Agreement No. 22-567
AGREEMENT

This Agreement ("Agreement") is dated December 13, 2022 and is between ReliaStar Life Insurance Company, a Minnesota Corporation, ("Contractor"), and the County of Fresno, a Political Subdivision of the State of California ("County").

Recitals

A. WHEREAS, the County wishes to provide Life Insurance, Accidental Death and Dismemberment (hereafter, "AD&D") Insurance, as well as an Employee Assistance Program (hereafter, "EAP") to its employees and their eligible family and/or household members; and

B. WHEREAS, Department of Human Resources staff, with assistance from County's broker of record, HUB International, solicited bids for Life Insurance, AD&D Insurance, and EAP services from qualified vendors and Contractor submitted the most responsive bid; and

C. WHEREAS, this Agreement will provide Life Insurance, AD&D Insurance, and EAP services to County employees and their eligible family and/or household members;

D. NOW, THEREFORE, in consideration of the mutual covenants, terms and conditions herein contained, the parties hereto agree as follows:

Article 1
Contractor's Services

1.1 Scope of Services. The Contractor shall perform all of the services provided in Exhibit A to this Agreement, titled "Scope of Services."

1.2 Representation. The Contractor represents that it is qualified, ready, willing, and able to perform all of the services provided in this Agreement.

1.3 Compliance with Laws. The Contractor shall, at its own cost, comply with all applicable federal, state, and local laws and regulations in the performance of its obligations under this Agreement, including but not limited to workers' compensation, labor, and confidentiality laws and regulations.

Article 2
County's Responsibilities

2.1 The County shall provide the administrative services, as set forth in the Administration Agreement, attached as Exhibit F ("Administration Agreement") and incorporated herein by this reference, for the policies and services set forth in Exhibit A of this Agreement.
Article 3
Compensation, Invoices, and Payments

3.1 The County agrees to pay, and the Contractor agrees to receive, compensation for the performance of its services under this Agreement as described in Exhibit B to this Agreement, titled "Compensation."

3.2 Maximum Compensation. The maximum compensation payable to the Contractor by County under this Agreement for Basic Life Insurance, AD&D Insurance and EAP services, as described in Paragraphs A.1 through A.5 and Paragraph A.11 in Exhibit A to this Agreement, is $750,000, including extension if approved by the parties under section 4.2, "Extension". There is no aggregate limit on the amount that Contractor may receive from employees who purchase optional life insurance from Contractor as described in Paragraphs A.6 through A.8 of Exhibit A to this Agreement. The Contractor acknowledges that the County is a local government entity, and does so with notice that the County's powers are limited by the California Constitution and by State law, and with notice that the Contractor may receive compensation under this Agreement only for services performed according to the terms of this Agreement and while this Agreement is in effect, and subject to the maximum amount payable under this section. The Contractor further acknowledges that County employees have no authority to pay the Contractor except as expressly provided in this Agreement.

3.3 Invoices.

(A) EAP Services. Contractor shall submit a monthly electronic invoice for EAP services to the Director of Human Resources, at the contact information in Article 5, below. The Contractor shall submit each invoice within 60 days after the month in which the Contractor performs services and in any case within 60 days after the end of the term or termination of this Agreement.

(B) Life Insurance. An invoice is not required of the Contractor for payment of life insurance premiums.

3.4 Payment.

(A) EAP Services. The County shall pay each correctly completed and timely submitted invoice within 45 days after receipt. The County shall remit any payment to the Contractor's address specified in the invoice.

(B) Life Insurance. Premiums for life insurance and AD&D insurance shall be remitted by County to Contractor no later than 45 days after the last calendar day of the month in which premiums are collected.

3.5 Incidental Expenses. The Contractor is solely responsible for all of its costs and expenses that are not specified as payable by the County under this Agreement.
Article 4
Term of Agreement

4.1 Term. This Agreement is effective on January 1, 2023 and terminates on December 31, 2024, except as provided in section 4.2, "Extension," or Article 6, "Termination and Suspension," below.

4.2 Extension. The term of this Agreement may be extended for no more than one, one-year period only upon written approval of both parties at least 30 days before the first day of the next one-year extension period. The Director of Human Resources or his or her designee is authorized to sign the written approval on behalf of the County based on the Contractor's satisfactory performance. The extension of this Agreement by the County is not a waiver or compromise of any default or breach of this Agreement by the Contractor existing at the time of the extension whether or not known to the County.
Article 5
Notices

5.1 Contact Information. The persons and their addresses having authority to give and receive notices provided for or permitted under this Agreement include the following:

For the County:
Director of Human Resources
County of Fresno
2220 Tulare Street, 14th Floor
Fresno, CA 93721
Email: HRBenefits@FresnoCountyCA.gov
Fax: (559) 455-4787

For the Contractor:
ReliaStar Life Insurance
20 Washington Ave. So.
Minneapolis, MN 55401

5.2 Change of Contact Information. Either party may change the information in section 5.1 by giving notice as provided in section 5.3.

5.3 Method of Delivery. Each notice between the County and the Contractor provided for or permitted under this Agreement must be in writing, state that it is a notice provided under this Agreement, and be delivered either by personal service, by first-class United States mail, by an overnight commercial courier service, by telephonic facsimile transmission, or by Portable Document Format (PDF) document attached to an email.

(A) A notice delivered by personal service is effective upon service to the recipient.

(B) A notice delivered by first-class United States mail is effective three County business days after deposit in the United States mail, postage prepaid, addressed to the recipient.

(C) A notice delivered by an overnight commercial courier service is effective one County business day after deposit with the overnight commercial courier service, delivery fees prepaid, with delivery instructions given for next day delivery, addressed to the recipient.

(D) A notice delivered by telephonic facsimile transmission or by PDF document attached to an email is effective when transmission to the recipient is completed (but, if such transmission is completed outside of County business hours, then such delivery is deemed to be effective at the next beginning of a County business day), provided that the sender maintains a machine record of the completed transmission.

5.4 Claims Presentation. For all claims arising from or related to this Agreement, nothing in this Agreement establishes, waives, or modifies any claims presentation requirements or procedures provided by law, including the Government Claims Act (Division 3.6 of Title 1 of the Government Code, beginning with section 810).
Article 6
Termination and Suspension

6.1 Termination for Non-Allocation of Funds. The terms of this Agreement, and the services to be provided in accordance with the issued insurance policies, are contingent on the approval of funds by the appropriating government agency. If sufficient funds are not allocated, the services provided may be modified, or this Agreement terminated, at any time by the County giving the Contractor thirty-one (31) days advance written notice.

6.2 Termination for Breach.

(A) Upon determining that a breach (as defined in paragraph (C) below) has occurred, the County may give written notice of the breach to the Contractor. The written notice may suspend performance under this Agreement, and must provide at least 30 days for the Contractor to cure the breach.

(B) If the Contractor fails to cure the breach to the County's satisfaction within the time stated in the written notice, the County may terminate this Agreement immediately.

(C) For purposes of this section, a breach occurs when, in the determination of the County, the Contractor has:
    (1) Obtained or used funds illegally or improperly;
    (2) Failed to comply with any part of this Agreement;
    (3) Submitted a substantially incorrect or incomplete report to the County; or
    (4) Improperly performed any of its obligations under this Agreement.

6.3 Termination without Cause. In circumstances other than those set forth above, the County may terminate this Agreement by giving thirty-one (31) days advance written notice of intent to terminate to the Contractor.

6.4 No Penalty or Further Obligation. Any termination of this Agreement by the County under this Article 6 is without penalty to or further obligation of the County.

6.5 This Article survives the termination of this Agreement.
Article 7
Independent Contractor

7.1 Status. In performing under this Agreement, the Contractor, including its officers, agents, employees, and volunteers, is at all times acting and performing as an independent contractor, in an independent capacity, and not as an officer, agent, servant, employee, joint venturer, partner, or associate of the County. Contractor and County shall comply with all applicable provisions of law and the rules and regulations, if any, of governmental authorities having jurisdiction over matters the subject thereof.

7.2 Verifying Performance. The County has no right to control, supervise, or direct the manner or method of the Contractor's performance under this Agreement, but the County may verify that the Contractor is performing its obligations according to the terms of this Agreement.

7.3 Benefits. Because of its status as an independent contractor, the Contractor has no right to employment rights or benefits available to County employees. The Contractor is solely responsible for providing to its own employees all employee benefits required by law. The Contractor shall save the County harmless from all matters relating to the payment of Contractor's employees, including compliance with Social Security withholding and all related regulations.

7.4 Services to Others. The parties acknowledge that, during the term of this Agreement, the Contractor may provide services to others unrelated to the County or to this Agreement.
Article 8
Protected Health Information

8.1 The parties to this Agreement shall be in strict conformance with all applicable Federal and State of California laws and regulations as further described in Exhibit E, "Protected Health Information Confidentiality Agreement", attached hereto and incorporated herein by this reference.

8.2 Safeguards. Contractor shall implement administrative, physical, and technical safeguards as required by applicable law and as further described in the provisions of Exhibit H, "Data Security Agreement," attached hereto and incorporated herein by this reference.

8.3 Survival. The respective rights and obligations of the parties as stated in this Section shall survive the termination or expiration of this Agreement.

8.4 No Waiver of Obligations. No change, waiver or discharge of any liability or obligation hereunder on any one or more occasions shall be deemed a waiver of performance of any continuing or other obligation, or shall prohibit enforcement of any obligation on any other occasion.
Article 9

9.1 Hold Harmless. Contractor agrees to indemnify, save, hold harmless, and at County's request, defend the County, its officers, agents, and employees from any and all costs and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses occurring or resulting to County in connection with any negligence, including but not limited to any error or omission, or wrongful conduct, by Contractor, its officers, agents, or employees under this Agreement, and from any and all costs and expenses (including attorney's fees and costs), damages, liabilities, claims, and losses occurring or resulting to any person, firm, or corporation who may be injured or damaged by any negligence, including but not limited to any error or omission, of Contractor, its officers, agents, or employees under this Agreement, except to the extent County has directly caused or significantly contributed to the error or omission. The County may conduct or participate in its own defense without affecting the Contractor's obligation to indemnify and hold harmless or defend the County.

9.2 Survival. This Article 9 survives the termination of this Agreement.

Article 10
Insurance

10.1 The Contractor shall comply with all the insurance requirements in Exhibit D to this Agreement.
Article 11
Inspections, Audits, and Public Records

11.1 Inspection of Documents. The Contractor shall make available to the County, the Contractor's records and data with respect to the matters covered by this Agreement, excluding attorney-client privileged communications. The Contractor shall, upon request by the County, which shall occur not more than once annually, permit the County to audit and inspect such records and data to ensure the Contractor's compliance with the terms of this Agreement. For the avoidance of doubt, such records will be limited to financial and administrative records directly related to the insurance Policies issued to County and will not include any employee personal health information or other information to which access is limited by applicable law.

11.2 State Audit Requirements. If the compensation to be paid by the County under this Agreement exceeds $10,000, the Contractor is subject to the examination and audit of the California State Auditor, as provided in Government Code section 8546.7, for a period of three years after final payment under this Agreement. This section survives the termination of this Agreement.

11.3 Public Records. The County is not limited in any manner with respect to its public disclosure of this Agreement or any record or data that the Contractor may provide to the County. The County's public disclosure of this Agreement or any record or data that the Contractor may provide to the County may include but is not limited to the following:

(A) The County may voluntarily, or upon request by any member of the public or governmental agency, disclose this Agreement to the public or such governmental agency.

(B) The County may voluntarily, or upon request by any member of the public or governmental agency, disclose to the public or such governmental agency any record or data that the Contractor may provide to the County, unless such disclosure is prohibited by court order.

(C) This Agreement, and any record or data that the Contractor may provide to the County, is subject to public disclosure under the Ralph M. Brown Act (California Government Code, Title 5, Division 2, Part 1, Chapter 9, beginning with section 54950).

(D) This Agreement, and any record or data that the Contractor may provide to the County, is subject to public disclosure as a public record under the California Public Records Act (California Government Code, Title 1, Division 7, Chapter 3.5, beginning with section 6250) ("CPRA").

(E) This Agreement, and any record or data that the Contractor may provide to the County, is subject to public disclosure as information concerning the conduct of the people's business of the State of California under California Constitution, Article 1, section 3, subdivision (b).

(F) Any marking of confidentiality or restricted access upon or otherwise made with respect to any record or data that the Contractor may provide to the County shall be disregarded and have no effect on the County's right or duty to disclose to the public or governmental agency any such record or data.

