May 13, 2008 Craig J. Pinkerton, Director – PricewaterhouseCoopers National Conference on SAFE TRADE & AEO “CTPAT Six Years on: A Review of the Private Sector” May 13, 2008 Craig J. Pinkerton, Director – PricewaterhouseCoopers

Level of Security Prior to 9/11 The level of security for importers, carriers, truckers, etc. was determined primarily on: the value and nature of imported merchandise the level of theft and shrinkage discovered along the supply chain whether the product was considered sensitive by the government (e.g., tobacco; pharmaceutical drugs) whether the product could pose a threat to the public (e.g., firearms; chemicals; hazardous materials) 2

Threats to the Supply Chain Changed the Security Landscape 9/11 introduced tighter security into the logistics process The flow of goods from the manufacturer to the end user is now viewed as needing protection, not just the product People crossing borders into the U.S. are being monitored to minimize or eliminate the threat of danger No longer is it only value or dangers intrinsic to imported product, but the logistics function itself is being viewed as a security issue The conclusion that danger could accompany products throughout the supply chain caused a major refocus on security 3

Development of Security Initiatives ISO (International Organization for Standardization) Container Security Initiative WCO Customs-Trade Partnership Against Terrorism (C-TPAT) 10+2 Security Filing AEO (Authorized Economic Operator) FAST (Free and Secure Trade) Canadian PIP (Partners in Protection) SAFE Framework 4

What are Customs’ Expectations? Through this initiative, Customs is asking companies to ensure the integrity of their security practices and communicate their security guidelines to their business partners within the supply chain (i.e., “increased vigilance”) The primary goals of C-TPAT include: Increasing security measures, practices and procedures throughout all sectors of the international supply chain Protecting the public from terrorist activities Ensuring the flow of legitimate trade Providing Customs with a means of looking into a company’s supply chain security profile 5

WCO Standards Mirror C-TPAT Business-Customs Cooperation Conveyance/Container Security ISO Security Seals Required Physical Access Security Personnel Security Procedural Security Information Systems Security Employee Security Training Continuous Improvement Process Risk Assessment 6

Evolution of C-TPAT Launched in November 2001, with only seven major importers C-TPAT currently has more than 10,000 partners, which include United States importers, customs brokers, terminal operators, carriers, truckers and some foreign manufacturers Initially, voluntary participation and jointly developed security criteria and implementation procedures were the guiding principles As the program grew, so did the need for more clearly-defined security criteria to establish the minimum, baseline security expectations for membership In 2005, minimum-security criteria for importers was implemented and companies were required to meet the new criteria within certain timelines 7

C-TPAT Benefits Beyond the essential security benefits, Customs offers the following benefits to C-TPAT members: A reduced number of inspections (reduced border times) Priority processing for Customs inspections (Front of the Line processing for inspections when possible) Assignment of a C-TPAT Supply Chain Security Specialist who will work with the company to validate and enhance security throughout the company’s international supply chain An emphasis on self-policing, not Customs verifications 8

C-TPAT Benefits Eligible to attend C-TPAT supply chain security training seminars Access to other C-TPAT members via the Status Verification Interface Certified C-TPAT importers are eligible for access to the FAST lanes on the Canadian and Mexican borders Mitigating factor in cases of fines and penalties Demonstrates good corporate citizenship to Customs 9

Security Costs versus Benefits There have been several logistics studies published since 9/11 that detail the costs and benefits associated with the C-TPAT program, such as: Stanford Supply Chain Study - October 2003 MIT Supply Chain Study - May 2005 Stanford Innovation in Supply Chain Security - July 2006 University of Virginia Cost Benefit Survey - August 2007 10

Benefits from Investment in SAFE Trade Fewer Customs Inspections (50%) Reduction in Excess Inventory (14%) Improved on-time delivery (12%) Reduction in Theft/Loss/Pilferage (38%) Access to Shipping Data (50%) Timely Shipping Data (30%) Less Customer Attrition (26%) Increase of New Customers (20%) (Source: Stanford University Study, July 2006) 11

