Barnai Asset Management’s top priority is the security and privacy of clients’ personal information, and cybersecurity plays an essential role in protecting clients’ nonpublic information. BAM continually researches and reviews potential threats and recommended precautions to protect against those threats, from credible sources including Guidance Updates from the US Securities and Exchange Commission, and the Colorado Division of Securities. In accordance with our priority to protect client privacy and the security of their personal information, we have developed this Cybersecurity Policy.

ELECTRONIC FILES & DATABASES

BAM does not permanently store any client information on internal servers, computer hard drives or external hard drives. All client information and records are stored at Redtail Technology data centers and Carbonite data centers.

BAM utilizes Redtail Technology’s Customer Relations Manager service as well as their cloud-based file storage service, called Imaging. All client information and records are organized, stored and archived in these two platforms. BAM has reviewed and approved Redtail Technology’s security and privacy policies, as well as their back-up and recovery plan.

BAM performs monthly back-ups of all Imaging files to Carbonite, a secure online backup service. BAM has reviewed and approved Carbonite’s security and privacy policies, as well as their back-up and recovery plan.

BAM  will retain records for at least 5 years, or as otherwise required by applicable state or federal law. With respect to disposal of nonpublic personal information, BAM  will take reasonable measures to protect against unauthorized access to or use of such information in connection with its disposal.

PASSWORD POLICY & 2-STEP VERIFICATION

BAM employees and access persons are required to use different alphanumeric passwords to access every system associated with the business and clients. In addition, each person is required to change the passwords of all systems either quarterly or annually based upon the individual system and the client information stored within. Passwords are changed quarterly, at a minimum, for all online services that contain sensitive client information. The passwords for all other online services subscribed to by BAM are changed annually or as needed. BAM also educates employees and access persons on the importance of enabling multi-authentication login for all subscribed services that offer it.

BAM subscribes to LastPass, a password manager, to create and change strong alphanumeric passwords regularly. All employees and access persons are required to use 2-step verification for LastPass through the LastPass Mobile Authenticator to access all online and cloud-based systems utilized by BAM.

INTERNET CONNECTION

BAM utilizes secure, private internet connections to operate business. All BAM employees and access persons have been educated about the risks of accessing the firm’s systems or conducting business via insecure internet connections while traveling or out of the office.

ANTIVIRUS SOFTWARE & FIREWALL PROTECTION

All BAM computers have up-to-date McAfee antivirus software and/or use a firewall to prevent unauthorized applications, programs, or services from accepting incoming connections. All employees and access persons conduct security screenings of their computers on a quarterly basis.

CLIENT COMMUNICATION

BAM Initiated Communication: BAM communicates with clients regularly by email, phone, video meetings and face-to-face meetings. The only employees of BAM that will contact clients are Adam Barnai and Caitlin Erwin. If an information request appears suspicious, BAM advises clients to contact Adam Barnai or Caitlin Erwin to verify that it is a legitimate BAM request before providing any information. BAM never requests or sends sensitive client information by email. BAM may gather sensitive client information through forms sent via DocuSign, secure electronic platforms, or by phone. Every e-mail sent contains a disclosure which addresses any persons who may receive the message in error and includes instructions to contact BAM and properly dispose of the data.

Clients Contacting BAM: BAM only responds to emails in which the email address and client are recognized. If an email is received that is not recognized as belonging to a client or if the email is suspicious in nature, BAM will call the client to verify the authenticity of the email. BAM will not email requested confidential information such as account numbers, social security numbers, and passwords. BAM initially verifies client phone calls by telephone numbers on record and/or voice recognition. If BAM is uncertain to the identity of the caller, BAM will verify identity by asking for the client’s date of birth, address, and/or the last four digits of their social security number. If the phone call is considered suspicious it will be documented in the “Red Flag” reviews in the AML section.

Shareholders Service Group: SSG is the brokerage firm BAM uses for all client accounts. From time to time, SSG may require additional client information or may need to verify client information; SSG will contact clients directly for such information. If a client is uncertain as to the validity of the request, BAM encourages the client to refrain from providing information until contacting BAM. SSG regularly emails clients notifications of quarterly statements, trade confirmations, and other account information.

Phishing: “Phishing” is an illegal attempt to acquire personal, sensitive information such as passwords and financial information, and/or money by masquerading as a trustworthy entity. In defense against phishing, BAM will not disclose clients’ personal, sensitive information via email; nor will BAM ever request client’s personal information via email. If BAM employee has reasonable doubt concerning a client identity over the phone, the client may be requested to verbally confirm identity by answering security questions regarding information they have shared with BAM previously. If the email or phone call is considered suspicious it will be documented in the “Red Flag” reviews in the AML section.