11.4 Public Records Act Requests. If the County receives a written or oral request under the CPRA to publicly disclose any record that is in the Contractor's possession or control, and which the County has a right, under any provision of this Agreement or applicable law, to possess or control, then the County may demand, in writing, that the Contractor deliver to the County, for purposes of public disclosure, the requested records that may be in the possession or control of the Contractor. Within five business days after the County's demand, the Contractor shall (a) deliver to the County all of the requested records that are in the Contractor's possession or control, together with a written statement that the Contractor, after conducting a diligent search, has produced all requested records that are in the Contractor's possession or control, or (b) provide to the County a written statement that the Contractor, after conducting a diligent search, does not possess or control any of the requested records. The Contractor shall cooperate with the County with respect to any County demand for such records. If the Contractor wishes to assert that any specific record or data is exempt from disclosure under the CPRA or other applicable law, it must deliver the record or data to the County and assert the exemption by citation to specific legal authority within the written statement that it provides to the County under this section. The Contractor's assertion of any exemption from disclosure is not binding on the County, but the County will give at least 10 days' advance written notice to the Contractor before disclosing any record subject to the Contractor's assertion of exemption from disclosure. The Contractor shall indemnify the County for any court-ordered award of costs or attorney's fees under the CPRA that results from the Contractor's delay, claim of exemption, failure to produce any such records, or failure to cooperate with the County with respect to any County demand for any such records.
Article 12
Disclosure of Self-Dealing Transactions

12.1 Applicability. This Article 12 applies if the Contractor is operating as a corporation, or changes its status to operate as a corporation.

12.2 Duty to Disclose. If any member of the Contractor's board of directors is party to a self-dealing transaction, he or she shall disclose the transaction by completing and signing a "Self-Dealing Transaction Disclosure Form" (Exhibit C to this Agreement) and submitting it to the County before commencing the transaction or immediately after.

12.3 Definition. "Self-dealing transaction" means a transaction to which the Contractor is a party and in which one or more of its directors, as an individual, has a material financial interest.
Article 13
General Terms

13.1 Modification. Any matters of this Agreement may be modified from time to time by the written consent of all parties without, in any way, affecting the remainder. The Contractor acknowledges that County employees have no authority to modify this Agreement except as expressly provided in this Agreement.

13.2 Non-Assignment. Neither party may assign its rights or delegate its obligations under this Agreement without the prior written consent of the other party. Notwithstanding the foregoing, Contractor may subcontract with its subcontractor ComPsych Corporation for the services set forth in Exhibit A, paragraph 11, which are to be provided by subcontractor ComPsych Corporation, an Illinois corporation, and Contractor shall be solely responsible for ComPsych Corporation's performance under Exhibit A, paragraph 11 and for compensating ComPsych Corporation for such performance.

13.3 Governing Law. The venue for any action arising out of or related to this Agreement shall be Fresno, California. The rights and obligations of the parties and all interpretation and performance of this Agreement shall be governed in all respects by the laws of the State of California.

13.4 Construction. The final form of this Agreement is the result of the parties' combined efforts. If anything in this Agreement is found by a court of competent jurisdiction to be ambiguous, that ambiguity shall not be resolved by construing the terms of this Agreement against either party.

13.5 Days. Unless otherwise specified, "days" means calendar days.

13.6 Headings. The headings and section titles in this Agreement are for convenience only and are not part of this Agreement.

13.7 Severability. If anything in this Agreement is found by a court of competent jurisdiction to be unlawful or otherwise unenforceable, the balance of this Agreement remains in effect, and the parties shall make best efforts to replace the unlawful or unenforceable part of this Agreement with lawful and enforceable terms intended to accomplish the parties' original intent.

13.8 Nondiscrimination. During the performance of this Agreement, the Contractor shall not unlawfully discriminate against any employee or applicant for employment, or recipient of services, because of race, religious creed, color, national origin, ancestry, physical disability, mental disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, age, sexual orientation, military status or veteran status pursuant to all applicable State of California and federal statutes and regulations.

13.9 No Waiver. Payment, waiver, or discharge by the County of any liability or obligation of the Contractor under this Agreement on any one or more occasions is not a waiver of performance of any continuing or other obligation of the Contractor and does not prohibit enforcement by the County of any obligation on any other occasion.

13.10 Entire Agreement. This Agreement, including its exhibits, is the entire agreement between the Contractor and the County with respect to the subject matter of this Agreement, and it supersedes all previous negotiations, proposals, commitments, writings, advertisements, publications, and understandings of any nature unless those things are expressly included in this Agreement. If there is any inconsistency between the terms of this Agreement without its exhibits and the terms of the exhibits, then the inconsistency will be resolved by giving precedence first to the terms of this Agreement without its exhibits, and then to the terms of the exhibits. Notwithstanding the foregoing, the parties understand and acknowledge that any insurance obligations owed to County or its employee participants will be governed solely by the terms of the insurance policies issued by the Contractor under the terms of this Agreement.

13.11 No Third-Party Beneficiaries. This Agreement does not and is not intended to create any rights or obligations for any person or entity except for the parties.

13.12 Authorized Signature. The Contractor represents and warrants to the County that:

(A) The Contractor is duly authorized and empowered to sign and perform its obligations under this Agreement.

(B) The individual signing this Agreement on behalf of the Contractor is duly authorized to do so and his or her signature on this Agreement legally binds the Contractor to the terms of this Agreement.

13.13 Electronic Signatures. The parties agree that this Agreement may be executed by electronic signature as provided in this section.

(A) An "electronic signature" means any symbol or process intended by an individual signing this Agreement to represent their signature, including but not limited to (1) a digital signature; (2) a faxed version of an original handwritten signature; or (3) an electronically scanned and transmitted (for example by PDF document) version of an original handwritten signature.

(B) Each electronic signature affixed or attached to this Agreement (1) is deemed equivalent to a valid original handwritten signature of the person signing this Agreement for all purposes, including but not limited to evidentiary proof in any administrative or judicial proceeding, and (2) has the same force and effect as the valid original handwritten signature of that person.

(C) The provisions of this section satisfy the requirements of Civil Code section 1633.5, subdivision (b), in the Uniform Electronic Transaction Act (Civil Code, Division 3, Part 2, Title 2.5, beginning with section 1633.1).

(D) Each party using a digital signature represents that it has undertaken and satisfied the requirements of Government Code section 16.5, subdivision (a), paragraphs (1) through (5), and agrees that each other party may rely upon that representation.

(E) This Agreement is not conditioned upon the parties conducting the transactions under it by electronic means and either party may sign this Agreement with an original handwritten signature.

13.14 Counterparts. This Agreement may be signed in counterparts, each of which is an original, and all of which together constitute this Agreement.
[SIGNATURE PAGE FOLLOWS]
The parties are signing this Agreement on the date stated in the introductory clause.

ReliaStar Life Insurance Company
Mona Zielke, ' e President
20 Washington Ave. So.
Minneapolis, MN 55401

COUNTY OF FRESNO
Brian Pacheco, Chairman of the Board of Supervisors of the County of Fresno

Attest:
Bernice E. Seidel
Clerk of the Board of Supervisors
County of Fresno, State of California
By: ____________________, Deputy

For accounting use only:
Org No.: 89250200
Account No.: 7295
Fund No.: 1060
Subclass No.: 10000
Exhibit A
Scope of Services

A.1 Contractor shall provide Class 1 Employees with $10,000 of Life Insurance coverage and $10,000 Accidental Death and Dismemberment (hereafter, "AD&D") Insurance coverage, with premiums paid by County. Class 1 Employees include all active County employees participating in a County-sponsored Health Insurance Plan and who are not Management Employees, Senior Management Employees, Department Heads or Elected Officials.

A.2 Contractor shall provide Class 2 Employees with $260,000 of Life Insurance coverage and $260,000 of AD&D Insurance coverage, with premiums paid by County. Class 2 Employees include all active County Senior Management Employees, Department Heads or Elected Officials who are participating in a County Sponsored Health Insurance Plan.

A.3 Contractor shall provide Class 3 Employees with $250,000 of Life Insurance coverage and $250,000 of AD&D Insurance coverage, with premiums paid by County. Class 3 Employees include all active County Senior Management Employees, Department Heads or Elected Officials who are not participating in a County Sponsored Health Insurance Plan.

A.4 Contractor shall provide Class 4 Employees with $61,000 of Life Insurance coverage and $61,000 of AD&D Insurance coverage, with premiums paid by County. Class 4 Employees include all active County Management Employees who are participating in a County Sponsored Health Insurance Plan.

A.5 Contractor shall provide Class 5 Employees with $51,000 of Life Insurance coverage and $51,000 of AD&D Insurance coverage, with premiums paid by County. Class 5 Employees include all active County Management Employees who are not participating in a County Sponsored Health Insurance Plan.

A.6 Contractor shall provide optional life insurance coverage to all active County employees in the amount of $100,000; premiums to be paid by the covered employee.

A.7 Contractor shall provide optional life insurance to the spouses of active County employees in the amount of $50,000. Spousal eligibility is contingent upon participation by the employee in optional life insurance coverage as provided in Paragraph A.6, above; premiums to be paid by the covered employee.

A.8 Contractor shall provide optional life insurance to the children of active County employees in the amount of $10,000. A child's eligibility is contingent upon the child being twenty-six (26) years of age or younger, and participation by the employee in optional life insurance coverage as provided in Paragraph A.6, above; premiums to be paid by the covered employee.

A.9 Contractor shall provide Level 1 Funeral Planning & Concierge Services, as well as Travel Assistance Services, as set forth in Exhibit G, to all active County employees who receive life insurance coverage under this Agreement. There will be no additional charge to the County or its employees for these Services.

A.10 With regards to eligibility of coverage, in the event of a discrepancy between the foregoing provisions and the terms of the Contractor's Insurance Policies, the terms of the Policies will govern.

A.11 Contractor shall provide Employee Assistance Program (EAP) services, as set forth below, through its subcontractor ComPsych Corporation. These EAP services shall be provided pursuant to the terms of this Agreement. The County shall look to the Contractor for compliance with this Agreement and not deal directly with any subcontractor, except as specifically provided herein.
a. Counseling Services
    i. Provide up to three (3) face to face counseling sessions per person per issue per rolling 6-month period for the County's employees and their family/household members.
    ii. Provide unlimited telephonic consulting for the County's employees and their family/household members.
    iii. Upon request, provide or make a referral to a bilingual counselor according to the language needs of the employee or family/household member. Languages needed include English, Spanish, Hmong, and Laotian.
    iv. Maintain a toll-free telephone number accessible on a 24-hour, 7 days per week basis, where Professional EAP counselors shall provide live, immediate crisis telephone counseling. These services should be provided in multiple languages, including English, Spanish, and Hmong.
    v. Maintain a website where employees may access services, information, webinars, etc.
    vi. Provide substance abuse case management and support for return-to-work transition.
    vii. Provide direct supervisory referrals for work performance problems.

b. Work Life Services
    i. Provide personalized attention and resources that cover all aspects of work-life needs including: childcare, education, adoption, pet care, elder care, and personal convenience services.
    ii. Provide legal information and assistance, which includes:
        1. Immediate, confidential access to staff attorneys
        2. Unlimited telephonic and online access to legal information from licensed attorneys
        3. Access to a credentialed national network of lawyers for in-person consultation
        4. Referral to lawyers in the community at discounted fees
        5. Comprehensive legal resource database
        6. Wide variety of no-cost legal options
    iii. Provide access to financial experts in many areas of money management and planning with:
        1. Unlimited telephonic and online access
        2. On-staff CPAs and other financial experts
        3. Nationwide network of Certified Financial Planners
        4. User-friendly online financial planning tools
        5. Recommended books and articles
        6. Student Loan resources and guidance

