High Risk Security Countries
Pacific Life Insurance Company does not permit third parties to provide services from High Risk Security Countries without special consideration or prior approval.
These Third-Party Minimum Control Requirements (“Minimum Control Requirements”) are stated at a relatively high level, and Pacific Life Insurance Company and its affiliates and subsidiaries (collectively “PL”) recognize there may be multiple approaches to accomplish a particular Minimum Control Requirement. All Minimum Control Requirements apply to any business or organization that will collect, transmit, share, store, control, process, manage or access PL data even if a business or organization is not specifically mentioned in the particular control requirement (“Third-Party”). Third-Party Subcontractors include any agents, representatives, or contractors a business or organization may engage to collect, transmit, share, store, control, process, manage or access PL Data (“Subcontractor”). Third-Party must document in reasonable detail how a particular control meets the stated Minimum Control Requirement. Third-Party must make sure that the obligations required in the Minimum Control Requirements are tested, documented, reviewed, and approved, with management oversight, on a periodic basis, following industry best practices.
PL may revise the Minimum Control Requirements from time to time, and such revisions will become effective upon receipt by Third-Party via mail, email or publication to any Third-Party management portal used by PL and Third-Party. Third-Party will comply with the revised PL Minimum Control Requirements as soon as commercially reasonable or otherwise agreed in writing by PL. The term “should” in these Minimum Control Requirements means that Third-Party will use commercially reasonable efforts to accomplish the stated Minimum Control Requirement, and will document those efforts in reasonable detail, including the rationale, if any, for deviation. This documentation may be reviewed by Auditors to assess the control and the merit of the rationale for deviation. Not all the stated Minimum Control Requirements will apply to all services or other deliverables, but Third-Party must be able to reasonably show when a Minimum Control Requirement does not apply. Third-Party will immediately notify PL in writing if it is unable to comply with the Minimum Control Requirements.
These Minimum Control Requirements do not limit Third-Party’s obligations under the Agreement or applicable Law, and do not limit the scope of an audit by PL. PL may conduct audits on its own or by using an external auditor and will provide notice to the Third-Party of the entity conducting any such audit at the time of such audit. Third-Party will cooperate with any auditor as reasonably requested by PL or any such external auditor, including entering into agreements any of them may request from time to time, fully and promptly answering questionnaires that PL or any of them may submit (including submitting information using electronic or other portals or facilities), meeting with any of them to facilitate the audit, and not requesting any of them to execute a separate non-disclosure agreement.
As used in these Minimum Control Requirements, (i) any capitalized terms not defined herein shall have the same meaning as set forth in the master agreement relating to the services and other deliverables to which these Minimum Control Requirements relate (the “Agreement”); and, (ii) “Confidential Information” is understood to include “Confidential Information”, “Personal Information”, “PL Data” or other terms used for PL information protected under the Agreement.
The effectiveness of controls must be regularly validated through a documented risk assessment program and appropriately managed remediation efforts.
A documented set of rules and procedures must regulate the receipt, transmission, processing, storage, control, distribution, retrieval, access, presentation, and protection of information and associated services. A risk-based exception management process must be in place for prioritization, approval, and remediation or risk acceptance of controls that have not been adopted or implemented. Security policies and responsibilities must be communicated and socialized within the organization to Third-Party Personnel (e.g., both employees and contractors). Third-Party Personnel must be trained to identify and report suspected weaknesses and incidents.
A Third-Party’s Personnel security policy and agreements must establish organizational requirements to ensure proper training and competent performance, and an appropriate and accountable security organization must be in place. Training and job competence of Third-Party’s Personnel providing services to PL must be monitored using a formal performance and appraisal process. Current organizational charts representing key management responsibilities for services provided, including services provided by Subcontractors, regardless of tier, must be maintained. Background checks (including criminal) must be performed on applicable Third-Party’s Personnel. Third-Party Personnel must be subject to written non-disclosure or confidentiality obligations before being assigned to PL services and granted access to PL systems and information.
Technology Asset Management
Controls must be in place to protect assets, including mechanisms to maintain an accurate inventory of assets and handling standards for introduction and transfer, removal and disposal of all assets. Personally-owned devices may not be used by Third-Party Personnel for business purposes unless they have been expressly approved by PL. If permitted, they must also be treated the same as other assets. A process for maintaining an inventory of hardware and software assets and other information resources, such as databases and file structures, must be documented. Procedures for disposal or reuse of equipment used for logical and physical storage must accomplish sufficient destruction of PL data. Security controls must be documented if personal devices are used to perform business transactions or to access systems where PL data or transactions are stored or processed. Procedures must be in place to remove PL data and access rights to systems on which PL data are stored, processed, or transmitted.
