
Exhibit j.3

AMENDMENT TO THE

AMENDED AND RESTATED CUSTODIAN AGREEMENT

BETWEEN

EACH MANAGEMENT INVESTMENT COMPANY IDENTIFIED ON APPENDIX A OF

THE AGREEMENT

AND

STATE STREET BANK AND TRUST COMPANY

AMENDMENT to the Amended and Restated Custodian Agreement (the “Agreement”) made as of July 15, 2015 by and between State Street Bank and Trust Company, a Massachusetts trust company (the “Custodian”) and each management investment company identified on Appendix A of the Agreement and each management investment company which becomes a party to this Agreement in accordance with the terms hereof (in each case, a “Fund” or “Funds”), including, if applicable, each series of the Fund identified on Appendix A and each series which becomes a party to this Agreement in accordance with the terms hereof.

WHEREAS, the Agreement provides that it may be amended by agreement between the parties at any time or from time to time in writing; and

WHEREAS, Custodian and the Funds wish to extend the Agreement and to add Funds effective July 31, 2020;

NOW, THEREFORE, the Agreement is hereby amended as follows:

 

1. To restate Section 16.1, Term, in its entirety, as follows:

16.1 Term. This Agreement shall remain in full force and effect until April 1, 2026 (the “Term”), unless either party terminates this Agreement prior to April 1, 2026 by giving the other party not less than 120 days advance written notice. If this Agreement isn’t terminated prior to the expiration of the Term, this Agreement shall automatically renew for successive one-year terms unless a written notice of non-renewal is delivered by the non-renewing party no later than ninety (90) days prior to the expiration of the Term, or any renewal term, as the case may be. A written notice of non-renewal may be given as to a Fund or a Portfolio.

 

2. To restate Section 20.8, Notices, in its entirety, as follows:

20.8 Notices. Any notice, instruction or other communication required to be given hereunder will, unless otherwise provided in this Agreement, be in writing and may be sent by hand, or by facsimile transmission, or overnight delivery by any recognized delivery service, to the parties at the following addresses or such other addresses as may be notified by any party from time to time.

To Any Fund:

Nuveen Investments

8500 Andrew Carnegie Blvd.

Charlotte, NC 28262

Attn: Heather Bienskie

Phone: 704-988-3801


with a copy to:

Nuveen Investments

333 West Wacker Drive

Chicago, IL 60606

Attn: Nuveen Legal, Associate General Counsel

To the Custodian:

STATE STREET BANK AND TRUST COMPANY

One Lincoln Street

Boston, MA 02111

Attention: Louis Abruzzi

Telephone: 617-662-0300

with a copy to:

STATE STREET BANK AND TRUST COMPANY

Legal Division – Global Services Americas

One Lincoln Street

Boston, MA 02111

Attention: Senior Vice President and Senior Managing Counsel

 

3. To add a new Section 20.18, Information Security, as follows:

20.18 Information Security. Custodian represents that it currently maintains and shall continue to maintain throughout the term of this Agreement physical, electronic and procedural safeguards as described in the State Street Client Information Security Addendum attached hereto.

 

4. To add a new Section 20.19, Business Continuity, as follows:

20.19 Business Continuity. Custodian shall maintain throughout the term of this Agreement business continuity, disaster recovery, and backup capabilities (the “Plan(s)”) that permit Custodian to perform its obligations hereunder with minimal disruptions or delays. The Plans shall provide for the recovery from disruptions to suppliers, sites, technology and staff, including pandemic planning or other impacts that could result in mass protracted absenteeism. Custodian shall also maintain recovery time objectives (“RTOs”) for all business critical functions used to perform the services. Custodian’s current RTOs priority levels for critical functions, which are objectives, do not exceed seven (7) business days. RTOs are Custodian’s internal guidelines only and may be updated from time to time by Custodian. Upon request, Custodian will provide to the Funds updates, if any, on RTOs.

