates in or obtains information regarding a Reportable Fund’s transactions or whose functions relate to the making of any recommendations with respect to a Reportable Fund’s transactions.
In addition, Access Persons will include the following persons, with notice to such person:
|•
|
any Supervised Person of a Paralel entity who the CCO designates as an Access Person after consideration of applicable law and/or regulations and any other factors deemed appropriate by the CCO; or
|•
|
any consultant, intern, or independent contractor hired or engaged by any Paralel entity, as determined appropriate by the CCO.
All of PAL’s directors, officers, and partners are presumed to be Access Persons (officers of affiliates of PAL will be determined by the CCO). All officers of a Reportable Fund will also be an Access Person.
|•
|
Advisers Act – The Investment Advisers Act of 1940, as amended.
|•
|
Automatic Investment Plan – A program in which regular trades are made automatically in accordance with a predetermined schedule and allocation. An Automatic Investment Plan includes a dividend reinvestment plan.
|•
|
Beneficial Interest – An individual has a Beneficial Interest in a security if he or she can directly or indirectly profit from the security. An individual generally has a Beneficial Interest in all securities held directly or indirectly, as well as those owned directly or indirectly by family members sharing the same household.
|•
|
Business Partner – Includes all current or potential clients and vendors of Paralel, any registered broker/dealers, and any firms with which Paralel might have a business relationship in the future.
• CCO – Paralel’s Chief Compliance Officer, as applicable to the relevant entity (PTL, PDL, or PAL). References to the CCO completing activities discussed throughout the Code are assumed to be delegable at the discretion of the CCO, unless otherwise stated.
• CEO – Paralel’s Chief Executive Officer. References to the CEO completing activities discussed throughout the Code are assumed to be delegable at the discretion of the CEO.
• Employees – Paralel’s officers, directors, principals, and employees and, if designated by the CCO, contractors.
• Exchange Act – The Securities Exchange Act of 1934.
• Federal Securities Laws – The Federal Securities Laws include the Securities Act, the Exchange Act, the Sarbanes-Oxley Act of 2002, the 1940 Act, the Advisers Act, Title V of the Gramm-Leach-Bliley Act, the Dodd-Frank Act of 2010, any rules adopted by the SEC under any of these statutes, the Bank Secrecy Act as it applies to investment companies and investment advisers, and any rules adopted thereunder by the SEC or the Department of the Treasury.
• FINRA – The Financial Industry Regulatory Authority, a self-regulatory organization.
• Front-Running – Trading a favored account ahead of other accounts.
• Insider Trading – Trading personally or on behalf of others on the basis of Material Nonpublic Information, or improperly communicating Material Nonpublic Information to others.
• Investment Persons – “Investment Person” shall mean any Access Person (within Paralel) who makes investment decisions for Paralel or its Reportable Funds, who provides investment related information or advice to portfolio managers, or helps to execute and/or implement a portfolio manager’s decisions. This typically includes, for example, portfolio managers, portfolio assistants, traders, and securities analysts. This may include any consultant, intern, or independent contractor hired or engaged by a Paralel entity, as determined appropriate by the CCO.
• IPO – An initial public offering. An IPO is an offering of securities registered under the Securities Act where the issuer, immediately before the registration, was not subject to the reporting requirements of sections 13 or 15(d) of the Exchange Act.
• Material Nonpublic Information – Information that (i) has not been made generally available to the public, and that (ii) a reasonable investor would likely consider important in making an investment decision. Supervised Persons should consult with Paralel’s CCO about any questions as to whether information constitutes Material Nonpublic Information.
• Outside Counsel – Counsel retained by Paralel.
• Registered Representative – The term “Registered Representative” as used within this Code, refers to an employee who holds a securities license, and is actively registered, with FINRA.
• Reportable Funds – Registered open-end (mutual funds or ETFs) and closed-end funds for which Paralel provides investment advisory services or serves as the principal underwriter.
• RIC – An investment company registered under the 1940 Act, often referred to as a fund.
• Security – The SEC defines the term “Security” broadly to include stocks, bonds, certificates of deposit, options, interests in Private Placements, futures contracts on other securities, participations in profit-sharing agreements, and interests in oil, gas, or other mineral royalties or leases, among other things. “Security” is also defined to include any instrument commonly known as a security. “Security” also includes any Digital Security.
• SEC – The Securities and Exchange Commission.
• Securities Act – The Securities Act of 1933.
• Supervised Person – Any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of a Paralel entity, or other person who provides investment advice on behalf of Paralel and is subject to Paralel’s supervision and control.
Information Security Policy
Goal
This policy defines the minimum information security requirements for Paralel Technologies as defined below. Based on business needs and specific requirements, Paralel Technologies may exceed the security requirements put forth in this document but will attempt to, at a minimum, achieve the security levels required by this policy.
This policy acts as an umbrella document to all other security policies and associated standards. This policy defines the responsibility to:
• protect and maintain the confidentiality, integrity and availability of information and related infrastructure assets;
• manage the risk of security exposure or compromise;
• assure a secure and stable information technology (IT) environment;
• identify and respond to events involving information asset misuse, loss or unauthorized disclosure;
• monitor systems for anomalies that might indicate compromise; and
• promote and increase the awareness of information security.
Failure to secure and protect the confidentiality, integrity and availability of information assets in today’s highly networked environment can damage or shut down systems that operate critical infrastructure, financial and business transactions; compromise data; and result in legal and regulatory non-compliance.
NIST Framework Correlation
This policy correlates with the following NIST Framework points:
• IDENTIFY: Asset Management (ID.AM)
• ID.AM-1 Physical devices and systems within the organization are inventoried.
• ID.AM-2 Software platforms and applications within the organization are inventoried.
• ID.AM-5 Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value.
• ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
• PROTECT: Awareness and Training (PR.AT)
• PR.AT-1 All users are informed and trained.
• PROTECT: Data Security (PR.DS)
• PR.DS-1 Data-at-rest is protected.
• PR.DS-2 Data-in-transit is protected.
• PROTECT: Information Protection Processes and Procedures (PR.IP)
• PR.IP-4 Backups of information are conducted, maintained, and tested.
• PROTECT: Protective Technology (PR.PT)
• PR.PT-4 Communications and control networks are protected.
