Singh Private Wealth Management LLC’s (“Singh PWM” or “firm”) policy is to respond to the increase in cybersecurity breaches. We have developed this policy first and foremost to ensure the security of our clients’ information that is maintained electronically.

Acceptable Use Policy

The Chief Compliance Officer’s (“CCO”) intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Singh PWM’s established culture of openness, trust, and integrity. The CCO is committed to protecting Singh PWM's employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Singh PWM. These systems are to be used for business purposes in serving the company's interests and our clients and customers in the course of normal operations. Please review Human Resources policies for further details.

Effective security is a team effort involving the participation and support of every firm employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines and to conduct their activities accordingly.

The purpose of this policy is to outline the acceptable use of computer equipment at Singh PWM. These rules are in place to protect the employee and Singh PWM. Inappropriate use exposes the firm to risks, including virus attacks, compromise of network systems and services, and legal issues.

This policy applies to the use of information, electronic and computing devices, and network resources to conduct firm business or interact with internal networks and business systems, whether owned or leased by the firm, the employees, or a third party. All employees, contractors, consultants, temporary, and other workers at Singh PWM and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with firm policies and standards, and local laws and regulation.

This policy applies to employees, contractors, consultants, temporaries, and other workers at Singh PWM, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by the firm.

General Use and Ownership

Singh PWM’s proprietary information stored on electronic and computing devices, whether owned or leased by the firm, the employee or a third party, remains the firm's sole property.

You have a responsibility to promptly report the theft, loss, or unauthorized disclosure of the firm’s proprietary information.

You may access, use, or share the firm’s proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.

Employees are responsible for exercising good judgment regarding the reasonableness of personal use.

For security and network maintenance purposes, authorized individuals within the firm may monitor equipment, systems, and network traffic at any time.

Singh PWM reserves the right to audit networks and systems periodically to ensure compliance with this policy.

Security and Propriety Information

System-level and user-level passwords must comply with the Password Construction Guidelines and Password Protection Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.

All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.

Postings by employees from a firm email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Singh PWM unless posting is in the course of business duties.

Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.

Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may need to disable the network access of a host if that host is disrupting production services).

Under no circumstances is an employee authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Singh PWM-owned resources.

The lists below are by no means exhaustive but attempt to provide a framework for activities that fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Singh PWM.
Unauthorized copying of copyrighted material includes digitization and distribution of photographs from magazines, books, or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the firm or the end-user does not have an active license is strictly prohibited.
Accessing data, a server, or an account for any purpose other than conducting firm-related business, even if you have authorized access, is prohibited.
Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws is illegal. The appropriate management should be consulted prior to the export of any material that is in question.
Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
Revealing your account password to others or allowing the use of your account by others. This includes family and other household members when work is being done at home.
Using a Singh PWM computing asset to actively engage in procuring or transmitting material in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
Making fraudulent offers of products, items, or services originating from any Singh PWM account.
Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
Port scanning or security scanning is expressly prohibited unless prior notification to the CCO or delegate is made.
Executing any form of network monitoring, which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
Circumventing user authentication or security of any host, network, or account.
Introducing honeypots, honeynets, or similar technology on the Singh PWM network.
Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
Providing information about, or lists of, employees to parties outside of the firm.

Email and Communication Activities

When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state affiliation with the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company."

The following activities are strictly prohibited:

Sending unsolicited email messages, including sending "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
Any form of harassment via email, telephone, or paging, whether through language, frequency, or size of messages.
Unauthorized use, or forging, of email header information.
Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
Creating or forwarding "chain letters," "Ponzi," or other "pyramid" schemes of any type.
Use of unsolicited email originating from within the firm's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by the firm or connected via the firm's network.
Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

Social Media

1. Social media use by employees, whether using the firm’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this policy. Limited and occasional use of Singh PWM’s systems to engage in social media use is acceptable, provided that it is done professionally and responsibly, does not otherwise violate this policy, is not detrimental to the firm’s best interests, and does not interfere with an employee's regular work duties. Social media use from Singh PWM’s systems is also subject to monitoring.