 

5. Effective July 31, 2020, restating Appendix A, in its entirety, as attached.

 

6. To add the “State Street Client Information Security Addendum” as attached hereto.

 

7. All other provisions, terms and conditions contained in the Agreement, as amended, shall remain in full force and effect.


IN WITNESS WHEREOF, the parties hereto have executed this Amendment as of the 31st day of July 2020.

 

STATE STREET BANK AND TRUST COMPANY

Signed on its behalf:

By: /s/ Andrew Erickson

(Authorized Signatory)

Name: Andrew Erickson

Title: Executive Vice President

EACH OF THE MANAGEMENT INVESTMENT COMPANIES AND SERIES SET FORTH ON APPENDIX A HERETO

Signed on its behalf:

By: /s/ E. Scott Wickerham

(Authorized Signatory)

Name: E. Scott Wickerham

Title: SMD, Head of Fund Admin, VP & Controller of the Funds


APPENDIX A

TO

AMENDED AND RESTATED MASTER CUSTODIAN AGREEMENT

July 15, 2015

(Updated as of July 31, 2020)

NUVEEN CLOSED-END MANAGEMENT INVESTMENT COMPANIES

Nuveen All Cap Energy MLP Opportunities Fund

Nuveen AMT-Free Municipal Credit Income Fund f/k/a Nuveen Enhanced AMT-Free Municipal Credit Opportunities Fund

Nuveen AMT-Free Municipal Value Fund

Nuveen AMT-Free Quality Municipal Income Fund f/k/a Nuveen AMT-Free Municipal Income Fund

Nuveen Arizona Quality Municipal Income Fund f/k/a Nuveen Arizona Premium Income Municipal Fund

Nuveen Build America Bond Opportunity Fund

Nuveen California AMT-Free Quality Municipal Income Fund f/k/a Nuveen California AMT-Free Municipal Income Fund

Nuveen California Dividend Advantage Municipal Fund 2

Nuveen California Dividend Advantage Municipal Fund 3

Nuveen California Municipal Value Fund 2

Nuveen California Municipal Value Fund, Inc.

Nuveen California Quality Municipal Income Fund f/k/a Nuveen California Dividend Advantage Municipal Fund

Nuveen California Select Tax-Free Income Portfolio

Nuveen Connecticut Quality Municipal Income Fund f/k/a Nuveen Connecticut Premium Income Municipal Fund

Nuveen Core Equity Alpha Fund

Nuveen Credit Opportunities 2020 Target Term Fund

Nuveen Credit Opportunities 2022 Target Term Fund

Nuveen Credit Opportunities 2024 Target Term Fund

Nuveen Credit Strategies Income Fund

Nuveen Diversified Dividend and Income Fund

Nuveen Dow 30SM Dynamic Overwrite Fund

Nuveen Dynamic Municipal Opportunities Fund

Nuveen Emerging Markets Debt 2022 Target Term Fund

Nuveen Emerging Markets Debt 2025 Term Fund

Nuveen Energy MLP Total Return Fund

Nuveen Enhanced Municipal Value Fund

Nuveen Floating Rate Income Fund

Nuveen Floating Rate Income Opportunity Fund

Nuveen Georgia Quality Municipal Income Fund f/k/a Nuveen Georgia Dividend Advantage Municipal Fund 2

Nuveen Global Equity Income Fund

Nuveen Global High Income Fund

Nuveen High Income 2020 Target Term Fund

Nuveen High Income 2023 Target Term Fund

Nuveen High Income December 2018 Target Term Fund

Nuveen High Income December 2019 Target Term Fund


Nuveen High Income November 2021 Target Term Fund

Nuveen Intermediate Duration Municipal Term Fund

Nuveen Intermediate Duration Quality Municipal Term Fund

Nuveen Maryland Quality Municipal Income Fund f/k/a Nuveen Maryland Premium Income Municipal Fund

Nuveen Massachusetts Quality Municipal Income Fund f/k/a Nuveen Massachusetts Premium Income Municipal Fund

