
THE A&M WAY 2020

WORKFORCE SECURITY POLICY

CONFIDENTIAL - NOT FOR DISTRIBUTION

WORKFORCE SECURITY POLICY 2

Workforce Security Policy

Purpose 3

Confidentiality of Information 3

Heightened Security Protocol 3

Firm Approved Hardware and Software 3

Securing the Workspace 4

Inappropriate Use 5

Access Control 6

Passwords 6

Use of Encryption 7

Working Remotely 7

Information Classification 8

Information Retention 9

Security Awareness Training 9

Security Incident Reporting 10

Contact Information 11

Purpose

This Workforce Security Policy applies to everyone at Alvarez & Marsal Holdings, LLC and its subsidiaries (“A&M”). It is the intent of this policy to provide clear guidance with respect to the appropriate use of information systems and the shared obligation of safeguarding information from unauthorized access, use, disclosure, loss, or alteration. This policy is an abstract of a larger suite of security policies, specifically structured to communicate policy requirements applicable to all workforce members. The term “workforce” means all employees and contingent workers (e.g. contractors, subcontractors, interns, temps) with access to firm systems and/or non-public information. All workforce members are responsible for reviewing and acknowledging this policy in its entirety.

Confidentiality of Information

Maintaining confidentiality is essential to A&M’s professional standing and reputation, and is also fundamental to avoiding legal risk. All A&M records and information relating to A&M and its clients are considered confidential and must be treated accordingly. Confidential information is any information pertaining to the business, operations, internal functions, finances or personnel of A&M and/or its clients and prospects, business partners, vendors, suppliers, or service providers that is not in the public domain.

The use of appropriate information security safeguards will help to ensure the confidentiality of information. Such safeguards are often layered, including administrative (e.g. policies and training), technical (e.g. use of encryption), and physical (e.g. shredding of printed material) protections.

Heightened Security Protocol

A&M’s firm-wide Heightened Security process is designed to identify and prescribe security safeguards based on the nature of the client engagement where appropriate. This process considers the sensitivity of the data, contractual requirements, regulatory obligations, firm policies, and industry acceptable practices for data protection. If you are handling sensitive A&M or client data (e.g. Protected Health Information, Personal Data, or other), Heightened Security will likely apply. You are responsible for reading, understanding, electronically acknowledging, and strictly abiding by the protocol in its entirety.

Firm Approved Hardware and Software

A&M provides for a secure computing environment through the use of firm approved equipment and software. A&M provided computers are specifically set up with security centric configurations (e.g. disk encryption) and software to prevent the loss of data and the spread of malware. The use of public or personal non-A&M computers for the storage of confidential A&M and/or client data is strictly prohibited. A&M computers must be procured strictly by A&M IT.

Personal mobile devices, such as smartphones and tablets that meet requisite criteria (e.g. supported operating system), may be used to access firm resources once loaded with A&M’s Mobile Device Management (MDM) software, which is designed to enforce appropriate security safeguards on the device. Loading of MDM software requires your acceptance of firm policy including the ability of A&M IT to access certain device information and remotely wipe the device in case of loss or theft. Furthermore, you are responsible for complying with requests from A&M Legal and IT for corporate information stored on device.

Equally important to maintaining a safe computing environment, is the use of firm approved software. A&M as a global firm is subject to Data Protection and Privacy laws, with an underpinning in the use of reasonable and appropriate security safeguards. Under this context, you are responsible for:


■ Only using firm approved web-based internet applications for the storage, processing, messaging, and collaboration of confidential A&M and/or client data. All software as a service (SaaS) cloud applications and storage platforms must be appropriately vetted by A&M’s Global Security Office and Legal functions prior to use.

■ Only using firm approved locally installed applications for business use, on your A&M computer. If you have a software request, contact A&M’s IT Service Desk for support. Business software must be appropriately licensed and subject to appropriate security review.

When storing data, refrain from using portable storage media (even for device backups, as the firm handles these for your A&M laptop) or using non-A&M provided cloud services (e.g. Google, Amazon, Yahoo, Hotmail, or others). Portable storage media includes CD, DVD, USB flash drives, external hard drives, memory cards, etc. When the use of portable media is unavoidable, the use of encryption is mandatory. If you require assistance, please seek guidance from the IT Service Desk.

Securing the Workspace

A&M workforce members must secure their workspace, whether in the office or when working remotely. Adherence to “clean desk” principles for confidential information, whether it resides on paper, removable media, or equipment, will reduce the risk of unauthorized access to information and the loss, theft, or damage of equipment or media containing such data. You are responsible for:

■ Locking the screen of your A&M computer when stepping away.

■ Taking appropriate steps such as the use of a privacy screen/filter on your A&M computer to prevent against unauthorized viewing of confidential information, especially in public settings.

■ Physically securing your A&M laptop computer and portable media (e.g. USB flash drives, memory cards, external hard disks, etc.) within a locked enclosure, secured room, or by using a locking cable.

