Regulation S-P (“Reg S-P”) requires registered investment advisers to adopt and implement policies and procedures that are reasonably designed to protect the confidentiality of sensitive customer information. This includes data that, without any other context, could result in substantial harm or inconvenience to an individual, as well as combinations of information that could create a substantial risk of harm or inconvenience. Reg S-P does not explicitly apply to the records of companies, investors in a private fund, or individuals acting in a business capacity on behalf of the registered investment adviser, but corresponding Federal Trade Commission (“FTC”) rules may impose similar disclosure and safeguarding obligations. Kosmos is committed to protecting the confidentiality of all nonpublic information regarding its Investors, prospective investors, and Employees.
Reg S-P requires investment advisers to provide their customers and certain consumers with certain notices describing their privacy policies and procedures (“Privacy Notice”). Among other requirements, Reg S-P requires financial institutions to send initial Privacy Notices to their customers and certain consumers and provide both the opportunity to opt out of the disclosure of any Nonpublic Personal Information about them to certain nonaffiliated third parties. Reg S-P further states that investment advisers are required to send annual Privacy Notices to customers unless the adviser (i) only shares Nonpublic Personal Information with nonaffiliated third parties in a manner that does not require an opt-out right be provided to customers; and (ii) has not changed its policies and procedures with regard to disclosing Nonpublic Personal Information since it last provided a Privacy Notice to customers.
Although Reg S-P does not require the distribution of Privacy Notices to companies, to investors in a private fund, or to individuals acting in a business capacity, the Company provides initial Privacy Notices, revised Privacy Notices, and, when appropriate, annual Privacy Notices to all Investors as a best practice.
Regulation S-AM (“Reg S-AM”) prohibits a registered investment adviser from using information about an individual consumer that has been obtained from an affiliated entity for marketing purposes unless the information sharing practices have been disclosed and the consumer has not opted out.
In addition to Reg S-P, Reg S-AM and Reg S-ID, certain states and non-U.S. jurisdictions have adopted consumer privacy laws that may be applicable to investment advisers with investors, service providers, and in the situation of Kosmos insureds/policy holders, who are residents of those states or jurisdictions.
Risks
In developing these policies and procedures and the firm’s Written Information Security Policy (WISP) and Incident Response Plan (IRP), Kosmos considered the material risks associated with privacy protection and cybersecurity. This analysis included risks such as:
• Sensitive Personal Information is not recorded accurately or protected from inadvertent alteration or destruction;
• Sensitive Personal Information is not protected from unauthorized access by Employees or third party service providers;
• Sensitive Personal Information can be accessed, copied, or destroyed by physical or electronic intrusions;
• False or misleading disclosures are made to Investors and/or insured/policy holders about the use or protection of Sensitive Personal Information;
• Third-party service providers have adopted inadequate policies and procedures to protect Sensitive Personal Information;
• Kosmos fails to detect, respond to, and recover from unauthorized access to or use of Sensitive Personal Information;
• Kosmos disposes of Sensitive Personal Information without taking reasonable measures to protect against unauthorized access to or use of the same;
• Kosmos fails to comply with applicable state privacy laws; and
• Kosmos uses information obtained from affiliates for marketing purposes without ensuring that affected individuals have been given adequate notice and an opportunity to opt out.
Kosmos has established the following guidelines to mitigate these risks.
Guiding Principles
Kosmos will seek to limit its collection of Sensitive Personal Information to that which is reasonably
necessary for legitimate business purposes. Kosmos will not disclose Sensitive Personal Information except
in accordance with these policies and procedures, as permitted or required by law, or as authorized in
writing by the Investor. Kosmos will never sell Sensitive Personal Information.
With respect to Sensitive Personal Information, Kosmos will strive to: (a) ensure the security and
confidentiality of the information; (b) protect against anticipated threats and hazards to the security and
integrity of the information; and (c) protect against unauthorized access to, or improper use of, the
information. The Chief Compliance Officer is responsible for administering these policies and procedures.
All Employees and contractors should notify the Chief Compliance Officer promptly of any suspected
unauthorized access to, unauthorized use or improper disclosure of Sensitive Personal Information.
Although these principles and the following procedures apply specifically to Sensitive Personal Information
(unless stated otherwise), Employees must be careful to protect all of Kosmos’s proprietary information.
Protecting Confidential Information
Employees will maintain the confidentiality of information acquired in connection with their employment,
with particular care being taken regarding Sensitive Personal Information. Improper use of Kosmos’
proprietary information, including Sensitive Personal Information, is cause for disciplinary action, up to
and including termination of employment for cause and referral to appropriate civil and criminal legal
authorities.
Sensitive Personal Information will be restricted to Employees who have a need to know such information.
All requests by third parties to review compliance testing results, correspondence between Kosmos and
regulators and other compliance-related documents should be forwarded to the CCO. Employees and other
Supervised Persons are not authorized to respond to such requests without the prior approval of the CCO.
For the avoidance of doubt, nothing in this policy prohibits Employees from reporting potential violations
of federal law or regulation to any governmental agency or entity, including but not limited to the
Department of Justice, the SEC, or any agency’s inspector general, or from making other disclosures that
are protected under the whistleblower provisions of federal law or regulation. Employees/Supervised
Persons do not need prior authorization from their supervisor, the CCO, or any other person or entity
affiliated with Kosmos to make any such reports or disclosures, and do not need to notify Kosmos or any
person or entity affiliated with Kosmos that they have made such reports or disclosures. Additionally,
nothing in this Policy prohibits Employees/Supervised Persons from recovering an award pursuant to a
whistleblower program of a government agency or entity.