Nuveen Michigan Quality Municipal Income Fund f/k/a Nuveen Michigan Quality Income Municipal Fund

Nuveen Minnesota Quality Municipal Income Fund f/k/a Nuveen Minnesota Municipal Income Fund

Nuveen Missouri Quality Municipal Income Fund f/k/a Nuveen Missouri Premium Income Municipal Fund

Nuveen Mortgage and Income Fund f/k/a Nuveen Mortgage Opportunity Term Fund

Nuveen Mortgage Opportunity Term Fund 2

Nuveen Multi-Market Income Fund

Nuveen Municipal 2021 Target Term Fund

Nuveen Municipal Credit Income Fund f/k/a Nuveen Enhanced Municipal Credit Opportunities Fund

Nuveen Municipal Credit Opportunities Fund

Nuveen Municipal High Income Opportunity Fund

Nuveen Municipal Income Fund, Inc.

Nuveen Municipal Value Fund, Inc.

Nuveen NASDAQ 100 Dynamic Overwrite Fund

Nuveen New Jersey Municipal Value Fund

Nuveen New Jersey Quality Municipal Income Fund f/k/a Nuveen New Jersey Dividend Advantage Municipal Fund

Nuveen New York AMT-Free Quality Municipal Income Fund f/k/a Nuveen New York AMT-Free Municipal Income Fund

Nuveen New York Municipal Value Fund 2

Nuveen New York Municipal Value Fund, Inc.

Nuveen New York Quality Municipal Income Fund f/k/a Nuveen New York Dividend Advantage Municipal Fund

Nuveen New York Select Tax-Free Income Portfolio

Nuveen North Carolina Quality Municipal Income Fund f/k/a Nuveen North Carolina Premium Income Municipal Fund

Nuveen Ohio Quality Municipal Income Fund f/k/a Nuveen Ohio Quality Income Municipal Fund

Nuveen Pennsylvania Quality Municipal Income Fund f/k/a Nuveen Pennsylvania Investment Quality Municipal Fund

Nuveen Pennsylvania Municipal Value Fund

Nuveen Preferred and Income 2022 Term Fund

Nuveen Preferred and Income Term Fund

Nuveen Preferred & Income Opportunities Fund f/k/a Nuveen Preferred Income Opportunities Fund

Nuveen Preferred & Income Securities Fund f/k/a Nuveen Preferred Securities Income Fund

Nuveen Quality Municipal Income Fund f/k/a Nuveen Dividend Advantage Municipal Fund

Nuveen Real Asset Income and Growth Fund

Nuveen Real Estate Income Fund

Nuveen S&P 500 Buy-Write Income Fund

Nuveen S&P 500 Dynamic Overwrite Fund

Nuveen Select Maturities Municipal Fund

Nuveen Select Tax-Free Income Portfolio

Nuveen Select Tax-Free Income Portfolio 2

Nuveen Select Tax-Free Income Portfolio 3

Nuveen Senior Income Fund


Nuveen Short Duration Credit Opportunities Fund

Nuveen Strategic Municipal Credit Fund f/k/a Nuveen Municipal High Yield & Special Situations Fund

Nuveen Tax-Advantaged Dividend Growth Fund

Nuveen Tax-Advantaged Total Return Strategy Fund

Nuveen Taxable Municipal Income Fund f/k/a Nuveen Build America Bond Fund

Nuveen Texas Quality Municipal Income Fund f/k/a Nuveen Texas Quality Income Municipal Fund

Nuveen Virginia Quality Municipal Income Fund f/k/a Nuveen Virginia Premium Income Municipal Fund

NUVEEN OPEN-END MANAGEMENT INVESTMENT COMPANIES

NUVEEN MUNICIPAL TRUST, on behalf of:

Nuveen All-American Municipal Bond Fund

Nuveen High Yield Municipal Bond Fund

Nuveen Inflation Protected Municipal Bond Fund

Nuveen Intermediate Duration Municipal Bond Fund

Nuveen Limited Term Municipal Bond Fund

Nuveen Short Duration High Yield Municipal Bond Fund

Nuveen Strategic Municipal Opportunities Fund

NUVEEN MULTISTATE TRUST I, on behalf of:

