Cyber Threats to the Energy Industry

Transcription

1 Cyber Threats to the Energy Industry Willis Towers Watson 2017 Energy Conference September 21 st, 2017 willistowerswatson.com 2017 Willis Towers Watson. All rights reserved.

2 Agenda 1. Today s Panel 2. Cyber Risk Exposure Environment for Energy Companies 3. Assessing Your Cyber Risk 4. Compensating Controls & Underwriting Criteria 5. Loss Recovery Strategies willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 2

3 Today s Panel willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 3

4 Rob Barberi Rob serves as a Cyber Security & Professional Liability risk specialist, based in Willis Towers Watson s Boston office and focuses on Cyber and Professional Liability risk advisory. He has broad experience negotiating, structuring and placing Network Security, Privacy Liability and Professional Liability insurance programs, focusing primarily on companies with large, complex exposures. Rob has a broad knowledge of insurance company claims handling for cyber insurance and has spent considerable time developing manuscript policy wording to address specific insured needs. He is a regular speaker at industry conferences and actively consults with the US Treasury regarding systemic cyber risks. Rob works closely with numerous companies in the energy sector, serving as a National Cyber Resource for Cyber Energy Risks at Willis Towers Watson. Prior to joining Willis Towers Watson in 2009, he worked at Aon Corporation as a Broker in their Financial Services Group. Previously, Rob was an Associate in Aon s Global Client Network, focusing primarily on the placement and servicing of large international property and casualty programs for Fortune 500 companies. Rob received his B.A. in International Politics & Economics from Middlebury College and his M.B.A. from Boston University with a concentration in Corporate Strategy. willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 4

5 David White Founder and Chief Operating Officer, Axio Axio believes that cyber risk is solvable with an integrated approach that aligns strong cybersecurity with financial hedging strategies Developed Axio s foundational process for cyber risk management and has delivered it to many clients in critical infrastructure sectors, including energy Leads Axio s service business, focused on cybersecurity improvements and cyber risk mgmt. Collaborates on Axio s software platform development to provide security and risk leaders with actionable insight, planning, and reporting for cybersecurity and cyber risk Prior to founding Axio, was a cybersecurity researcher at Carnegie Mellon University Co-authored the CERT Resilience Management Model (RMM) a formal maturity model for managing operational risk Was chief architect on the US Department of Energy s Cybersecurity Capability Maturity Model (C2M2), which is widely used in US energy sector willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 5

6 Garin Pace Garin Pace is a Cyber Product Leader at AIG, responsible for cyber exposure in the Financial Lines and Property products globally. In this role, Garin is responsible for shaping and driving the underwriting strategy for all cyber perils, and ensuring all cyber underwriting tools and processes are consistently leveraged across the portfolio. Garin joined AIG in 2005 as a Professional Liability underwriter and has held various positions of increasing responsibility since. Most recently, Garin was Head of Underwriting Excellence - Cyber, responsible for the underwriting strategy and training for the cyber insurance product in North America. Garin holds a Bachelor s of Science degree in Chemical Engineering from Tufts University. willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 6

7 Michael Guy Expertise: Michael Guy is the Cyber Team Lead for Canada and has worked to develop the quality standards of the CTA Incident Management Process. His cyber practice includes oversight on incidents of malware, ransomware, phishing, whaling, fraudulent funds transfer and privacy breach related to SME commodity programs, institutional (hospitals, colleges, etc.), gaming facilities, manufacturing operations and telecom providers. He has handled notable cyber breach incidents including involvement in high value class action lawsuits. Michael started his insurance career in 1994 working as a insurance adjuster for a large national adjusting firm holding various roles including leading a team managing Corporate Accounts for specialty lines claims. Michael has also held the position of Claims Manager at a national Insurer before joining Charles Taylor Adjusting in Since 2014, he has been in the role of Vice President Branch Manager of the Toronto, Ottawa and Montreal offices. Claims handling includes numerous large and complex losses across Canada involving Commercial / Industrial Property and Business Interruption, Construction, Crisis Management, Products Liability, Pollution Liability (industrial, pipeline, rail), and Cyber.. Professional Qualifications: Bachelor of Business Administration (Hons.) Wilfrid Laurier University Fellow Chartered Insurance Professional (FCIP) - Insurance Institute of Canada Canadian Risk Management (CRM) - Global Risk Management Institute Risk Management Certificate - University of Calgary 2016 Willis Towers Watson Plc. All rights reserved. Proprietary and Confidential.