Postconditions
Appropriate measures are in place to protect the confidentiality, integrity, and availability of data; staff and all other affiliates understand their role and responsibilities, have adequate knowledge of security policy, procedures and practices and know how to protect information.
Participants
This policy encompasses all systems, automated and manual, for which Paralel Technologies has responsibility, including systems managed or hosted by third parties on behalf of Paralel Technologies. It addresses all information, regardless of the form or format, which is created or used in support of business activities.
Policy
This policy defines a framework that will assure appropriate measures are in place to protect the confidentiality, integrity and availability of data; and assure staff and all other affiliates understand their role and responsibilities, have adequate knowledge of security policy, procedures and practices and know how to protect information.
Functional Responsibilities – Executive Management
Executive management is responsible for:
1. evaluating and accepting risk on behalf of Paralel Technologies;
2. identifying information security responsibilities and goals and integrating them into relevant processes;
3. supporting the consistent implementation of information security policies and standards;
4. supporting security through clear direction and demonstrated commitment of appropriate resources;
5. promoting awareness of information security best practices through the regular dissemination of materials provided by the designated security representative;
6. implementing the process for determining information classification and categorization, based on industry recommended practices, organization directives, and legal and regulatory requirements, to determine the appropriate levels of protection for that information;
7. implementing the process for information asset identification, handling, use, transmission, and disposal based on information classification and categorization;
8. determining who will be assigned and serve as information owners while maintaining ultimate responsibility for the confidentiality, integrity, and availability of the data;
9. participating in the response to security incidents;
10. complying with notification requirements in the event of a breach of private information;
11. adhering to specific legal and regulatory requirements related to information security;
12. communicating legal and regulatory requirements to the ISO/designated security representative; and
13. communicating requirements of this policy and the associated standards, including the consequences of non-compliance, to the workforce and third parties, and addressing adherence in third party agreements.
Functional Responsibilities – CTO (CISO)
The CTO (CISO) is responsible for:
1. maintaining familiarity with business functions and requirements;
2. assessing compliance with information security policies and legal and regulatory information security requirements; evaluating and understanding information security risks and how to appropriately manage those risks;
3. representing and assuring security architecture considerations are addressed;
4. advising on security issues related to procurement of products and services;
5. participating in the response to potential security incidents;
6. participating in the development of enterprise policies and standards;
7. promoting information security awareness;
8. providing in-house expertise and security consultants as needed;
9. developing the security program and strategy, including measures of effectiveness;
10. establishing and maintaining enterprise information security policy and standards;
11. assessing compliance with security policies and standards;
12. providing incident response coordination and expertise;
13. monitoring networks for anomalies;
14. monitoring external sources for indications of data breaches, defacements, etc.;
15. providing awareness materials and training resources;
16. supporting security by providing clear direction and consideration of security controls in the data processing infrastructure and computing network(s) which support the information owners;
17. implementing the proper controls for information owned based on the classification designations;
18. fostering the participation of information security in protecting information assets, and in identifying, selecting and implementing appropriate and cost-effective security controls and procedures.
Functional Responsibilities – Workforce
The workforce is responsible for:
1. understanding the baseline information security controls necessary to protect the confidentiality, integrity and availability of information entrusted to them;
2. protecting information and resources from unauthorized use or disclosure;
3. protecting personal, private, sensitive information from unauthorized use or disclosure;
4. abiding by the Acceptable Use of Information Technology Resources Policy;
5. reporting suspected information security incidents or weaknesses to the appropriate manager and ISO/designated security representative; and
6. implementing business continuity and disaster recovery plans.
Separation of Duties
a. To reduce the risk of accidental or deliberate system misuse, separation of duties and areas of responsibility must be implemented where appropriate.
b. Whenever separation of duties is not technically feasible, other compensatory controls must be implemented, such as monitoring of activities, audit trails and management supervision.
c. The audit and approval of security controls must always remain independent and segregated from the implementation of security controls.
Information Classification and Handling
a. All information, which is created, acquired or used in support of business activities, must only be used for its intended business purpose.
b. All information assets must have an information owner established within the lines of business.
c. Information must be properly managed from its creation, through authorized use, to proper disposal.
d. All information must be classified on an ongoing basis based on its confidentiality, integrity, and availability characteristics.
e. An information asset must be classified based on the highest level necessitated by its individual data elements.
f. If Paralel Technologies is unable to determine the confidentiality classification of information, or the information is personal identifying information (PII), the information must have a high confidentiality classification and, therefore, is subject to high confidentiality controls.
g. Merging of information which creates a new information asset or situations that create the potential for merging (e.g., backup tape with multiple files) must be evaluated to determine if a new classification of the merged data is warranted.
h. All reproductions of information in its entirety must carry the same confidentiality classification as the original. Partial reproductions need to be evaluated to determine if a new classification is warranted.
i. Each classification has an approved set of baseline controls designed to protect these classifications and these controls must be followed.
j. Paralel Technologies will communicate the requirements for secure handling of information to its workforce.
k. A written or electronic inventory of all information assets must be maintained.
l. Content made available to the public must be reviewed according to a process that will be defined and approved by Paralel Technologies. The process must include the review and approval of updates to publicly available content and must consider the type and classification of information posted.
m. PPI must not be made available without appropriate safeguards approved by Paralel Technologies.
n. For non-public information to be released outside of Paralel Technologies or shared between other entities, a process must be established that, at a minimum:
• evaluates and documents the sensitivity of the information to be released or shared;
• identifies the responsibilities of each party for protecting the information;
• defines the minimum controls required to transmit and use the information;
• records the measures that each party has in place to protect the information;
• defines a method for compliance measurement;
• provides a signoff procedure for each party to accept responsibilities; and
• establishes a schedule and procedure for reviewing the controls.
IT Asset Management
Entities are required to maintain an inventory of hardware and software assets, including all system components (e.g., network address, machine name, software version) at a level of granularity deemed necessary for tracking and reporting.
a. Processes must be implemented to identify unauthorized hardware and/or software and notify appropriate staff when discovered.
Cyber Incident Management
a. Paralel Technologies must have an incident response plan, consistent standards, to effectively respond to security incidents.
b. All observed or suspected information security incidents or weaknesses are to be reported to appropriate management and CTO (CISO) as quickly as possible.
c. The CTO (CISO) must be notified of any cyber incident which may have a significant or severe impact on operations or security, or which involves digital forensics, to follow proper incident response procedures and guarantee coordination and oversight.
