Great American Title Company is hereinafter referred to as "the company".

1.0 POLICY

A. It is the policy of the company that data or information, as defined hereinafter, in all its forms--written, spoken, recorded electronically or printed--will be protected from accidental or intentional unauthorized modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that data or information.

B. All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 7 (seven) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, at an interval to be determined by each entity within the company.

C. At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.

2.0 SCOPE

A. The scope of the Information Security Policy includes the protection of the confidentiality, integrity and availability of data or information.

B. The framework for managing information security in this policy applies to all company entities and workers, and other Involved Persons and all Involved Systems throughout the company as defined below in INFORMATION SECURITY DEFINITIONS.

C. This policy and all standards apply to all protected title and closing information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.

3.0 RISK MANAGEMENT

A. A thorough analysis of all company information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats (internal or external, natural or manmade, electronic and non-electronic) that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with their collection, storage, dissemination and protection.

From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.

B. Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.

C. Management, at least annually, will confirm that only authorized employees have access to customer information and customer information systems to perform job functions.

3.1 Cyber Security

The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our company’s reputation. For this reason, we have implemented a number of cyber security measures.

3.1.1 Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word was created as a reference to fishing due to the similarity of using bait in an attempt to catch a victim.

Scammers also use phishing emails to get access to your computer or network; then they install programs like ransomware that can lock you out of important files on your computer.

Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.

Phishing scammers make it seem like they need your information or someone else’s, quickly, or something bad will happen. They might say your account will be frozen, you’ll fail to get a tax refund, your boss will get mad, even that a family member will be hurt or you could be arrested. They tell lies to get you to give them information.

Be cautious about opening attachments or clicking on links in emails. Even your coworkers, friends or family members’ accounts could be hacked. Files and links can contain malware that can weaken your computer's security.

Do your own typing. If a company or organization you know sends you a link or phone number, don’t click. Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.

Make the call if you’re not sure. Do not respond to any emails that request personal or financial information. Phishers use pressure tactics and prey on fear. If you think a company, friend or family member really does need personal information from you, pick up the phone and call them yourself using the number on their website or in your address book, not the one in the email.

Report phishing emails and texts. Forward suspected phishing emails to IT for review. Never forward a suspect email to coworkers. Never forward a suspect email to an internal distribution account (i.e. Kingwood@greatamtitle.com).

3.1.2 Wire Fraud

Refer to Incoming Wire - Fraud Prevention Policy and Outgoing Wire – Fraud Prevention Policy (available upon written request)

3.1.3 Password requirements

Refer to Password Policy

3.1.4 Email standards

Refer to Email Policy (available upon written request)

3.1.5 Handling of sensitive data

Refer to NPI or Confidential Data Policy

3.1.6 Company email on personal devices

Refer to Mobile Device Security Policy (available upon written request)

4.0 INFORMATION SECURITY DEFINITIONS

Availability: Data or information is accessible and usable upon demand by an authorized person.

Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.

Integrity: Data or information has not been altered or destroyed in an unauthorized manner.

Involved Persons: Every worker at the company -- no matter what their status. This includes employees, contractors, consultants, temporaries, etc.

Involved Systems: All computer equipment and network systems that are operated within the company environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.

Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.

5.0 INFORMATION SECURITY RESPONSIBILITIES

5.1 Information Security Officer

The Information Security Officer (ISO) is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of the IT manager and management team. Specific responsibilities include:

1. Ensuring security policies, procedures, and standards are in place and adhered to by entity.

2. Providing basic security support for all systems and users.

3. Advising owners in the identification and classification of computer resources. See Section VI Information Classification.

4. Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.

5. Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.

6. Providing on-going employee security education.

7. Overseeing security audits that are performed by unbiased personnel.

8. Reporting regularly to the company’s Oversight Committee on entity’s status with regard to information security.

5.2 User Management

Company management who supervise users as defined below. User management is responsible for overseeing their employees' use of information, including:

1. Reviewing and approving all requests for their employees’ access authorizations.

2. Promptly informing appropriate parties of employee terminations and transfers.

3. Revoking physical access to terminated employees, i.e., confiscating keys, changing combination locks, etc.

4. Providing employees with the opportunity for training needed to properly use the computer systems.

5. Reporting promptly to the ISO the loss or misuse of company information.

6. Initiating corrective actions when problems are identified.

5.3 User

The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:

1. Access information only in support of their authorized job responsibilities.

2. Comply with Information Security Policies and with all controls established.

3. Keep personal authentication devices (e.g. passwords, SecureCards, PINs, etc.) confidential.

4. Report promptly to the ISO the loss or misuse of company information.

5. Initiate corrective actions when problems are identified.

6.0 INFORMATION CLASSIFICATION

Classification is used to promote proper controls for safeguarding the confidentiality of data and information. Regardless of classification, the integrity and accuracy of all classifications of data or information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. See Data Classification Policy.

