Compliance Template: The Employee Technology Usage Agreement

This is a template that can be used as a Technology Usage Agreement between an SEC or FINRA registered firm and their employees.

We recommend that you have your employee sign this document during onboarding and also attest to it annually.

This document should accompany a firm-level cybersecurity policies and procedures manual.

This policy sets forth a basic set of standards for the use and protection of {FIRM NAME} computer assets.

This policy relates, but is not limited to, computer workstations, servers, laptop computers, electronic mail, databases, networks, and connection(s) to the intranet, internet, and any other information technology services available both now and in the future. Information and Information Technology Systems including the computers, networks, applications (both third party and proprietary), technology facilities and the data housed therein, permit individuals, including all officers and directors, full-time, part-time and temporary employees, interns, consultants, independent contractors and other non-{FIRM NAME} personnel (collectively, “Users”) to perform their duties at {FIRM NAME}.

Users are not allowed to remove any “Confidential Information” as described in the Code of Ethics from {FIRM NAME} networks or property by any means (including, but not limited to, internet, email, CD/DVD, disk, printed page), without the approval of their Chief Compliance Officer.

{FIRM NAME}’s Information and Information Technology Systems are intended solely for {FIRM NAME} business purposes. Personal use is not permissible. You are required to make sure your use:

(i) does not involve a significant amount of resources that could otherwise be used for business purposes;

(ii) does not interfere with a User’s productivity;

(iii) does not preempt any business activity;

(iv) is not contrary to any other {FIRM NAME} policy;

(v) does not intentionally make {FIRM NAME} susceptible to excessive spam or unsolicited requests; and

(vi) does not disparage or diminish the reputation of {FIRM NAME} or its employees, officers, directors, shareholders and clients.

It is the responsibility of each User to ensure that {FIRM NAME} Information and Information Technology Systems are used properly.

Users should not expect electronic communications made or received using {FIRM NAME}’s Information Technology Systems to be private.

{FIRM NAME} expressly reserves the right to access and examine, without notice, {FIRM NAME} computer systems and networks and all information stored or transmitted through these systems and networks including, but not limited to, all electronic mail.

As such, Users should have no expectation of privacy in the use of {FIRM NAME}’s Information Technology Systems.

{FIRM NAME} may monitor all activity on {FIRM NAME} technology systems, including but not limited to personal uses such as online banking, online health information, shopping, or personal email. This monitoring may include keystroke logging, screen captures, and Internet activity monitoring, which may reveal personal information such as bank account information, passwords, medical information, or other personal information. Any information obtained by {FIRM NAME} during such monitoring may be used for any appropriate purpose as determined by {FIRM NAME} in its sole and exclusive discretion.

All electronic communications (e.g., email, IM, etc.) made using {FIRM NAME}’s networks, computers, systems or other property will be deemed the exclusive property of {FIRM NAME}. All electronic communications are to be written in English. If there is a legitimate business need to send a non-English email or communication, a translation must be provided to Compliance at the time the email is sent. The Compliance Department conducts regular reviews of email, instant message communications, and network security.

The purpose of these reviews is to ensure that {FIRM NAME} is complying with its regulatory obligations as well as its own internal policies, including the requirement that all electronic communications be consistent with the professional environment that we strive to maintain. All Users are reminded that such reviews will take place and to carefully consider the appropriateness of any statements made by them in any email communication. Users are further reminded that any personal emails sent via {FIRM NAME}’s electronic communication facilities will be retained and are subject to review by {FIRM NAME} compliance personnel as well as our regulators.

The use of web-based email sites (e.g., Gmail, Hotmail, university email, etc.), file upload sites such as Yahoo or Xdrive, personal/home websites, and other web-based publishing sites including blogs is prohibited.

Notwithstanding the above, all electronic business communications must go through the {FIRM NAME} email servers, with the exception of Bloomberg instant messages. In the event of a {FIRM NAME} declared emergency, personal, web-based email sites (e.g., Gmail, Hotmail, etc.) may be used; however, in all cases Compliance must be carbon copied on every email.

All information received, stored or transmitted on behalf of {FIRM NAME} is to be treated as Confidential Information. As such, no internal email may be forwarded outside of {FIRM NAME} unless:

(i) there is a special business reason to do so; or

(ii) the forwarded email is about specific {FIRM NAME} benefits or events available only to your family (or similar close relationship), e.g., emails regarding the company Christmas party.

All electronic communications form a part of {FIRM NAME}’s company records. As such, electronic communications may be subject to disclosure to law enforcement or government officials or to other third parties through subpoena appropriate and lawful or otherwise. Users must ensure that business information contained in electronic communications is accurate. Moreover, the Investment Advisers Act of 1940 (the “Act”) requires that {FIRM NAME} maintain the originals of all written communications (including email) received and copies of all written communications sent to any party, including persons that are not clients of {FIRM NAME}, relating to the business of providing investment services. It is our policy to retain all internal and external email and internal instant messages, as well as all Bloomberg messages.

