Item 30. Exhibit (g) i. a. 3.
___________________________________________________________________________
NOTE: certain information enclosed within brackets
has been excluded from this exhibit because it is
both (i) not material and (ii) would likely cause
competitive harm to the registrant if publicly disclosed.
___________________________________________________________________________
AMENDMENT to the
REINSURANCE AGREEMENTS
in the attached Exhibit 1
(the “Agreements”)
between
MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY,
MML BAY STATE LIFE INSURANCE COMPANY, and
C.M. LIFE INSURANCE COMPANY
(hereinafter the “Ceding Company”)
and
HANNOVER LIFE REASSURANCE COMPANY OF AMERICA
(hereinafter the “Reinsurer”)
Effective October 1, 2018, the Amendment Effective Date, the Ceding Company and the Reinsurer agree to amend the Agreements to add Information Security.
1. The Article that addresses the Gramm-Leach-Bliley Privacy Act language is hereby removed from the Agreements and replaced with the Information Security Article in the attached Exhibit 2.
2. Data Security Procedures, in the attached Exhibit 3, is hereby added to the Agreements.
All terms and conditions of the Agreements not in conflict with the terms and conditions of this Amendment shall continue unchanged.
[SIGNATURE PAGE FOLLOWS]
Page 1 of 6
[_____]
Amendment to add information security to all treaties, page 2
IN WITNESS WHEREOF, the parties hereto execute this Amendment in good faith:
MASSACHUSETTS MUTUAL LIFE INSURANCE COMPANY
By: /s/ Peter G Ferris
Date: 11-16-18
Peter G Ferris
Vice President & Actuary

MML BAY STATE LIFE INSURANCE COMPANY
By: /s/ Peter G Ferris
Date: 11-16-18
Peter G Ferris
Vice President & Actuary

C.M. LIFE INSURANCE COMPANY
By: /s/ Peter G Ferris
Date: 11-16-18
Peter G Ferris
Vice President & Actuary

HANNOVER LIFE REASSURANCE COMPANY OF AMERICA
By: /s/ Jay Biehl
Date: 11/15/18
Print name: Jay Biehl
Title: SVP