2. The Confidential Information Policy described herein also applies to social media use. As such, employees are prohibited from revealing any of the firm’s confidential or proprietary information, trade secrets, or any other material covered by the Confidential Information policy when engaged in social media use.

3. Apart from following all laws pertaining to the handling and disclosure of copyrighted or export-controlled materials, Singh PWM’s trademarks, logos, and any other intellectual property may also not be used in connection with any social media activity

Responsibility

The CCO or delegate will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

Any exception to the policy must be approved by the CCO or delegate in advance.

Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Clean Desk Policy

A clean desk policy can be an important tool to ensure that all sensitive/confidential materials are removed from an end-user workspace and locked away when the items are not in use or an employee leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employee’s awareness about protecting sensitive information.

The purpose of this policy is to establish the minimum requirements for maintaining a “clean desk” – where sensitive/critical information about our employees, our intellectual property, our customers, and our vendors is secure in locked areas and out of sight. A Clean Desk policy is not only ISO 27001/17799 compliant, but it is also part of standard basic privacy controls.

This policy applies to all Singh PWM employees and affiliates.

1. Employees are required to ensure that all sensitive/confidential information in hardcopy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.

2. Computer workstations must be locked when the workspace is unoccupied.

3. Computer workstations must be shut completely down at the end of the workday.

4. Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the workday.

5. File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.

6. Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.

7. Laptops must be either locked with a locking cable or locked away in a drawer.

8. Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.

9. Printouts containing Restricted or Sensitive information should be immediately removed from the printer.

10. Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the lock confidential disposal bins.

11. Whiteboards containing Restricted and/or Sensitive information should be erased.

12. Lock away portable computing devices such as laptops and tablets.

13. Treat mass storage devices such as CDROM, DVD, or USB drives as sensitive and secure them in a locked drawer

Responsibilities

The CCO or delegate will verify compliance with this policy through various methods, including but not limited to periodic walk-thrus, internal and external audits, and feedback to the policy owner.

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Wireless Communication Policy

The purpose of this policy is to secure and protect the information assets owned by Singh PWM. Singh PWM provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. Singh PWM grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets. This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to the network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by the CCO are approved for connectivity to a network.

All employees, contractors, consultants, and temporary workers, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of Singh PWM, must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to a network or reside on a site that provides wireless connectivity to endpoint devices, including but not limited to laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data.

General Requirements

All wireless infrastructure devices that reside at a site and connect to a network or provide access to information classified as Confidential or above must:

1. Abide by the standards specified in the Wireless Communication Standard.

2. Use approved authentication protocols and infrastructure.

3. Use approved encryption protocols.

4. Maintain a hardware address (MAC address) that can be registered and tracked.

5. Not interfere with wireless access deployments maintained by other support organizations.

Wireless Communication Standard

All wireless infrastructure devices that connect to a network or provide access to Confidential Information must:

1. Use Extensible Authentication Protocol-Fast Authentication via Secure Tunneling (EAP-FAST), Protected Extensible Authentication Protocol (PEAP), or Extensible Authentication Protocol-Translation Layer Security (EAP-TLS) as the authentication protocol.

2. Use Temporal Key Integrity Protocol (TKIP) or Advanced Encryption System (AES) protocols with a minimum key length of 128 bits.

3. All Bluetooth devices must use Secure Simple Pairing with encryption enabled.

Home Wireless Device Requirements

All home wireless infrastructure devices that provide direct access to the corporate network must:

1. Enable Wi-Fi Protected Access Pre-shared Key (WPA-PSK), EAP-FAST, PEAP, or EAP-TLS

2. When enabling WPA-PSK, configure a complex shared secret key (at least 20 characters) on the wireless client and the wireless access point

3. Disable broadcast of SSID

4. Change the default SSID name

5. Change the default login and password

Wireless infrastructure devices that fail to conform to the Home Wireless Device Requirements must be installed in a manner that prohibits direct access to the corporate network. Access to the corporate network through this device must use standard remote access authentication.