Nuveen Arizona Municipal Bond Fund

Nuveen Colorado Municipal Bond Fund

Nuveen Maryland Municipal Bond Fund

Nuveen New Mexico Municipal Bond Fund

Nuveen Pennsylvania Municipal Bond Fund

Nuveen Virginia Municipal Bond Fund

NUVEEN MULTISTATE TRUST II, on behalf of:

Nuveen California High Yield Municipal Bond Fund

Nuveen California Intermediate Municipal Bond Fund

Nuveen California Municipal Bond Fund

Nuveen Connecticut Municipal Bond Fund

Nuveen Massachusetts Municipal Bond Fund

Nuveen New Jersey Municipal Bond Fund

Nuveen New York Municipal Bond Fund

NUVEEN MULTISTATE TRUST III, on behalf of:

Nuveen Georgia Municipal Bond Fund

Nuveen Louisiana Municipal Bond Fund

Nuveen North Carolina Municipal Bond Fund

Nuveen Tennessee Municipal Bond Fund

NUVEEN MULTISTATE TRUST IV, on behalf of:

Nuveen Kansas Municipal Bond Fund

Nuveen Kentucky Municipal Bond Fund

Nuveen Michigan Municipal Bond Fund


Nuveen Missouri Municipal Bond Fund

Nuveen Ohio Municipal Bond Fund

Nuveen Wisconsin Municipal Bond Fund

NUVEEN INVESTMENT TRUST, on behalf of:

Nuveen Equity Market Neutral Fund

Nuveen Global Total Return Bond Fund

Nuveen Large Cap Core Fund

Nuveen Large Cap Growth Fund

Nuveen Large Cap Value Fund

Nuveen NWQ Global All-Cap Fund

Nuveen NWQ Global Equity Income Fund

Nuveen NWQ Multi-Cap Value Fund

Nuveen NWQ Large-Cap Value Fund

Nuveen NWQ Small-Cap Value Fund

Nuveen NWQ Small/Mid-Cap Value Fund

Nuveen U.S. Infrastructure Bond Fund

NUVEEN INVESTMENT TRUST II, on behalf of:

Nuveen Emerging Markets Equity Fund

Nuveen Equity Long/Short Fund

Nuveen Global Growth Fund

Nuveen International Growth Fund

Nuveen NWQ International Value Fund

Nuveen NWQ Japan Fund

Nuveen Santa Barbara Dividend Growth Fund

Nuveen Santa Barbara Global Dividend Growth Fund

Nuveen Santa Barbara International Dividend Growth Fund

Nuveen Symphony Dynamic Equity Fund

Nuveen Symphony International Equity Fund

Nuveen Symphony Mid-Cap Core Fund

Nuveen Symphony Small Cap Core Fund

Nuveen Tradewinds Emerging Markets Fund

Nuveen Winslow International Large Cap Fund

Nuveen Winslow International Small Cap Fund

Nuveen Winslow Large-Cap Growth ESG Fund f/k/a Nuveen Winslow Large-Cap Growth Fund

Nuveen Winslow Managed Volatility Equity Fund

NUVEEN INVESTMENT TRUST III, on behalf of:

Nuveen Symphony Dynamic Credit Fund

Nuveen Symphony Floating Rate Income Fund

Nuveen Symphony High Yield Bond Fund

Nuveen Symphony High Yield Income Fund f/k/a Nuveen Symphony Credit Opportunities Fund

NUVEEN INVESTMENT TRUST V, on behalf of:

Nuveen Global Real Estate Securities Fund

Nuveen Gresham Diversified Commodity Strategy Fund

Nuveen Gresham Long/Short Commodity Strategy Fund

Nuveen Gresham Managed Futures Strategy Fund


Nuveen Multi-Asset Income Fund

Nuveen Multi-Asset Income Tax-Aware Fund

Nuveen NWQ Flexible Income Fund

Nuveen Preferred Securities and Income Fund f/k/a Nuveen Preferred Securities Fund