8 Compliance Complexities NERC California s 20 CIS Controls GDPR Privacy Shield PIPEDA Industry Regulation HIPAA FTC & FCC HITECH Privacy Laws/ Regulations GLBA PCI-DSS Compliance US State Breach Notification Laws willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 8 8

9 Advanced Persistent Threats (Examples) The Ransomware Crisis BlackEnergy Trojan Sandworm Stuxnet Shamoon 2016 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 9

10 Critical Infrastructure Threats DHS is responsible for safeguarding our Nation s CI from physical and cyber threats. DHS created the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to reduce industrial control system risks within and across all critical infrastructure and key resource sectors. In 2016, ICS-CERT received and responded to 290 incidents reported by assets owners and industry partners, coordinated 390 vulnerabilities, analyzed 100 malware samples. The Energy Sector accounted for 59 of the 290 incidents. Spear Phishing was involved in 26% of the 290 incidents reported, making it the leading access vector. Also in 2016, ICS-CERT responded to the first known cyberattack to result in physical impact to a power grid. ICS-CERT Most Notable Recent Alerts Alert (ICS-ALERT C) Petya Malware Variant (Update C) Original release date: June 30, 2017 Last revised: July 10, 2017 ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware. After initial infection, the affected system scans the local network(link is external) for additional systems to infect via Port 139/TCP and 445/TCP, prior to encrypting files and overwriting the Master Boot Record (MBR) or wiping sectors of the disk drive(link is external). There are several reports(link is external) that suggest that the Petya variant s creators intend it to be destructive(link is external) in nature, rather than a traditional, economically motivated ransomware. Alert (ICS-ALERT ) SDG Technologies Plug and Play SCADA XSS Vulnerability Original release date: October 15, 2015 NCCIC/ICS-CERT is aware of a public disclosure of a cross-site scripting vulnerability with proof-of-concept (PoC) exploit code affecting SDG Technologies Plug and Play SCADA, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. According to this report, the vulnerability is exploitable by inserting malicious script in the HTML request to web servers Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 10

11 IOT in the Energy Industry Increased automation Lowered drilling and transportation costs Increased productivity and safety for workers Use of robotics for efficiency and safety Convergence of Operational Technology (OT) and Information Technology (IT) Motivated by ease of remote access Costly to manage separate networks Process Control Networks (PCN) Observe and control environmental factors (air quality, detection of gases) Monitor equipment status (temperature, fuel consumption) Research and Development Designs and build plans for equipment Exploration and resource quality data Corporate communications Improved communications across geographically dispersed organizations 2016 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 11

12 Assessing Your Cyber Risk willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 12

13 Notices Copyright 2017 Axio Global, Inc. Axio is a registered trademark of Axio Global, Inc. NO WARRANTY: THIS AXIO GLOBAL MATERIAL IS FURNISHED ON AN AS-IS BASIS. AXIO GLOBAL MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. AXIO GLOBAL DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Internal use: Permission to reproduce this material and to prepare derivative works from this material for use inside your organization is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works. External use: This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for such permission should be directed to info@axio.com. Axio Overview 08/17/17 13

14 Example Cyber Events

15 Petya/Nyetya/Not Petya 27 June 2017 Data wiper disguised as a ransom-worm Originated in Ukraine but spread globally Exploited the Eternal Blue vulnerability (NSA) 2M computers within 2 hours of release Many prominent firms were impacted; Cyence estimates $850M in damages Motive and origin are a mystery, but many believe that it was targeted to damage Ukraine or serve as a smokescreen [Sulleyman 2017], [Polityuk 2017], [Moise 2017], [Loftus 2017], [Frenkel 2017], [Perlroth 2017], [Barlyn 2017] KUB Workshop 15

16 Coordinated Attack Ukrainian Power Outage, Dec 2015 Highly coordinated manual efforts were synchronized against three power distribution utilities 225,000 customers lost power for < 6 hrs 135 MW 1. SCADA hijack with malicious operation to open breakers 2. Disconnected backup power & flooded call centers to delay outage response 3. Corrupted firmware on communication devices at substations and wiped workstations & servers to amplify attack Results could be more impactful in US due to our heavy reliance on automation and relative inexperience with manual operations. Axio Overview 08/17/17 16

17 Ukrainian Power Outage 2016 Automated transmission attack 1.25-hour outage at one transmission substation outside Kiev, Dec MW power loss = 1/5 of power necessary for Kiev Automated, modular attack tools indicate a dramatic increase in sophistication Attacks at the transmission level have more widespread impact Axio Overview 08/17/17 17