Responsibilities

The CCO or delegate will verify compliance with this policy through various methods, including but not limited to periodic walk-thrus, business tool reports, internal and external audits, and feedback to the policy owner.

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Remote Access Policy

Remote access to our corporate network is essential to maintain productivity, but in many cases, this remote access originates from networks that may already be compromised or are at a significantly lower security posture than our corporate network. While these remote networks are beyond the control of the firm’s cybersecurity policy, we must mitigate these external risks to the best of our ability.

The purpose of this policy is to define rules and requirements for connecting to Singh PWM's network from any host. These rules and requirements are designed to minimize the potential exposure to damages resulting from unauthorized use of resources. Damages include the loss of sensitive or confidential information, intellectual property, damage to public image, damage to critical internal systems, and fines or other financial liabilities incurred as a result of those losses.

This policy applies to all employees, contractors, vendors, and representatives with a firm-owned or personally owned computer or workstation used to connect to the network. This policy applies to remote access connections used to do work on behalf of Singh PWM, including reading or sending email and viewing intranet web resources. This policy covers any, and all technical implementations of remote access used to connect to networks.

It is the responsibility of employees, contractors, vendors, and representatives with remote access privileges to our corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the firm. General access to the Internet for recreational use through the network is strictly limited to employees, contractors, vendors, representatives, and clients (hereafter referred to as “Authorized Users”). When accessing the network from a personal computer, Authorized Users are responsible for preventing access to any computer resources or data by non-Authorized Users. Performance of illegal activities through the network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Acceptable Use Policy.

Requirements

1. Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong passphrases. For further information, see the Acceptable Encryption Policy and the Password Policy.

2. Authorized Users shall protect their login and password, even from family members.

3. While using a firm-owned computer to remotely connect to Singh PWM's corporate network, Authorized Users shall ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an Authorized User or Third Party.

4. Use of external resources to conduct business must be approved in advance by CCO and the appropriate business unit manager.

5. All hosts connected to internal networks via remote access technologies must use the most up-to-date anti-virus software as indicated by the CCO; this includes personal computers.

6. Personal equipment used to connect to Singh PWM's networks must meet the requirements of firm-owned equipment for remote access as stated in the Hardware and Software Configuration Standards for Remote Access to Networks.

Responsibilities

The CCO or delegate will verify compliance to this policy through various methods, including but not limited to periodic walk-thrus, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager.

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Digital Signature Policy

The purpose of this policy is to provide guidance on when digital signatures are considered accepted means of validating the identity of a signer in Singh PWM electronic documents and correspondence, and thus a substitute for traditional “wet” signatures, within the organization. Because communication has become primarily electronic, the goal is to reduce confusion about when a digital signature is trusted.

This policy applies to all employees and affiliates.

This policy applies to all employees, contractors, and other agents conducting firm-related business with a firm-provided digital key pair. This policy applies only to intra-organization digitally signed documents and correspondence and not to electronic materials sent to or received from non-Singh PWM affiliated persons or organizations.

A digital signature is an acceptable substitute for a wet signature on any firm document or correspondence.

Digital signatures must apply to individuals only. Digital signatures for roles, positions, or titles (e.g., the CCO) are not considered valid.

Responsibilities

Digital signature acceptance requires specific action on both the part of the employee signing the document or correspondence (hereafter the signer) and the employee receiving/reading the document or correspondence (hereafter the recipient).

Signer Responsibilities

1. Signers must obtain a signing key pair from Singh PWM. This key pair will be generated using the firm’s Public Key Infrastructure (PKI), and the public key will be signed by the firm’s Certificate Authority (CA), <CA Name>.

2. Signers must sign documents and correspondence using software approved by the firm.

3. Signers must protect their private key and keep it secret.

4. If a signer believes that the signer’s private key was stolen or otherwise compromised, the signer must immediately contact the CCO to have the signer’s digital key pair revoked.