HANNOVER LIFE REASSURANCE COMPANY OF AMERICA
By: /s/ Joan M Paulter
Date: 11/15/2018
Print name: Joan Paulter
Title: VP
Exhibit 1
|Effective Date of Agreement | Description | Reinsurer’s Agreement # | TAI Code | Coins / YRT|
|4/1/2005 | GUL/GVUL | [_____] | [_____] | YRT|
|4/1/2010 | GUL/GVUL NY | [_____] | [_____] | YRT|
|12/1/2015 | GULII/GVULII | [_____] | [_____] | YRT|
Exhibit 2
Information Security Article
The parties hereto acknowledge that the Reinsurer and its affiliates may have access to Personal Information, as defined below, as is otherwise necessary for purposes of the reinsurance provided under the Agreements.
The Ceding Company agrees to, and will, transmit Personal Information to the Reinsurer on an encrypted basis using encryption methods and software generally accepted and customarily used in the insurance industry.
To the extent that any Personal Information is provided to the Reinsurer or its affiliates in connection with the Agreements, the Reinsurer agrees to, and agrees to cause its affiliates and instruct its representatives and service providers to, comply with the privacy laws applicable to such Personal Information and protect the confidentiality and security of any Personal Information provided to it hereunder by:
a. holding all Personal Information in strict confidence;
b. maintaining appropriate measures that are designed to protect the security, integrity and confidentiality of Personal Information; and
c. disclosing and using Personal Information received under the Agreements for purposes of carrying out the transactions contemplated by the Agreements, for retrocession purposes, as requested by external auditors, as required by court order, or as required by law or regulation.
The Reinsurer agrees that it shall as promptly as reasonably practicable (and in any event in accordance with applicable law), notify the Ceding Company when it becomes aware of any Security Breach, defined as the unauthorized access of Company Information. Company Information is defined in Exhibit 3. In addition to such notification, no later than [_____] calendar days after detection (or later if legally acceptable but in no case more than [_____]) of the Security Breach, the Reinsurer will also provide Ceding Company with a report summarizing the Security Breach, which will include, at a minimum, the following: date, time, description, how the Security Breach was detected, systems and/or data (including Personal Information) subject to unauthorized access, root cause, corrective action taken to date and any additional planned actions.
The Reinsurer shall comply with the additional data security procedures set forth in Exhibit 3.
“Personal Information” means (i) any “nonpublic personal information” as such term is defined under the Title V of the U.S. Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and the rules and regulations issued thereunder, (ii) any information that can specifically identify an individual, such as name, signature, address, social security number, telephone number or other unique identifier, together with any other information that relates to an individual who has been so identified in any format whether written, electronic or otherwise, (iii) information that can be used to authenticate an individual (including, without limitation, passwords or PINs, biometric data, unique identification numbers, answer to security questions, or other personal identifiers) in any format whether written, electronic or otherwise, or (iv) any personally identifiable medical, financial and other personal information, in each case about proposed, current and former applicants, policy owners, contract holders, insureds, claimants and beneficiaries of policies covered under the Agreements.
Exhibit 3
Data Security Procedures
The Reinsurer shall develop and employ administrative, technical, and physical access control procedures, restrictions and safeguards to protect its computer and communication environment, including any Company Information stored thereon, against unauthorized access, use, alteration, or destruction. “Company Information” shall mean any data owned by the Ceding Company and in the possession of the Reinsurer (including any Personal Information). The Reinsurer agrees that Company Information shall be deemed “Confidential Information” and shall be used by the Reinsurer only in connection with the reinsurance provided under the Agreements.
The Ceding Company agrees that the transfer of Company Information to the Reinsurer will be secured through the use of commercially reasonable encryption technology or physical security measures.
The Reinsurer shall operate, monitor, review and continually improve a written information security management system (ISMS) in accordance with international Standard ISO/IEC 27002:2013 framework, as same may be amended, supplemented or restated or other equivalent and applicable authoritative sources as acceptable to the Ceding Company, in its sole discretion. The Reinsurer shall implement, maintain, assess, monitor, and enforce compliance in all material respects with the Reinsurer’s ISMS.
The Reinsurer shall develop and employ disaster recovery and business continuity plans to ensure that the Reinsurer will continue to provide reinsurance as contemplated under the Agreements. The Reinsurer shall comply in all material respects with all federal and state laws relating to privacy, the protection of personal information, and data protection (including without limitation applicable security breach notification obligations).
The Reinsurer shall permit the Ceding Company or, as the Ceding Company may require, the Ceding Company’s representatives or government authorities, directly or in association with an auditor or analyst, to audit the data center architecture, systems and procedures used in connection with the reinsurance provided by the Reinsurer under the Agreements in order to evaluate the Reinsurer’s compliance with security, confidentiality and privacy obligations, detect and assess potential vulnerabilities, and evaluate the Reinsurer’s preparedness for contingencies that could affect such reinsurance. The Reinsurer will (and will cause its subcontractors to) keep and maintain complete and correct books, records and documentation relating to (their) the reinsurance provided under the Agreements.
The Reinsurer will not disclose Company Information to any other parties except as necessary for retrocession purposes, as requested by external auditors, as required by court order, or as required by law or regulation.
The Reinsurer shall not transfer, store or process any Company Information in any location outside of the United States of America except as may otherwise be required for reporting to the Reinsurer’s retrocessionaires or by the Reinsurer’s group internal processes and procedures.
The Reinsurer will implement commercially reasonable personnel and administrative controls to mitigate security risks, including but not limited to: (a) background checks on the Reinsurer’s U.S. employees with administrator access to the Reinsurer’s hosting platform; and (b) limiting access to the Reinsurer’s hosting platform to authorized individuals.
The Reinsurer shall not permit any subcontractor to access Company Information except for the uses otherwise provided in the Agreements, and the Reinsurer shall prohibit such subcontractors from using Company Information for any other purpose. The Reinsurer remains responsible for its subcontractors’ compliance with the obligations of the Agreements. The Reinsurer shall require any subcontractors to whom the Reinsurer transfers Company Information or permits access to Company Information by use of the Reinsurer’s computer or communications environment, to enter into a written agreement with the Reinsurer requiring the subcontractor abide by terms no less protective than the Agreements for protection of the Company Information.
The Reinsurer shall indemnify the Ceding Company for actual, direct damages or costs incurred by Ceding Company related to unauthorized access, disclosure or use of Company Information due to the Reinsurer’s violation of its information security obligations hereunder including (i) governmental fines and/or penalties imposed on the Ceding Company, (ii) costs of remedial actions required of Ceding Company by law, and (iii) costs reasonably incurred by Ceding Company relating to required notice of data breach to affected customers of Ceding Company.