Anatomy of a Common Cyber Attack Targeted spear-phishing Privilege escalation through credential theft Installation of malware Packaging and exfiltration of targeted data Covering up of tracks

Lessons Learned: Common Failings Application Security Overall Management Infrastructure Security Identity & Access Management Overall Management Failed to address recommendations from third-party assessments Governance/senior leaders not involved Uneven security across organization Identity & Access Management Lack of control over system administrator credentials Use of default passwords for privileged accounts Improper/unnecessary access to networks by third parties Failure to use two-factor authentication for remote access Data Protection Lack or failure of encryption Incomplete inventory of sensitive data and its locations, leading to insufficient data protection Infrastructure Security Improper segmentation Failed or insufficient network monitoring Unnecessary permissions for connections between servers Failure to decommission systems no longer in use Unnecessary connection between servers and the external internet Failure to deploy purchased network security/monitoring tools Application Security Application patching and updating problems Failure to restrict permissions to install unauthorized software Failure to audit for known vulnerabilities Data Protection

Lessons Learned: Preparedness Companies that have responded effectively: Prioritize and plan: draft and exercise an incident response plan Identify single interdisciplinary team to manage the response Engage outside experts pre-incident Draft holding statements Look at third-party vendor access Connect with law enforcement Prepare and/or promptly inform the Board post-incident Assess information security practices against regulators’ publications, enforcement actions Companies that have responded effectively: Prioritize and plan: draft and exercise an incident response plan Identify single interdisciplinary team to manage the response Engage outside experts pre-incident Third-party forensics team Crisis communications team Credit monitoring / mailing vendor Law firm Draft holding statements Look at third-party vendor access Connect with law enforcement Prepare and/or promptly inform the Board post-incident Assess information security practices against regulators’ publications, enforcement actions

Lessons Learned: Coordinated Response Forensics First: Address Compromise & Understand What Happened Communications Issues Legal Issues Forensics are critical: what is known, unknown and degree of uncertainty Conduct a legally privileged investigation Reputational issues first, but be mindful of potential for litigation Consider all constituencies — ensure consistent messaging Track and coordinate communications with regulators and law enforcement Statutory and contractual notice obligations Address regulators and law enforcement Consider potential SEC disclosure issues Identify SOX systems and include in scope of forensic work Cyber Insurance Litigation Forensics First: Address Compromise & Understand What Happened: Forensics are critical: what is known, unknown and degree of uncertainty Conduct a legally privileged investigation Communications Issues Reputational issues first, but be mindful of potential for litigation Consider all constituencies—ensure consistent messaging Track and coordinate communications with regulators and law enforcement Legal Issues Statutory and contractual notice obligations Address regulators and law enforcement Consider potential SEC disclosure issues: Material? Risk factor revision? Identify SOX systems and include in scope of forensic work Cyber Insurance—notify insurer ASAP; be mindful that public statements do not undermine claims Litigation

Lessons Learned: Coordinated Response Forensics FTC/SEC Customers State AGs Employees & Directors Insurers Media Congress Interdisciplinary team managing/coordinating response Manage simultaneous work streams Ensure common and complete understanding of the facts across team Law Enforcement Litigation

Response Workstream: The Initial 24 Hours Key Tasks Comments / Points of Contact Incident response team convenes Initial meeting / call to be set up as soon as possible Incident Response Team will manage immediate response actions CISO response: containment and remediation Focus on CISO & efforts to contain/remediate incident Outside counsel Contact outside counsel Outside counsel to engage pre-arranged forensic firm(s), if necessary, in consultation with legal team and other relevant stakeholders Law enforcement Consider whether to contact FBI and/or other agencies Document preservation Consider issuing document preservation notice(s) Credit monitoring / identity protection services Confirm breach of sensitive PII (e.g., payment card data coupled with name, SSN, passport, etc.) SEC Consider need for Form 8-K filing Internal messaging Communications statements & guidance to employees Briefings to management/directors Provide briefing to key senior executives Inform Board of current status

Response Workstream: Beyond the First 24 Hours Key Tasks Comments / Points of Contact Technical response and forensics Ongoing forensic investigation, containment & remediation Audit firm requests Respond to requests for information from company auditors Evaluate data breach notice to consumers/counterparties/AGs Continually evaluate obligation to provide notice to individual consumers or contract counterparties as forensic information is developed Ensure notification complies with state-specific requirements Alert state AGs as appropriate Communications Implement external and internal communications plans as forensic information develops Investor relations Coordinate with corporate communications Board of directors Regular updates to Board or appropriate Board committee Law enforcement Outside counsel to coordinate/cooperate with law enforcement SEC Consider disclosure obligations as forensic information develops Contracts Review contracts for any notice obligations Litigation Monitor for litigation filings