
6. Assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments

We leverage a hybrid cloud data center strategy that utilizes multiple Tier IV data centers and providers. We remain in full control of our industry-leading security requirements for cloud and third-party managed data and services within this strategy. We determine how the data/services are stored and secured and who has access to the data/services. Best practices include:

DOL cybersecurity best practice: Requiring a risk assessment of third-party service providers
Empower protocols: Prior to contracting with critical suppliers, we conduct third-party vendor risk assessments that include reviews of financial, technical and operational controls. In addition, security requirements are included in contract language, and audits are performed at least annually. Physical and environmental security controls of our hybrid cloud strategy are evaluated within our SOC 2 Type 2 audits by independent AICPA auditors. These facilities are also compliant with all required regulatory compliance laws and cloud provider compliance standards associated with the services performed.

DOL cybersecurity best practice: Defining minimum cybersecurity practices for third-party service providers
Empower protocols: Our service vendors maintain the same level of security and privacy controls required of Empower based on the confidentiality category of the information shared. Requirements are governed by contractual agreements and regulatory compliance law.

DOL cybersecurity best practice: Periodically assessing third-party service providers based on potential risks.
Empower protocols: Third-party due diligence evaluations are performed at least annually for all partners who have access to NPI/PII.

DOL cybersecurity best practice: Ensuring that guidelines and contractual protections at minimum address the following:
  •  The third-party service provider's access control policies and procedures, including the use of multi-factor authentication
  •  The third-party service provider's encryption policies and procedures
  •  The third-party service provider's notification protocol for a cybersecurity event that directly impacts a customer's information system(s) or nonpublic information
Empower protocols: Confirmed











                                 FOR FINANCIAL PROFESSIONAL AND PLAN SPONSOR USE ONLY.