#24651 Cybersecurity Section of Procedure Manual

Resolved Created Oct 10, 2023, 12:03 AM Resolved Aug 8, 2025, 5:59 PM
System (internal) Oct 10, 2023, 12:03 AM
Created from Lead: https://artichoke.shield.syncromsp.com/leads/21488392/convert
Check-in (internal) Oct 10, 2023, 12:03 AM
[Peet—I’m doing our annual review of our Policies & Procedures Manual here at the office and was wondering if you could please read through our historical language re: cybersecurity (pasted below). Especially with an eye toward changes needed after our recent departure from Bubba to Microsoft 365—also zero trust set-up. As well as our now more formalized service with your firm. I’ve highlighted a few parts below that might need changes? Would like your opinion, please.]

Jill

Cybersecurity

Policy

As a matter of policy and practice, the Firm guards its clients’ information from cybersecurity threats.

Background

Information security has become a critical issue in the financial services industry and protecting data from a myriad of threats is a necessity. Threats can be categorized as either internal or external. Internal threats include the theft or malicious destruction of data by a disgruntled employee as well as accidental data loss due to human error or equipment malfunction. Examples of external threats are hackers, natural disasters or compromised vendor access. Although the threats are varied, the protections involve controlling access to information, protecting the information from use (encryption) and having redundant systems.

Responsibility

The CCO or his designee has the responsibility for the implementation and monitoring of our policies and procedures related to cybersecurity.

Procedures

The Firm has adopted various procedures to implement the policy, conducts reviews to monitor and ensure the cybersecurity policy is observed, properly implemented and amended or updated, as appropriate, which include the following:

- Password protection - All computers (especially laptops) must have robust passwords to access the system. Robust passwords are at least 10 characters and contain alphanumeric characters with no personally identifiable information. Employees are not allowed to share passwords or IDs.

- Individual Employee Login – Employees are not allowed to share login usernames and passwords, with the exception that some software used by all employees only permits one username and password, in which case that username and password would be shared.

- Encryption – Clients’ personal nonpublic information stored on mobile devices must be encrypted and data stored on a file server must be protected with a firewall.

- Software Updates – All firm devices must have updated software. The firm will update software on at least a quarterly basis, but software is typically set to automatically update.

- Antivirus, Firewall and Spyware Protection – All computers must have up-to-date antivirus and spyware protection. The firm will update software on at least a quarterly basis, but software is typically set to automatically update.

- Open WiFi Networks – The Firm does not allow employees to access non-public client information on non-password protected open WiFi networks.

- Remote Access of Server – Remote access to the Firm’s server must be made only on a password-protected WiFi network and using the Kerio Control VPN Client.

- Backups – Any data stored on local hard drives or file servers must be backed up to a remote location. The firm backs up all local hard drives on at least a monthly basis.

- Smartphones – All smartphones that contain client information must be encrypted, password protected and have tracking software.

- Locked Door and Clean Desk – All office doors must be locked and secured on a nightly basis. Only authorized personnel will have a key to the office. All file cabinets are locked on a nightly basis. Additionally, all desks must be cleaned of any client information on a nightly basis.

- Vendor Access – Employees must obtain written permission from the firm prior to engaging any vendor that will have access to the firm’s books and records. This will typically include performance reporting, financial analysis and forms utilities vendors. The vendor contract must have a confidentiality clause and all data must be maintained in compliance with SEC rules. If the contract does not have a confidentiality clause, a separate confidentiality agreement is required.
customer-reply (internal) Oct 17, 2023, 9:04 PM
Hey Peet—along with the issue below, I also need you to look over an application for cyber insurance with me too. Any chance we could do a zoom or teams meeting for 30 minutes sometime soon? Tomorrow, maybe? Thank you!

Jill

From: Artichoke Consulting <[email protected]>
Sent: Monday, October 9, 2023 6:03 PM
To: Jill Tripp <[email protected]>
Subject: Thanks, we got your information! (message id: 73686561)
Artichoke Support - Peet (internal) Oct 18, 2023, 7:43 PM
Sending this first ... sorry for the delay here.

• Password protection -- Passwords are now enforced at the M365/AzureAD level. For some unknown reason Microsoft has not created a way to manage password requirements directly within Azure. You must have a local Active Directory controller to do so. That said, the technical requirements for passwords on AzureAD are:

Passwords must be at least eight characters long and be made up of three out of these four items: lowercase letters, uppercase letters, numbers and symbols

You can, however, have a password policy that is employee-based and you all are using better than the above for passwords.

• Software Updates -- Software Updates are handled automatically for the OS and standard apps (Office, browsers, etc). Your LOB apps like MorningStar are automatically updated as well, correct? If not, we can get something in place if you’d like.

• Antivirus, Firewall and Spyware Protection — In place and kept up to date automatically.

• Remote Access of Server — This is not an issue with SharePoint. Here, however, we can limit access to the SharePoint service more aggressively. Let’s chat about it when we are on a call.

• Backups –– Backups of your M365 environment are stored locally on your Synology NAS as well as with Backupify. Your workstations are backed up with Crashplan. All are automatic. And there are two full backups of your most critical data (m365).
Artichoke Support - Peet (internal) Oct 18, 2023, 7:45 PM
You can always schedule me with https://artichoke.consulting/schedule/peet. That said, I'm catching up from taking a bit of a break last week to visit family. If you have time today still, I'm happy to jump on a call to answer any other questions.

Cheers.
Peet
[email protected] (internal) Aug 8, 2025, 5:59 PM
Edits made via Bulk Update Tool - see change log for this timestamp