■ Ensuring file cabinets storing confidential paper records are locked when left unattended.

■ Protecting passwords/pins or other sensitive information by not affixing either to the A&M computer or the surrounding workspace (e.g. don’t use a sticky note).

■ Utilizing secure printing capabilities as provided within A&M offices, and/or removing confidential material immediately from the printer.

■ Ensuring whiteboards containing confidential information are erased promptly and thoroughly.

■ Shredding paper assets containing confidential information when disposing.

■ Consulting with the IT Service Desk for the secure disposal of portable electronic media such as CD/DVDs.

■ When traveling, taking reasonable precautions to physically protect your A&M computer from theft. Laptop computers, paper assets, and removable media should be stored out of sight (e.g. not on the seat of a car) when left unattended.

■ Escorting your visitors/guests when they are on-premises within an A&M office.


■ Carrying and making available upon request your A&M identification card when in an A&M office. You are responsible for immediately reporting lost or stolen A&M identification cards and/or key fobs.

■ Preventing tailgating to restricted areas within A&M offices. Tailgating (piggybacking) occurs when an unauthorized individual aims to gain physical access to the office by following an authorized workforce member.

Inappropriate Use

Workforce members are responsible for utilizing technology in a manner that reduces risk to the firm, which includes the appropriate use of the firm’s equipment, network, and information systems. The use of an A&M information system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized A&M and law enforcement personnel. You have no personal privacy rights when using A&M information systems, except as may be provided under applicable law. Unauthorized or improper use of an A&M information system may result in disciplinary action, civil charges/criminal penalties, and/or other sanctions, up to and including termination of employment. Under this context, you:

■ May not share account system credentials (ID and/or password) with others.

■ May not install or use software applications that facilitate the unauthorized distribution of copyrighted music, software, digital images, movies, or documents. This includes but is not limited to bit-torrent clients, other peer-to-peer file sharing platforms, and/or file download repositories.

■ May not use software that disables or disrupts A&M’s ability to monitor, manage, or secure the device.

■ May not use the Internet to copy material protected under copyright law or make that material available to others. You are responsible for complying with copyright law and applicable licenses that may apply to software, files, graphics, documents, messages and other material you wish to download or copy.

■ May not circumvent or disable corporate anti-virus tools, firewall policies, deactivate laptop encryption, re-image laptops, de-install/deactivate Mobile Device Management (MDM) and other security-related applications or mechanisms that have been installed/deployed to protect A&M assets.

■ May not utilize email, text messages, instant messaging (IM) tools, web browsers, smartphones, tablets, telephones or other technology assets to consume or distribute sexually explicit, violent, hate-related, or threatening content, or any other content that may violate any A&M policy or applicable law.

■ May not store or transmit A&M and/or client confidential information via personal email accounts (including but not limited to services such as Gmail, Outlook.com, Yahoo!) or other unsanctioned text or messaging platforms/systems.

■ May not utilize personal email accounts to conduct A&M business and may not forward A&M emails to a personal email address.

■ May not store A&M and/or client confidential information on public or personal computers, non-encrypted portable media (e.g. flash drives, external USB drives, etc.), and/or unauthorized mobile devices.


■ May not utilize A&M technology to send or forward spam; engage in phishing activities; hack into another system or file share repository; distribute malicious code; access data on the network without permission; intercept data on the network intended for others (using “sniffers” or otherwise); or use spoofing techniques to disguise email addresses, or engage in other similar network activities.

■ May not connect wireless routers to A&M’s corporate network in the office. A&M provides secure in-office Wi-Fi, which must be managed by A&M’s IT function.

■ May not use jailbroken/rooted mobile devices such as smartphones and tablets to store or access A&M and/or client confidential information.

■ May not utilize A&M technology assets in violation of any law or A&M policy.

Access Control

All workforce members are responsible for ensuring that access to information in their control is limited to those with an appropriate need. For example, while a third party may have the ‘need to know’ for certain confidential information, electronic access to the relevant documents should be restricted to named individuals under the principle of ‘least privilege’. Of those few individuals, some may simply require ‘read-only’ access instead of the ability to make changes.

These principles are summarized as follows:

■ Need to know – access is only granted to the information required to perform a role, and no more.

■ Least privilege – the default approach taken must be to assume that access is not required, rather than to assume that it is.

In addition to these principles, you are responsible for the periodic review of access rights to any information that you may have shared (especially externally) through A&M approved collaboration tools. Strong access control works on the basis that system accounts are never shared; sharing accounts is therefore prohibited. If a client insists on the use of shared accounts, consult with A&M’s Global Security Office.

Passwords

A password in combination with a user-id (together known as credentials) identifies you on an information system. Workforce members are responsible for keeping passwords secure and confidential. As such, the following principles must be adhered to for creating and safeguarding passwords:

■ Passwords may not be shared – ever.

■ Do not re-use your A&M username/password for non-business sites/purposes. Your A&M password must be unique to A&M resources.

