SS&C DORA Supplemental Letter Agreement – Additional Security Provisions (Schedule 3)

This Schedule 3 was prepared for the purpose of documenting SS&C’s additional security provisions in the SS&C DORA supplemental letter agreement entered between SS&C and its relevant clients.

The terms used in this Schedule 3 have the meaning given to them in the SS&C DORA supplemental letter agreement (Schedule 2).

1. Operational Resilience and Risk Management

1.1 Risk Management Framework

SS&C will maintain a Risk Management Framework (in accordance with SS&C’s own policies) that identifies, assesses, and mitigates ICT (Information and Communication Technology) risks that could disrupt the services provided. SS&C will make commercially reasonable efforts to ensure operational resilience.

1.2 Business Continuity and Crisis Management

SS&C will implement and maintain commercially reasonable Business Continuity/Crisis Management policies and procedures for managing disruptions with respect to the services. SS&C will ensure its business continuity procedures are tested at least annually. SS&C will prioritize efforts to restore services in a timely and reasonable manner.

2. Security Controls and Safeguards

2.1 Security Management Framework

SS&C will implement and maintain policies and procedures that are reasonably designed to protect against unauthorized access to or modification of Client data and Confidential Information maintained by SS&C.

2.2 Security of ICT Systems

SS&C will employ appropriate and commercially reasonable security measures designed to protect SS&C ICT systems and infrastructure, including but not limited to firewalls, encryption, and intrusion detection systems (IDS).

2.3 Data Encryption and Integrity

SS&C will use commercially reasonable encryption protocols to protect Client data in transit and at rest.

3. Third-Party Risk Management

3.1 Third-Party Service ICT Providers and Subcontractors

To the extent that any third party and subcontractor is engaged by SS&C to provide services to Clients and has access to Client data, or receives data from or on behalf of Client, SS&C will use commercially reasonable efforts to ensure that any third-party providers that perform critical or important ICT functions adhere to similar operational resilience and cybersecurity standards as required under DORA.

3.2 Due Diligence and Oversight

SS&C will conduct due diligence on subcontractors and third-party providers before engaging them in services with access to Client data. SS&C will implement reasonable policies and procedures to oversee third-party providers.

4. Incident Detection, Response, and Reporting

4.1 Incident Detection, Monitoring and Reporting

SS&C will maintain an Incident Response Plan (IRP) and will implement monitoring systems to detect, identify, report and appropriately respond to potential ICT incidents. However, SS&C is not responsible for incidents that occur due to actions or failures by the Client, including inadequate security measures on the Client's side. SS&C will notify the Client of any material incidents without undue delay and as required by DORA.

SS&C will inform the Client if an ICT incident materially affects services received from SS&C and will reasonably cooperate with the Client’s reporting efforts to the extent required by law.

5. Operational Resilience Testing and Assurance

5.1 Operational Resilience Management Framework

SS&C has implemented and maintains policies and procedures that are reasonably designed to conduct comprehensive operational resilience testing to ensure its systems, processes, and teams can effectively withstand and recover from disruptions, maintaining continuity and reliability.

5.2 Threat-Led Penetration Testing

SS&C will cooperate with the Client in threat-led penetration testing to the extent that the regulatory authority deems SS&C, as a third-party, in scope as part of its risk assessment, and within the scope of services offered and subject to agreed terms.

5.3 Audit and Compliance Checks

Once per year, and within 45 days of receiving a written request from the Client, SS&C will provide the following:

  • (i) A copy of its Standard Information Gathering (SIG) questionnaire or a custom questionnaire (which will be in lieu of other questionnaires that may be requested);
  • (ii) If applicable, the most recent relevant Service Organization Controls (SOC) 1, Type 2 Audit, issued under SSAE 18, covering SS&C controls;
  • (iii) An executive summary of its information security policy;
  • (iv) An opportunity to discuss SS&C’s Information Security measures with a qualified member of the SS&C security team.

6. Data Protection and Privacy Compliance

See the SS&C data protection due diligence questionnaire, which is available by contacting your SS&C Account Manager directly.

7. Cyber Security Measures

7.1 Cyber Security Framework

SS&C will maintain a commercially reasonable cybersecurity framework, reasonably designed in line with recognised standards, to address key risks.

7.2 Cyber Security Awareness Training

SS&C will provide basic cybersecurity awareness training (in accordance with its own training schemes) and digital operational resilience training to its personnel on at least an annual basis.

Date Last Updated: January 16, 2025