18 Axio Foundation Three simple steps to better understand and address cyber risk

19 RISK Risk Reduction Curve Optimizing the next investment Invest in Capability Sustain Capability Invest in Transfer 1. Early capability improvements have high payoff in risk reduction 2. Payoff flattens as capability increases CYBERSECURITY CAPABILITY 5. Invest accordingly 4. Insurers want insureds to be on the flatter part of the capability curve 3. Insurance transfers impact and results in a quantum risk reduction Axio Overview 19

20 Solving Cyber Risk TM Foundational Process Exposure Quantification Answering Three Fundamental Questions What is my cyber exposure? What is at risk? Cyber Program Evaluation Insurance Analysis and Stress Test Are my cyber defense and response capabilities mature? Do I have the financial ability to recover from an event? Axio Overview 08/17/17 20

21 Tangible Impacts Financial Impacts Develop & Quantify Cyber Loss Scenarios Identify several high-impact, notional, feasible cyber loss scenarios specific to your organization/operations First Party Third Party Estimate impact for selected scenarios using a structured impact taxonomy Four quadrant model All impacts from any cyber event can be categorized into these quadrants Exposure Quantification Axio Overview 08/17/17 21

22 Top Quadrants: Financial Impacts Some of these impacts are data-breach centric; many could apply to any event. Financial Impacts First Party Impacts Response costs: forensics, notifications, credit monitoring Legal expenses: advice and regulatory filings Lost income from network or computer outages, including cloud Theft of funds or securities Cost of restoring lost data Cyber extortion expenses Value of stolen Exposure Quantification intellectual property Other financial Third Party Impacts Consequential lost income Restoration expenses Legal defense Civil fines and penalties Shareholder losses Other financial damages Axio Overview 08/17/17 22

23 Bottom Quadrants: Tangible Impacts These impacts are of increasing concern to all companies, especially critical infrastructure Tangible Impacts First Party Impacts Mechanical breakdown of your equipment Destruction or damage to your facilities or other property Environmental cleanup of your property Lost income from physical damage to your (or dependent) equipment or facilities (business interruption) Bodily injury to your employees Other tangible damages Third Party Impacts Mechanical breakdown of others equipment Destruction or damage to others facilities or other property Environmental cleanup of others property Bodily injury to others Product liability Product recall expenses Other tangible damages Exposure Quantification Axio Overview 08/17/17 23

24 Cybersecurity Program Evaluation Are my cyber defense and response capabilities mature? Program Element Maturity Use a framework or model to evaluate cyber security program Consider multiple evaluations in large organizations for internal benchmarking Use results to identify and prioritize improvements The C2M2 is a solid resource for efficient programmatic review Cyber Program Evaluation Axio Overview 08/17/17 24

25 Tangible Financial Review & Stress Test Insurance Portfolio Review all insurance policies to understand cyber coverage or exclusion Stress test insurance portfolio with the loss scenarios Affirmative (favorable) 1 st Party 3 rd Party Cyber Inclusion Silence Policy Languag e Silence Uncertainty Cyber Exclusion Partial Strong/clear (i.e., CL 380) Insurance Analysis and Stress Test Axio Overview 08/17/17 25

26 Tangible Impacts Financial Impacts Stress Testing Informs Balance Sheet Impact First Party Third Party Quadrant impact: $55,000,000 Insurance: $20,000,000 Balance sheet impact: $35,000,000 Quadrant impact: $5,000,000 Insurance: $5,000,000 Balance sheet impact: $0 Event Totals Gross impact: $295,000,000 Quadrant impact: $175,000,000 Insurance: $150,000,000 Balance sheet impact: $25,000,000 Quadrant impact: $60,000,000 Insurance: $50,000,000 Balance sheet impact: $10,000,000 Insurance: $225,000,000 Balance sheet impact: $70,000,000 Insurance Analysis and Stress Test Axio Overview 08/17/17 26

27 Tangible Impacts Financial Impacts Cyber Peril Coverage Options First Party Intellectual Property Third Party Traditional Cyber Insurance Broad market Important for all firms with a data breach exposure Forensics, data restoration, PR, and extortion coverage are more broadly applicable Exclusion buyback, DIC, & Standalone Coverage Emerging market Important for firms with exclusions in property or casualty coverage Affirmative coverage for bricking of computers is also available Insurance Analysis and Stress Test Axio Overview 08/17/17 27

28 Compensating Controls & Underwriting Criteria willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 28

29 Willis Towers Watson 2017 Energy Conference 2017

30 Tangible Financial Cyber Coverage is Evolving Lines between policies are blurring 1 st Party Damages 3 rd Party Damages Newer Property Policies Newer FL offerings, including AIG s CyberEdge Plus Casualty Property policies are increasingly providing coverage for data, even when there is no real property damage (FM, and AIG s Property Performance forms starting in 2014). Some FL-based Cyber policies are extending cover to bodily injury and tangible property damage. AIG s CyberEdge Plus extends the CyberEdge coverage down to the lower left and right quadrants (to cover cyber physical ) 30