NUVEEN MANAGED ACCOUNTS PORTFOLIOS TRUST, on behalf of

Nuveen Core Impact Bond Managed Accounts Portfolio

Municipal Total Return Managed Accounts Portfolio

NUVEEN INVESTMENT FUNDS, INC., on behalf of

Nuveen Dividend Value Fund

Nuveen Global Infrastructure Fund

Nuveen Credit Income Fund f/k/a Nuveen High Income Bond Fund

Nuveen Large Cap Select Fund

Nuveen Mid Cap Growth Opportunities Fund

Nuveen Mid Cap Growth Value Fund

Nuveen Minnesota Intermediate Municipal Bond Fund

Nuveen Minnesota Municipal Bond Fund

Nuveen Nebraska Municipal Bond Fund

Nuveen Oregon Intermediate Municipal Bond Fund

Nuveen Real Asset Income Fund

Nuveen Real Estate Securities Fund

Nuveen Short Term Municipal Bond Fund

Nuveen Small Cap Growth Opportunities Fund

Nuveen Small Cap Select Fund

Nuveen Small Cap Value Fund

Nuveen Strategic Income Fund


State Street Client Information Security Addendum

All capitalized terms not defined in this State Street Client Information Security Addendum (this “Security Addendum”) shall have the meanings ascribed to them in the Amended and Restated Master Custodian Agreement by and between State Street Bank and Trust Company (“State Street”) and each management investment company identified on Appendix A of the Agreement (“Client”) dated July 15, 2015 (the “Agreement”).

State Street and Client hereby agree that State Street shall maintain an information security policy (“Security Policy”) that satisfies the requirements set forth below; provided, that, because information security is a highly dynamic space (where laws, regulations and threats are constantly changing), State Street reserves the right to make changes to its information security controls at any time and at the sole discretion of State Street in a manner that it believes does not materially reduce the protection it applies to Client Data. State Street will review the policy on an annual basis.

From time to time, State Street may subcontract services performed under the Agreement (to the extent provided for under the Agreement) or provide access to Client’s Confidential Information (“Client Data”) its network to a subcontractor or other third party; provided, that, such subcontractor or third party implements and maintains security measures that State Street believes are at least as stringent as those described in this Security Addendum. State Street must maintain an up-to-date list of subcontractors that access, store, transmit, or use Client Data, and must provide the list to Client upon request.

For subcontractors who collect, transmit, share, store, control, process, manage or access Client Data, State Street is responsible for assessing and monitoring subcontractor control environments.

 

1.     Objective.

The objective of State Street’s Security Policy and related information security program is to implement data security measures consistent in all material respects with applicable prevailing industry practices and standards (“Objective”). State Street must define job responsibilities to ensure effective management of information security and appropriate separation of duties within the organization. State Street will utilize qualified information security personnel sufficient to manage State Street’s cybersecurity risks. In order to meet such Objective, State Street uses commercially reasonable efforts to:

a.        Protect the privacy, confidentiality, integrity, and availability of all confidential data and information disclosed by or on behalf of Client to, or otherwise comes into the possession of State Street, in connection with the provision of Services under the Agreement and to the extent the same is deemed Client Data;

b.        protect against accidental, unauthorized, unauthenticated or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of the Client Data;

c.        comply with applicable governmental laws, rules and regulations that are relevant to the handling, processing and use of Client Data by State Street in accordance with the Agreement;

d.        implement customary administrative, physical, technical, procedural and organizational safeguards; and

e.        limit the amount of Client Data collected to that reasonably necessary to accomplish the Services, limit the time such information is retained to that reasonably necessary to perform the Services, and limit access to those persons who are reasonably required to access or handle the Client Data in order to perform the Services.

