2008 Business Continuity & Corporate Security Crisis Management in Integrated Financial Services Organizations
Agenda
- Crisis Management Planning at Chubb & Son
- Crisis Management Planning at New York Life
- Questions & Answers

Introduction
- Bert Wolff, Business Continuity & Security Manager, VP, Chubb & Son
- Frederick M. Spina, Corporate VP, Business Continuity & Recovery, New York Life Insurance
Crisis Management Program Objectives
The objective of our Crisis Management Program is to ensure that the required Corporate Incident Management Teams are in place and trained to:
- Respond, Assess and Mitigate
  - The impact of an anticipated or unanticipated event that threatens normal operations
- Declare
  - Communicate the state of the incident internally and externally, and mobilize the organization in response
- Stabilize
  - The incident, through the invocation of the corporate incident management teams and processes designed to rapidly recover work area space and technology
- Ensure
  - The appropriate levels of communication inside and outside the organization
  - Business interruption is minimized
  - Risk of legal liabilities is minimized
  - Funding and claim payment obligations are met
  - Compliance with applicable laws, regulations and insurance requirements is met

Why is Crisis Management so important?

Managing the Overlap
(Diagram: overlapping regions for Security, BCP, DRP and ERP, with the following scenarios placed across them to show that one incident can fall under several programs at once.)
- A – Hurricane Disruption
- B – Main Campus Outage
- C – Simsbury Server Room Fire
- D – Disabled Data Center
- E – Cyber Attack
- F – International Kidnapping
- G – Customer Information Theft
Enterprise Resiliency
- Resiliency Defined – “The ability to withstand and bounce back”
- The ability of senior management to be prepared for and resilient against disruptions of any kind that could threaten the viability of the organization in the immediate and longer term.

Enterprise Resiliency Program
- Crisis Management (CIMT/EIMT)
- Responding to Emergencies (ERP)
- Ensuring Continuity of Operations (BCP)
- Ensuring Continuity of Technology (DRP)
- Security
  - Protecting Corporate Assets & Employees
  - Risk Management & Mitigation
- Facilities
- IT Infrastructure/Software

Program Scope
- Crisis Management Planning (CMP)
  - Create tools & training for CIMT/EIMT
  - Direct CIMT and EIMT testing activities
  - Monitor/track potential threats
- Emergency Response Planning (ERP)
  - Prepare/exercise ER strategies
  - Design/implement ER plans
  - Communicate ER protocols to employees

Program Scope (continued)
- Business Continuity Planning (BCP)
  - Maintain BCP methodology
  - Educate/train/assist SBUs in developing BCP plans
  - Identify/quantify business risks
  - Provide recovery strategies and solutions
  - Conduct individual and collective tests
  - Coordinate/monitor responses
  - Communicate business area requirements (via BIA)
- Disaster Recovery Planning (DRP)
  - Define schedules & objectives for DRP tests
  - Participate in DRP tests
  - Review test results
  - Adjust recovery strategies to align with SBU requirements
- Security
  - Manage/oversee Corporate Security Program
  - Respond to workplace violence issues

Program Integration
- These five program components join together to form Chubb’s unified Enterprise Resiliency Program
- When integrating these components, a natural overlap of responsibilities emerges during an incident
Incident Response
- The planning, preparation and risk mitigation management that allows us to respond quickly and efficiently to large and small incidents, to minimize the effect on our business.

Incident Timeline
(Chart: % of operation over time, from onset of event through disaster declaration, recovery, restoration and transition/‘return home’; the Emergency Response Plan, the Business Continuity Plans (by area) and the Technology Disaster Recovery Plan are shown as overlapping phases along the timeline.)
Confidential & Proprietary – For Internal Use Only

Recovery Teams
- Response Teams play a critical role in the Command and Control process. They perform the following functions:
  - Assess the magnitude of an incident
  - Decide what the response will be
  - Activate the firm-wide recovery infrastructure
  - Implement recovery plans
  - Resolve issues impacting rapid recovery
- Local Incident Management Teams (LIMT)
  - Consisting of members of the local office’s core business areas, for example operations, loss control, claims and human resources
  - Coordinate initial emergency response activities
  - Provide initial assessment of the event to senior managers
  - Provide information critical to the declaration

Recovery Teams
- Corporate Incident Management Team (CIMT)
  - Central authority directing the response process from corporate headquarters. The CIMT is responsible for:
    - Declaring a disaster
    - Activating all other recovery teams
    - Communicating the incident status to senior management, employees and stakeholders where applicable
    - Coordinating recovery efforts (i.e. facility and technology)
    - Implementing firm-wide support recovery plans (i.e. Human Resources, Corporate Services, Finance, etc.)
    - Activating Working Group Teams
- Extended Incident Management Team (EIMT)
  - Consisting of key individuals who would be involved in the detail of incident resolution; assists the CIMT by responding to and activating recovery priorities at the time of the event
Contingency Planning Considerations March 19, 2008
Critical Parts of the Survival Puzzle
- Keep employees, visitors and customer sites safe
- Maintain clear communication with employees and/or customers
- Never lose critical communication channels that support customers
- Isolate the incident to preserve access to critical facilities, inventory/assets and intellectual property
- Develop cost-effective solutions while turning obstacles into opportunities for greater success