Physical and Environmental Security
a. Information processing and storage facilities must have a defined security perimeter and appropriate security barriers and access controls.
b. A periodic risk assessment must be performed for information processing and storage facilities to determine whether existing controls are operating correctly and if additional physical security measures are necessary. These measures must be implemented to mitigate the risks.
c. Information technology equipment must be physically protected from security threats and environmental hazards. Special controls may also be necessary to protect supporting infrastructure and facilities such as electrical supply and cabling infrastructure.
d. All information technology equipment and information media must be secured to prevent compromise of confidentiality, integrity, or availability in accordance with the classification of information contained therein.
Account Management and Access Control
a. All accounts must have an individual employee or group assigned to be responsible for account management. This may be a combination of the business unit and information technology (IT).
b. Except as described in the Account Management/Access Control Standard, access to systems must be provided using individually assigned unique identifiers, known as user-IDs.
c. Associated with each user-ID is an authentication token (e.g., password, key fob, biometric) which must be used to authenticate the identity of the person or system requesting access.
d. Automated techniques and controls must be implemented to lock a session and require authentication or re-authentication after a period of inactivity for any system where authentication is required. Information on the screen must be replaced with publicly viewable information (e.g., screen saver, blank screen, clock) during the session lock.
e. Automated techniques and controls must be implemented to terminate a session after specific conditions are met as defined in the Account Management/Access Control Standard.
f. Tokens used to authenticate a person or process must be treated as confidential and protected appropriately.
g. Tokens must not be stored on paper, or in an electronic file, hand-held device or browser, unless they can be stored securely and the method of storing (e.g., password vault) has been approved by the ISO/designated security representative.
h. Information owners are responsible for determining who should have access to protected resources within their jurisdiction, and what those access privileges should be (read, update, etc.).
i. Access privileges will be granted in accordance with the user’s job responsibilities and will be limited only to those necessary to accomplish assigned tasks in accordance with business need and functions (i.e., least privilege).
j. Users of privileged accounts must use a separate, non-privileged account when performing normal business transactions (e.g., accessing the Internet, e-mail).
k. All remote connections must be made through managed points-of-entry reviewed by the CTO (CISO) or designated representative.
l. Practices which assure the appropriate protection of data in remote environments must be shared with staff through the Acceptable Use of Information Technology Resources Policy.
Systems Security
a. Systems include but are not limited to servers, platforms, networks, communications, databases and software applications.
1. An individual or group must be assigned responsibility for maintenance and administration of any system deployed on behalf of Paralel Technologies. A list of assigned individuals or groups must be centrally maintained.
2. Security must be considered at system inception and documented as part of the decision to create or modify a system.
3. All systems must be developed, maintained, and decommissioned in accordance with a secure system development lifecycle (SSDLC).
4. Each system must have a set of controls commensurate with the classification of any data that is stored on or passes through the system.
5. All system clocks must synchronize to a centralized reference time source set to UTC (Coordinated Universal Time) which is itself synchronized to at least three synchronized time sources.
6. Environments and test plans must be established to validate the system works as intended prior to deployment in production.
7. Separation of environments (e.g., development, test, quality assurance, production) is required, either logically or physically, including separate environmental identifications (e.g., desktop background, labels).
8. Formal change control procedures for all systems must be developed, implemented, and enforced. At a minimum, any change that may affect the production environment and/or production data must be included.
Databases and Software (including in-house or third party developed and commercial off the shelf (COTS)):
1. All software written for or deployed on systems must incorporate secure coding practices, to avoid the occurrence of common coding vulnerabilities and to be resilient to high-risk threats, before being deployed in production.
2. Once test data is developed, it must be protected and controlled for the life of the testing in accordance with the classification of the data.
3. Production data may be used for testing only if a business case is documented and approved in writing by the information owner and the following controls are applied:
i. All security measures, including but not limited to access controls, system configurations and logging requirements for the production data are applied to the test environment and the data is deleted as soon as the testing is completed; or
ii. sensitive data is masked or overwritten with fictional information.
4. Where technically feasible, development software and tools must not be maintained on production systems.
5. Where technically feasible, source code used to generate an application or software must not be stored on the production system running that application or software.
6. Scripts must be removed from production systems, except those required for the operation and maintenance of the system.
7. Privileged access to production systems by development staff must be restricted.
8. Migration processes must be documented and implemented to govern the transfer of software from the development environment up through the production environment.
b. Network Systems:
1. Connections between systems must be authorized by the executive management of all relevant entities and protected by the implementation of appropriate controls.
2. All connections and their configurations must be documented, and the documentation must be reviewed by the information owner and the ISO/designated security representative annually, at a minimum, to assure:
i. the business case for the connection is still valid and the connection is still required; and
ii. the security controls in place (filters, rules, access control lists, etc.) are appropriate and functioning correctly.
3. A network architecture must be maintained that includes, at a minimum, tiered network segmentation between:
i. Internet accessible systems and internal systems;
ii. systems with high security categorizations (e.g., mission critical, systems containing PII) and other systems; and
iii. user and server segments.
4. Network management must be performed from a secure, dedicated network.
5. Authentication is required for all users connecting to internal systems.
6. Network authentication is required for all devices connecting to internal networks.
7. Only authorized individuals or business units may capture or monitor network traffic.
8. A risk assessment must be performed in consultation with the ISO/designated security representative before the initiation of, or significant change to, any network technology or project, including but not limited to wireless technology.
Collaborative Computing Devices
a. Collaborative computing devices (IoT devices such as independent cameras and microphones) must:
1. prohibit remote activation; and
2. provide users physically present at the devices with an explicit indication of use.
b. Must provide simple methods to physically disconnect collaborative computing devices.