 

2.     Risk Assessments.

a.        Risk Assessment - State Street shall, at least annually, perform risk assessments that are designed to identify material threats (both internal and external) against Client Data, the likelihood of those threats occurring and the impact of those threats upon the State Street organization to evaluate and analyze the appropriate level of information security safeguards (“Risk Assessments”).

b.        Risk Mitigation - State Street shall use commercially reasonable efforts to manage, control and remediate any threats identified in the Risk Assessments that it believes are likely to result in material unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of Client Data, consistent with the Objective, and commensurate with the sensitivity of the Client Data and the complexity and scope of the activities of State Street pursuant to the Agreement.

c.        Security Controls Testing - State Street shall, on approximately an annual basis, engage an independent external party to conduct periodic reviews of State Street’s information security practices. State Street shall have a process to review and evaluate high risk findings resulting from this testing.

3.     Security Controls. Prior to State Street having access to Client Data, then annually and upon Client’s reasonable request, State Street shall provide Client’s Chief Information Security Officer or his or her designee with a copy of its corporate information security controls that form the basis for State Street’s Security Policy and an opportunity to discuss State Street’s information security measures with a qualified member of State Street’s information technology management team.

 

4.     Organizational Security.

a.        Responsibility - State Street shall assign responsibility for information security management to senior personnel only and will name a State Street employee to be responsible for leading this information security function.

b.        Access - State Street shall permit only those personnel performing roles supporting the provision of Services under the Agreement to access Client Data.

c.        Confidentiality - State Street personnel who have accessed or otherwise been made known of Client Data shall maintain the confidentiality of such information in accordance with the terms of the Agreement.

d.        Policy Exception - As part of the Security Policy State Street shall implement a process by which exceptions to the Security Policy are reviewed and processed. This exception process must be documented.

e.        Training - State Street will provide information security training on approximately an annual basis, to its personnel.

 

5.     Data Protection.

a.        Data Sensitivity - State Street acknowledges that it understands the sensitivity of Client Data.

b.        Data Flow - State Street must document data flows and associated protections for data which is sent or received between Client systems and State Street systems.

c.        External Hosting Facilities – State Street shall implement controls, consistent with applicable prevailing industry practices and standards, regarding the collection, use, storage and/or disclosure of Client Data by an external hosting provider.

d.        Segregation of Client Data - State Street shall use generally accepted security management controls designed to ensure that none of State Street’s other clients have access to Client Data.

 

6.     Physical Security and Data Destruction.

a.        Securing Physical Facilities - State Street shall maintain systems located in State Street facilities that host Client Data or provide Services under the Agreement in an environment that is designed to be physically secure and to allow access only to authorized individuals. A secure environment includes the availability of onsite security personnel on a 24 x 7 basis or equivalent means of monitoring locations supporting the delivery of Services under the Agreement.

b.        Physical Security of Media - State Street shall implement controls, consistent with applicable prevailing industry practices and standards that are designed to deter the unauthorized viewing, copying, alteration or removal of any media containing Client Data. Removable media on which Client Data is stored (including thumb drives, CDs, and DVDs, and PDAs) by State Street must be encrypted using at least 256 bit AES (or equivalent).

c.        Media Destruction – State Street shall destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs) containing Client Data or use commercially reasonable efforts to render Client Data on such physical media unintelligible if such media or mobile device is no longer intended to be used. All backup tapes that are not destroyed must meet the level of protection described in this Security Addendum until destroyed. Electronic media that is not physically destroyed as part of the disposal process must be irrevocably erased or degaussed, such that the media is no longer readable for any purpose. State Street must develop and document information destruction processes that meet industry standards and must be used in all cases when Client Data is no longer needed. State Street shall keep records of all Client Data destruction completed and provide such records to Client upon demand or provide a certification that all such information has been destroyed in accordance with this Security Addendum.

d.        Paper Destruction - State Street shall cross shred all paper waste containing Client Data and dispose in a secure and confidential manner.