Users must conduct themselves in a courteous and professional manner when using {FIRM NAME}’s Information Technology Systems, including when using all email and other electronic communications. Users should write all email and other electronic communications with the same degree of responsibility that they would employ when writing letters or internal memoranda on {FIRM NAME}’s letterhead.

General Rules Governing IT Usage

The following are some basic rules governing the use of Information and Information Technology Systems at {FIRM NAME}.


{FIRM NAME} provides each User with job appropriate hardware and software. The hardware and software are owned and maintained by {FIRM NAME}, which has the right at any time, without notice, to examine and/or confiscate any hardware, software or data maintained on such hardware and/or {FIRM NAME}’s Information Technology Systems. If there is a technology device that has not been provided to you that you believe will help you to be more productive in performing your duties, please have it approved by the firm’s Chief Compliance Officer.

No unapproved information technology devices should be used in conjunction with {FIRM NAME}’s Information Technology Systems. This includes, but is not limited to, other computers, laptops, ZIP drives, thumb drives, USB drives, memory sticks, CDR/CDRW drives or any other mass storage devices. Exceptions will only be granted on a case-by-case basis, in writing, by the Chief Compliance Officer.

Any software installed or data files stored on a {FIRM NAME} computer must be approved in advance. This includes software and data files downloaded from the internet. Using, downloading, installing and/or storing illegal or pirated software or files is not permitted in any form. In general, the software will be approved if it is properly licensed, intended for a legitimate business purpose, and does not expose {FIRM NAME} to security risks. Non-business related software should not be installed on {FIRM NAME} computers. If you are unsure of what is considered prohibited, please contact the Chief Compliance Officer.



Each User must have a User-ID and password prior to being able to use any {FIRM NAME} computer or Information Technology System. A User-ID and a password, both of which are unique to an individual, will be supplied to each User upon onboarding. Strong passwords are required at all times.

Passwords must be at least 13 characters long and contain at least 1 of each:

  • Upper Case Letter,
  • Lower Case Letter,
  • Symbol,
  • and a Number.

Each User is responsible for all activity that occurs on his or her User-ID unless such ID is stolen and it is demonstrated that the User was not negligent in having allowed such theft to occur. User-IDs are revoked when a User is no longer authorized to access {FIRM NAME}’s Information Technology Systems. User-IDs are also subject to suspension if not used regularly or if an incorrect password is entered repeatedly.

It is the responsibility of each User to protect the confidentiality of his or her password. Passwords must not be shared with others or recorded in any places where they might be found. All Users must log ALL passwords in LastPass. Users are responsible to protect it and report promptly if it is lost or stolen. Users who are provided with other authentication hardware such as a SecurID token, Yubikey or smartcard must take care to protect it and report it lost or stolen immediately. Users must not allow others to use their access without supervision.


{FIRM NAME} provides VPN access to the Information Technology Systems to facilitate work while away from the {FIRM NAME} premises. Users must not share their remote access or allow others to use it.

If accessing the firm network from residential locations, Users must allow {FIRM NAME} the ability to scan externally for cybersecurity weaknesses. If a User is determined to be a high-risk employee, it may be necessary to perform internal vulnerability scans in addition to the external scans.

Otherwise, it is the User’s responsibility to monitor internal network security within the residence and to report any known breaches to the CCO.


The firm is required to conduct periodic backups of all information that resides on its central computer systems, servers, and networks in order to protect {FIRM NAME}’s information resources from loss or damage. Maintenance of information stored on a User’s personal computer or laptop hard drive (e.g., C: drive) is the responsibility of the User and is not included in normal backup procedures and recovery capabilities. In case of equipment failure or upgrade, any information on the local system may be lost.


Virus-screening software has been and will continue to be installed on {FIRM NAME} desktop and laptop computers and must not be disabled for any reason. No User may take any steps to disable any firewalls, filters or similar protections which have been installed by {FIRM NAME}. Users may not load onto the Information Technology Systems or transmit any disabling software, such as Trojan horses, viruses, worms, time bombs or any other form of disabling code.



{FIRM NAME} computers must utilize a screen-saver with password protection, configured to activate after no more than 5 minutes of inactivity unless an exception is approved by the Chief Compliance Officer. Each User must lock his or her computer (Windows Key + L) before leaving at the end of the workday. Users should never leave their computers logged in and unattended.

Users entrusted with {FIRM NAME} computer assets, including desktops, laptops, Blackberries, and software, must exercise due diligence at all times to prevent theft, destruction or other misuses of the assets. Portable laptops, notebooks, palmtops and other transportable computers containing sensitive {FIRM NAME} information must be treated with the same care provided to {FIRM NAME} documents. If a {FIRM NAME} computer or Information Technology device is lost or stolen, the Chief Compliance Officer must be notified immediately.


No User should include any code that is subject to any open source license without the approval of the Chief Compliance Officer.

By signing below, you acknowledge the receipt of this policy and attest that you will follow all rules set within.

———————————————— Employee Signature:

Date :

———————————————– Chief Compliance Officer

Date :
