Cybersecurity is important to the integrity of the market system and customer data protection. Gainy, Inc.’s cybersecurity policies and procedures are designed to:
1. Identify and control cybersecurity risks;
2. Protect the Company's networks and client information;
3. Curb risks arising from remote customer access and funds transfer requests;
4. Mitigate risks related to vendors and other third parties; and,
5. Detect and report unauthorized activity on our network.
Access to and Security of Electronic Records
Gainy has implemented the following cybersecurity procedures to protect NonpublicPersonal Information and the Company's proprietary information. This policy shall apply to allelectronic devices (i.e. computers, laptops, tablets, smartphones, and other similar devices),whether Company or employee owned, which are used to conduct Company business (hereafter "electronic devices"):
1. Associated Persons are prohibited from using any electronic device for Company business unless issued or approved by the Company;
2. Gainy uses passwords to protect electronic devices and systems utilized on such devices. Associated Persons must never share their passwords or store passwords in a place that is accessible to others;
3. Associated Persons should shut down or lock their computer when they leave the electronic device for any extended period of time;
4. Associated Persons should change passwords periodically. If a password is compromised, the Associated Person must change his or her password immediately and promptly notify the CCO of the breach;
5. The CCO should seek to ensure that the Company's electronic devices require relatively"strong" passwords, such as those that contain combinations of lower case letters, uppercase letters, and numbers or symbols;
6. Associated Persons should refrain from using passwords that would be easily guessed,such as children's names, birthdays, or commonly used strings like "password" or"12345";
7. Any theft or loss of an electronic device must immediately be reported to the CCO;
8. All laptops and portable storage devices containing Nonpublic Personal Information should be encrypted;
9. The CCO is responsible for implementing and maintaining appropriate protections for electronic devices and the systems utilized on such devices, including:
i. Anti-virus software;
iii. Prompt implementation of system patches and updates;
iv. Encryption of all wireless data transmissions;
v. When technically feasible, encryption of files containing Nonpublic PersonalInformation and the Company's proprietary information traveling across publicnetworks, and
vi. Monitoring of the Company's electronic devices and taking appropriate action inresponse to intrusion and unauthorized use;
10. To the extent practicable, Nonpublic Personal Information and the Company's proprietaryinformation will be kept on portions of the network that are only available to AssociatedPersons with a legitimate need to access the information;
11. The CCO is responsible for setting Associated Persons' access permissions on theCompany's computer network, assigning unique identifications and passwords to each person with computer access, to the extent feasible, network users should be restricted to those network resources necessary for each Associated Person's business functions;
12. Secure connections shall be established, such as through a "VPN", when accessing theCompany's network remotely;
13. The CCO will promptly disable system access for any terminated employee;
14. To the extent technically feasible, system access shall be blocked after multiple unsuccessful attempts to gain access or limitations placed on access for particular systems; and
15. Prior to sale or disposal, electronic devices will be permanently erased or destroyed. The CCO, who oversees this process, is aware that information can be retained onconventional media, such as laptops and compact discs, as well as electronic equipmentsuch as fax machines and photocopiers.
Online Account Access
Many cybersecurity experts have identified account takeovers as the top risk facing investment advisers and their clients. If the Company provides clients with online account access to virtual private networks, the Company will create books and records to preserve the following information:
1. The name of any third party managing the service;
2. An explanation of the functions that can be performed online, such as withdrawals or other external transfers of funds and/or securities;
3. How the client is authenticated for online account access and transactions;
4. Any software or alternative methods used to detect unusual transaction requests;
5. How clients' PIN numbers are protected; and
6. Any information provided to customers to reduce cybersecurity risks.Gainy uses either single-factor or two-factor authentication before permitting access to the account. Single-factor authentication is a user name and password. Two-factor authentication requires a client to answer a question or provide additional information before gaining access to the account.
Detection of Unauthorized Access to Company Networks
Gainy restricts access to network resources to the extent necessary to accomplishtheir business functions. The Company may detect unauthorized access to its network through the following means:
1. Utilization of software to detect malicious code on the Company's networks and mobiledevices;
2. Maintaining statistical baseline information about anticipated events on the Company'snetwork;
3. Aggregating and correlating event data from multiple sources;
4. Establishing written incident alert thresholds;
5. Monitoring the Company's network environment to detect potential cybersecurity events;
6. Monitoring the Company's physical environment to detect potential cybersecurity events;
7. Monitoring the activity of third party service providers with access to the Company's networks;
8. Monitoring the presence of unauthorized users, devices, connections, and software on the Company's networks;
9. Evaluating requests initiated remotely to identify potentially fraudulent requests;
10. Utilization of data loss prevention software;
11.Conducting penetration tests and vulnerability scans; and,
12.Testing the reliability of event detection processes.
Relationship to Other Company Programs
This policy incorporates by reference other policies intended to protect the Company and its clients from cyber threats, including, for example, Regulation S-P and Business Continuity Plan.
Identification of Risks/Cybersecurity Governance
Gainy conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences. Gainy documents the date on which the risk assessment took place. Gainy has taken the following steps to identify and control risks:
1. Gainy has prepared a list of all computers and devices connected to its network, as well as an inventory of every application supported on our networks;
2. Connections to the Company's network from external sources are catalogued; and
3. Login and log-out practices are assessed for adequacy, appropriate retention and secure maintenance.
Incident Response Plan
If any Associated Person becomes aware of an actual or suspected privacy breach, including any improper disclosure of Nonpublic Personal Information and the Company's proprietary information, that Associated Person must promptly notify the CCO. Upon becoming aware of an actual or suspected breach, the CCO will investigate the situation and take the following actions, as appropriate:
1. To the extent possible, identify the information that was disclosed and the improper recipients;
2. To the extent possible, categorize the incident based on operational impact and sensitivity of information involved;
3. Take any actions necessary to prevent further improper disclosures;
4. Take any actions necessary to reduce the potential harm from improper disclosures thathave already occurred;
5. Review the data breach notification laws by state for additional information on jurisdictional reporting requirements, Data Breach Notification Laws by State;
6. Consider discussing the issue with counsel, regulatory authorities, and/or lawenforcement officials;
7. Evaluate the need to notify affected clients and make any such notifications;
8. Collect, prepare, and retain documentation associated with the inadvertent disclosure and the Company's response(s), including post-incident review of events and actions taken, if any; and
9. Evaluate the need for changes to the Company's privacy protection policies and procedures in light of the breach.
Associated Person Training Program
The Company provides guidance and periodic training to employees relating to information security risks and their responsibilities. The Company retains books and records to document the agenda of those training sessions and the topics covered. The Company also retains a list of the employees who attended these training sessions.This section provides additional details about the personal information we collect about California residents and the rights afforded to them under the California Consumer Privacy Act (“CCPA”). CCPA provides California residents the right to request more details about the categories and specific elements of personal information we collect, to delete their personal information, to opt-out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights. We do not sell information about you to third parties. In order to help Gainy deliver advertising and marketing on other platforms, we do allow third parties to collect information through our Services. Please see the “Third-Party Tracking and Online Advertising” section above for more details, including choices available to you.
California residents may make a consumer rights request for access to certain personal information subject to the CCPA by sending an email to firstname.lastname@example.org. We may verify the request by asking you to provide information that matches the information we have on file about you. You can also designate an authorized agent to exercise these rights on your behalf, but we will require proof that the person is authorized to act on your behalf and may also still ask you to verify your identity with us directly.