Vulnerability Management
a. All systems must be scanned for vulnerabilities before being installed in production and periodically thereafter.
b. All systems maintained by Paralel Technologies are subject to periodic penetration testing.
c. Penetration tests are required periodically for all critical environments/systems.
d. Where Paralel Technologies has outsourced a system to another entity or a third party, vulnerability scanning/penetration testing must be coordinated.
e. Scanning/testing and mitigation must be included in third party agreements.
f. The output of the scans/penetration tests will be reviewed in a timely manner by the system owner. Copies of the scan report/penetration test must be shared with the ISO/designated security representative for evaluation of risk.
g. Appropriate action, such as patching or updating the system, must be taken to address discovered vulnerabilities. For any discovered vulnerability, a plan of action and milestones must be created, and updated accordingly, to document the planned remedial actions to mitigate vulnerabilities.
h. Any vulnerability scanning/penetration testing must be conducted by individuals who are authorized by the ISO/designated security representative. The CTO (CISO) must be notified in advance of any such tests. Any other attempts to perform such vulnerability scanning/penetration testing will be deemed an unauthorized access attempt.
i. Anyone authorized to perform vulnerability scanning/penetration testing must have a formal process defined, tested, and always followed to minimize the possibility of disruption.
Operations Security
a. All systems and the physical facilities in which they are stored must have documented operating instructions, management processes and formal incident management procedures related to information security matters which define roles and responsibilities of affected individuals who operate or use them.
b. System configurations must follow approved configuration standards.
c. Planning and preparation must be performed to ensure the availability of adequate capacity and resources. System capacity must be monitored on an ongoing basis.
d. Where Paralel Technologies provides a server, application or network service to another entity, operational and management responsibilities must be coordinated by all impacted entities.
e. Host based firewalls must be installed and enabled on all workstations to protect from threats and to restrict access to only that which is needed.
f. Controls must be implemented (e.g., anti-virus, software integrity checkers, web filtering) across systems where technically feasible to prevent and detect the introduction of malicious code or other threats.
g. Controls must be implemented to disable automatic execution of content from removable media.
h. Controls must be implemented to limit storage of information to authorized locations.
i. Controls must be in place to allow only approved software to run on a system and prevent execution of all other software.
j. All systems must be maintained at a vendor-supported level to ensure accuracy and integrity.
k. All security patches must be reviewed, evaluated, and appropriately applied in a timely manner. This process must be automated, where technically possible.
l. Systems which can no longer be supported or patched to current versions must be removed.
m. Systems and applications must be monitored and analyzed to detect deviation from the access control requirements outlined in this policy and the Security Logging Standard, and record events to provide evidence and to reconstruct lost or damaged data.
n. Audit logs recording exceptions and other security-relevant events must be produced, protected, and kept consistent with record retention schedules and requirements.
o. Monitoring systems must be deployed (e.g., intrusion detection/prevention systems) at strategic locations to monitor inbound, outbound and internal network traffic.
p. Monitoring systems must be configured to alert incident response personnel to indications of compromise or potential compromise.
q. Contingency plans (e.g., business continuity plans, disaster recovery plans, continuity of operations plans) must be established and tested regularly. These should include:
1. An evaluation of the criticality of systems used in information processing (including but not limited to software and operating systems, firewalls, switches, routers, and other communication equipment).
2. Recovery Time Objectives (RTO)/Recovery Point Objectives (RPO) for all critical systems.
r. Backup copies of Paralel Technologies information, software, and system images must be taken regularly in accordance with the organization’s defined requirements.
s. Backups and restoration must be tested regularly. Separation of duties must be applied to these functions.
t. Procedures must be established to maintain information security during an adverse event. For those controls that cannot be maintained, compensatory controls must be in place.
Also See Standards:
Secure Configuration Management Standard; Security Logging Standard; Cyber Incident Response Standard; Account Management/Access Control Standard
Compliance
This policy shall take effect upon publication. Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time; compliance with amended policies and standards is expected.
If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Technology Officer’s exception process.
Version History:
11/24/2021 – v1.1 J.Vickery
4/19/2022 – v1.2 J.Vickery
8/31/2022 – v1.3 J.Vickery
Acceptable Use of IT Resources Policy
Goal
This document defines the standard operating procedure for NIST CyberSecurity: Acceptable Use of Information Technology Resources SOP.
Appropriate organizational use of information and information technology (“IT”) resources and effective security of those resources require the participation and support of the organization’s workforce (“users”). Inappropriate use exposes the organization to potential risks including virus attacks, compromise of network systems and services, and legal issues.
NIST Framework Correlation
This policy correlates with the following NIST Framework points:
• IDENTIFY: Asset Management (ID.AM)
• ID.AM-1 Physical devices and systems within the organization are inventoried.
• ID.AM-2 Software platforms and applications within the organization are inventoried.
• ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
• PROTECT: Awareness and Training (PR.AT)
• PR.AT-1 All users are informed and trained.
• PROTECT: Protective Technology (PR.PT)
• PR.PT-2 Removable media is protected and its use restricted according to policy.
Postconditions
Appropriate organizational use of information and information technology (“IT”) resources and effective security of those resources.
Participants
This policy applies to users of any system’s information or physical infrastructure regardless of its form or format, created or used to support Paralel Technologies. It is the user’s responsibility to read and understand this policy and to conduct their activities in accordance with its terms. In addition, users must read and understand the organization’s Information Security Policy and its associated standards.
Information Statement
Except for any privilege or confidentiality recognized by law, individuals have no legitimate expectation of privacy during any use of Paralel Technologies IT resources or in any data on those resources.
Any use may be monitored, intercepted, recorded, read, copied, accessed, or captured in any manner including in real time, and used or disclosed in any manner, by authorized personnel without additional prior notice to individuals. Periodic monitoring will be conducted of systems used, including but not limited to: all computer files; and all forms of electronic communication (including email, text messaging, instant messaging, telephones, computer systems and other electronic records).
Paralel Technologies may impose restrictions, at the discretion of their executive management, on the use of a particular IT resource. For example, the organization may block access to certain websites or services not serving legitimate business purposes or may restrict user ability to attach devices to the organization’s IT resources (e.g., personal USB drives, iPods).
Users accessing the organization’s applications and IT resources through personal devices must only do so with prior approval or authorization from the organization.
Acceptable Use
All uses of information and information technology resources must comply with Paralel Technologies policies, standards, procedures, and guidelines, as well as any applicable license agreements and laws including Federal, State, local and intellectual property laws.