Physical and Environmental
Controls must be in place to protect against physical penetration by malicious or unauthorized people, damage from environmental factors, including, but not limited to fire detection and suppression, climate control and monitoring, power and back-up power solutions, water damage detection, and electronic penetration through active or passive electronic emissions. Third-Party may only store PL data at facilities or locations that are pre-approved by PL before use. Approval from PL must be obtained before assets with PL data are removed from the facility.
Communication and Connectivity
Third-Party must implement controls over its communication network to safeguard data. Controls must include securing the network, implementing encryption, logging and monitoring, and disabling communications where no business need exists. A network diagram, to include all devices, must be kept current to facilitate analysis and incident response. All PL data, including PL data shared with Subcontractors, must be stored and maintained in a manner that allows for its return or secure destruction upon request from PL. Firewalls must be used for the isolation of all environments, to include physical, virtual, network devices, production and non-production, and application/presentation layers. Firewall management must follow a process that includes restriction of administrative access. Network devices must have internal clocks synchronized to reliable time sources. The data flow in the remote connection must be encrypted and multi-factor authentication must be utilized during the login process. Subcontractors’ remote access must adhere to the same controls, and any Subcontractor remote access must have a valid business justification. When used to provide services for PL, wireless access to the Third-Party’s corporate network must be configured to require authentication and be encrypted. Data Loss Prevention (DLP) solutions should be deployed to protect PL data, including all points of egress, except to the extent prohibited by legal or regulatory restrictions.
Changes to the system, network, applications, data file structures, other system components and physical/environmental changes must be monitored and controlled through a formal change control environment, and Third-Party must have a documented policy covering application, operating system, network infrastructure and firewall changes. Changes materially affecting PL services must be communicated to PL prior to implementation.
Logical Access Control
Authentication and authorization controls must be appropriately robust for the risk of the data, application and platform; access rights must be granted based on the principle of least privilege and monitored to log access and security events. Documented logical access policies and procedures must support role-based, “need-to-know” access (e.g., interdepartmental transfers, terminations) and ensure separation of duties during the approval and provisioning process. Management of privileged user accounts, including service accounts, must follow a documented process and be restricted. A documented authentication and authorization policy must cover all applicable systems. That policy must include password requirements, including, but not limited to provisioning, complexity requirements, and password resets.
Controls must ensure that any data stored, received, controlled or otherwise accessed is accurate and reliable. Controls must be in place to protect the integrity of data transactions at rest and in transit.
Data must be protected and should be encrypted, both in transit and at rest, including when shared with Subcontractors. Data protection policy must cover data classifications, encryption use, key and certificate lifecycle management, cryptographic algorithms and associated key lengths. PL data must be protected, and should be encrypted, while in transit and at rest across all systems and assets. Authentication credentials must always be encrypted in transit and at rest.
Third-Party must have in place a documented plan and associated procedures, including the responsibilities of Third-Party’s Personnel and identification of parties to be notified in case of an information security incident. The incident management policy and procedures must include prioritization, roles and responsibilities, procedures for escalation (internal) and notification (to PL), tracking and reporting, containment and remediation, and preservation of data to maintain forensic integrity. Third-Party shall promptly notify PL (in no event later than 72 hours) following discovery of any security incident(s). Such notification shall include the extent and nature of such intrusion, disclosure, or unauthorized access, the identity of the compromised PL Confidential Information (to the extent it can be ascertained), how Third-Party was affected by the security incident, and its response to such security incident. Third-Party shall use continuous and diligent efforts to remedy the cause and the effects of such security incident in an expeditious manner and deliver to PL a root cause analysis and future incident mitigation plan about any such incident. Third-Party shall reasonably cooperate with PL's investigation and response to each security incident. Third-Party shall bear all reasonable and direct costs associated with the notification, to the extent the notification and corresponding actions are required by U.S. law. Without limiting the foregoing, unless otherwise required by U.S. law, no such notifications shall be made by Third-Party without PL's prior written consent and PL shall, together with Third-Party, determine the content and delivery of all such notifications.
To report a suspected or actual security incident relating to Pacific Life information email: CorpCompliancePrivacy@PacificLife.com.