31 3 1 Underwriting Criteria 1 2 Submission requirements & underwriting standards vary: From Insurer to Insurer different Insurers see different risk indicators From risk to risk, including: By size By threat/industry By asset applicability (e.g., ICS vs PoS) By coverage (cyber-physical vs non-physical, 1 st vs 3 rd, etc) Most underwriting involves: Evaluation of threat: how much does applicant deviate from Insurer s baseline threat assessment Evaluation of impact: type of data, criticality of systems Evaluation of risk reduction efforts: infosec maturity/governance, control effectiveness, passive safety controls for cyber-physical

32 Controls What Underwriters Look For Governance, Culture & Training Who is the org s information security leader? Do they have adequate resources and authority? How is information security measured and communicated to the BoD? Does the org have an information security management system? Do employees receive security awareness training? How does the org practice incident response? Technical Controls Does the org: manage all devices on the network? manage the security configuration of devices? log important events, and analyze those logs for unusual behavior/signs of attack? use MFA to authenticate users for critical systems and remote access? have a process to secure data at rest? segment critical systems? 32

33 Segmentation Traditionally air gapped OT is increasingly joined to IT for automation Flat networks expose OT environment to IT environment s risk No opportunity to apply OT-specific ACLs Any failure in IT environment malicious or not likely to impact OT environment Easier for attackers to pivot to their goal 3 rd -Party Control Network (OT) RISK Business Network (IT) PLC PLC HMI Control Server RISK Workstations, servers, databases, printers Internet 33

34 Segmentation Segmentation provides enhanced security visibility Easier to pick out unusual traffic Sneakernet still a risk, but likely less dependency on removable media Solutions such as data diodes can allow one way flow of data for reporting Control Network (OT) Monitoring system SIEM: security information and event management Business Network (IT) 3 rd -Party PLC PLC HMI Control Server DMZ Workstations, servers, databases, printers Internet 34

35 American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries and jurisdictions. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. Additional information about AIG can be found at YouTube: LinkedIn: AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds. The data contained in this presentation are for general informational purposes only. The advice of a professional insurance broker and counsel should always be obtained before purchasing any insurance product or service. The information contained herein has been compiled from sources believed to be reliable. No warranty, guarantee, or representation, either expressed or implied, is made as to the correctness or sufficiency of any representation contained herein. American International Group, Inc. All rights reserved. 35

36 Loss Recovery willistowerswatson.com 2017 Willis Towers Watson. All rights reserved. Proprietary and Confidential. For Willis Towers Watson and Willis Towers Watson client use only. 36

37 Charles Taylor Adjusting -Cyber Overview -Incident Response Plan willistowerswatson.com

38 Charles Taylor Group - global insurance sector focused The leading specialist provider of professional services to clients throughout the global insurance market Professional Services Management Services provides end-to-end management of insurance companies and associations Adjusting Services provides loss adjusting services across the aviation, energy, marine, property, casualty and special risks sectors Insurance Support Services provides a range of outsourced professional, technology and support services Life Owns and consolidates international life insurance businesses, which are primarily in run-off 1884 CT established 71 Offices 169m 2016 revenue 1,800 Employees 28 Countries 100 % Focus willistowerswatson.com 38

39 CTA Loss Adjusting Business Model Knowledge Offer unmatched level of deep technical expertise across all four of the main product areas in insurance. Talent Identify and develop next generation of loss adjusting talent. Global Network Expand geographic footprint to maintain local presence whilst connected to the global insurance hubs. Client Centricity Ensure we remain client centric and that both client service and value are at the heart of all the things that we deliver. Innovation Use the best of Charles Taylor to develop innovative solutions that improve our efficiency and advance the technological capabilities of our client. willistowerswatson.com Market Relevant Services Use our extensive network to identify emerging risks and invest in market relevant services e.g. cyber risk. Copyright 2017 Charles Taylor plc All Rights Reserved. 39

40 What is Cyber all about? Cyber Agenda Review Cyber Risk Exposure compliance, persistent threats, critical infrastructure threats, IOT Assessing Cyber Risk The Axio Foundation Exposure Quantification Cyber Program Evaluation Insurance Analysis and Stress Test Financial / Tangible Compensating Controls & UW Criteria evolving cyber coverage, blurred lines, UW risks What does it all mean? Resiliency solutions to inside and outside threats Protecting digital assets, physical assets, and information Ensuring business continuity Understanding what the wizard does behind the curtain! willistowerswatson.com 40