c. On-Site and/or Live Services
    i. Provide a bank of 110 hours of on-site and/or live service as described below. ComPsych agrees that the aforementioned bank shall not be reduced by the travel time of the professionals providing the services described below.
    ii. Conduct critical incident stress debriefings for traumatic events, including death of an employee, workplace accidents, natural disasters and violence in the workplace within 24 hours of urgent requests or within five (5) days for non-urgent requests. A minimum of two (2) hours per incident for each debriefing shall be provided.
    iii. Send, at minimum, one (1) representative to the County's annual Open Enrollment fairs to assist with explanation of services and provide promotional materials. Typically, the County has one (1) major health and wellness fair and several satellite fairs over the course of a one-week period during the Open Enrollment period.
    iv. Provide customized on-site and/or webinar training on a variety of subjects including, but not limited to, mental health, financial, legal, emotional and wellness topics.
    v. Provide on-site and/or web-based training to supervisors and managers on employment related issues.
    vi. Attendance minimums must be no higher than the following:
        1. In-person trainings: 15 attendees
        2. Webinars: 10 attendees
    vii. Conduct biweekly live webinar orientation sessions to introduce the benefits
25 of the program to new employees. Alternatively, produce a recorded
26 orientation session, which should be no more than 15 minutes.
27
28
A-4
Exhibit A
1 d. Administration/Transition
2 i. Provide a designated account manager, who will report to the Director of
3 Human Resources or their designee. The account manager shall return
4 emergency calls/emails within 30 minutes and routine calls/emails within 24
5 hours.
6 ii. Provide quarterly utilization reports with executive overview; annual cost
7 analysis availability upon request, and full color graphs and charts that
8 display key metrics and demographic data.
9 iii. If applicable, a transition plan for services that are in progress at the time of
10 change-over from the existing employee assistance provider to the new
11 service provider shall be provided.
12 e. Program Promotion
13 i. Consult with and make recommendations to, County staff regarding the
14 implementation, promotion and administration of EAP services.
15 ii. Provide, at Contractor's expense, printed, color promotional materials as
16 well as online access to all marketing materials for electronic distribution.
17 Such materials shall include, but are not limited to, posters, brochures,
18 flyers, and wallet cards.
19
20
21
22
23
24
25
26
27
28
A-5
Exhibit B
Compensation
The Contractor will be compensated for performance of its services under this Agreement as provided in this Exhibit B. The Contractor is not entitled to any compensation except as expressly provided in this Exhibit B.
B.1 Basic Life Insurance. County shall compensate Contractor as follows:
a. For each Class 1 Employee, Contractor shall receive $0.38 per covered employee per biweekly pay period.
b. For each Class 2 Employee, Contractor shall receive $9.84 per covered employee per biweekly pay period.
c. For each Class 3 Employee, Contractor shall receive $9.46 per covered employee per biweekly pay period.
d. For each Class 4 Employee, Contractor shall receive $2.31 per covered employee per biweekly pay period.
e. For each Class 5 Employee, Contractor shall receive $1.93 per covered employee per biweekly pay period.
B.2 Supplemental Life Insurance. Employees and their spouse and/or eligible children who choose to enroll in a supplemental life insurance policy shall pay the insurance premium subject to the following monthly rates per $1,000 of coverage, based on their age:
a. Under 25 years of age: $0.06;
b. 25-29 years of age: $0.07;
c. 30-34 years of age: $0.08;
d. 35-39 years of age: $0.11;
e. 40-44 years of age: $0.16;
f. 45-49 years of age: $0.23;
g. 50-54 years of age: $0.37;
h. 55-59 years of age: $0.60;
i. 60-64 years of age: $0.94;
j. 65-69 years of age: $1.76; and
k. 70 years of age and older: $2.85.
l. All children of the employee: $0.14.
B.3 EAP Services. County shall pay Contractor for EAP services provided at the rate of $0.65 per permanent, active County employee per month.
The compensation described in Paragraphs B.1 and B.2, above, is guaranteed in years one (1) and two (2) of the Agreement and will remain unchanged in year three (3) of the Agreement, if the Incurred Loss Ratio, as described in this Exhibit B, below, is 0.70 or less. If the Incurred Loss Ratio is greater than 0.70, Contractor may request an increase in the compensation described in Paragraphs B.1 and B.2, above. Such increase must be agreed upon in writing by County and Contractor.
The compensation described in Paragraph B.3, above, will remain unchanged for the life of the Agreement, regardless of the Incurred Loss Ratio.
For purposes of this Agreement, the Incurred Loss Ratio is equal to the total claims paid by Contractor (total claims paid are equal to: paid life insurance claims [excluding accidental death and dismemberment insurance claims paid], interest payments to beneficiaries, any potential liability for employees utilizing the waiver of premium provision, and any pending unpaid claims which are reported or not yet reported) divided by the total life insurance premiums received by Contractor (excluding accidental death and dismemberment insurance premiums) through the prior 48 months ending on March 31, 2024.
Exhibit C
Self-Dealing Transaction Disclosure Form
In order to conduct business with the County of Fresno ("County"), members of a
contractor's board of directors ("County Contractor"), must disclose any self-dealing transactions
that they are a party to while providing goods, performing services, or both for the County. A
self-dealing transaction is defined below:
"A self-dealing transaction means a transaction to which the corporation is a party and in
which one or more of its directors has a material financial interest."
The definition above will be used for purposes of completing this disclosure form.
Instructions
(1) Enter board member's name, job title (if applicable), and date this disclosure is being
made.
(2) Enter the board member's company/agency name and address.
(3) Describe in detail the nature of the self-dealing transaction that is being disclosed to the
County. At a minimum, include a description of the following:
a. The name of the agency/company with which the corporation has the transaction;
and
b. The nature of the material financial interest in the Corporation's transaction that
the board member has.
(4) Describe in detail why the self-dealing transaction is appropriate based on applicable
provisions of the Corporations Code.
The form must be signed by the board member that is involved in the self-dealing
transaction described in Sections (3) and (4).
(1) Company Board Member Information:
Name: Date:
Job Title:
(2) Company/Agency Name and Address:
(3) Disclosure (Please describe the nature of the self-dealing transaction you are a
party to)
(4) Explain why this self-dealing transaction is consistent with the requirements of
Corporations Code § 5233 (a)
(5) Authorized Signature
Signature: Date:
C-2
Exhibit D
Insurance Requirements
1. Required Policies
Without limiting the County's right to obtain indemnification from the Contractor or any third
parties, Contractor, at its sole expense, shall maintain in full force and effect the following
insurance policies throughout the term of this Agreement.
(A) Commercial General Liability. Commercial general liability insurance with limits of not
less than Two Million Dollars ($2,000,000) per occurrence and an annual aggregate of
Four Million Dollars ($4,000,000). This policy must be issued on a per occurrence basis.
Coverage must include products, completed operations, property damage, bodily injury,
personal injury, and advertising injury. The Contractor shall obtain an endorsement to
this policy naming the County of Fresno, its officers, agents, employees, and volunteers,
individually and collectively, as additional insureds, but only insofar as the operations
under this Agreement are concerned. Such coverage for additional insureds will apply as
primary insurance and any other insurance, or self-insurance, maintained by the County
is excess only and not contributing with insurance provided under the Contractor's
policy.
(B) Automobile Liability. Automobile liability insurance with limits of not less than One
Million Dollars ($1,000,000) per occurrence for bodily injury and for property damages.
Coverage must include any auto used in connection with this Agreement.
(C) Workers Compensation. Workers compensation insurance as required by the laws of
the State of California with statutory limits.
(D) Employer's Liability. Employer's liability insurance with limits of not less than One
Million Dollars ($1,000,000) per occurrence for bodily injury and for disease.
(E) Professional Liability. Professional liability insurance with limits of not less than One
Million Dollars ($1,000,000) per occurrence and an annual aggregate of Three Million
Dollars ($3,000,000). If this is a claims-made policy, then (1) the retroactive date must
be prior to the date on which services began under this Agreement; (2) the Contractor
shall maintain the policy and provide to the County annual evidence of insurance for not
less than five years after completion of services under this Agreement; and (3) if the
policy is canceled or not renewed, and not replaced with another claims-made policy
with a retroactive date prior to the date on which services begin under this Agreement,
then the Contractor shall purchase extended reporting coverage on its claims-made
policy for a minimum of five years after completion of services under this Agreement.
(F) Cyber Liability. Cyber liability insurance with limits of not less than Two Million Dollars
($2,000,000) per occurrence. Coverage must include claims involving Cyber Risks. The
cyber liability policy must be endorsed to cover the full replacement value of damage to,
alteration of, loss of, or destruction of intangible property (including but not limited to
information or data) that is in the care, custody, or control of the Contractor.
Definition of Cyber Risks. "Cyber Risks" include but are not limited to (i) Security
Breach, which may include Disclosure of Personal Information to an Unauthorized Third
Party; (ii) data breach; (iii) breach of any of the Contractor's obligations under Exhibit E
of this Agreement; (iv) system failure; (v) data recovery; (vi) failure to timely disclose
data breach or Security Breach; (vii) failure to comply with privacy policy; (viii) payment
card liabilities and costs; (ix) infringement of intellectual property, including but not
limited to infringement of copyright, trademark, and trade dress; (x) invasion of privacy,
including release of private information; (xi) information theft; (xii) damage to or
destruction or alteration of electronic information; (xiii) cyber extortion; (xiv) extortion
related to the Contractor's obligations under this Agreement regarding electronic
information, including Personal Information; (xv) fraudulent instruction; (xvi) funds
transfer fraud; (xvii) telephone fraud; (xviii) network security; (xix) data breach response
costs, including Security Breach response costs; (xx) regulatory fines and penalties
related to the Contractor's obligations under this Agreement regarding electronic
information, including Personal Information; and (xxi) credit monitoring expenses.
2. Additional Requirements
(A) Verification of Coverage. Within 30 days after the Contractor signs this Agreement,
and at any time during the term of this Agreement as requested by the County's Risk
Manager or the County Administrative Office, the Contractor shall deliver, or cause its
broker or producer to deliver, to the County Risk Manager, at 2220 Tulare Street, 16th
Floor, Fresno, California 93721, or HRRiskManagement@fresnocountyca.gov, and by
mail or email to the person identified to receive notices under this Agreement,
certificates of insurance and endorsements for all of the coverages required under this
Agreement.
(i) Each insurance certificate must state that: (1) the insurance coverage has been
obtained and is in full force; (2) the County, its officers, agents, employees, and
volunteers are not responsible for any premiums on the policy; and (3) the
Contractor has waived its right to recover from the County, its officers, agents,
employees, and volunteers any amounts paid under any insurance policy
required by this Agreement and that waiver does not invalidate the insurance
policy.
(ii) The commercial general liability insurance certificate must also state, and include
an endorsement, that the County of Fresno, its officers, agents, employees, and
volunteers, individually and collectively, are additional insureds insofar as the
operations under this Agreement are concerned. The commercial general liability
insurance certificate must also state that the coverage shall apply as primary
insurance and any other insurance, or self-insurance, maintained by the County
shall be excess only and not contributing with insurance provided under the
Contractor's policy.
(iii) The automobile liability insurance certificate must state that the policy covers any
auto listed with the insurer and/or covered by the terms of the policy used in
connection with this Agreement.
(iv) The professional liability insurance certificate, if it is a claims-made policy, must
also state the retroactive date of the policy, which must be prior to the date on
which services began under this Agreement.
(v) The cyber liability insurance certificate must also state that the policy includes
provisions to reimburse the Contractor, to cover the full replacement value of damage to,
alteration of, loss of, or destruction of intangible property (including but not limited
to information or data) that is in the care, custody, or control of the Contractor, as
legally required by the policy.
(B) Acceptability of Insurers. All insurance policies required under this Agreement must be
issued by admitted insurers licensed to do business in the State of California and
possessing at all times during the term of this Agreement an A.M. Best, Inc. rating of no
less than A:VII.
(C) Notice of Cancellation or Change. For each insurance policy required under this
Agreement, the Contractor shall provide to the County, or ensure that the policy requires
the insurer to provide to the County, written notice of any cancellation or material change
in the policy as required in this paragraph. For cancellation of the policy for nonpayment
of premium, the Contractor shall, or shall cause the insurer to, provide written notice to
the County not less than 10 days in advance of cancellation. For cancellation of the
policy for any other reason, and for any other change to the policy, the Contractor shall,
or shall cause the insurer to, provide written notice to the County not less than 30 days
in advance of cancellation or change. The County in its sole discretion may determine
that the failure of the Contractor or its insurer to timely provide a written notice required
by this paragraph is a breach of this Agreement.
(D) County's Entitlement to Greater Coverage. If the Contractor has or obtains insurance
with broader coverage, higher limits, or both, than what is required under this
Agreement, then the County requires and is entitled to the broader coverage, higher
limits, or both. To that end, the Contractor shall deliver, or cause its broker or producer
to deliver, to the County's Risk Manager certificates of insurance and endorsements for
all of the coverages that have such broader coverage, higher limits, or both, as required
under this Agreement.
(E) Waiver of Subrogation. The Contractor waives any right to recover from the County, its
officers, agents, employees, and volunteers any amounts paid under the policy of
worker's compensation insurance required by this Agreement. The Contractor is solely
responsible to obtain any policy endorsement that may be necessary to accomplish that
waiver, but the Contractor's waiver of subrogation under this paragraph is effective
whether or not the Contractor obtains such an endorsement.
(F) County's Remedy for Contractor's Failure to Maintain. If the Contractor fails to keep
in effect at all times any insurance coverage required under this Agreement, the County
may, in addition to any other remedies it may have, suspend or terminate this
Agreement upon the occurrence of that failure, or purchase such insurance coverage,
and charge the cost of that coverage to the Contractor. The County may offset such
charges against any amounts owed by the County to the Contractor under this