Consistent with the foregoing, the acceptable use of information and IT resources encompasses the following duties:
|•
|
Understanding the baseline information security controls necessary to protect the confidentiality, integrity, and availability of information;
|•
|
Protecting organizational information and resources from unauthorized use or disclosure;
|•
|
Protecting personal, private, sensitive, or confidential information from unauthorized use or disclosure;
|•
|
Observing authorized levels of access and utilizing only approved IT technology devices or services; and
|•
|
Immediately reporting suspected information security incidents or weaknesses to the appropriate manager and the CTO / designated security representative.
Unacceptable Use
The following list is not intended to be exhaustive but is an attempt to provide a framework for activities that constitute unacceptable use. Users, however, may be exempted from one or more of these restrictions during their authorized job responsibilities, after approval from Paralel Technologies management (e.g., storage of objectionable material in the context of a disciplinary matter).
Unacceptable use includes, but is not limited to, the following:
|•
|
Unauthorized use or disclosure of personal, private, sensitive, and/or confidential information;
|•
|
Unauthorized use or disclosure of organization information and resources;
|•
|
Distributing, transmitting, posting, or storing any electronic communications, material or correspondence that is threatening, obscene, harassing, pornographic, offensive, defamatory, discriminatory, inflammatory, illegal, or intentionally false or inaccurate;
|•
|
Attempting to represent the organization in matters unrelated to official authorized job duties or responsibilities;
|•
|
Connecting unapproved devices to the organization’s network or any IT resource;
|•
|
Connecting organizational IT resources to unauthorized networks;
|•
|
Connecting to any wireless network while physically connected to the organization’s wired network;
|•
|
Installing, downloading, or running software that has not been approved following appropriate security, legal, and/or IT review in accordance with organizational policies;
|•
|
Connecting to commercial email systems (e.g., Gmail, Hotmail, Yahoo) without prior management approval (organizations must recognize the inherent risk in using commercial email services as email is often used to distribute malware);
|•
|
Using an organization’s IT resources to circulate unauthorized solicitations or advertisements for non-organizational purposes including religious, political, or not-for-profit entities;
|•
|
Providing unauthorized third parties, including family and friends, access to the organization’s IT information, resources or facilities;
|•
|
Using the organization’s IT information or resources for commercial or personal purposes, in support of “for-profit” activities or in support of other outside employment or business activity (e.g., consulting for pay, business transactions);
|•
|
Propagating chain letters, fraudulent mass mailings, spam, or other types of undesirable and unwanted email content using organizational IT resources; and
|•
|
Tampering with, disengaging, or otherwise circumventing organization or third-party IT security controls.
Occasional and Incidental Personal Use
Occasional, incidental and necessary personal use of IT resources is permitted, provided such use is otherwise consistent with this policy; is limited in amount and duration; and does not impede the ability of the individual or other users to fulfill the organization’s responsibilities and duties, including but not limited to, extensive bandwidth, resource, or storage utilization.
Exercising good judgment regarding occasional and incidental personal use is important.
Paralel Technologies may revoke or limit this privilege at any time.
Individual Accountability
Individual accountability is required when accessing all IT resources and organization information. Everyone is responsible for protecting against unauthorized activities performed under their user ID. This includes locking your computer screen when you walk away from your system, and protecting your credentials (e.g., passwords, tokens or similar technology) from unauthorized disclosure.
Credentials must be treated as confidential information and must not be disclosed or shared.
Restrictions on Off-Site Transmission and Storage of Information
Users must not transmit restricted organization, non-public, personal, private, sensitive, or confidential information to or from personal email accounts (e.g., Gmail, Hotmail, Yahoo) or use a personal email account to conduct the organization’s business unless explicitly authorized. Users must not store restricted organizational, non-public, personal, private, sensitive, or confidential information on a non-Paralel Technologies issued device, or with a third-party file storage service that has not been approved for such storage by Paralel Technologies.
Devices that contain organizational information must always be attended or physically secured and must not be checked in transportation carrier luggage systems.
User Responsibility for IT Equipment
Users are routinely assigned or given access to IT equipment in connection with their official duties. This equipment belongs to Paralel Technologies and must be immediately returned upon request or at the time an employee is separated from the organization. Users may be financially responsible for the value of equipment assigned to their care if it is not returned to Paralel Technologies.
Should IT equipment be lost, stolen, or destroyed, users are required to notify their manager, including the circumstances surrounding the incident. Users may be subject to disciplinary action which may include repayment of the replacement value of the equipment. Paralel Technologies has the discretion to not issue or re-issue IT devices and equipment to users who repeatedly lose or damage IT equipment.
Use of Social Media
The use of public social media sites to promote organizational activities requires written pre-approval from Paralel Technologies. Approval is at the discretion of the organization and may be granted upon demonstration of a business need, and a review and approval of service agreement terms by the organization’s Counsel’s Office. Final approval by the responsible department overseeing Organizational Public Information (OPI) should define the scope of the approved activity, including, but not limited to, identifying approved users.
Unless specifically authorized, the use of organizational email addresses on public social media sites is prohibited. In instances where users access social media sites on their own time utilizing personal resources, they must remain sensitive to expectations that they will conduct themselves in a responsible, professional, and secure manner regarding references to the organization and staff. These expectations are outlined below.
Registered Representatives of Paralel Distributors should also review Paralel’s Written Supervisory Procedures for additional information on the use of social media.
1. Use of Social Media within the Scope of Official Duties
The OPI designee must review and approve the content of any posting of public information, such as blog comments, tweets, video files, or streams, to social media sites on behalf of the organization. However, OPI approval is not required for postings to public forums for technical support, if participation in such forums is within the scope of the user’s official duties, has been previously approved by his or her supervisor, and does not include the posting of any sensitive information, including specifics of the IT infrastructure. In addition, OPI approval is not required for postings to private, organization approved social media collaboration sites (e.g., Yammer). Blanket approvals may be granted, as appropriate.
Accounts used to manage the organization’s social media presence are privileged accounts and must be treated as such. These accounts are for official use only and must not be used for personal use. Passwords of privileged accounts must follow information security standards, be unique on each site, and must not be the same as passwords used to access other IT resources.