Benefits from Investment in SAFE Trade The primary motivation for importers to join C-TPAT is to reduce the risk of supply chain disruptions due to a terrorist attack Four out of every ten members did not have a formal supply chain security plan prior to joining the program C-TPAT moved thousands of companies to give closer scrutiny to the security of the goods they handle and review the supply chain to ensure that their overseas suppliers have implemented sound security practices Greater Supply Chain integrity (stronger seal controls) Stronger brand equity 12

Benefits from Investment in SAFE Trade The vast majority (81.3 percent) of members indicated that their ability to assess and manage supply chain risk had been strengthened as a result of joining C-TPAT C-TPAT certification requires that companies meet an extensive checklist of verifiable conditions. Nevertheless, minimum security criteria were generally viewed as very easy or somewhat easy to implement across the various sectors More than half (56.8 percent) of the members indicated that C-TPAT benefits either outweighed the costs or were about the same (Source: University of Virginia Study 2007) 13

Costs from Investment in SAFE Trade Typical implementation costs (listed from highest to lowest): Improving or implementing physical security costs (doors, windows, electronic access, cameras, fences, gates, lighting, etc.) Salaries and expenses of personnel Improving IT systems and databases Improving cargo security Improving or implementing in-house education, training, and awareness Improving personnel security procedures 14

Example of Security Procedures to be reviewed Physical Access Controls Employees, Visitors and Deliveries – identification and badge process is key; and removing unauthorized individuals Personnel Security Pre-employment verification, background checks, and termination procedures for prospective and current employees Procedural Security Documentation processing, shipping and receiving, and cargo discrepancies Container and Trailer Security Seal integrity, inspection and storage 15

Example of Security Procedures to be reviewed Physical Security Fencing, guardhouses, parking, locking devices, key controls, lighting, alarms, and video cameras Information Technology Security IT security procedures, password protection, system accountability (firewall, virus protection, monitoring service) Security training and threat awareness Focus on what types of training offered to employees and whether supply chain security training (C-TPAT specific) given 16

Business Partner Requirements Importers must have written, verifiable processes for the selection of business partners including manufacturers, product suppliers, and vendors They should also have documentation substantiating that partners throughout their supply chain are meeting C-TPAT security standards - or equivalent supply chain security program criteria e.g., supply chain assessment questionnaire, on-site audit report, written confirmation, etc. Where a company outsources or contracts elements of its supply chain, such as a foreign facility, warehouse, or conveyance, it must work with these business partners to ensure that pertinent security measures are in place and adhered to 17

Business Partner Requirements Companies now leverage their business relationships and ensure that business partners develop security processes and procedures consistent with the C-TPAT criteria Build C-TPAT/security language directly into contract Narrowing universe of business partners Periodic reviews of business partner’s processes and facilities should be conducted based on risk 18

Business Partner – Example of Risk Foreign inland freight carrier - may be the weakest link in the supply chain In certain countries, local trucking companies must be used. Additional processes may need to be set up to deal with risk 19

Common Security Shortfalls Cargo seals not used by foreign inland carriers and policy not documented Less than full truck load Air shipments No C-TPAT security-based training provided to employees, especially those with cargo handling responsibilities (warehouse, shipping, receiving, etc.) Procedures at foreign facility are commonly “patched” together from various departments, rarely mention C-TPAT related policies and procedures, and usually consist of random screen shots and dusty binders 20

Common Security Shortfalls Employees inconsistent in displaying badges, especially in cargo handling areas C-TPAT web portal not updated to reflect changes in company’s program From security standpoint, other weak areas noted included: Mail room deliveries Use of temporary agencies for labor No one actually monitoring video cameras (or, for example, 32 cameras all feeding into a 13” monitor) Collecting badges and terminating access when employees leave company 21

Common Security Shortfalls Responses received from foreign vendor during questionnaire process do not match reality. Examples: “fence around perimeter” vs. fence rusted and fell down in 1998 “pan and zoom cameras throughout facility” vs. inoperable cameras dangling from wires “truck drivers sign in/out” vs. drivers waved on through because same drivers every day Customs not asked for identification upon arrival (Note: A company is not required to implement all best practices, however, CBP may ask why certain procedures cannot be implemented) 22