Agreement.
Subcontractors. The Contractor shall require and verify that all subcontractors used by
the Contractor to provide services under this Agreement maintain insurance meeting all
insurance requirements provided in this Agreement. This paragraph does not authorize
the Contractor to provide services under this Agreement using subcontractors.
EXHIBIT E
PROTECTED HEALTH INFORMATION CONFIDENTIALITY AGREEMENT
This Protected Health Information Confidentiality Agreement (the "Agreement") is entered into as
of December 31, 2018 (the "Agreement Effective Date") by and between ReliaStar Life Insurance
Company or its affiliate ReliaStar Life Insurance Company of New York (the "Company"), and the County
of Fresno (the "Employer"). Employer shall be referred to herein as a "Disclosing Party".
RECITALS
A. The Employer is seeking to purchase or has purchased a group life insurance policy
which includes disability income insurance coverage (the "Policy") from the Company to
cover employees.
B. The Disclosing Party may provide or disclose Protected Health Information (as defined
below) to the Company in connection with the underwriting or payment of claims under
the Policy.
C. The purpose of this agreement is to limit the use and disclosure of PHI by the Company
to the purposes provided for herein and to provide reasonable assurances to Disclosing
Party that the Company will maintain appropriate safeguards to protect PHI from any use
or disclosure contrary to this Agreement and the Privacy Rule and Security Rule to the
extent applicable (each as defined below).
SECTION 1: DEFINITIONS
1.1 Breach. "Breach" shall have the same meaning given to such term in 45 C.F.R. § 164.402, as
may be amended from time to time.
1.2 Data Aggregation. "Data Aggregation" shall mean, with respect to Protected Health Information
received by the Company, the combining of such Protected Health Information with Protected Health
information received by the Company under other stop-loss policy or policies, to permit data analyses as
they relate to Health Care Operations.
1.3 Designated Record Set. "Designated Record Set" shall have the same meaning as the term
"designated record set" in 45 C.F.R § 164.501, as may be amended from time to time.
1.4 Electronic Protected Health Information. "Electronic Protected Health Information" shall have the
same meaning as "electronic protected health information" in 45 C.F.R. § 160.103, as may be amended
from time to time.
1.5 Health Care. "Health Care" shall have the same meaning as the term "health care" in 45 C.F.R. §
160.103, as may be amended from time to time.
1.6 Health Care Operations. "Health Care Operations" shall have the same meaning as the term
"health care operations" in 45 C.F.R. § 164.501, as may be amended from time to time and shall include,
but not be limited to, underwriting of the Policy including activities of the Company for the reinsurance of
the Policy.
1.7 Individual. "Individual" shall have the same meaning as the term "individual" in 45 C.F.R §
160.103 and shall include a person's personal representative who is treated as the Individual in
accordance with 45 C.F.R § 164.502(g), as each may be amended from time to time.
1.8 Limited Data Set. "Limited Data Set" shall have the same meaning as the term "limited data set"
in 45 C.F.R. § 164.514(e), as may be amended from time to time.
1.9 Payment. "Payment" shall mean the same meaning as payment in 45 C.F.R. § 164.501, as may
be amended from time to time, and shall include activities for the purpose of obtaining payment under the
Policy and shall include, but not be limited to, Policy claim review, assessing primary and secondary
coverage as between the Policy and the Group Health Plan under coordination of benefit provisions,
pursuing subrogation claims and rights and submission of claim information under reinsurance policies or
treaties between the Company and an insurance company that provides reinsurance benefits to the
Company with respect to the Policy.
1.10 Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable
Health Information at 45 C.F.R part 160 and part 164, subparts A and E, as may be amended from time
to time, as applied to the Company's use and disclosure of PHI provided for in this Agreement.
1.11 Protected Health Information ("PHI"). "Protected Health Information" shall have the same
meaning as the term "protected health information" in 45 C.F.R § 160.103, as may be amended from time
to time, limited to the information received by the Company from any Disclosing Party.
1.12 Required By Law. "Required By Law" shall have the same meaning as the term "required by law"
in 45 C.F.R. § 164.103, as may be amended from time to time.
1.13 Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human
Services or his or her designee.
1.14 Security Rule. "Security Rule" shall mean the Security Standards at 45 C.F.R. Parts 160 and Part
164, Subparts A and C, as may be amended from time to time, as applied to the Company's use and
disclosure of PHI provided for in this Agreement.
1.15 Transactions. "Transactions" shall have the same meaning as the term "transactions" in 45
C.F.R. § 164.103, as may be amended from time to time.
1.16 Unsecured PHI. "Unsecured PHI" shall have the same meaning given to such term under 45
C.F.R. § 164.402, as may be amended from time to time.
SECTION 2: LIMITED DATA SET - PERMITTED USES AND DISCLOSURES
2.1 Permitted Uses and Disclosures. The Company may use PHI provided to it in the form of a
Limited Data Set solely for the underwriting of the Policy. Except as provided for in Section 3 of this
Agreement, the Company shall not use or disclose PHI under this Section for any other purpose.
2.2 Identification. The Company agrees not to undertake any action during the underwriting process
and the placement of the Policy which may cause the PHI, including the Limited Data Set, to identify any
Individual, nor shall the Company knowingly contact any Individual whose PHI is included in the Limited
Data Set.
2.3 Policy Not Issued. Upon conclusion or termination of the underwriting process in which the
Policy is not issued by the Company, the Company shall destroy any property received from any party
which may be in the Company's possession including all PHI, confidential information, products,
materials, memoranda, notes, records, reports, or other documents or photocopies of the same, including
without limitation any of the foregoing recorded on any computer or any machine readable medium.
SECTION 3: PHI — PERMITTED USES AND DISCLOSURES
3.1 Purpose of PHI Disclosure. The Disclosing Party may provide and disclose PHI to the Company
for underwriting of the Policy.
3.2 Permitted Uses. The Company may use PHI received from the Disclosing Party solely for the
purpose for which it is provided as specified in Section 3.1 of this Agreement.
3.3 Permitted Disclosures. The Company may disclose PHI for underwriting and the payment of
claims under the Policy provided that the Company obtains reasonable assurances from the person to
whom the information is disclosed that it will remain confidential and will be used or further disclosed only
as Required by Law or for the purpose for which it was disclosed to the person (which purpose must be
consistent with the limitations imposed upon the Company pursuant to this Agreement) and the person
agrees to notify the Company of any use or disclosure of PHI of which it becomes aware in which the
confidentiality of the information has been breached.
3.4 Required by Law. The Company may disclose the PHI if and to the extent that such disclosure is
Required by Law.
3.5 Data Aggregation. The Company may use PHI to provide Data Aggregation services, including
use of PHI for statistical compilations, reports, research and all other purposes allowed under applicable
law.
3.6 De-identified Data. The Company may create de-identified PHI in accordance with the standards
set forth in 45 C.F.R. § 164.514(b), as may be amended from time to time, and may use or disclose such
de-identified data for any purpose.
SECTION 4: OBLIGATIONS OF THE COMPANY
4.1 Privacy of PHI. The Company will maintain appropriate safeguards to reasonably protect PHI
from any intentional or unintentional use or disclosure contrary to this Agreement and the Privacy Rule.
4.2 Security of PHI. The Company shall ensure that its information security programs include
appropriate administrative, physical and technical safeguards designed to prevent the use or disclosure of
confidential information, such as the PHI received by the Company, contrary to this Agreement and the
Security Rule.
4.3 Notification of Disclosures. The Company will report to the Disclosing Party any use or disclosure
of PHI not provided for by this Agreement of which it becomes aware.
4.4 Notification of Breach. The Company will notify the Disclosing Party of any Breach of Unsecured
PHI as soon as practicable, and no later than 30 days after discovery of such Breach. The Company's
notification of a Breach will include: (a) the identification of each Individual whose Unsecured PHI has
been, or is reasonably believed by the Company to have been, accessed, acquired or disclosed during
the Breach; and (b) any particulars regarding the Breach that the Employer would need to include in its
notification, as such particulars are identified in 45 C.F.R. § 164.404, as may be amended from time to
time.
4.5 Mitigation. To the extent practicable, the Company will cooperate with the Disclosing Party's
efforts to mitigate a harmful effect that is known to the Company of a use or disclosure of PHI not
provided for in this Agreement.
4.6 HIPAA Compliance Support. The Company agrees to make internal practices, books, and
records, including policies and procedures of its information security program, relating to the use and
disclosure of confidential information, such as the PHI received by the Company, available to the
Secretary, as requested by the Employer, or designated by the Secretary, for purposes of the Secretary
determining the Employer's compliance with the Privacy Rule.
SECTION 5: OBLIGATIONS OF THE DISCLOSING PARTIES
5.1 Privacy Practices. The Employer will notify the Company of any changes to the limitation(s) in
the Employer's notice of privacy practices in accordance with 45 C.F.R. § 164.520, as amended from time
to time, to the extent that such a limitation may affect the Company's use or disclosure of PHI under this
Agreement. The Employer will provide such notice no later than 15 days prior to the effective date of the
limitation. The Employer confirms that its privacy notice discloses the use and disclosure of PHI for
Health Care Operations and Payments as permitted by this Agreement.
5.2. Minimum Necessary. Disclosing Party shall limit PHI to the minimum necessary to accomplish
the permitted uses and disclosures of the Company provided for in this Agreement when providing or
disclosing PHI to the Company in accordance with 45 C.F.R. § 164.502(b) and 45 C.F.R. § 164.514(d),
as each may be amended from time to time.
5.3. Payment and Health Care Operations Standards. Disclosing Party shall ensure that the use and
disclosure of PHI by the Company complies with the standards of 45 C.F.R. § 164.506, as may be
amended from time to time.
5.4 Electronic PHI. Disclosing Party shall not provide Electronic PHI to the Company in the form of
"unsecured protected health information" as defined in 45 C.F.R. § 164.402, as may be amended from
time to time.
SECTION 6: TERM AND TERMINATION
6.1 Term. This Agreement will commence as of the Agreement Effective Date and will terminate in
accordance with Section 2.3 or upon the termination of the Policy.
6.2 Termination for Cause. Upon either party's knowledge of a material breach by the other party of
this Agreement, such party will provide written notice to the breaching party detailing the nature of the
breach and providing an opportunity to cure the breach within 30 business days. Upon the expiration of
such 30 day cure period, the non-breaching party may terminate this Agreement and, at its election, the
Policy, if cure is not possible.
6.3 Effect of Termination. Upon termination of this Agreement or the Policy, the Company
will: (a) extend the protections of this Agreement to all PHI retained by Company; (b) limit further uses
and disclosures of such PHI to those purposes provided for in this Agreement for so long as the Company
maintains such PHI; and (c) where possible, only disclose such PHI to a third party if the information has
been de-identified in accordance with the standards set forth in 45 C.F.R. § 164.514(b), as may be
amended from time to time. The parties acknowledge and agree that it is not feasible for the Company to
return or destroy all PHI received by the Company under this Agreement; provided, however, that the
Company's retention of PHI upon the termination of the Agreement or the Policy shall be solely for the
purposes of complying with state record retention and insurance regulatory requirements applicable to the
Policy and the Company as a licensed insurance company and for the Company's reinsurance
obligations under reinsurance policies or treaties covering the Policy.
SECTION 7: SURVIVAL
The respective rights and obligations of the parties under Section 6.3 of this Agreement will survive the
termination of this Agreement and the Policy.
SECTION 8: GENERAL
8.1 Relationship of the Parties under HIPAA. Disclosing Party agrees and acknowledges that the
Company does not perform any function or service on behalf of any Group Health Plan and this
Agreement should not be construed and does not establish any contractual relationship for services. The
Company is not an agent or sub-contractor of any Disclosing Party or any Group Health Plan. Each
Disclosing Party acknowledges and agrees that the Company does not provide Health Care to or for any
Individual either directly or indirectly on behalf of any Group Health Plan. The Company does not conduct
Transactions with any Group Health Plan or any Disclosing Party on behalf of any Group Health Plan and
any Electronic PHI provided to the Company for the purposes of this Agreement shall not be subject to
the administrative requirements of 45 C.F.R. § 162, as may be amended from time to time. Disclosing
Party does not intend for the Company to maintain any PHI in a Designated Record Set.
8.2. Governing Law. This Agreement is governed by, and will be construed in accordance with, the
laws of the state in which the Policy is issued.
8.3 Legal Actions. Any action relating to this Agreement must be commenced within one year after
the date upon which the cause of action accrued.
8.4 Successors and Assigns. This Agreement and each party's obligations hereunder will be binding
on the representatives, assigns, and successors of such party and will inure to the benefit of the assigns
and successors of such party. No party may assign this Agreement without the prior written consent of
Company, which will not be unreasonably withheld.
8.5 Severability. If any part of a provision of this Agreement is found illegal or unenforceable, it will
be enforced to the maximum extent permissible, and the legality and enforceability of the remainder of
that provision and all other provisions of this Agreement will not be affected.
8.6 Notices. All notices relating to the parties' legal rights and remedies under this Agreement will be
provided in writing to a party, will be sent to its address set forth in the Policy, or to such other address as
may be designated by that party by notice to the sending party, and will reference this Agreement.
8.7 Amendment and Waiver. This Agreement may be modified, or any rights under it waived, only by
a written document executed by the authorized representatives of the parties. Nothing in this Agreement
will confer any right, remedy, or obligation upon anyone other than the Disclosing Parties and the
Company.
8.8 Entire Agreement. This Agreement is the complete and exclusive agreement between the parties
with respect to the subject matter hereof, superseding and replacing all prior agreements,
communications, and understandings (written and oral) regarding its subject matter.
8.9. Headings and Captions. The headings and captions of the various subdivisions of this
Agreement are for convenience of reference only and will in no way modify, or affect the meaning or
construction of any of the terms or provisions hereof.
8.10. Counterparts. This Agreement may be signed in counterparts, which together will constitute one
agreement.
IN WITNESS WHEREOF, the parties have caused this Agreement to be signed by their duly
authorized representatives or officers, effective as of the Agreement Effective Date.
ReliaStar Life Insurance Company and its affiliate ReliaStar Life Insurance Company of New York
Address: 20 Washington Avenue South, Minneapolis, Minnesota 55401
Signed:
Name:
Title:
Date:

County of Fresno
Address: 2220 Tulare Street, 14th Floor, Fresno, CA 93721
Signed:
Name: Brian Pacheco
Title: Chairman of the Board of Supervisors of the County of Fresno
Date:
EXHIBIT F
ADMINISTRATION AGREEMENT
ReliaStar Life Insurance Company, Minneapolis, MN
ReliaStar Life Insurance Company of New York, Woodbury, NY
Members of the Voya® family of companies
(the "Company")
Policyholder Name (the "Policyholder"): County of Fresno
Policy Effective Date: 12/31/2018
Insurance Contracts. The Company issues insurance policies and certificates based on your application and our state approved products (the "Policies"). Our obligations are determined solely by the terms of the policies we issue.
EXCESS RISK COVERAGE
Claim Administration. Upon determination of a potential claim under the Policy, you will confirm employees' eligibility for coverage and provide required eligibility and claim documentation to the Company, either directly or through your health claim administrator. The Company shall be responsible for all claim reviews, determinations and payments under the Policy.
Confidentiality. We will keep confidential all information provided to us by you or your health claims administrator in connection with the Policy, in compliance with applicable law. You authorize your health claims administrator, if any, to release to the Company information and data regarding claims paid to be used in connection with the Policy.
GROUP ANNUAL TERM LIFE, PERSONAL ACCIDENT INSURANCE, DISABILITY, CRITICAL ILLNESS, ACCIDENT
AND/OR HOSPITAL CONFINEMENT INDEMNITY COVERAGE
Policy Administration. Your group policy will be "Self-Administered". This means that you or a third party that you engage will be responsible to maintain all enrollment, beneficiary, and billing records for the Policies (as applicable). The records you keep must provide the ability for you and/or your employees to:
• appropriately apply Policy limits and rules
• know how much coverage the employee has at all times
• provide the employee with the appropriate "Conversion" and/or "Portability" documentation (as applicable)
• set up any payroll deductions correctly
• pay premium to the insurance company with supporting documentation
• file a claim
The parties agree that the Policies will be self-administered by Policyholder and that the insurance charges reflect that arrangement.
Communications. All forms and other materials we provide to you must be presented to employees without alteration. Any benefit and eligibility descriptions you or your third party service provider communicates to employees must be consistent with the materials and guidelines we provide to you. We will work carefully with you to make corrections in the case of any inadvertent error in communications. However, you are responsible for any costs incurred in correcting errors caused by incorrect data you provide to employees or to Company, including incorrect benefit descriptions and eligibility determinations.
Evidence of Insurability. If evidence of insurability is required in connection with an application for coverage under the terms of a Policy, you will apply the evidence of insurability rules appropriately, obtain the necessary forms from any applicant for such coverage and provide those forms to the Company.
Claim Administration. Upon receipt of notice of a potential claim under a Policy, you will confirm employees' eligibility for coverage and provide required claim documentation at the Company's request. The Company shall be responsible for all claim reviews, determinations and payments.
Certificates of Insurance and Summary Plan Description. If you request that we provide Summary Plan Description(s) ("SPD") for distribution to ERISA plan participants, we will provide the SPD using our standard language and format unless otherwise directed by you. If we agree to electronically post certificates of insurance and/or SPDs for access by your employees, you are responsible for assuring that each covered employee is informed how the documents can be accessed and that each employee has access or otherwise receives a copy (or copies) of these documents. Any legal advice as to the style, format, content or distribution of the SPD or distribution of the certificate of insurance must be provided by your legal counsel. We are unable to provide legal advice to your plan and assume no responsibility for meeting ERISA's disclosure requirements.
Self-Administered. Page 1 of 2 - Incomplete without all pages. Order #173385, County of Fresno, 11/16/2018
GENERAL ADMINISTRATION - ALL PRODUCTS:
Record Keeping. You agree to maintain accurate books and records documenting the administration of the Policies, including employee demographics, eligibility records, dependent data, coverage amounts, enrollment history, payroll deductions, benefit elections and beneficiary designations (as applicable). Such records must be maintained for a period of seven (7) years following termination of the Policies to which they relate. Upon reasonable notice, we shall have the right to review, inspect and audit, at our expense, the books, records, data files or other information maintained by you or your vendor related to the Policies.
Transmission of Data. You are responsible for the accuracy and security of data transmitted to us, including data transmitted by any third party service provider you engage to assist in administration of your benefit plans. Each party will establish and maintain (1) administrative, technical and physical safeguards against the destruction, loss or alteration of data, and (2) appropriate security measures to protect data, which measures are consistent with all state and federal regulations relating to personal information security, including, without limitation, the Gramm-Leach-Bliley Act.
Premium payment. If you engage a third party to submit premium to us, we will not consider the premium paid until it is received in our Home Office.
General terms. This Agreement will remain in effect during the duration of the Policy and will terminate automatically upon termination of all Policies. This Agreement may be amended only in writing signed by both parties. In the event of any conflict or inconsistency between the terms of this Agreement and the terms of any Policy, the terms of the Policy shall control.
Governing law. This Agreement shall be governed in all respects, including validity, interpretation and effect, without regard to principles of conflict of laws, by the law of the state where the Policy is issued.
Accepted and Agreed to:
Policyholder Name (Please print.): County of Fresno
Policyholder Authorized Signature:
Date:
Print signer's name and title: Brian Pacheco, Chairman of the Board of Supervisors of the County of Fresno
RELIASTAR LIFE INSURANCE COMPANY
RELIASTAR LIFE INSURANCE COMPANY OF NEW YORK
Company Authorized Signature:
Date:
Print signer's name and title: Mona Zielke, Vice President
EXHIBIT G
Funeral Planning & Concierge Services
About Funeral Planning & Concierge Services
Voya Employee Benefits works with Everest Funeral Package, LLC* to offer employer groups funeral planning and concierge services.
This is a unique opportunity for employees to discuss and obtain information from independent experts regarding the planning of a
funeral. With this service, employees have the ability to contact professionals who will aid them with funeral planning for themselves and
eligible family members. Everest, an independent consumer advocate, helps consumers prepare for and deal with all aspects of a funeral.
The funeral planning and concierge service is available in conjunction with our Group Life Insurance contracts. Employers can elect to
offer one of the plan levels available for all eligible employees.
Key program features
Employees will receive the following benefits:
Advisor Planning Assistance from highly trained advisors, 24 hours a day, 7 days a week
Assistance to discuss funeral planning issues
Help creating a personal funeral plan
PriceFinder research reports
Detailed, local funeral home price comparisons
Available on demand via Everest's website
Online funeral planning tools
Family assistance and plan implementation
Negotiation Assistance
Plan Levels
Employers can choose one of the following:
Level 1: Employee, Spouse and Children
Level 2: Employee, Spouse, Children and Parents of the Employee and Spouse
* Funeral Planning and Concierge Services are provided by Everest Funeral Package, LLC, Houston TX.
ReliaStar Life Insurance Company, a member of the Voya® family of companies
Travel Assistance Services
About Voya Travel Assistance
Travel assistance services have become increasingly important for employers looking to provide employees and their dependents a
sense of security when traveling away from home or the office. For this reason, Voya Employee Benefits is pleased to announce its
collaboration with Europ Assistance USA, to provide the Voya Travel Assistance Program.
Voya Travel Assistance Services are provided by Europ Assistance USA, Bethesda, MD. Availability may vary by state.
Services
When traveling more than 100 miles from home,whether domestic or international travel, Voya Travel Assistance provides eligible
participants four types of services: Emergency Transportation Services, Medical Assistance Services, Emergency Personal Services, and
Pre-trip Information. These services are described in further detail below.
Eligible participants will have toll-free access to the Voya Travel Assistance customer service center 24 hours a day from anywhere in the
world.
Emergency Transportation Services
This service offers the following features:
Emergency Evacuation/Medically Necessary Repatriation: In the event of a medical emergency where it is determined medically
necessary for an eligible participant to be transported under medical supervision to the nearest hospital or treatment facility or to
be returned to his/her place of residence for treatment, Voya Travel Assistance will arrange and pay for the transport under proper
medical supervision. All decisions as to the medical need for evacuation and/or return home, the means and/or timing of any
evacuation, the medical equipment and escort to be used, and the final destination are decisions which will be made by physicians
designated by Voya Travel Assistance in consultation with a local attending physician based on medical factors.
Visit by a Family Member or Friend: If an eligible participant is traveling alone and is likely to be hospitalized for seven (7)
consecutive days, or is in critical condition, Voya Travel Assistance will arrange and pay for economy class round trip
transportation for one (1) member of the eligible participant's immediate family or one (1) friend designated by the eligible
participant from his or her home to the place where he or she is hospitalized.
Traveling Companion Transportation: If a travel companion loses previously made travel arrangements due to an eligible
participant's medical emergency, Voya Travel Assistance will arrange and pay for the traveling companion's return home by the
most direct and economical route.
Return of Dependent Children: If an eligible participant is traveling alone and is likely to be hospitalized for seven (7) consecutive
days, or is in critical condition, and dependent children traveling with the eligible participant are left unattended because the
eligible participant is in the hospital, Voya Travel Assistance will arrange and pay for their economy class transportation home with
a qualified escort if necessary.
Return of Mortal Remains: In case of death while traveling, Voya Travel Assistance will arrange and pay for the proper return of
remains to the deceased's place of residence for burial, including all necessary government authorizations and transportation.
Medical Assistance Services
If medical care is required while abroad, Voya Travel Assistance can assist in the following ways:
Medical Referrals: Voya Travel Assistance will assist eligible participants in finding physicians, dentists, and medical facilities.
Medical Monitoring: During the course of a medical emergency, professional case managers, including physicians and nurses, will
make sure the appropriate level of care is maintained or determine if further intervention, medical transportation, or possible
repatriation (return to U.S.) is needed.
Emergency Medical Payments: When it is necessary for an eligible participant to obtain medical services, Voya Travel Assistance,
upon request, will advance up to $10,000 to cover on-site medical expenses. The advance of funds will be made to the medical
provider after Voya Travel Assistance has secured funds from the eligible participant or the eligible participant's family.
Replacement of Medication and Eyeglasses: Voya Travel Assistance will arrange to fill a prescription that has been lost, stolen, or
requires a refill, subject to local law, whenever possible. Voya Travel Assistance will also arrange for shipment of replacement
eyeglasses. Costs for shipping of medication or eyeglasses, or a prescription refill, etc. are the eligible participant's responsibility.
Emergency Personal Services
To prepare for unexpected situations of a non-medical nature, Voya Travel Assistance offers these services:
Urgent Messages: Voya Travel Assistance can send urgent messages and keep messages for eligible participants in its offices for
up to 15 days.
Emergency Travel Arrangements: If appropriate, Voya Travel Assistance will make new travel arrangements or change airline,
hotel, and car rental reservations.
Emergency Cash: Voya Travel Assistance will advance up to $500 after satisfactory guarantee of reimbursement from an eligible
participant. Any fees associated with the transfer or the delivery of funds are the eligible participant's responsibility.
Location of Lost/Stolen Luggage/Personal Possessions: Voya Travel Assistance will assist in locating and replacing lost or stolen
luggage, documents, and personal possessions.
Legal Assistance/Bail: Voya Travel Assistance will locate an attorney and advance bail funds, where permitted by law, with
satisfactory guarantee of reimbursement (the eligible participant must pay attorney fees).
Interpretation/Translation: Voya Travel Assistance will assist with telephone interpretation in all major languages or will refer an
eligible participant to an interpretation or translation service for written documents.
Pre-Trip Information
Voya Travel Assistance offers a wide range of information services before an eligible participant leaves home, including:
Visa, Passport, Inoculation and Immunization Requirements
Cultural Information
Temperature and Weather Conditions
Embassy and Consular Referrals
Foreign Exchange Rates
Travel Advisors
International "Hot Spots"
Plan Administration
In the event of an Emergency Medical situation involving an employee or their dependent, Voya Travel Assistance will need to contact
the Group Policyholder to verify coverage. Voya Travel Assistance will contact in this order:
The Billing Contact as identified by Voya Employee Benefits
The Case Contact as identified by Voya Employee Benefits
It is the responsibility of the Group Policyholder to notify both Voya Employee Benefits and Voya Travel Assistance if you change your
contact person. The Contact will be required to provide verification that(a)the Group Policyholder has current coverage with ReliaStar
Life Insurance Company, and (b)the employee is individually covered under the Group Policy.
Payment for Services
After coverage has been verified, Voya Travel Assistance will arrange and pay for the following within the guidelines previously
described:
Emergency Evacuation
Medically Necessary Repatriation
Return of Dependent Children
Visit by a Family Member or Friend
Return of Mortal Remains
Traveling Companion Transportation
These services are only eligible for payment by Voya Travel Assistance if Voya Travel Assistance is contacted at the time of service and
arranged for the service.
Terminations
Europ Assistance USA will provide Travel Assistance services under the Voya Travel Assistance Program until the Group Policyholder's
expiration or cancellation date,whichever comes first, or if Voya Employee Benefits terminates its Travel Assistance Program with Europ
Assistance USA.
Exclusions and Limitations
A. Voya Travel Assistance shall not evacuate or repatriate an eligible participant if a) the individual has infections that are under
treatment that have not yet healed, or b) the individual is pregnant and is either in or past her sixth month of pregnancy, or c) the
Voya Travel Assistance designated physician determines that such transport is not medically advisable or necessary.
