Clear Provisions on the Use and Sharing of Information   Compliance with Records Retention and Destruction,
          and Confidentiality                                   Privacy and Information Security Laws
          Empower’s contracts contain confidentiality and       Personal identifiable information is stored in the U.S. and is
          nondisclosure provisions that fully address these     encrypted at rest and in transit when on public networks.
          obligations. In addition, these provisions also address   Records are retained for up to seven years in accordance
          the organizational, technical and procedural safeguards   with corporate policies and regulatory compliance laws
          used to protect the confidential information of our clients.   as well as contractual agreements. All workstation and
          Empower handles participant data in accordance with all   server hard drives are wiped by Empower personnel, then
          applicable privacy and data protection laws.          destroyed by a contracted disposal vendor.

          Notification of Cybersecurity Breaches                Insurance
          Plan sponsor notification of security breaches is     Empower carries Commercial General Liability, Financial
          coordinated through the Empower legal department in   Institution Bond and Electronic and Computer Crime
          accordance with applicable contracts and state and federal   Policy, Insurance Company and Asset Management/
          law requirements.                                     Investment Company Professional Liability (also known as
                                                                errors and omissions), and Cyber Liability Insurance.




     14
                                 FOR FINANCIAL PROFESSIONAL AND PLAN SPONSOR USE ONLY.