Benchmarking - Best Practices from Industry Security measures: Exceed the C-TPAT Security Criteria Incorporate management support Have written policies and procedures that govern their use Employ a system of checks and balances C-TPAT is an on-going program! Companies continually update their supply chain security program (e.g., new factories, business partners) Periodic assessment is part of corporate manual Verify procedures to ensure they are being followed and make modifications as necessary Ownership at each entity level responsible for maintenance 23

Benchmarking - Best Practices from Industry Since C-TPAT is a Customs program, it is typically managed by a company’s global customs compliance group along with legal oversight C-TPAT “Champion” provides oversight Importer has sound compliance program in place Opportunity to provide additional on-site training Ability to tie into other security initiatives (e.g., 10+2 requirement) Senior Management Support and Buy-in An absolute must Lack of support at top levels - failure is imminent! 24

Benchmarking - Best Practices from Industry Do not assume business partners will not be visited – especially foreign business partners. Example: Tier 3 U.S.-based customs broker in Philippines is visited an average of two times per month by CBP SCSS As a result of numerous visits, virtually every best practice has been implemented (clearly evident) GPS on all trucks to monitor real-time movements Security personnel accompany shipment from factory to airport (customs bonded facility) High security seals and padlocks utilized Comprehensive policies and procedures 25

Recommended Workplan for Security Program Review global supply chain to verify your business partners, such as foreign manufacturers, carriers and brokers Conduct analysis based on volume and risk Identify which business partners are already in the C-TPAT program or other supply chain program such as AEO, and which partners have already participated in a supply chain documentation process or have undergone an on-site audit Determine best application strategy 26

Recommended Workplan for Security Program Conduct domestic reviews at headquarters and distribution facilities Conduct comprehensive self-assessment of supply chain security (based on the C-TPAT/AEO security guidelines) Document current supply chain security procedures Develop and implement a program to enhance security throughout the supply chain in accordance with guidelines Communicate supply chain security guidelines to other partners in supply chain 27

How has C-TPAT evolved? Already in progress: Detailed verifications of applications Revalidations of certified companies Tighter container seal control Tighter documentation control New security criteria - importers now seeking to join the C-TPAT program will need to meet or exceed the new security criteria before they will be certified 28

How has C-TPAT evolved? Companies beginning to implement: Smart containers and tracking systems Extensive screening (initial & ongoing) of personnel. This includes both foreign and domestic locations Security/C-TPAT requirements for their entire supplier base and logistics providers Security audit as part of normal periodic audit of foreign entities Best Practices to obtain Tier 3 status As of March 2008, only 243 Tier 3 companies 29

Moving Forward: 2008 and Beyond The SAFE Port ACT signed in 2007 has codified C-TPAT and CSI and calls for mandatory use of ISO 17712 compliant seals on all containers by October 2008 Canadian PIP program members will gain reciprocity status with C-TPAT program members TSA will announce air cargo security guidelines deferring to many C-TPAT guidelines WCO will expand the AEO program in the European Union, Asia and Latin America Greater use of electronics in cargo protection 30

Moving Forward: 2008 and Beyond More frequent reviews of company’s security procedures and policies (even after validation/revalidation) C-TPAT members continue conducting audits of foreign vendors regardless of whether in another program C-TPAT members are conditioning contractual business relationships with their service providers and vendors based on C-TPAT participation and/or adherence to C- TPAT security guidelines Mutual Recognition and Reciprocity with other countries Global buy-in to security Additional X-ray screening and data mining 31

Moving Forward: 2008 and Beyond Congress pressuring Customs to implement 100% container screening. Customs potentially trying to counter with C-TPAT program and cargo screening software Customs reducing timeline for validations from 3 years to 1 year, and revalidating each company every 3 years instead of the specified 4-year schedule Third-party validations: Customs currently accepts only in China. Other AEO programs may allow selected third parties to conduct validations in any country 32

CONTACTS Craig J. Pinkerton – PricewaterhouseCoopers Los Angeles Tel: (213) 256-6037 Email: craig.j.pinkerton@us.pwc.com Dennis Caronan – PricewaterhouseCoopers Manila Tel: 632 845 2728, Ext. 2118 Email: dennis.anthony.p.caronan@ph.pwc.com John S. Kwak – PricewaterhouseCoopers Hong Kong Tel: (852) 2289 3331 Email: john.sh.kwak@hk.pwc.com