Recipient Responsibilities

1. Recipients must read documents and correspondence using software approved by the firm.

2. Recipients must verify that the signer’s public key was signed by the firm’s Certificate Authority (CA), <CA Name>, by viewing the details about the signed key using the software they are using to read the document or correspondence.

3. If the signer’s digital signature does not appear valid, the recipient must not trust the source of the document or correspondence.

4. If a recipient believes that a digital signature has been abused, the recipient must report its concern to the CCO.

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Password Construction Guidelines

Passwords are a critical component of information security. Passwords serve to protect user accounts; however, a poorly constructed password may compromise individual systems or data. The purpose of this guideline is to provide best practices for creating strong, secure passwords.

This guideline applies to employees, contractors, consultants, and temporary workers. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

Statement of Guidelines

All passwords should meet or exceed the following guidelines:

Strong passwords have the following characteristics:

· Contain at least 12 alphanumeric characters.

· Contain both upper- and lower-case letters.

· Contain at least one number (for example, 0-9).

· Contain at least one special character (for example,$%^&*()_+|~-=\`{}[]:";'<>?,/).

Poor or weak passwords have the following characteristics:

· Contain less than eight characters.

· Can be found in a dictionary, including foreign language, or exist in a language slang, dialect, or jargon.

· Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.

· Contain work-related information such as building names, system commands, sites, companies, hardware, or software.

· Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.

· Contain common words spelled backward, or preceded, or followed by a number (for example, terces, secret1, or 1secret).

· Are some version of “Welcome123” “Password123” “Changeme123.”

You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or another phrase. For example, the phrase, "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.

(NOTE: Do not use either of these examples as passwords!)

Passphrases

Passphrases generally are used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key known by all, and the private key, which is known only to the user. Without the passphrase to unlock the private key, the user cannot gain access.

A passphrase is similar to a password in use; however, it is relatively long and constructed of multiple words, which provides greater security against dictionary attacks. Strong passphrases should follow the general password construction guidelines, including upper and lowercase letters, numbers, and special characters (for example, TheRoad2SuccessIs@lwaysUnderConstr!)

Responsibilities

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Password Protection Policy

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of firm resources. All users, including contractors and vendors with access to the firm’s systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Singh PWM facility, has to access to the firm’s network, or stores any non-public information.

Password Creation

All user-level and system-level passwords must conform to the Password Construction Guidelines.

1. Users must not use the same password for firm-related accounts as for other non-firm access (for example, personal ISP account, option trading, benefits, and so on).

2. Where possible, users must not use the same password for various Singh PWM access needs.

3. User accounts with system-level privileges granted through group memberships must have a unique password for all other accounts held by that user to access system-level privileges.

Password Updates

1. All system-level passwords (for example, root, enable, NT admin, application administration accounts, and so on) must be changed on at least a quarterly basis.

2. All user-level passwords (for example, email, web, desktop computer, and so on) must be changed at least every six months. The recommended change interval is every four months.

3. Password cracking or guessing may be performed on a periodic or random basis by the CCO or delegate or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to comply with the Password Construction Guidelines.

Password Protection

1. Passwords must not be shared with anyone. All passwords are to be treated as sensitive, Confidential information. Singh PWM recognizes that legacy applications do not support proxy systems in place. Please refer to the technical reference for additional details.

2. Passwords must not be inserted into email messages or other forms of electronic communication.

3. Passwords must not be revealed over the phone to anyone.

4. Do not reveal a password on questionnaires or security forms.

5. Do not hint at the password format (for example, "my family name").

6. Do not share Singh PWM passwords with anyone, including administrative assistants, secretaries, managers, co-workers while on vacation, and family members.

7. Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.

8. It is acceptable to use certain encrypted password managers available on the internet. The CCO or delegate will provide a list of acceptable providers upon request.

9. Do not use the "Remember Password" feature of applications (for example, web browsers).

10. Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

All of the rules above that apply to passwords apply to passphrases.