B. Voya Travel Assistance shall not provide benefits and/or services enumerated if the coverage is sought as a result of:
Suicide or attempted suicide;
Intentionally self-inflicted injuries;
War, invasion, acts of foreign enemies, hostilities between nations (whether declared or not), civil war;
Participation in any military maneuver or training exercise;
Being under the influence of alcohol;
Being under the influence of drugs or intoxicants unless prescribed by a physician;
Commission or the attempt to commit a criminal act;
Participation in bodily contact sports, skydiving, hang-gliding, parachuting, mountaineering, any race, bungee cord jumping, or speed contest;
Spelunking or caving, heliskiing, extreme skiing;
Pregnancy or childbirth (except for complications of pregnancy);
Curtailments or delayed return for other than medical reasons;
Traveling for the purpose of securing medical treatment;
Injury or illness which can be treated locally and does not prevent the continuing of the trip;
Travel undertaken against the advice of a physician;
Service not shown as covered.
C. The services described above currently are available in every country except Afghanistan, Somalia, Eritrea, Yemen and Eastern
Timor. Voya Travel Assistance reserves the right to update the list of countries in which its services are not available. It is the
responsibility of the eligible participant to inquire whether a country is"open"for assistance prior to his or her departure and during
his or her stay.
Voya Travel Assistance also reserves the right to suspend, curtail or limit its services in any area in the event of rebellion, riot,
military uprising, war,terrorism, labor disturbance, strikes, nuclear accidents, acts of god or refusal of authorities to permit Voya
Travel Assistance to fully provide services.
If an eligible participant requests transport related to a condition for which a transport has not been deemed medically necessary by a
physician designated by Voya Travel Assistance in consultation with a local attending physician or to any condition excluded hereunder,
and the Group Policyholder agrees to be financially responsible for all expenses related to that transport, Voya Travel Assistance will
arrange but not pay for such transport to a medical facility or to the eligible participant's residence and will make such arrangements
using the same degree of care and completeness as if Voya Travel Assistance was providing service under this agreement.
Voya Travel Assistance shall not be responsible for any claim, damage, loss, costs, liability or expense which arises in whole or in part as
a result of Voya Travel Assistance's inability to contact the Group Policyholder's authorized Contact for any reason beyond Voya Travel
Assistance's control or as a result of the failure and/or refusal of the Group Policyholder to authorize services proposed by Voya Travel
Assistance.
EXHIBIT H.
Voya Data Security Addendum
1. Definitions.
"Affected Persons" means Client's and its Affiliate's former and current employees whose Personal Information ("PI")
may have been disclosed or compromised as a result of an Information Security Incident.
"Affiliates" means any entities that, now or in the future, control, are controlled by, or are under common control with
Client. An entity will be deemed to control another entity if it has the power to direct or cause the direction of the
management or policies of such entity, whether through ownership, voting securities, contract, or otherwise.
"Confidential Information" means (a) non-public information concerning the Disclosing Party; its affiliates; and their
respective businesses, products, processes, and services, including technical, marketing, agent, customer, financial,
personnel, and planning information; (b) PI; (c) trade secrets; and (d) any other information that is marked confidential or
which, under the circumstances surrounding disclosure, the Non-Disclosing Party should know is treated as confidential
by the Disclosing Party. Except with respect to PI, which will be treated as Confidential Information under all
circumstances, Confidential Information will not include (A) information lawfully obtained or developed by the Non-
Disclosing Party independently of the Disclosing Party's Confidential Information and without breach of any obligation of
confidentiality; or (B) information that enters the public domain without breach of any obligation of confidentiality. All
Confidential Information will remain the property of the Disclosing Party.
"Information Security Incident" means any breach of security or cyber security incident impacting Voya that has a
reasonable likelihood of (a) resulting in the loss or unauthorized access, use or disclosure of Client PI; (b) materially
affecting the normal operation of Voya; or (c) preventing Voya from complying with all of the privacy and security
requirements set forth in this Agreement.
"Law" means all U.S. and non-U.S. laws, ordinances, rules, regulations, declarations, decrees, directives, legislative
enactments and governmental authority orders and subpoenas.
"PI" means any information or data that (a) identifies an individual, including by name, signature, address, telephone
number or other unique identifier; (b) can be used to identify or authenticate an individual, including passwords, PINs,
biometric data, unique identification numbers (e.g., social security numbers), answers to security questions or other
personal identifiers; (c) is "non-public personal information" as defined in the Gramm-Leach-Bliley Act 15 U.S.C. § 6809(4)
or"protected health information" as defined in 45 C.F.R. § 160.103; or (d) is an account number or credit card number or
debit card number, in combination with any required security code, access code, or password, that would permit access to
an individual's financial account.
"Services" means the services that Voya provides to Client pursuant to this Agreement.
"Voya Personnel" means Voya's employees and subcontractors engaged in the performance of Services.
2. Data Security.
2.1. Security Standards and Controls.
(a) Voya will establish and maintain:
(i) administrative, technical, and physical safeguards against the destruction, loss, or alteration of
Confidential Information; and
(ii) appropriate security measures to protect Confidential Information, which measures meet or exceed
the requirements of all applicable Laws relating to personal information security.
(b) In addition, Voya will implement and maintain the following information security controls:
(i) privileged access rights will be restricted and controlled;
(ii) an inventory of assets relevant to the lifecycle of information will be maintained;
(iii) network security controls will include, at a minimum, firewall and IDS services;
(iv) detection, prevention and recovery controls to protect against malware will be implemented;
(v) information about technical vulnerabilities of Voya's information systems will be obtained and
evaluated in a timely fashion and appropriate measures taken to
address the risk;
CN0427-41890-0519
(vi) detailed event logs recording user activities, exceptions, faults, access attempts, operating system
logs, and information security events will be produced, retained and regularly reviewed; and
(vii) development, testing and operational environments will be separated to reduce the risks of
unauthorized access or changes to the operational environment.
2.2. Information Security Policies. Voya will implement and maintain written policies and procedures that address the
following areas:
(a) information security;
(b) data governance and classification;
(c) access controls and identity management;
(d) asset management;
(e) business continuity and disaster recovery planning and resources;
(f) capacity and performance planning;
(g) systems operations and availability concerns;
(h) systems and network security;
(i) systems and application development, quality assurance and change management;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) patch management;
(m) maintenance, monitoring and analysis of security audit logs;
(n) vendor and third party service provider management; and
(o) incident response, including clearly defined roles and decision making authority and a logging and
monitoring framework to allow the isolation of an incident.
2.3. Subcontractors. Voya will implement and maintain policies and procedures to ensure the security of Confidential
Information and related systems that are accessible to, or held by, third party service providers. Voya will not
allow any third parties to access Voya's systems or store or process sensitive data, unless such third parties have
entered into written contracts with Voya that require, at a minimum, the following:
(a) the use of encryption to protect sensitive PI in transit, and the use of encryption or other mitigating
controls to protect sensitive PI at rest;
(b) prompt notice to be provided in the event of a cyber security incident;
(c) the ability of Voya or its agents to perform information security assessments; and
(d) representations and warranties concerning adequate information security.
2.4. Encryption Standards, Multifactor Authentication and Protection of Confidential Information.
(a) Voya will implement and maintain cryptographic controls for the protection of Confidential
Information, including the following:
(i) use of an encryption standard equal to or better than the industry standards described in National
Institute of Standards and Technology Special Publication 800-175B (or such higher encryption
standard required by applicable Law) to protect Confidential Information in transit over un-trusted
networks;
(ii) use of cryptographic techniques to provide evidence of the occurrence or nonoccurrence of an
event or action;
(iii) use of cryptographic techniques to authenticate users and other system entities requesting access
to or transacting with system users, entities and resources; and
(iv) development and implementation of policies on the use, protection and lifetime of cryptographic
keys through their entire lifecycle.
(b) In addition to the controls described in clause (a) above, Voya will:
(i) implement multi-factor authentication for all remote access to Voya's networks;
(ii) ensure that no Client PI is (A) placed on unencrypted mobile media, CDs, DVDs, equipment, or
laptops or (B) stored or transmitted outside the United States; and
(iii) ensure that media containing Confidential Information is protected against unauthorized access,
misuse or corruption during transport.
2.5. Information Security Roles and Responsibilities. Voya will employ personnel adequate to manage Voya's
information security risks and perform the core cyber security functions of identify, protect, detect, respond and
recover. Voya will designate a qualified employee to serve as its Chief Information Security Officer ("CISO")
responsible for overseeing and implementing its information security program and enforcing its information
security policies. Voya will define roles and responsibilities with respect to information security, including by
identifying responsibilities for the protection of individual assets, for carrying out specific information security
processes, and for information security risk management activities, including acceptance of residual risks. These
responsibilities should be supplemented, where appropriate, with more detailed guidance for specific sites and
information processing facilities.
2.6. Segregation of Duties. Voya must segregate duties and areas of responsibility in order to reduce opportunities for
unauthorized modification or misuse of Voya's assets and ensure that no single person can access, modify or use
assets without authorization or detection. Controls should be designed to separate the initiation of an event from
its authorization. If segregation is not reasonably possible, other controls such as monitoring of activities, audit
trails and management supervision should be utilized. Development, testing, and operational environments
should be separated to reduce the risks of unauthorized access or changes to the operational environment.
2.7. Information Security Awareness, Education and Training. Voya will provide regular information security education
and training to all Voya Personnel, as relevant for their job function. In addition, Voya will provide mandatory
training to information security personnel and require key information security personnel to stay abreast of
changing cyber security threats and countermeasures.
2.8. Vulnerability Assessments. Voya will conduct monthly vulnerability assessments that meet the following criteria:
(a) all production servers and network devices must be scanned at least monthly;
(b) all findings must be risk rated;
(c) all findings must be tracked to closure based on risk; and
(d) tools used for scanning must have signatures updated at least monthly with the latest vulnerability.
Voya will implement and maintain a formal process for tracking and resolving issues in a timely
fashion.
2.9. Physical and Environmental Security. Voya will ensure that all sites are physically secure, including the following:
(a) sound perimeters with no gaps where a break-in could easily occur;
(b) exterior roof, walls and flooring of solid construction and all external doors suitably protected against
unauthorized access with control mechanisms such as locks, bars, alarms, etc.;
(c) all doors and windows to operational areas locked when unattended;
(d) equipment protected from power failures and other disruptions caused by failures in supporting
utilities;
(e) closed-circuit television cameras at site entry/exit points; badge readers/turnstiles at all site entry
points, or other means to prevent unauthorized access; and
(f) visitor sign-in/ mandatory escort at site.
2.10. Information Security Incident Notification.
(a) In the event of any Information Security Incident, Voya will, at its sole expense:
(i) promptly (and in any event within 72 hours after Voya confirms an Information Security Incident)
report such Information Security Incident to Client by sending an email to the email address
designated by Client, summarizing in reasonable detail the effect on Client, if known, and designating
a single point of contact at Voya who will be available to Client for information and assistance
related to the Information Security Incident;
(ii) investigate such Information Security Incident, perform a root cause analysis, develop a corrective
action plan and take all necessary corrective actions;
(iii) mitigate, as expeditiously as possible, any harmful effect of such Information Security Incident and
cooperate with Client in any reasonable and lawful efforts to prevent, mitigate, rectify and
remediate the effects of the Information Security Incident;
(iv) provide a written report to Client containing all information necessary for Client to determine
compliance with all applicable laws, including the extent to which notification to affected persons or
to government or regulatory authorities is required; and
(v) cooperate with Client in providing any filings, communications, notices, press releases or reports
related to such Information Security Incident.
(b) In addition to the other indemnification obligations of Voya set forth in this Agreement, Voya will
indemnify, defend and hold harmless Client from and against any and all claims, suits, causes of
action, liability, loss, costs and damages, including reasonable attorneys' fees, arising out of or
relating to any Information Security Incident, which may include, without limitation:
(i) expenses incurred to provide notice to Affected Persons and to law-enforcement agencies,
regulatory bodies or other third parties as required to comply with law;
(ii) expenses related to any reasonably anticipated and commercially recognized consumer data
breach mitigation efforts, including, but not limited to, costs associated with the offering of credit
monitoring or a similar identity theft protection or mitigation product for a period of at least twelve
(12) months or such longer time as is required by applicable laws or any other similar protective
measures designed to mitigate any damages to the Affected Persons; and
(iii) fines or penalties that Client pays to any governmental or regulatory authority under legal or
regulatory order as a result of the Information Security Incident.
2.11. Risk Assessments. Upon Client's request no more than once per year, Voya will complete an industry standard
information security questionnaire and provide relevant Service Organization Control ("SOC") audit reports, when
