
Options Capital Group

Information Security & Data Protection Policy

Effective Date: May 11, 2026

Policy Owner: Options Capital Group Management

Applies To: All employees, contractors, vendors, consultants, temporary workers, and third-party service providers.

 

1. Purpose

Options Capital Group (“the Company”) is committed to protecting customer, employee, dealer, investor, and company information from unauthorized access, disclosure, alteration, misuse, or destruction.

This Information Security & Data Protection Policy establishes the administrative, technical, and physical safeguards designed to:

  • Protect confidential and non-public personal information (“NPI”)

  • Comply with applicable federal and state laws

  • Reduce cybersecurity and fraud risks

  • Maintain customer trust

  • Ensure operational continuity

This policy supports compliance with:

  • Gramm-Leach-Bliley Act (GLBA)

  • FTC Safeguards Rule

  • Fair Credit Reporting Act (FCRA)

  • Red Flags Rule

  • State privacy and data breach notification laws

  • Applicable CFPB requirements

 

2. Scope

This policy applies to all:

  • Company-owned devices

  • Cloud systems and software

  • Customer data

  • Employee records

  • Loan files

  • Dealer information

  • Vendor systems connected to Company operations

  • Physical records and storage locations

The policy applies whether information is stored:

  • Electronically

  • Physically

  • In transit

  • In cloud environments

  • On mobile devices

 

3. Definitions

Non-Public Personal Information (NPI)

Information that identifies an individual and is not publicly available, including:

  • Social Security numbers

  • Driver’s license numbers

  • Date of birth

  • Credit reports

  • Bank account information

  • Income documentation

  • Loan applications

  • Payment history

Confidential Information

Any proprietary or sensitive company information not intended for public disclosure.

Authorized User

Any employee, contractor, or vendor approved to access Company systems or data.

 

4. Information Security Program

Options Capital Group maintains a written Information Security Program designed to:

  • Identify internal and external risks

  • Protect customer information

  • Detect unauthorized access

  • Respond to cybersecurity incidents

  • Continuously improve security controls

Management shall review the program annually.

 

5. Access Control Policy

5.1 Least Privilege Access

Employees shall only have access to systems and information necessary to perform their job responsibilities.

5.2 User Accounts

  • Unique user IDs are required for all personnel.

  • Shared logins are prohibited.

  • User access must be reviewed periodically.

  • Access shall be revoked immediately upon termination.

5.3 Multi-Factor Authentication (MFA)

MFA is required for:

  • Email systems

  • Cloud platforms

  • Remote access

  • Financial systems

  • CRM and servicing systems

5.4 Password Requirements

Passwords must:

  • Be at least 12 characters

  • Meet complexity requirements

  • Not be reused across systems

  • Be changed immediately if compromised

Passwords may not be shared or stored insecurely.

 

6. Data Classification & Handling

6.1 Data Classification

Company data shall be classified as:

  1. Public

  2. Internal Use Only

  3. Confidential

  4. Restricted

Customer NPI shall always be treated as Restricted information.

6.2 Data Transmission

Sensitive information must only be transmitted using:

  • Encrypted email

  • Secure portals

  • Approved secure file-sharing platforms

  • VPN connections

Transmission of customer NPI through unsecured channels is prohibited.

6.3 Data Storage

Restricted information must:

  • Be encrypted when stored electronically

  • Be stored in approved systems only

  • Not be stored on personal devices without authorization

 

7. Physical Security

The Company shall implement physical safeguards including:

  • Locked offices and file storage

  • Visitor controls

  • Alarm systems where applicable

  • Secure shredding procedures

  • Controlled access to records

Loan files and customer records must be secured when unattended.

 

8. Endpoint & Device Security

All company devices must:

  • Use approved antivirus/anti-malware software

  • Maintain current security patches

  • Use device encryption

  • Use screen-lock timeouts

  • Be protected by passwords

Employees may not install unauthorized software.

Lost or stolen devices must be reported immediately.

 

9. Email & Phishing Protection

Employees shall:

  • Exercise caution with links and attachments

  • Verify unusual payment requests

  • Report suspected phishing attempts immediately

  • Avoid sending NPI through unsecured email

Regular phishing awareness training may be conducted.

 

10. Vendor & Third-Party Security

Third-party vendors with access to Company or customer data must:

  • Maintain appropriate security controls

  • Sign confidentiality agreements

  • Comply with applicable privacy laws

  • Notify the Company of security incidents

The Company reserves the right to review vendor security practices.

 

11. Incident Response

11.1 Reporting

All suspected security incidents must be reported immediately to management.

Examples include:

  • Unauthorized system access

  • Phishing attacks

  • Malware infections

  • Lost devices

  • Data leaks

  • Ransomware events

11.2 Investigation

The Company shall:

  • Investigate incidents promptly

  • Contain affected systems

  • Preserve evidence where appropriate

  • Determine the scope of exposure

  • Implement corrective actions

11.3 Notification

If required by law, the Company shall provide breach notifications to:

  • Affected consumers

  • Regulators

  • Law enforcement

  • Credit bureaus

within applicable legal timelines.

 

12. Data Retention & Disposal

Customer and company records shall be retained according to:

  • Legal requirements

  • Regulatory obligations

  • Operational needs

When records are no longer needed, they shall be securely destroyed through:

  • Shredding

  • Secure deletion

  • Certified destruction services

 

13. Remote Work Security

Employees working remotely must:

  • Use secure internet connections

  • Use Company-approved devices where possible

  • Avoid public Wi-Fi unless using VPN

  • Protect physical documents from unauthorized access

  • Maintain confidentiality at all times

 

14. Employee Training

All employees shall receive training regarding:

  • Data protection

  • Privacy obligations

  • Cybersecurity awareness

  • Phishing prevention

  • Fraud prevention

  • Incident reporting

Training shall occur:

  • At onboarding

  • Periodically thereafter

  • Following material policy updates

 

15. Compliance Monitoring

The Company may conduct:

  • Access reviews

  • Security assessments

  • Vulnerability scans

  • Vendor reviews

  • Internal audits

Failure to comply with this policy may result in disciplinary action up to and including termination.

 

16. Business Continuity & Backup

The Company shall maintain reasonable procedures for:

  • Data backup

  • Disaster recovery

  • System restoration

  • Business continuity

Critical data should be backed up regularly and tested periodically.

 

17. Encryption Standards

The Company shall use commercially reasonable encryption standards for:

  • Data at rest

  • Data in transit

  • Portable devices

  • Backup systems

 

18. Monitoring & Logging

The Company may monitor:

  • Network activity

  • User access

  • Login attempts

  • File access

  • Security alerts

for security, compliance, and operational purposes.

Employees should have no expectation of privacy regarding use of Company systems.

 

19. Policy Review

This policy shall be reviewed:

  • At least annually

  • Following material business changes

  • Following major security incidents

  • As laws and regulations evolve

 

20. Management Approval

This Information Security & Data Protection Policy is approved by the management of Options Capital Group.

 

Authorized Representative

Options Capital Group

Date: May 11, 2026