2. Guidelines for Personal Use of Social Media
Staff should be sensitive to the fact that information posted on social media sites clearly reflects on the individual and may also reflect on the individual’s professional life. Consequently, staff should use discretion when posting information on these sites and be conscious of the potential perceptions of and responses to the information. It is important to remember that once information is posted on a social media site, it can be captured and used in ways not originally intended. It is nearly impossible to retract, as it often lives on in copies, archives, backups, and memory cache.
Users should respect the privacy of the organization’s staff and not post any identifying information of any staff without permission (including, but not limited to, names, addresses, photos, videos, email addresses, and phone numbers). Users may be held liable for comments posted on social media sites.
If a personal email, posting, or other electronic message could be construed to be an official communication, a disclaimer is strongly recommended. A disclaimer might be: “The views and opinions expressed are those of the author and do not necessarily reflect those of the organization.”
Users should not use their personal social media accounts for official business, unless specifically authorized by the organization. Users are strongly discouraged from using the same passwords in their personal use of social media sites as those used on organizational devices and IT resources, to prevent unauthorized access to resources if the password is compromised.
Compliance
This policy shall take effect upon publication. Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time.
If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Information Security Officer’s exception process.
Version History
Drafted 1/3/22 – J.Vickery
8/31/2022 – J.Vickery – Minor edits
9/19/2023 – J.Vickery – Updated to include Paralel’s Written Supervisory Procedures for Registered Reps using Social Media.
Data Destruction and Sanitization Policy
Overview
Paralel regularly stores sensitive information on computer hard drives and other forms of electronic media. As new equipment is obtained and older equipment and media reach end of life, sensitive information on surplus equipment and media must be properly destroyed and otherwise made unreadable to protect Confidential Information or Personally Identifiable Information (PII).
Purpose
Proper disposal and disposition of surplus computer hardware and other storage media manages risks of security breach and inappropriate information disclosure. The primary exposure to Paralel would be an Unauthorized Release of Confidential Information or PII to unauthorized persons.
This policy is designed to address proper disposal procedures for Confidential or PII Information in surplus assets prior to their disposal. Proper sanitization and disposal procedures are key to ensuring data privacy and Information Security.
Scope
This policy applies to all Paralel staff.
Policy
General:
|•
|
The transfer or disposition of data processing equipment, such as computers and related media, shall be controlled and managed according to NIST 800-171 (3.8.3) guidelines.
|•
|
Paralel issued devices are encrypted and data can be rendered unrecoverable simply by deleting the encryption key.
|•
|
Data remains present on unencrypted storage devices (such as printers) even after a disc is “formatted”, power is removed, and the device is decommissioned. Simply deleting the data and formatting the disk on those types of devices does not prevent individuals from restoring data. Sanitization of the media removes information in such a way that data recovery using common techniques or analysis is greatly reduced or prevented.
Data Disposal Procedures:
|•
|
All computer desktops, laptops, hard drives, and portable media must be processed through IT/Office Services for proper disposal.
|•
|
Paper and hard copy records shall be disposed of in a secure manner as specified by the archiving and destruction policy.
The CTO shall ensure procedures exist and are followed that:
|•
|
Address the evaluation and final disposition of sensitive information, hardware, or electronic media regardless of media format or type.
|•
|
Specify a process for making sensitive information unusable and inaccessible. These procedures should specify the use of technology (e.g. software, special hardware, etc.) or physical destruction mechanisms to ensure sensitive information is unusable, inaccessible, and unable to be reconstructed.
|•
|
Authorize personnel to dispose of sensitive information or equipment. Such procedures may include shredding, incinerating, or pulping of hard copy materials so that sensitive information cannot be reconstructed. Approved disposal methods include:
|•
|
Physical Print Media shall be disposed of by one (or a combination) of the following methods:
|•
|
Shredding – Media shall be shredded using Paralel issued cross-cut shredders.
|•
|
Shredding Bins – Disposal shall be performed using locked bins located on-site using a licensed and bonded information disposal contractor.
|•
|
Incineration – Materials are physically destroyed using a licensed and bonded information disposal contractor.
|•
|
Encrypted devices (company issued laptops and other hardware):
|•
|
Delete the encryption key for the specific device.
|•
|
Electronic Media (physical disks, tape cartridges, CDs, printer ribbons, flash drives, printer and copier hard drives, etc.) shall be disposed of by one of the following methods:
|•
|
Overwriting Magnetic Media – Overwriting uses a program to write binary data sector by sector onto the media that requires sanitization.
|•
|
Degaussing – Degaussing consists of using strong magnets or electric degaussing equipment to magnetically scramble the data on a hard drive into an unrecoverable state.
|•
|
Physical Destruction – implies complete destruction of media by means of crushing or disassembling the asset and ensuring no data can be extracted or recreated.
|•
|
IT documentation, hardware, and storage that have been used to process, store, or transmit Confidential Information or PII shall not be released into general surplus until it has been sanitized and all stored information has been cleared using one of the above methods.
Audit Controls and Management
Documented procedures should be in place for this operational policy as part of Paralel’s operating procedures. Examples of control documentation include:
|•
|
Documented procedures related to surplus disposal of hardware and software.
|•
|
Data destruction and surplus logs of equipment identified for disposal.
|•
|
Physical evidence of sanitized assets and/or data destruction/cleansing devices.
Compliance
This policy shall take effect upon publication. Compliance is expected with all enterprise policies and standards. Policies and standards may be amended at any time; compliance with amended policies and standards is expected.
If compliance with this standard is not feasible or technically possible, or if deviation from this policy is necessary to support a business function, entities shall request an exception through the Chief Technology Officer’s exception process.
Version History:
4/8/2024 – Version 1 Published – J.Vickery
Business Continuity/Disaster Recovery Plan
Summary
This document defines and outlines the standard operating procedure for Backup & Recovery: DRP/BCP (Business Continuity Plan).
This plan is designed to capture all the information that describes Paralel Technologies’ ability to withstand a disaster as well as the processes that must be followed to achieve disaster recovery. In addition to this plan, Paralel maintains a Cyber Incident Event plan for cyber specific events.
Definitions
Defines any acronyms or terms that might have ambiguous meanings.
Disaster – A disaster can be caused by man or nature and results in Paralel Technologies not being able to perform all or some of their regular roles and responsibilities or services for a period of time.