available. Voya's standard security requirements are set forth in Exhibit A. Voya represents and warrants that, as
of the Effective Date, the statements in Exhibit A are true and correct in all material respects.
2.12. Penetration Testing. If any Services to be provided by Voya include the hosting or support of one or more
externally facing applications that can be used to access systems that store or process Client data, the terms of
this Section will apply.
(a) At least once every 12 months during the Term and prior to any major changes being moved into
production, Voya will conduct a Valid Penetration Test (as defined below) on each internet facing
application described above. As used herein, a "Valid Penetration Test" means a series of tests
performed by a team of certified professionals, which tests mimic real-world attack scenarios on the
information system under test and include, without limitation, the following:
(i) information-gathering steps and scanning for vulnerabilities;
(ii) manual testing of the system for logical flaws, configuration flaws, or programming flaws that
impact the system's ability to ensure the confidentiality, integrity, or availability of Client's
information assets;
(iii) system-compromise steps;
(iv) escalation-of-privilege steps; and
(v) assignment of a risk rating for each finding based on the level of potential risk exposure to Client's
brand or information assets.
(b) Upon Client's request, Voya will review the results of the most recent Valid Penetration Test with
Client and provide the following documentation for Client's review:
(i) the penetration test management summary (which may be redacted to ensure confidentiality of the
technical details of the flaws in the system under test) showing the testing methodology used for
performing the testing, which report will include information-gathering steps, vulnerability scanning,
manual testing, system compromise, and escalation of privilege steps.
3. Privacy and PI.
3.1. With respect to any PI, Voya will:
(a) process all PI accessed by Voya only to perform its obligations under this Agreement;
(b) not use such PI for any other purpose, including for its own commercial benefit;
(c) treat all PI as Confidential Information;
(d) comply with the provisions of this Agreement to return, store or destroy the PI; and
(e) comply with all applicable Laws with respect to processing of PI.
3.2. As needed to comply with applicable Laws concerning the processing of PI or personal information security, or to
the extent required by any changes in such Laws or the enactment of new Laws, the Parties agree to work
cooperatively and in good faith to amend this Agreement in a mutually agreeable and timely manner, or to enter
into further mutually agreeable agreements in an effort to comply with any such Laws applicable to the Parties. If
the Parties cannot so agree, or if Voya cannot comply with the new or additional requirements, Client may
terminate this Agreement upon written notice to Voya.
4. Confidential Information.
4.1. Confidential Information. Either Party ("Disclosing Party") may disclose Confidential Information to the other
Party ("Non-Disclosing Party") in connection with this Agreement.
4.2. Use and Disclosure of Confidential Information. The Non-Disclosing Party agrees that it will disclose the
Disclosing Party's Confidential Information only to its employees, agents, consultants, and contractors who have a
need to know and are bound by obligations of confidentiality no less restrictive than those contained in this
Agreement. In addition, Voya agrees that it will use the Disclosing Party's Confidential Information only for the
purposes of performing its obligations under this Agreement. The Non-Disclosing Party will use all reasonable
care in handling and securing the Disclosing Party's Confidential Information and will employ all security
measures used for its own proprietary information of similar nature. These confidentiality obligations will not
restrict any disclosure of Confidential Information required by Law or by order of a court, regulatory authority or
governmental agency; provided, that the Non-Disclosing Party will limit any such disclosure to the information
actually required to be disclosed. Notwithstanding anything to the contrary, Client may fully comply with requests
for information from regulators of Client and the Client Affiliates.
4.3. Treatment of Confidential Information Following Termination. Promptly following the termination or expiration of
this Agreement, or earlier if requested by the Disclosing Party, the Non-Disclosing Party will return to the
Disclosing Party any and all physical and electronic materials in the Non-Disclosing Party's possession or control
containing the Disclosing Party's Confidential Information. The materials must be delivered via a secure method
and upon such media as may be reasonably required by the Disclosing Party. Alternatively, with the Disclosing
Party's prior written consent, the Non-Disclosing Party may permanently destroy or delete the Disclosing Party's
Confidential Information and, if requested, will promptly certify the destruction or deletion in writing to the
Disclosing Party. Notwithstanding the foregoing, if the Non-Disclosing Party, due to requirements of applicable
Law, must retain any of the Disclosing Party's Confidential Information, or is unable to permanently destroy or
delete the Disclosing Party's Confidential Information as permitted above within 60 days after termination of this
Agreement, the Non-Disclosing Party will so notify the Disclosing Party in writing, and the Parties will confirm any
extended period needed for permanent destruction or deletion of the Disclosing Party's Confidential Information.
All Confidential Information in the Non-Disclosing Party's possession or control will continue to be subject to the
confidentiality provisions of this Agreement. The methods used to destroy and delete the Confidential Information
must ensure that no Confidential Information remains readable and cannot be reconstructed so to be readable.
Destruction and deletion must also comply with the following specific requirements:
MEDIUM                                           | DESTRUCTION METHOD
Hard copy                                        | Shredding, pulverizing, burning, or other
                                                 | permanent destruction method
Electronic tangible media, such as disks and     | Destruction or erasure of the media
tapes                                            |
Hard drive or similar storage device             | Storage frame metadata removal to hide the
                                                 | organizational structure that combines disks
                                                 | into usable volumes and physical destruction
                                                 | of the media with a Certificate of Destruction
                                                 | (COD)
4.4. Period of Confidentiality. The restrictions on use, disclosure, and reproduction of Confidential Information set
forth in this Section will, with respect to PI and Confidential Information that constitutes a "trade secret" (as that
term is defined under applicable Law), be perpetual, and will, with respect to other Confidential Information,
remain in full force and effect during the term of this Agreement and for three years following the termination or
expiration of this Agreement.
4.5. Injunctive Relief. The Parties agree that the breach, or threatened breach, of any of the confidentiality provisions
of this Agreement may cause irreparable harm without adequate remedy at law. Upon any such breach or
threatened breach, the Disclosing Party will be entitled to injunctive relief to prevent the Non-Disclosing Party from
commencing or continuing any action constituting such breach, without having to post a bond or other security
and without having to prove the inadequacy of other available remedies. Nothing in this Section will limit any
other remedy available to either Party.
5. Cyber Liability Insurance. During the Term, Voya will, at its own cost and expense, obtain and maintain in full
force and effect, with financially sound and reputable insurers, cyber liability insurance to cover Voya's obligations
under this Addendum. Upon execution of the Agreement, Voya will provide Client with a certificate of insurance
evidencing the following coverage and amount with such insurer:
Risk Covered: Network Security (a.k.a. Cyber/IT)
Limits: >$55,000,000
Policy dates: May 2, 2018— May 2, 2019
6. Disaster Recovery and Business Continuity Plan. Voya maintains, and will continue to maintain throughout
the Term, (a) a written disaster recovery plan ("Disaster Recovery Plan"), which Disaster Recovery Plan is
designed to maintain Client's access to services and prevent the unintended loss or destruction of Client data;
and (b) a written business continuity plan ("BCP") that permits Voya to recover from a disaster and continue
providing services to customers, including Client, within the recovery time objectives set forth in the BCP. Upon
Client's reasonable request, Voya will provide Client with evidence of disaster recovery test date and result
outcome.
Exhibit A
Security Requirements
FC: Foundation Controls
FC-1: Information Asset Management
FC-1.1 Voya implements and maintains an inventory list and assigns ownership for all computing
assets including, but not limited to, hardware and software used in the accessing, storage,
processing, or transmission of Client PI.
FC-1.2 Voya reviews and updates the inventory list of assets for correctness and completeness at least
once every 12 months and updates the inventory list as changes are made to the computing
assets.
FC-2: Data Privacy and Confidentiality
FC-2.1 Voya will maintain an Information and Risk Management policy that is reviewed and approved
by management at least every 2 years.
FC-2.2 Voya protects the privacy and confidentiality of all Client PI received, disclosed, created, or
otherwise in Voya's possession by complying with the following requirements:
FC-2.2A Such information is encrypted at rest on mobile devices (including mobile storage devices),
portable computers, and in transit over un-trusted networks with an encryption standard equal
to or better than AES 256 bit encryption or such higher encryption standard required by
applicable Law.
FC-2.2B All hardcopy documents and removable media are physically protected from unauthorized
disclosure by locking them in a lockable cabinet or safe when not in use and ensuring that
appropriate shipping methods (tamper-proof packaging sent by special courier with
signatures) are employed whenever the need to physically transport such documents and
removable media arises.
FC-2.2C All media is labeled and securely stored in accordance with Voya policies.
FC-2.2D All electronic media is securely sanitized or destroyed when no longer required in accordance
with industry standards.
FC-3 Configuration Management
FC-3.1 Voya implements and maintains accurate and complete configuration details (e.g., Infrastructure
Build Standards) for all computing assets used in accessing, storing, processing, or transmitting
Client PI.
FC-3.2 Voya reviews configuration details of the computing assets at least once every 12 months to
validate that no unauthorized changes have been made to the assets.
FC-3.3 Voya updates the configuration details of all computing assets used to access, process, store,
or transmit Client PI as configuration changes take place.
FC-4: Operating Procedures and Responsibilities
FC-4.1 Voya implements and maintains operational procedures for information processing facilities and
designates specific roles or personnel responsible for managing and maintaining the quality and
security of such facilities, including, but not limited to, formal handover of activity, status
updates, operational problems, escalation procedures and reports on current responsibilities.
Voya IT policies and standards document the policies and procedures for job scheduling
processes and tools.
FC-4.2 Voya updates the operational procedures as changes take place and performs a comprehensive
review and update of the procedures at least once every 2 years.
FC-5: Security Awareness and Training
FC-5.1 Voya performs pre-employment background checks, including criminal history for 7 years, drug
screening, credit score and history (if applicable), credentials verification (if applicable), and
educational background.
FC-5.2 Voya implements and maintains a documented security awareness program for all Voya
Personnel which covers access to Client PI.
FC-5.3 Voya's security awareness program includes security requirements, acceptable use of
computing assets, legal responsibilities, and business controls, as well as training in the correct
use of information processing facilities and physical security controls.
FC-5.4 Voya ensures that all Voya Personnel complete security awareness training prior to being
provided access to Client PI and at least annually thereafter. Voya provides mandatory annual
training programs that include security awareness training to all Personnel.
UA: User Access Controls
UA-1: User Access Controls
UA-1.1 Voya implements and maintains identity management system(s) and authentication process(es)
for all systems that access, process, store, or transmit Client PI.
UA-1.2 Voya ensures that the following user access controls are in place:
UA-1.2A The "Least Privilege" concept is implemented ensuring no user has more privileges than they
require in performing their assigned duties.
UA-1.2B Users requiring elevated privileges as a normal part of their job responsibilities have a
regular, non-privileged account to perform regular business functions.
UA-1.2C All users have an individual account which cannot be shared.
UA-1.2D Account Names/IDs are constructed not to reveal the privilege level of the account or position
of the account holder.
UA-1.2E System- or application-level service accounts are owned by a member of management or an
IT system administration delegate and only have the privileges necessary to function as
required by the application, system, or database the account has been created for.
UA-1.2F Network access is disabled within 24 hours of termination. Automated nightly processes
disable access upon termination and initiate manager review on employee position changes,
in accordance with Voya policies.
UA-2: Access Control Management
UA-2.1 Voya maintains a comprehensive physical security program. Access to Voya facilities is
restricted and logs are maintained for all access. Physical security and environmental controls
are present in Voya buildings.
UA-2.2 Voya ensures that access to systems that access, process, store, or transmit Client PI is limited
to only those personnel who have been specifically authorized to have access in accordance
with the user's assigned job responsibilities.
UA-2.3 Voya ensures that accounts for systems that access, process, store, or transmit Client PI are
controlled in the following manner:
UA-2.3A Users must provide a unique ID and Password for access to systems. Access to
applications/systems is limited to a need-to-know basis, and is enforced through role based
access controls.
UA-2.3B Accounts are protected on computing assets by screen-savers that are configured with an
inactivity time-out of not more than 15 minutes.
UA-2.3C Accounts are locked after no more than 10 consecutive failed logon attempts, depending
upon the system and platform.
UA-2.3D Accounts remain locked until unlocked by an Administrator or through an approved and
secure end-user self-service process.
UA-2.3E Accounts are reviewed on a periodic and regular basis (semi-annually for non-privileged and
privileged accounts) to ensure that the account is still required, access is appropriate, and the
account is assigned to the appropriate user.
UA-2.4 Voya ensures that wireless mobile devices are secured against threats coming from these
wireless networks and wireless connections are required to be encrypted.
UA-3: User Access Management
UA-3.1 Voya ensures that passwords for all accounts on systems that access, process, store, or
transmit Client PI are configured and managed as follows:
UA-3.1A Passwords are stored using one-way encryption (e.g. cryptographic hash with a unique salt)
in a secure file system or directory.
UA-3.1B Passwords for all accounts have a minimum length of eight characters, a maximum age of 60
days for non-privileged accounts and 30 days for privileged accounts, and a password history