41 Severity Historical State of Cyber Vandalism / Disruption Worms Viruses Cybercrime Spyware / Bots Cyberespionage and Cybercrime APT Zero-Day Targeted Attacks Dynamic Trojans Stealth Bots POS Ransom-ware ICS/ SCADA Weaponized Malware Manufacturing Power grids Time Frame willistowerswatson.com Source WGM Holdings LLC Cyber Security Information Security and Risk Management 41

42 Success in Mitigation and Handling Losses/Incidents Cyber Early enactment of the Cyber Response Plan Contingency planning to maintain operations Tight contractual wordings for risk avoidance / risk transfer with customer / suppliers Adequate financial resources to respond swiftly internal coffers Corporate culture of protection with BOD buy-in Early FNOL engagement of Incident Response Team Pre-loss working relationship with Incident Response Team vendors Skilled Incident Response Team vendor panel Well defined and understood insurance program / coverage willistowerswatson.com 42

43 Cyber Response Plan and Additional Actions Preparedness Cyber Response Plan Avoid dwell time Extensive encryption Back-up, back-up, back-up People = greatest risk Invest Employee training Budget for IT systems and safeguards Procure specific insurance protection or finance for coverage shortfalls Pre-selected and vetted vendors willistowerswatson.com 43

44 Cyber Response Plan and Additional Actions Notification / Legal Arena When and how to notify: Clients Regulators Third Parties New legislation Class Actions Sanctions Fines and Penalties Protect Reputation Risk Competitors pounce to take market share Competing / Overlapping coverage Assess priority and multi-policy involvement pre-incident willistowerswatson.com 44

45 Lessons Learned Experience from Cyber Incident Handling Claims under Traditional Cyber Products Cost benefit analysis needs to be part of the Cyber Response Plan Buy coverage for business needs Communication is key Timely root cause investigation by an IT Forensic expert Evolving Product Considerations Report losses to all insurers silent cyber risk Standard wording and terminology sought by the marketplace Plain language policy wording is more flexible Compensating Contracts and SLAs willistowerswatson.com 45

46 CTA Cyber Expertise Key Points More than 35 specialist adjusters / Incident Managers (IMs) in the world to assist Recognized global expertise Multilingual claims / IM response Focal points in Asia, Australia and New Zealand, USA, Canada and Europe, with one global point of contact Dedicated triage call centre Dedicated address ( cyber@ctplc.com) linking the specialist adjusters 24/7/365 response willistowerswatson.com 46

47 CTA Cyber Incident Management Process IM Notification Stage 1 Global Notification to CTA Andrew Shepherd & Laetitia Fouquet Charles Taylor Adjusting Ltd 88 Leadenhall Street London, UK EC3A 3BA T: +44 (0) E: cyber@ctplc.com Canada Michael Guy Charles Taylor Adjusting Ltd 700, 260 Bay Street Toronto, Ontario, T: E: cyber@ctplc.com / michael.guy@ctplc.com willistowerswatson.com 47

48 Incident Manager Role IM Preliminary Investigation Stages 2 to 4 Incident Manager - coordinate and communicate the information to the vendors Contingency Planning Source Consulting Vendors IT Forensics, PR, Forensic Accounting, Quantity Surveyors, Legal, etc. Assess current legal and regulatory obligations Understanding of financial and tangible / physical exposures across multiple industry sectors. Swift management to avoid issues with the media. Stage 4 CTA appoints relevant vendors Stage 3 CTA contacts insured Stage 2 CTA allocate Incident Manager willistowerswatson.com 48

49 Incident Management Process IM Stages 1 to 9 Stage 9 Wrap up/ Further Actions Stage 8 Conference call CTA, Legal, IT, Forensics Stage 7 Legal & CTA liaise Stage 6 IT Forensics & CTA liaise Stage 5 IT Forensic contacts Insured Stage 4 CTA appoints relevant vendors Stage 3 CTA contacts insured Stage 2 CTA allocate Incident Manager Stage 1 Notification to CTA willistowerswatson.com 49

50 Why CTA? Recognized name trusted and accepted by the global Insurance industry including underwriters, claims personnel, brokers and third party administrators. Unrivalled breadth and depth of expertise across Property, Casualty, Technical & Special Risks, Energy, Marine and Aviation. Extensive network of global offices strategically placed where our clients need us. Flexible commercial arrangements aligned to the value we provide to your Business. We enhance the claims experience of your clients through our technology powered solutions and service delivery. Viable long term partner to both Procurement and the Business - we combine breadth of services, product expertise and geographic reach, with the next generation of adjusting talent. willistowerswatson.com 50