Business Continuity and Disaster Recovery
Third-Party must have formal documented recovery plans to identify the resources and specify actions required to help minimize losses in the event of a disruption to the business unit, support group unit, application, or infrastructure component. Third-Party must have comprehensive business resiliency plans addressing business interruptions of key resources supporting all PL services, including those provided by Subcontractors. Third-Party must have technology recovery plans to minimize service interruptions and ensure recovery of systems, infrastructure, databases, applications, etc.
Email and Instant Messaging (IM)
Policies and procedures must be established and adhered to that ensure proper control of an electronic mail and/or instant messaging system that displays and/or contains PL Data. Access to non-corporate/personal email and instant messaging solutions must be restricted. Controls must be in place to prevent Confidential Information from being sent externally through email or instant messaging without encryption. Preventive controls must block malicious messages and attachments. Controls must be in place to prevent auto-forwarding of emails.
Back-Up and Offsite Storage
Third-Party must have policies and procedures for back-up of PL data. Back-up media must be protected in storage, offsite storage, and sanitized prior to disposal or reuse. Third-Party must have processes enabling full restoration of all systems, applications, and data. Back-up media must be rendered unreadable when no longer required. Back-up storage devices must be encrypted. Secure transportation procedures of media to and from offsite locations must be defined.
Media and Vital Records
Policies for handling and storing electronic media containing PL data and paper records must be in place, including secure disposal of media and secure transport and transmission to and from Third-Party and Subcontractors. Electronic media and paper records must be stored in secure bins. Retention procedures for all paper and electronic records must be in accordance with PL record retention requirements. Document destruction or shredding must be performed in a secure manner. Controls must be in place to safeguard electronic media and paper records during transportation.
All Subcontractors must be identified, assessed, managed and monitored. Subcontractors that provide material services, or that support Third-Party’s provision of material services to PL, must comply with all control requirements applicable to any such services. Third-Party must establish contracts with Subcontractors providing material services. Third-Party must have a process to identify all Subcontractors providing services to Third-Party. Risk assessments of each Subcontractor’s control environment must be performed.
Information systems must be deployed with appropriate security configurations and reviewed periodically for compliance with Third-Party’s security policies and procedures. Configurations must include security patches, vulnerability management, default passwords, registry settings, file directory rights and permissions. Systems must be configured to provide only essential capabilities. Policy must prohibit storing of confidential information on desktops. The ability to write to electronic media must be limited to documented exceptions.
Third-Party must have an established software development lifecycle for defining, acquiring, developing, enhancing, modifying, testing or implementing information systems. Third-Party must ensure that all web-based and mobile applications used to store, receive, send, control or access PL data are monitored, controlled and protected. Applications must implement controls that protect against known vulnerabilities and threats. Third-Party must have a Software Development Life Cycle (SDLC) methodology, including release management procedures. SDLC methodology must include requirements for documentation and be managed by appropriate access controls. Software executables related to client/server architecture that are involved in handling PL data must undergo vulnerability assessments and penetration tests. Where PL production data is used in a test environment, the level of control must be consistent with production controls. Production data must be sanitized (e.g., masking of all Personal Information) before use in non-production environments.
Third-Party must continuously gather information and analyze vulnerabilities considering existing and emerging threats and actual attacks. Processes must include vulnerability scans, anti-malware, Intrusion Detection Systems, Intrusion Prevention Systems, logging and security information and event management analysis and correlation.
In addition to the other requirements listed elsewhere, adequate safeguards must ensure the confidentiality, integrity, and availability of PL data stored, processed or transmitted using cloud technology.
Privacy and Regulatory Compliance
Processes must be in place to ensure the protection of PL data and compliance with legal and regulatory requirements applicable to the Services and other Deliverables. Third-Party shall notify PL if the Third-Party receives a notification: (i) that Third-Party has allegedly failed to comply with applicable data security or privacy laws, (ii) that Third-Party is the subject of a regulatory inquiry relating to data security and privacy practices or requirements, and/or (iii) of any actual or threatened legal claims against Third-Party relating to data security and privacy practices or activities.
Third-Party must have policies and procedures addressing standard business operations, including, but not limited to, the handling of non-public information, and change control. Third-Party must have a fraud detection, prevention and mitigation program, processes and procedures for monitoring and reporting actual and suspected instances of fraud, and specific notification and communication, internally and to PL.
Third Parties who receive, send, transmit, store, create, generate, collect, control, process or have access to PL data, must do so in a manner solely to provide services to PL. Policies and processes covering data use and restrictions, including for PL data shared with Subcontractors, must include that they shall only use the Confidential Information as necessary to provide services to PL.