PREVENTION OF UNAUTHORIZED FUNDS TRANSFERS

BAM has implemented the following firm-wide information security polices to help prevent unauthorized funds transfers:

• 3^rd party wire requests by clients are generally not accepted by BAM due to the heightened security risks of fraudulent requests or scams.
• All wire requests should be reviewed for suspicious behavior (e.g., time of request, atypical amount of request, etc.)
• Outgoing client account transfers through Shareholders Service Group are monitored daily. If the transfer is unknown to the advisor or seems fraudulent the client will be notified. If the transfer is confirmed fraudulent by the client, BAM will notify SSG and the proper authorities.

BAM is particularly aware of the risk caused by fraudulent emails, purportedly from clients, seeking to direct transfers of customer funds or securities and will train all staff members to properly identify such fraudulent emails.

CLIENT CYBERSECURITY EDUCATION

BAM takes client privacy and security seriously and initiates all necessary cybersecurity precautions, including educating clients. BAM encourages clients to: change their passwords regularly; not use the same password for multiple accounts; not share their passwords with anyone; and keep social media profiles private BAM includes a Client Cybersecurity Information section in the annual Client Reviews for educating clients on the importance of cybersecurity and the dangers of Phishing, and outlines how BAM and SSG will communicate with the client.

SOCIAL MEDIA SECURITY

BAM, as a business entity, does not have or utilize any social media accounts currently. All BAM employees and access persons have been educated on the importance of keeping personal social media profiles private in order to protect their personal information and keep it out of reach of attackers that may try phishing for information to answer security questions and breach a secure system used by BAM.

SECURITY & PRIVACY REVIEW OF THIRD PARTIES

BAM subscribes to services of third parties to provide more secure and efficient service to clients. Some of these third parties either have direct access to client information or store it securely on their servers. Therefore, BAM obtains and reads all security and privacy policies before subscribing to individual services of third-party providers to ensure that they take necessary and recommended precautions to protect clients’ security and privacy. In addition to initial reviews of these third-party policies, BAM reviews third party privacy policies and technology services security annually

DATA BACK-UP & RECOVERY

BAM business data and client information is backed up by the individual systems subscribed to, at a minimum, daily. In addition, BAM manually backs-up Redtail Imaging file storage contents monthly to Carbonite, a secure cloud storage service. Recovery of backed-up information is provided per request by the individual systems subscribed to and BAM employees are able to access back-ups from Carbonite at any time via secure log-in. BAM’s business continuity plan addresses Data Back-up and Recovery.

CYBERSECURITY RISK ASSESSMENT

BAM conducts annual information technology security risk assessments to prevent cyber-attacks or security breaches, and to identify any deficiencies or develop any improvements. This includes interviewing employees and access persons to confirm they are following all BAM security policies regularly. It also includes reviewing the security and privacy statements for all applicable third parties to ensure they are taking necessary precautions to ensure cybersecurity.

CYBERSECURITY TESTING AND REVIEW

On an annual basis, BAM will test its current information security policy and capabilities. The test conducted will include the following activities:

• Attempt to access a random sample of firm devices to ensure that proper passwords are in place to prevent access.
• Attempt to access a random sample of users accounts with the proper passwords to ensure that two-factor authentication prevents system access.
• Attempt to restore a sample of files and records from Carbonite to ensure that the restoration process is sufficient and properly configured.

The results from the annual test and review will be documented and utilized to update and improve the Cybersecurity Policy.

CYBER-ATTACK SECURITY PLAN

Cyber-attack (breach of client info) Security Plan

1. Upon discovering a cyber-attack or breach of sensitive client information, BAM and all its employees and access persons will immediately change passwords to all systems, including password to subscribed password manager.
2. Upon discovering a cyber security attack or breach of sensitive client information, BAM will notify clients in a professional manner and instruct them to change all their passwords, especially that of the custodian client portal. In addition, BAM will continually update clients with important information regarding the attack and the aftermath.
3. Contact proper law enforcement and/or regulatory agencies as required by state and Federal law.
4. Determine if any 3rd party vendors were involved in the incident.
5. After a cyber-attack has occurred, BAM will, in a timely manner, review their Cyber Security Policies and Procedure and update and improve it to prevent future cyber-attacks or security breaches.

Please call if you have any questions. Your personal information security, our professional ethics, and the ability to provide you with quality financial services are very important to us.