Critical Parts of the Disaster Puzzle
- Failing to anticipate and develop controls for threats to critical/core business functions. (Risk Management/Disaster Plan)
- Failing to prevent (or provide advance warning of) one or more people being seriously injured or killed. (Emergency Response Plan/CMT)
- Failing to deliver a product or provide a service to a customer. (Business Continuity Plan)
- Failing to communicate with our employees, visitors or customers about safety, service, billing or revenue collection. (Business Recovery Plan)

The Disaster Life Cycle
(Diagram of the cycle: Awareness, Prevention, Auditing/Training, Risk Management Self Assessment, Plan, Organized Communication & Response, Restore Facilities, Resume Normal Operations, Query Customer/Feedback.)
- Emergency Response Plan – CMT (first 24–72 hours)
- Business Continuity/Disaster Plans (48 hours – ?)
- Goals shown across the cycle: Customer Retention & Satisfaction, Protect Cash Flow, Protect Infrastructure & Customer, Use Alternate Plans

Definition of Role & Responsibility
- Risk Management – Self Assessment Opportunities
  - Oversight Committees (Pandemic, Finance, International, etc.)
  - Internal audits & regulatory audits
  - Safeguarding intellectual property
  - Records management
  - Creating a safety-conscious culture
- Emergency Response
  - Prompt notification of employees, visitors and customers using one of three Crisis Command Centers
  - Impact assessment
  - Rerouting inbound/outbound calls
  - Physical security
  - Evacuating/relocating personnel
  - Employee compassion centers
  - Voice & data recovery & rerouting

Definition of Role & Responsibility
- Disaster Planning & Business Continuity
  - Identify and plan for maintaining core business functions
  - Analyze and minimize business impact
  - Identify resource needs
  - Understand how long you can operate on “artificial power”
  - Reroute process, product and delivery
  - Maintain communication, identify gaps and ensure flexible closure
  - Communicate with customer – pre-event
- Business Recovery
  - Contain the impact of the disaster
  - Minimize disruption in cash flow, communication & service delivery
  - Deliver alternate ways to service the customer
  - Prevent long-term loss of market share
  - Communicate with customer – post-event
  - Maintain regulatory compliance
  - Maintain revenue stream and other mission-critical success factors
Observations/Pitfalls to Avoid
- Clearly define the role/responsibility of the incident/emergency management team and define the interaction at all levels of the organization, internal and external.
- Define assumptions and expectations on how the business will be managed during a significant disruption.
- Define levels of outages, accountability and ownership at the local, business unit and corporate crisis management team level.
- Provide training and education programs for functional managers. If they understand what is being asked and why, it will enhance their understanding of when and how to act during and after an emergency.
- Alternate operating procedures that sustain vital business functions until data processing capacity is restored need to be discussed prior to an event.
- Avoid heavy reliance on untested plans of others.
- Avoid the use of excessively detailed procedures when guidelines would suffice. Make better use of Quick Plans and the KISS principle in a crisis.

Contingency Plan Assumptions
- Providing 100% redundancy for all disaster types is not practical.
- Documenting detailed procedures for infinite alternate plans is not cost-effective, while understanding the response elements is.
- Functional managers must be the architects of the “what if” scenarios that have the greatest business impact.
- Qualified personnel with back-up are required to execute the plan.
- All facilities must have a life safety emergency evacuation plan that is current and tested periodically.
- Communications need to be re-established in less than two hours.
- Inefficiencies will occur during the stabilization period.
- Local authorities will have the capacity to respond. (Fire/Police/Medical)
- Local decision making is required for managing a crisis.

Priority Task Considerations
- Enterprise Contingency Plan Model
  - Develop and communicate a vision/mission defining the new/revised roles and responsibilities
- CMT & Employee Awareness
  - Establish global CMT integration for escalation and notification
  - Test Crisis Management call center support and intranet access
  - Distribute revised employee quick reference card
  - Create and distribute quick reference sheet for managers
- Risk Management – Self Assessment Opportunities
  - Develop a Contingency Plan Management System that integrates and acts on existing audit protocol and findings
  - Develop & deliver a Self Assessment Audit with paths to solutions
  - Develop a Governance Model with compliance metrics and benchmarks for senior management
Looking Back Did we develop meaningful metrics that support continuous improvement?
Crisis Management – pre-planning is critical but ……
Sometimes we get lucky
Questions? Thank you!