equal to six or the maximum value allowed by the system.
UA-3.1C Passwords have a complexity of at least one digit, one uppercase and one lowercase letter,
contain no common words, and do not use a repetitive string of characters.
UA-3.1D Initial passwords are different from the name of user account, communicated to users in a
secure manner, and required to be changed the first time the user logs in.
UA-4: Information Access Restriction
UA-4.1 Voya implements information access restrictions on all systems used to access, process, store,
or transmit Client Information.
UA-4.2 Voya ensures the following Information Access Restrictions are in place:
UA-4.2A Access to underlying operating systems and application features that the user does not
require access to in the performance of their assigned responsibilities are strictly controlled.
UA-4.2B Access to source code and libraries are restricted to only those individuals who have been
specifically approved to have access. A person who develops code changes cannot be the
same person who migrates the code change into production.
UA-4.2C Access between Development, Test, and Production environments are strictly controlled.
The version management system provides segregation of code, data and environments.
UA-4.2D Temporary privileged access to production data is granted to authorized personnel based on
job function for emergency support and only via access control and logging security tools.
PS: Platform Security Controls
PS-1: Computer System Security (Servers and Multi-user Systems only)
PS-1.1 Voya implements and manages a formal process for ensuring that all computer systems that
access, process, store, or transmit Client PI are protected and configured as follows prior to and
while remaining in a production status:
PS-1.1A Systems are assigned to an asset owner within Voya's organization.
PS-1.1B Systems are located in a data center or similarly controlled environment with appropriate
physical security mechanisms and environmental controls to ensure systems are protected
from theft, vandalism, unplanned outages, or other intentional or unintentional hazards.
PS-1.1C All systems are configured to meet Voya standards, monitored to ensure a compliant state,
and patched as required to maintain a high degree of security. Issues found to be out of
compliance are required to be tracked to closure.
PS-1.1D Systems are configured with commercially available and licensed anti-virus software which is
set to perform active scans, perform scans of uploaded or downloaded data/files/web
content, and is updated on at least a daily basis.
PS-1.1E System clocks are configured to synchronize with a reputable time source (e.g., NTP).
PS-1.1F Systems display a warning banner to all individuals during the logon process that indicates
only authorized users may access the system.
PS-1.1G Systems that have been implemented into a production environment are routinely tested for
vulnerabilities and risks using industry best practice tools and methods.
PS-1.1H All high and medium vulnerability and risk issues identified are remediated utilizing a risk
based approach and in alignment with application team code release schedules.
PS-1.1I Voya ensures that only authorized and trained personnel have access to configure, manage,
or monitor systems.
PS-2: Network Security
PS-2.1 To ensure systems accessing, processing, storing, or transmitting Client PI are protected from
network related threats, Voya implements the following network security controls prior to
connecting any network component to a production network and for the duration that the
component remains in a production status:
PS-2.1A Networks are constructed using a defense-in-depth architecture, are terminated at a firewall
where there are connections to external networks, and are routinely scanned for unapproved
nodes and networks.
PS-2.1B Business-to-Business (B2B) and Third Party network connections (Trusted) to systems
accessing, processing, storing, or transmitting Client PI are permitted only after a rigorous
risk assessment and formal approval by Voya management. Network connections from
untrusted sources to internal resources are not permitted at any time.
PS-2.1C Network components (switches, routers, load balancers, etc.) are located in a data center or
a secure area or facility.
PS-2.1D Voya systems are configured to provide only essential capabilities and restrict the use of any
unneeded functions, ports, protocols and services.
PS-2.1E Intrusion detection/prevention technologies, firewalls, and proxy technologies are
implemented, monitored and managed to ensure only authorized and approved traffic is
allowed within and between segments of the network.
PS-2.1F Internal Voya wireless networks are configured with the most robust security standards
available, including but not limited to, 802.11i/n, strong authentication, IP/MAC address
filtering, firewall protection, and intrusion detection/prevention.
PS-2.1G Wireless networks are not used to access Client Information unless the information is
encrypted at either the file or transport level.
PS-2.1H Network components that have been implemented into a production environment are
routinely tested for vulnerabilities and risks using industry best practice tools and methods.
PS-2.1I Voya ensures that only authorized and trained personnel have access to configure, manage,
or monitor network components.
PS-3: Generic Application and Database Security
PS-3.1 Voya implements and maintains an application security certification and assurance process that
ensures that all applications that access, process, store, or transmit Client PI provide the
following:
PS-3.1A Application and database design ensures security, accuracy, completeness, timeliness, and
authentication/authorization of inputs, processing, and outputs.
PS-3.1B All data inputs are validated for invalid characters, out of range values, invalid command
sequences, exceeding data limits, etc. prior to being accepted for production. Voya
implements static source code analysis tools to validate data inputs.
PS-3.1C Application source code developed in house by Voya is protected through the use of a source
code repository that ensures version and access control. The version management system
provides segregation of code, data and environments.
PS-3.1D Applications and databases are tested for security robustness and corrective measures are
applied prior to the application being placed into a production environment. All systems are
configured to meet Voya standards, monitored to ensure compliance state, and patched as
required to maintain a high degree of security.
PS-3.1E Applications and databases are implemented into a production environment with minimal
privileges and critical configuration files and storage subsystems are protected from
unauthorized access.
PS-3.1F Applications and databases that have been implemented into a production environment are
routinely tested for vulnerabilities and risks using industry best practice tools and methods.
PS-3.1G Voya ensures that Consumer/Internet facing applications have been designed and
implemented using multi-factor authentication architecture. Web sessions require the use of
an HTTPS (encrypted) connection, as well as authorization to approved data and services.
PS-3.1H Voya ensures that only authorized and trained personnel have access to configure, manage,
or monitor applications and databases.
PS-4: Workstation and Mobile Devices Security (End User Devices)
PS-4.1 Voya ensures that the following security controls have been implemented and are maintained to
protect Client PI accessed, processed, stored, or transmitted on workstations and mobile
devices.
PS-4.1A Workstations are located in a physically secure environment with mechanisms in place to
prevent unauthorized personnel from accessing data stored on the device, reconfiguring the
BIOS or system components, or from booting the device from unauthorized media. Portable
devices are configured for boot-up encryption.
PS-4.1B Laptops/portable computers and other mobile devices are assigned to an owner who is
responsible for physically securing the device at all times, and the owner of the device must
receive adequate awareness training on mobile device physical security.
PS-4.1C Portable devices are configured for boot-up encryption. All laptop hard drives are encrypted
using AES 256. Any device deemed "remote" requires hard drive encryption.
PS-4.1D All workstations, laptops/portable computers and other mobile devices (where applicable) are
configured with commercially available and licensed anti-virus software which is set to
perform active scans, to perform scans of uploaded or downloaded data/files/web content,
and is updated on at least a daily basis.
PS-4.1E All workstations, laptops/portable computers and other mobile devices (where applicable) are
configured with a commercially available and licensed operating system, patched according
to manufacturer's recommendations, hardened according to best industry practices and
standards and configured so that regular users do not have administrative privileges.
PS-4.1F Laptops/portable computers and other mobile devices (where applicable) are configured with
personal firewall technology.
PS-4.1G All Client PI stored on a workstation, laptop/portable computer or mobile device is backed up
to an alternate storage area.
PS-4.1H Workstations, laptops/portable computers and other mobile devices (where applicable)
display a warning banner to all individuals during the logon process that indicates that only
authorized users may access the system or device.
PS-4.1I Voya implements and maintains processes for recovering laptops/portable computers and
mobile devices from terminated Voya Personnel.
PS-5: Backup and Restore
PS-5.1 Voya implements and maintains backup and restore procedures to ensure that all Client PI
received, disclosed, created, or otherwise in the possession of Voya is appropriately protected
against loss.
PS-5.2 Voya ensures that backups are securely stored and storage systems are physically and logically
protected.
PS-5.3 Voya implements a backup and availability schedule to meet business and regulatory
requirements.
PS-6: Remote Network Access Controls
PS-6.1 Voya implements and maintains a remote network access control strategy or process.
PS-6.2 Voya ensures the following remote network access controls are in place:
PS-6.2A Users requiring remote access are appropriately authorized by Voya management.
PS-6.2B Remote access connections are established through the use of Virtual Private Networking
(VPN) or secure VDI mechanisms that provide transmission security, encryption and
connection timeout (e.g., split-tunneling disabled).
PS-6.2C Only Voya-approved and controlled (managed) computing devices are used when remotely
accessing (where applicable) Voya's computing environments where Client PI is held. Any
device deemed "remote" requires data encryption. Encrypted communications are required
for all remote connections.
PS-6.2D Users are thoroughly authenticated using multi-factor authentication prior to being provided
remote access.
PLAN | INVEST | PROTECT VOYA FINANCIAL
CN0427-41890-0519
ITR: IT Resilience Controls
ITR-1: Architecture
ITR-1.1 Voya ensures that the architecture of computing environments where Client PI is accessed,
processed, stored, or transmitted incorporates reasonable industry best practices for
authentication/authorization, monitoring/management, network design, connectivity design,
firewall and intrusion prevention technologies and storage and backup capabilities.
ITR-2: Hardware and Software Infrastructure Resilience
ITR-2.1 Voya ensures all hardware and software components classified with an availability rating of
"critical" used in the accessing, processing, storage, or transmission of Client PI are:
• Identified and cataloged
• Supported by the manufacturer of the component (or if developed in-house, follows Voya's
SDLC Policy which includes quality/security)
• Applications and systems classified as A4 may be designed with high availability features and
have no single point of failure
• Reviewed on a regular basis for capacity implications (at minimum once every 12 months)
ITR-2.2 Voya maintains Business Continuity Plans to address business unit and departmental actions to
be undertaken before, during and after an incident or disaster. Voya's Disaster Recovery Plan
addresses the recovery and availability of systems and data.
ITR-3: Capacity Assurance
ITR-3.1 Voya ensures that computing environments used to access, process, store, or transmit Client PI
are assessed for capacity and performance on a periodic basis (at minimum once every 12
months) and appropriate corrective actions are taken to make the environment sufficiently
robust to perform its stated mission.
CM: Change Management Controls
CM-1: Change Management Process
CM-1.1 Voya implements and maintains a change control process to ensure that all changes to the
environment where Client PI is accessed, processed, stored, or transmitted are strictly
documented, assessed for impact, approved by personnel authorized by Voya to provide
approval for such changes, thoroughly tested, accepted by management, and tracked.
CM-1.2 Voya implements an emergency change control process to manage changes required in an
emergency situation where a computing system is down or there are imminent threats/risks to
critical systems involving Client PI.
CM-2: Separation of Environments
CM-2.1 Voya maintains physically and/or logically separate development, test, and production
computing environments. Development, testing, and acceptance environments are separate
from the production environment.
CM-2.2 Voya ensures that Client data used for development or testing purposes is completely
depersonalized/desensitized of confidential values prior to entering a development or test
environment. Data is depersonalized in non-production controlled environments for testing
purposes with required approvals. PI elements are required to be depersonalized in non-
production environments.
SM: Security Monitoring Controls
SM-1: Security Event Monitoring and Incident Management
SM-1.1 Voya implements and maintains a security event monitoring process and associated
mechanisms to ensure events on computing systems, networks, and applications that can
impact the security level of that asset or the data residing therein are detected in as close to
real-time as possible for those assets used to access, process, store, or transmit Client PII.
SM-1.2 Voya implements and maintains an incident management process to ensure that all events with
a potential security impact are identified, investigated, contained, remediated, and reported to
Client effectively and in a timely manner.
SM-1.3 Voya has implemented monitoring controls that provide real-time notifications of events related
to loss of confidentiality, integrity, or availability of systems.
SM-1.4 Event logs (audit trails) are stored for analysis purposes for a minimum period of 90 days.
SM-2: Technical State Compliance
SM-2.1 Voya ensures computing environments that access, process, store, or transmit Client PII are
continually in compliance with quality and security requirements including, but not limited to,
authentication/authorization, monitoring/management, network design, connectivity design,
firewall and intrusion prevention technologies, and storage and backup capabilities.
SM-2.2 Voya ensures IT Risk Management facilitates risk assessments of information technology
processes and procedures in accordance with the annual IT Risk Assessment Plan approved by
the IT/Privacy Risk Committee. Risk Assessment results are communicated to management for
awareness and resolution or risk acceptance of findings based on management's risk appetite.
SM-3: Security and Penetration Testing
SM-3.1 Voya implements and maintains vulnerability and penetration testing (Ethical Hacking)
processes to ensure the computing environment where Client PII is accessed, processed,
stored, or transmitted is continually protected from internal and external security threats.
SM-3.2 Voya implements and maintains a process for vulnerability scanning on at least a monthly basis
and ensures issues are remediated utilizing a risk-based approach within a reasonable
timeframe.
SM-3.3 Penetration testing (Ethical Hacking) of Internet-facing systems or systems exposed to
untrusted networks is conducted prior to the system being deployed into a production status, after
any significant changes, and then at least once every 12 months thereafter.