 

7.     Communications and Operations Management.

a.        Firewall Management – Firewall management processes must be documented and meet industry standards. Any files containing Client Data on a system connected to the internet must be protected with up to date, industry standard, firewall protections and operating system security patches designed to maintain integrity and security of the Client Data.

b.        Network Access – State Street must implement controls designed to prevent unauthorized devices from physically connecting to the internal network or to detect and alert an administrator (e.g. Network Access Control device (NAC)).

c.        Monitoring Systems - State Street shall monitor its systems for (i) security incidents; (ii) unauthorized use of or access to Client Data; and (iii) violations and suspicious activity. This includes suspicious external activity (including unauthorized probes, scans or break-in attempts) and suspicious internal activity (including unauthorized system administrator access, unauthorized changes to its systems or network, system or network misuse or theft or mishandling of Client Data). State Street shall maintain audit and logging capabilities that will enable State Street to effectively detect, respond to and investigate a data security incident.

d.        Intelligence Services - State Street shall monitor industry-standard information channels for newly identified system vulnerabilities and emerging risks regarding the technologies and Services provided to Client.

e.        Intrusion Detection and Prevention - State Street shall maintain software, hardware, intrusion detection system, personnel and other resources designed to ascertain whether a penetration attempt is being made against any part of State Street’s network, mainframe, server or other infrastructure used by State Street to process, store or transport Client Data. This may include deploying intrusion detection/intrusion prevention controls to block, monitor, and alert State Street of security incidents that may require escalation to, and response from, State Street’s incident response personnel on a 24 hours per day, 7 days per week, 365 days per year basis.

f.        Network Penetration Testing - State Street shall, on approximately an annual basis, contract with an independent third party to conduct a network penetration test. State Street shall have a process to review and evaluate high risk findings resulting from this testing. The cost of vulnerability and penetration testing will be assumed by State Street.

g.        Data Protection During Transmission - State Street shall encrypt, using an industry recognized encryption algorithm, personally identifiable Client Data when in transit across public networks.

h.        Data Loss Prevention - State Street shall implement a data loss prevention program that is designed to identify, detect, monitor and alert on abnormal external data movement.

i.        Malicious Code – State Street shall implement controls that are designed to detect the introduction or intrusion of malicious code on information systems handling or holding Client Data and implement a process for removing said malicious code from information systems handling or holding Client Data.

 

8.     Access Controls.

a.        Authorized Access - State Street shall have controls that are designed to maintain the logical separation such that access to systems hosting Client Data and/or being used to provide Services to Client will uniquely identify each individual requiring access, grant access only to authorized personnel based on the principle of least privileges, and prevent unauthorized access to Client Data.

b.        User Access - State Street shall have a process to promptly disable access to Client Data by any State Street personnel who no longer requires such access. State Street will also promptly remove access of Client personnel upon receipt of notification from Client.

c.        Authentication Credential Management - State Street shall communicate authentication credentials to users in a secure manner, with a proof of identity check of the intended users. Initial passwords must be delivered in a secure manner and are required to be changed upon first logon.

d.        Multi-Factor Authentication for Remote Access - State Street shall use multi factor authentication and a secure tunnel when remotely accessing State Street’s internal network.

e.        Access Recertification - State Street must document a process to regularly recertify access to those facilities, systems, networks and applications that store, use, or otherwise have access to Client Data. This should include a documented review of access rights to confirm that access is still appropriate based on business needs. This review should occur at least annually or more frequently depending on risk and industry standards.

f.        Unique IDs - State Street must assign unique user IDs that are reasonably designed to maintain the integrity of the security of the access control to each person with computer access.

g.        Password Standards - State Street must document a password policy with a reasonably secure method of assigning and selecting passwords, or the use of unique identifier technologies, such as biometrics or token devices that cover all systems that store, access, transmit or process Client Data. Where technically feasible, passwords cannot be vendor supplied default passwords. This policy shall define standards for controlling password length, strength and change frequency.

h.        Control of Passwords - State Street personnel must maintain the confidentiality of system passwords, keys, and passcodes used for the protection of Client Data must not be hard-coded into any scripts.

i.        Account Lockout - State Street must deploy controls to lock accounts when no more than five invalid login attempts are made.

j.        Password Reset – State Street must employ a secure and documented process to reset passwords that requires verification of user identity prior to password reset.

