Cybersecurity Recommendations
Financial Executives International's Committee on Finance & IT (CFIT)
June 12, 2014, Morristown, New Jersey
Melissa J. Krasnow, Partner, Dorsey & Whitney LLP, and Certified Information Privacy Professional/US
Email: krasnow.melissa@dorsey.com
Cybersecurity Recommendations: Divided into Four Parts
  I.   Risk Assessment and Management
  II.  Preparation and Plans
  III. Governance
  IV.  Disclosure
Part I: Risk Assessment and Management
  A. Review Category, Type, Format and Location of Information, Assets and Systems, and Eliminate Information That Is Not Needed
Part I: Risk Assessment and Management (cont'd)
  B. Conduct a Risk Assessment
     i.   Social Engineering Scams
     ii.  Network Breaches
     iii. Physical Breaches
     iv.  Mobile Breaches
Part II: Preparation and Plans
  A. Review Contracts and Policies
  B. Security Program
  C. Incident Response Plan
  D. Cyber Liability Insurance (Source: AIG)
     i.   Security and Privacy Liability Insurance
     ii.  Event Management Insurance
     iii. Cyber Extortion Insurance
     iv.  Network Business Interruption Insurance
Part II: Preparation and Plans (cont'd)
  E. Practical Steps to Minimize Risks
     i.   Limit Access
     ii.  Password Procedures
     iii. Firewalls, Antivirus and Other Internet Security Solutions; Patches and Updates
     iv.  Encryption
Part II: Preparation and Plans (cont'd)
  E. Practical Steps to Minimize Risks (cont'd)
     v.    Back-up
     vi.   Destruction
     vii.  Training and Awareness
     viii. Monitoring
Part III: Governance
Part IV: Disclosure
  A. SEC Guidance
  B. State Breach Notification Laws and HIPAA Breach Notification
  C. Breach Notification Laws in Other Countries
Part IV: Disclosure (cont'd)
  D. Cyber Liability Insurance and Contract and Policy Provisions
  E. Developments
Law and Guidance
  - Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology (NIST) (February 12, 2014)
    http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  - Cybersecurity in the Golden State (February 27, 2014)
    https://oag.ca.gov/cybersecurity
  - Mass. Regs. Code tit. 201 § 17.00 et seq.
    http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
  - Division of Corporation Finance, U.S. Securities and Exchange Commission, CF Disclosure Guidance: Topic No. 2 (October 13, 2011)
    http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
Report and Articles
  - Verizon 2014 Data Breach Investigations Report
    http://www.verizonenterprise.com/DBIR/2014/
  - Guidance for Managing Cybersecurity Risks, International Risk Management Institute (May 2014)
    http://www.irmi.com/expert/articles/2014/krasnow05-cyber-privacy-risk-insurance.aspx
  - Written Information Security Programs, Practical Law Company (May 2014)
    http://www.dorsey.com/files/Upload/Written%20Information%20Security%20Programs%20Compliance%20with%20the%20Massachusetts%20%287-523-1520%29.pdf
  - The Securities and Exchange Commission's Guidance on Cybersecurity and Cyber Incident Disclosure, BNA Privacy & Security Law Report (October 31, 2011)
    http://www.dorsey.com/files/upload/BNA_Cybersecurity.pdf