Responsibilities

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Confidentiality Policy

The firm maintains safeguards to comply with federal and state standards to guard each client's information. The firm does not share any information with any non-affiliated third parties, except in the following circumstances:

As necessary to provide the service that the client has requested or authorized, or to maintain and service the client's account;
As required by regulatory authorities or law enforcement officials who have jurisdiction over the firm, or as otherwise required by any applicable law; and

To the extent reasonably necessary to prevent fraud and unauthorized transactions.

Employees are prohibited, either during or after the termination of their employment, from disclosing client information to any person or entity outside the firm, including family members, except under the circumstances described above. An employee is permitted to disclose information only to other employees who need to have access to such information to deliver our services to the client.

Responsibilities

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Data Backup Policy

The purpose of this policy is to establish the requirement that all of Singh PWM’s data is regularly backed-up and recoverable in the case of a data breach or disaster.

This policy applies to all systems and data.

1. The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.

2. There must be multiple backups of critical information, preferably with different media, vendors, and designated personnel within each node responsible for backing up data. The persons responsible for backing up data should be independent and not have access to the other’s backups.

3. The firm’s backup and recovery process for each system must be documented and periodically reviewed.

4. Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems.

5. A process must be implemented to verify the success of the electronic information backup.

6. Backups must be periodically tested to ensure that they are recoverable.

7. Employees approved for access to backup media held by the offsite backup storage vendor(s) must be reviewed annually or when an authorized individual is terminated or leaves employment.

Responsibilities

Any exception to the policy must be approved by the CCO or delegate in advance.

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Data Assessment and Breach Response Policy

The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances. It will include the definition of a breach, staff roles and responsibilities, standards, and metrics (e.g., to enable prioritization of the incidents) as reporting, remediation, and feedback mechanisms. The policy shall be well-publicized and made easily available to all personnel whose duties involve data privacy and security protection.

Singh PWM’s intentions for publishing a Data Assessment and Breach Response Policy are to focus significant attention on data security and data security breaches and how the firm has established a culture of openness, trust, and integrity should respond to such activity. Singh PWM is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

This policy mandates that any individual who suspects that a theft, breach, or exposure of Singh PWM confidential information has occurred must immediately provide a description of what occurred via e-mail to the CCO who will investigate to confirm if a theft, breach or exposure has occurred. If a theft, breach, or exposure has occurred, the CCO will follow the appropriate procedure in place.

This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle confidential information of Singh PWM clients. Any agreements with vendors will contain similar language that protects the fund.

As soon as a theft, data breach, or exposure containing confidential information is identified, the process of removing all access to that resource will begin.

Periodic Assessments

At least annually, Singh PWM will conduct assessments to detect potential systems vulnerabilities and ensure that cybersecurity procedures and systems effectively protect confidential information. These assessments will then respond to deficiencies detected through such assessments by taking timely corrective action in response to detected deficiencies.

Breach Response

Singh PWM’s response to data breaches will depend upon the type and severity of the incident. The CCO will be notified of the theft, breach, or exposure and will analyze the breach or exposure to determine the root cause, how the incident occurred, the types of data involved, the number of internal/external individuals and/or organizations impacted, and analyze the breach or exposure to determine the root cause. In responding, Singh PWM will:

Contain and mitigate the incident/breach to prevent further damage
Evaluate the incident and understand the potential impact
Implement a disaster recovery plan (if needed)
Alert the proper authorities (regulator, local law enforcement, FBI, United States Secret Service)
Determine if the personal information of customers was compromised and notify affected customers within 30 days of the date the firm became aware of the breach
Enhance systems and procedures to help prevent the recurrence of similar breaches
Evaluate response effort and update the response plan to address any shortcomings

Responsibilities

The CCO or delegate will verify compliance with this policy through risk assessments, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

Any exception to the policy must be approved by the CCO or delegate in advance.

Any Singh PWM personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third-party partner company found in violation may have their network connection terminated.

Approval

By:

Name:

Raman Singh

Title:

Chief Compliance Officer

Singh PWM

Phoenix, AZ 85012

CRD # 326033

Compliance