7.0 COMPUTER AND INFORMATION CONTROL

All involved systems and information are assets of the company and are expected to be protected from misuse, unauthorized manipulation, and destruction. These protection measures may be physical and/or software based.

7.1 Ownership of Software

All computer software developed by company employees or contract personnel on behalf of the company or licensed for company use is the property of the company and must not be copied for use at home or any other location, unless otherwise specified by the license agreement and approved by the IT Manager.

7.2 Installed Software

All software packages that reside on computers and/or networks within the company must comply with applicable licensing agreements and restrictions.

7.2.1 Change Management Policy

Planned and unplanned changes to the IT environment occur when technology and/or business functions change.

7.2.1.1 Request

Requests for changes to hardware and/or software shall be submitted in writing to the IT manager.

7.2.1.2 Review

The IT manager first reviews the request to determine impacts on existing systems, as well as compatibility with the FAST operating system.

7.2.1.3 Test

The IT manager or designee shall test hardware and/or software changes prior to implementation. Testing of hardware will be accomplished in a secure environment. Testing of software will first be accomplished in a secure environment. Field testing of software changes must also be accomplished to ensure compatibility with the G+FAST operating system.

7.2.1.4 Documentation

Each phase of the change shall be documented and said documentation shall be maintained by the Company for a period of one year.

7.3 Approved Software List

An approved software list will be maintained by the IT manager.

7.4 Virus Protection

Virus checking systems approved by the Information Security Officer must be deployed in a manner that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.

7.5 Access Controls

Physical and electronic access to NPI, Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by the company.

7.5.1 Remote Access

Access into the company network from outside will be granted using company approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, NPI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protections as information stored and accessed within the company network. Refer to the Remote Access Policy.

7.5.2 Physical Access

Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals. The following physical controls must be in place:

A. Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Safeguards must include procedures that will:

1. Position workstations to minimize unauthorized viewing of NPI or confidential information.

2. Grant workstation access only to those who need it in order to perform their job function.

3. Use automatic screen savers with passwords to protect unattended machines.

B. Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.

7.6 Evaluation

The company requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic information to ensure its continued protection.

7.7 Contingency Plan

Controls must ensure that the company can recover from any damage to computer equipment or files within a reasonable period of time.

7.6.1 Disaster Recovery and Continuity Plan

A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. Refer to the individual Disaster Recovery and Contingency Plans.

7.8 Removable Media

The use of mass media (i.e. CD-ROM, USB drive, flash drive, or thumb drive) is strictly prohibited on an employee’s PC without written consent of management.

8.0 COMPLIANCE

The Information Security Policy applies to all users of the company information including: employees and outside affiliates. Failure to comply with Information Security Policy by employees and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable company procedures, or, in the case of outside affiliates, termination of the affiliation.

9.0 Enforcement

This policy will be enforced by the Manager and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.

10.0 Definitions

Cyber Security: Computer security, also known as IT security, is the protection of information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide.

Antivirus Software: An application used to protect a computer from viruses, typically through real time defenses and periodic scanning. Antivirus software has evolved to cover other threats, including Trojans, spyware, and other malware.

Firewall: A security system that secures the network by enforcing boundaries between secure and insecure areas. Firewalls are often implemented at the network perimeter as well as in high-security or high-risk areas.

IDS: Stands for Intrusion Detection System. A network monitoring system that detects and alerts to suspicious activities.

Phishing: A fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site.

Malware: Any software intentionally designed to cause damage to a computer, server or computer network.

11.0 Revision History

Revision 1.0, 10/13/2012

Revision 2.0, 09/01/2014

Revision 3.0, 08/11/2015

Revision 4.0, 10/20/2015

Revision 5.0, 11/05/2015

Revision 6.0, 11/17/2015

Revision 7.0, 12/02/2015

Revision 8.0, 05/08/2018

Revision 9.0, 11/21/2018

Revision 10.0, 01/07/2021