Paralel Technologies defines disasters as the following:
|•
|
One or more vital systems are non-functional
|•
|
The building is not available for an extended period of time but all systems are functional within it
|•
|
The building is available but vital systems are non-functional
|•
|
The building and vital systems are non-functional
Prerequisites
The following list is indicative of the types of events which can result in a disaster, triggering this Disaster Recovery document to be activated:
|•
|
Hurricane
|•
|
Tornado
|•
|
Fire
|•
|
Flash flood
|•
|
Pandemic
|•
|
Power or Technology Outage
|•
|
War
Paralel BCP Plan v 1.3 – October 2022
|•
|
Theft
|•
|
Terrorist Attack
Post Conditions
A well-structured and easily understood plan which will help the company recover as quickly and effectively as possible from a disaster or emergency which interrupts information systems and business operations.
Participants
In the event of a disaster, core departments and certain key personnel will be required to assist the IT department in their effort to restore normal business functionality. The groups represented in the Disaster Management Team include:
|•
|
Leadership
|•
|
Information Technology including External Service Providers
|•
|
Operations
|•
|
Office Manager
Procedures
Roles & Responsibilities
The Disaster Management Team will oversee the entire disaster recovery process. They will be the first team that will need to act in the event of a disaster. This team will evaluate the disaster and will determine what steps need to be taken to get the organization back to business as usual.
Roles and Responsibilities Include:
|•
|
Make the determination that a disaster has occurred and trigger the DRP and related processes.
|•
|
Communicate to all impacted employees, clients and vendors.
|•
|
Be the single point of contact for and oversee all of the DR Teams.
|•
|
Organize and chair regular meetings of the DR Team leads throughout the disaster.
|•
|
Present to the Management Team on the state of the disaster and the decisions that need to be made.
|•
|
Organize, supervise and manage all DRP test and author all DRP updates.
Paralel BCP Plan – August 2023
|•
|
Set the DRP into motion after the Disaster Recovery Lead has declared a disaster
|•
|
Determine the magnitude and class of the disaster
|•
|
Determine what systems and processes have been affected by the disaster
|•
|
Communicate the disaster to the other disaster recovery teams
|•
|
Determine what first steps need to be taken by the disaster recovery teams
|•
|
Keep the disaster recovery teams on track with pre-determined expectations and goals
|•
|
Keep a record of money spent during the disaster recovery process
|•
|
Ensure that all decisions made abide by the DRP and policies set by Paralel Technologies
|•
|
Plan for a secondary work site and ensure it is ready to restore business operations
|•
|
Create a detailed report of all the steps undertaken in the disaster recovery process
|•
|
Notify the relevant parties once the disaster is over and normal business functionality has been restored
|•
|
After Paralel Technologies is back to business as usual, this team will be required to summarize any and all costs and will provide a report summarizing their activities during the disaster
Dealing with a Disaster
If a disaster occurs at Paralel Technologies, the priority is to ensure that all employees are safe and accounted for. After this, steps must be taken to mitigate any further damage to the facility and to reduce the impact of the disaster to the organization and clients.
Regardless of the category that the disaster falls into, dealing with a disaster can be broken down into the following steps:
|1)
|
Disaster identification and declaration
|2)
|
DRP activation
|3)
|
Communicating the disaster
|4)
|
Assessment of current and prevention of further damage
|5)
|
Standby facilities activation
|6)
|
Establish IT operations
|7)
|
Repair and rebuilding of primary facility
Disaster Identification and Declaration
Since it is almost impossible to predict when and how a disaster might occur, Paralel Technologies must be prepared to find out about disasters from a variety of possible avenues.
These can include:
|•
|
First hand observation
|•
|
System Alarms and Network Monitors
|•
|
Environmental and Security Alarms in the Primary Facility
|•
|
Security staff
|•
|
Facilities staff
|•
|
End users
|•
|
3rd Party Vendors and clients
|•
|
Media reports
Once the Disaster Management Team has determined that a disaster has occurred, they must officially declare that the company is in an official state of disaster. It is during this phase that the Disaster Management Team must ensure that anyone that was in the primary facility at the time of the disaster (if applicable) has been accounted for and evacuated to safety according to the company’s Evacuation Policy.
Depending on the disaster type, the Disaster Management Team may instruct the Communications Team to begin notifying the authorities, clients, and employees not at the impacted facility that a disaster has occurred.
BCP/DRP Activation
Once the Disaster Management Team has formally declared that a disaster has occurred, they will initiate the activation of the DRP by triggering the Disaster Recovery Call Tree. The following information will be provided in the calls that the Disaster Recovery Lead makes and should be passed during subsequent calls:
|•
|
That a disaster has occurred
|•
|
The nature of the disaster (if known)
|•
|
The initial estimation of the magnitude of the disaster
|•
|
The initial estimation of the impact of the disaster
|•
|
The initial estimation of the expected duration of the disaster
|•
|
Actions that have been taken to this point
|•
|
Actions that are to be taken prior to the meeting of Disaster Recovery Team Leads
|•
|
Scheduled meeting place for the meeting of Disaster Recovery Team Leads
|•
|
Scheduled meeting time for the meeting of Disaster Recovery Team Leads
|•
|
Any other pertinent information
If the Disaster Recovery Lead is unavailable to trigger the Disaster Recovery Call Tree, that responsibility shall fall to the Disaster Management Team Lead.
Communicating During a Disaster
In the event of a disaster, Paralel Technologies will need to communicate with various parties to inform them of the effects on the business, surrounding areas and timelines. The IT function/Communications Team will be responsible for contacting all Paralel Technologies stakeholders.