 

9.     Encryption Requirements.

a.        Encryption Standards - State Street will define in its Security Policy minimum standards for encryption methods and strength.

b.        Encryption at Rest - State Street shall encrypt any laptops, mobile devices (e.g. Blackberries, PDAs), containing Client Data used by State Street’s personnel using an industry recognized encryption algorithm with at least 256 bit encryption AES (or equivalent).

c.        Encryption Key Management - State Street must document procedures for managing encryption keys as well as any salts used to protect one way hashing functions. These procedures must include specifications for key provisioning, distribution, revocation, and expiration.

 

10.     Use of Laptop and Mobile Devices in connection with the Agreement.

a.        Secure Storage - State Street shall require that all laptops and mobile devices be securely stored whenever out of the personnel’s immediate possession.

b.        State Street shall maintain the ability to remotely remove Client Data promptly from mobile phones managed by State Street.

c.        Bring Your Own Device - State Street shall ensure security controls, including, mobile device management (MDM), remote wipe capabilities and encryption must be in place if Client Data can be stored, accessed, transmitted to or from, or used on a personal device. State Street must have policies to ensure State Street personnel maintain the security of these devices.

 

11.     Information Systems Acquisition Development and Maintenance.

a.        Client Data – Client Data shall only be used by State Street for the purposes specified in the Agreement.


b.        Virus Management - State Street shall maintain a malware protection program designed to (i) deter malware infections; (ii) detect the presence of malware within the State Street environment; and (iii) recover from any impact caused by malware.

 

12.     Incident Event and Communications Management.

a.        Incident Management/Notification of Breach - State Street shall develop and implement an incident response plan that specifies actions to be taken when State Street or one of its subcontractors suspects or detects that a party has gained unauthorized access to Client Data or systems or applications containing any Client Data (the “Response Plan”). It must be approved by management, and have an owner to maintain and review the program. Such Response Plan shall include the following:

i.        Escalation Procedures - An escalation procedure that includes notification to senior managers and appropriate reporting to regulatory and law enforcement agencies. This procedure shall provide for reporting of incidents that compromise the confidentiality of Client Data (including backed up data) to Client via telephone or email (and provide a confirmatory notice in writing as soon as practicable); provided that the foregoing notice obligation is excused for such period of time as State Street is prohibited by law, rule, regulation or other governmental authority from notifying Client.

ii.        Incident Reporting - State Street will use commercially reasonable efforts to promptly furnish to Client information that State Street has regarding the general circumstances and extent of such unauthorized access.

iii.        Investigation and Prevention - State Street shall reasonably assist Client in investigating any such unauthorized access and shall use commercially reasonable efforts to: (A) cooperate with Client in its efforts to comply with statutory notice or other legal obligations applicable to Client or its clients arising out of unauthorized access and to seek injunctive or other equitable relief; (B) cooperate with Client in litigation and investigations against third parties reasonably necessary to protect its proprietary rights; and (C) take reasonable actions necessary to prevent mitigate against loss from any such authorized access.

 

13.     Client Data Outside the United States.

a.        Storage, access, transmission or use of Client Data from a location outside the U.S. must be conducted from a State Street location designed to promote the security and confidentiality of data. Specific security controls may vary from one location to another, based on local jurisdictional limitations and risk practices, but all locations outside the U.S. are subject to State Street’s minimum security standards which may include:

i.        Card key access

ii.        Access limited to only authorized persons with a business need are granted access

iii.        Visitor badges and State Street identification tags

iv.        Closed Circuit TV (CCTV) cameras at site and/or floor entrance and recordings stored and available for thirty (30) to ninety (90) days

v.        Lobby security, alarm, video, packages subject to search.

vi.        True floor to true ceiling construction.

vii.        Glass, wood, or steel doors.