Disclosure of Sensitive Personal Information
Sensitive Personal Information may only be provided to third parties under the following circumstances:
• To Investors, accountants, lawyers, and others as directed in writing by Investors or Fund
documents;
• To third-party service providers, as necessary to service Investors accounts, assess Kosmos’
compliance with industry standards, protect the confidentiality and security of Kosmos’ records,
and protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other
liability;
• To insurance companies, Investors, and third-party service providers as necessary to originate,
manage, maintain and service a life insurance policy or annuity; and
• To regulators and others, as required by law.
Employees should take reasonable precautions to confirm the identity of individuals requesting Sensitive
Personal Information. Employees must be careful to avoid disclosures to identity thieves, who may use
certain Sensitive Personal Information, such as a social security number, to convince an Employee to divulge additional information. Any contacts with suspected identity thieves must be reported promptly to
the CCO.
To the extent practicable, Employees will seek to remove nonessential Sensitive Personal Information from
information disclosed to service providers. Social security numbers must never be included in widely
distributed lists or reports.
Kosmos’s WISP establishes policies and procedures for the oversight of such service providers and
ensuring that such service providers take appropriate measures to timely notify Kosmos of any unauthorized
access to customer information systems maintained by such service providers.
Access to Kosmos’ Premises
Kosmos’s premises will be locked outside of normal business hours. The Office Manager will review the
privacy policies and procedures of third-party service providers, such as building custodians, which have
access to Kosmos’ facilities.
Meetings with Investors, outside service providers, and other visitors should be held in conference rooms
or other locations where Sensitive Personal Information is not available or audible to others, and such
visitors will not be left in Kosmos’ offices unattended.
On an annual basis the CCO assesses whether information security risks associated with Kosmos’ physical
offices have changed in material ways. The Office Manager and the CCO work together to address any
newly identified vulnerabilities.
Information Stored in Hard Copy Formats
Kosmos has implemented the following procedures to protect Sensitive Personal Information stored in hard
copy formats:
• To the extent practicable, Sensitive Personal Information that is in hard copy format will be kept in
lockable filing cabinets;
• All Sensitive Personal Information, as well as Kosmos’ proprietary information, that is in hard copy
format should be locked up at the end of each workday;
• Hard copy documents containing Sensitive Personal Information must never be left unattended in
public spaces, such as lobbies or conference rooms;
• Documents being printed, copied, or faxed must not be left unattended;
• Employees will exercise due caution when mailing or faxing documents containing Sensitive
Personal Information to ensure that the documents are sent to the intended recipients; and
• Employees may only remove documents containing Sensitive Personal Information from Kosmos’
premises for legitimate business purposes. Any documents taken off premises must be handled with
appropriate care and returned as soon as practicable.
Working in Public Places
Employees should avoid discussing Sensitive Personal Information in public places where they may be
overheard, such as in restaurants and elevators. Employees should be cautious when using laptops or
reviewing documents that contain Sensitive Personal Information in public places to prevent unauthorized
people from viewing the information.
Discarding Information
Employees may only discard or destroy Sensitive Personal Information in accordance with the firm’s WISP
and the Records Retention Schedule contained in the Books and Records Policy portion of the Compliance
Manual. Employees are reminded that electronic and hard copy media containing Sensitive Personal
Information must be destroyed or permanently erased before being discarded.
Privacy Policy Notices
Kosmos will provide a Privacy Notice to all Investors upon establishment of an investment in a Private
Fund.
Investors acknowledge receipt of the initial Privacy Notice when completing fund agreements.
Kosmos will provide Investors with prompt notice of any change to the privacy policies and will give
Investors sufficient opportunity to opt out of any new disclosure provisions. On an annual basis, the CCO
will review the privacy policies and confirm that Kosmos (i) only shares Sensitive Personal Information
with nonaffiliated third-parties in a manner that does not require an opt-out right be provided to Investors;
and (ii) has not changed its privacy policies with regard to disclosing Sensitive Personal Information since
it last provided a Privacy Notice to Investors. If Kosmos cannot confirm the aforementioned two conditions,
Kosmos will provide a copy of the Privacy Notice to all Investors describing Kosmos’ privacy policies. The
CCO will retain a copy of the Privacy Notice sent and will make and retain a record of its distribution.
Responding to Privacy Breaches
If any Employee becomes aware of an actual or suspected privacy breach, including any improper
disclosure of, or unauthorized use or access to, Sensitive Personal Information, that Employee must
immediately notify the Information Security Team (consisting of the CCO and the CEO), as provided in
the firm’s IRP. Any instance of unauthorized access to or use of customer information will trigger the
Incident Response Plan to contain, mitigate, and resolve the incident.
Privacy Protection Training
The CCO will ensure that all new Employees have received, reviewed, and understand their obligations to
protect Sensitive Personal Information. The CCO will also remind all Employees of their privacy protection
obligations during the third or fourth quarter of each year. If the privacy protection program appears to be
functioning well and has not undergone material changes, then this reminder might appropriately take the
form of a broadly distributed annual email. The CCO may provide training more frequently and/or in person
to individuals or groups if:
• Kosmos’ policies and procedures, or the threats to Sensitive Personal Information, change in a
material way;
• Kosmos experiences a privacy breach; and/or
• One or more Employees do not appear to understand their obligations regarding privacy protection.
Kosmos may use information about individuals that was obtained from affiliates for any marketing
purposes.
Kosmos may provide information about individuals to affiliates for marketing and other investment
purposes.
“Sensitive Personal Information” means any record containing “nonpublic personal information” about a
“customer” of a “financial institution” (each as defined in Reg S-P), whether in paper, electronic or other
form, that is in the possession of Kosmos or that is handled or maintained by Kosmos, or on its behalf,
regardless of whether such information pertains to (i) individuals with whom Kosmos has a customer
relationship or (ii) customers of other financial institutions where such information has been provided to
Kosmos.
Updated 04/24/2026