COMMUNICATING WITH THE AUTHORITIES
(If applicable) The Communications Team’s first priority will be to ensure that the appropriate authorities have been notified of the disaster, providing the following information:
|•
|
The location of the disaster
|•
|
The nature of the disaster
|•
|
The magnitude of the disaster
|•
|
The impact of the disaster
|•
|
Assistance required in overcoming the disaster
|•
|
Anticipated timelines
COMMUNICATING WITH EMPLOYEES
The Communications Team’s second priority will be to ensure that the entire company has been notified of the disaster. The best and/or most practical means of contacting all of the employees will be used with preference on the following methods (in order):
|•
|
E-mail (via corporate e-mail where that system still functions)
|•
|
Slack application
|•
|
E-mail (via non-corporate or personal e-mail)
|•
|
Telephone to employee home phone number
|•
|
Telephone to employee mobile phone number
The employees will need to be informed of the following:
|•
|
Whether it is safe for them to come into the office
|•
|
Where they should go if they cannot come into the office
|•
|
Which services are still available to them
|•
|
Work expectations of them during the disaster
EMPLOYEE CONTACTS
See latest Employee Directory
COMMUNICATING WITH CLIENTS
After all of the organization’s employees have been informed of the disaster, the Communications Team will be responsible for informing clients of the disaster and the impact that it will have on the following:
|•
|
Anticipated impact on service offerings
|•
|
Anticipated impact on delivery schedules
|•
|
Anticipated impact on security of client information
|•
|
Anticipated timelines
Crucial clients will be made aware of the disaster situation first. All other clients will be contacted only after all crucial clients have been contacted.
COMMUNICATING WITH VENDORS
After all of the organization’s employees have been informed of the disaster, the Communications Team will be responsible for informing vendors of the disaster and the impact that it will have on the following:
|•
|
Adjustments to service requirements
|•
|
Adjustments to delivery locations
|•
|
Adjustments to contact information
|•
|
Anticipated timelines
Crucial vendors will be made aware of the disaster situation first. All other vendors will be contacted only after all crucial vendors have been contacted.
Vendors encompass those organizations that provide everyday services to the enterprise, but also the hardware and software companies that supply the IT department. The Communications Team will act as a go-between between the DR Team leads and vendor contacts should additional IT infrastructure be required.
Assessment of Current and Prevention of Further Damage
Before any employees from Paralel Technologies can enter the primary facility after a disaster, appropriate authorities must first ensure that the premises are safe to enter.
The first team that will be allowed to examine the primary facilities once it has been deemed safe to do so will be the Facilities Team. Once the Facilities Team has completed an examination of the building and submitted its report to the Disaster Management Team, the Information Technology (IT) and Operations Teams will be allowed to examine the building. All teams will be required to create an initial report on the damage and provide this to the Disaster Management Team within 4 hours of the initial disaster.
During each team’s review of their relevant areas, they must assess any areas where further damage can be prevented and take the necessary means to protect Paralel Technologies assets. Any necessary repairs or preventative measures must be taken to protect the facilities; these costs must first be approved by the Disaster Management Team.
Remote Work
Paralel operates a cloud first environment that easily facilitates remote work for all critical business functions. As such, employees will be notified through the DRP plan communication if they should begin remote activities from their homes or other alternate location.
Restoring IT Functionality
Should a disaster actually occur and Paralel Technologies need to exercise this plan, this section will be referred to frequently, as it contains all of the information that describes the manner in which Paralel Technologies’ information systems will be recovered.
IT Systems
| Rank | IT System | System Components (In order of importance) |
| 1 | Core Network | Routers, Modems, Firewalls, Switches, UPS, Internet Service |
| 2 | Core Servers* | Domain Controllers, DNS, DHCP Servers |
| 3 | File Server* | Applications and Remote Access Servers may require access to File Servers and should be online prior. |
| 4 | Database Servers* | Core Applications may require access to database servers and therefore Database servers must be online first. |
| 5 | Web/App Servers* | All Web & Application Servers |
| 6 | Remote Access Servers* | All Remote Access Servers |
| 7 | Cloud Servers | No Action Needed |
* - Paralel currently operates no servers on premises. All servers are Cloud based.
Plan Testing & Maintenance
While efforts will be made initially to construct this DRP in as complete and accurate a manner as possible, it is difficult to address all possible challenges at any given point in time. Additionally, over time the Disaster Recovery needs of the enterprise will change. As a result of these two factors, this plan will need to be tested on a periodic basis to discover errors and omissions and will need to be maintained to address them.
MAINTENANCE
The DRP will be updated once a year or any time a major system update or upgrade is performed, whichever is more often. The Disaster Management Team will be responsible for updating the entire document, and so is permitted to request information and updates from other employees and departments within the organization in order to complete this task.
Maintenance of the plan will include (but is not limited to) the following:
|1.
|
Ensuring that call trees are up to date
|2.
|
Ensuring that all team lists are up to date
|3.
|
Reviewing the plan to ensure that all of the instructions are still relevant to the organization
|4.
|
Making any major changes and revisions in the plan to reflect organizational shifts, changes and goals
|5.
|
Ensuring that the plan meets any requirements specified in new laws
|6.
|
Other organizational specific maintenance goals
During the Maintenance periods, any changes to the Disaster Recovery Teams must be accounted for. If any member of a Disaster Recovery Team no longer works with the company, it is the responsibility of the Disaster Management Team to appoint a new team member.
TESTING
Paralel Technologies is committed to ensuring that this DRP/BCP Plan is functional. The DRP should be tested at least every twelve months in order to ensure that it is still effective. Testing the plan will be carried out as follows:
1) Walkthroughs – Team members verbally go through the specific steps as documented in the plan to confirm effectiveness and to identify gaps, bottlenecks or other weaknesses. This test provides the opportunity to review a plan with a larger subset of people, allowing the DRP project manager to draw upon a correspondingly increased pool of knowledge and experiences. Staff should be familiar with procedures, equipment, and offsite facilities (if required).
2) Simulations – A disaster is simulated so normal operations will not be interrupted. Hardware, software, personnel, communications, procedures, supplies and forms, documentation, transportation, and utilities should be thoroughly tested in a simulation test. However, validated checklists can provide a reasonable level of assurance for many of these scenarios. Analyze the output of the previous tests carefully before the proposed simulation to ensure the lessons learned during the previous phases of the cycle have been applied.
3) Parallel Testing – A parallel test can be performed in conjunction with the checklist test or simulation test. Under this scenario, historical transactions, such as the prior business day’s transactions, are processed against the preceding day’s backup files at the contingency processing site or hot site.
4) Full-Interruption Testing – A full-interruption test activates the total DRP. The test is likely to be costly and could disrupt normal operations, and therefore should be approached with caution. The importance of due diligence with respect to previous DRP phases cannot be overstated.
Any gaps in the DRP that are discovered during the testing phase will be addressed by the Disaster Recovery Lead as well as any resources that he/she will require.