■ When passwords are issued, they must be changed immediately upon first-use.

■ Default passwords (e.g. set by a manufacturer or licensor) must be changed immediately.

■ Passwords should not be written down, and must not be left in a location easily accessible or visible to others.

■ Passwords should not be stored in a web browser’s password manager.

■ Storing lists of passwords in documents is not permitted. A&M can provide for the use of a firm-approved password manager. Consult A&M’s Global Security Office.


■ If you are required to communicate a password to a client, it must be done in a secure manner (e.g. over the phone, such that the user-ID and password are not communicated together over email).


■ Password criteria (e.g. complexity and time-to-change requirements) are enforced by A&M information systems. Your adherence is required for system access.

Use of Encryption

Encryption is a cornerstone of ensuring the confidentiality of electronic information. When storing and transmitting electronic confidential information, the use of encryption is required. You are responsible for using appropriate firm-approved tools and encryption methods to securely transmit and store confidential data. For additional information or guidance, please contact the IT Service Desk.

■ A&M approved file collaboration platforms have been purpose-built to ensure this important requirement is met, with no additional steps typically required by you, other than its use.

■ Email sent outside the firm is not guaranteed to be encrypted by default. Therefore, if you use email to transmit sensitive data, you must affirmatively encrypt the message.

■ Portable media, including USB devices containing confidential information must utilize encryption.

Working Remotely

Whether working from home, at a client site, or in public (hotels, coffee shops, etc.), the security requirements provided within this policy apply. To the extent applicable:

■ When working from home, you are responsible for taking appropriate steps to secure your home network including upgrading your personal routers with available security updates and configuring your Wi-Fi routers to require a strong password and protocol (e.g. WPA2).

■ When working from home, use headsets instead of speakerphones, especially when on calls that will reveal material non-public information. Turn off or pause personal voice assistants while on conference calls. Use privacy screens to avoid unintentionally sharing what you are viewing. You are responsible for securing A&M equipment and the surrounding workspace, as detailed within this policy.

■ The use of virtual conferencing is integral to working remotely. Conferencing must be conducted using secure technology. A&M provides firm approved conferencing software for this purpose. Consult with the IT Service Desk. Utilize strong security options in the software, such as complex passwords and unique conference identification codes. It is important that a unique code be used for each call or meeting (rather than a general “personal room” code) to prevent unintended individuals from joining.

■ When working at a client site, specific security protocols may be required. For example, the use of client-provided equipment, software, and physical access restrictions may apply. Consult with the engagement owner ahead of time to ensure your understanding and compliance.

■ The use of public Wi-Fi hotspots, such as at coffee shops, retail stores and public transport hubs, should be avoided at any time when using an A&M computer, but specifically when accessing firm resources or client data. Tethering to your smartphone is advised where feasible. Additional alternatives (e.g. corporate approved hotspots) may be available. Consult with A&M’s IT Service Desk for additional information.

Information Classification

Classifying information is foundational to its protection. The classification of data allows the firm to understand the type of information it has, the systems in which it is stored, and the context in which it is made accessible, and to support the ability to apply appropriate safeguards. An example is the scenario in which a firm produced report has been labeled as confidential and is found to be accessible on a non-A&M public website. In this case, since the report has been classified as confidential, appropriate actions can be determined.

As a workforce member, you are responsible for classifying and labeling information accordingly. Given the nature of A&M’s business, by default, all information is classified as ‘Confidential’ unless otherwise designated. A&M prescribes the following data classifications:

■ NON-BUSINESS/PERSONAL - Information that does not pertain to the business, operations, internal functions, finances or personnel of A&M or its clients and prospects, business partners, vendors, suppliers or service providers, and which A&M personnel store on and/or transmit using A&M’s IT systems and assets for their own personal, non-business use. This category of information may include, but is not limited to, the A&M user’s own “personally identifiable information (PII)” or other “personal data.” In the event of a security breach, there would be no impact to A&M or its clients and prospects, business partners, vendors, suppliers or service providers. Examples include personal documents (e.g. spreadsheets, audio/video files, images) which may include personally identifiable information or other personal confidential information.

■ PUBLIC - Information that is in the public domain or acceptable for public distribution without restrictions. In the event of a security breach, there would be no impact to A&M, its personnel, or its clients and prospects, business partners, vendors, suppliers or service providers. Examples include marketing materials, press releases, job postings, public directories, and content on A&M’s website or social media pages.

■ INTERNAL USE ONLY - Information pertaining to the business, operations, internal functions or personnel of A&M, which (i) is not in the public domain or generally known by third parties, (ii) is not subject to legal or regulatory restrictions, (iii) may be used and distributed internally, and (iv) should not be distributed externally except where appropriate controls are in place. In the event of a security breach, there would be minimal impact to A&M, and no impact to A&M personnel, or its clients and prospects, business partners, vendors, suppliers or service providers. Examples include organizational charts, firm directories, and internal announcements.

■ CONFIDENTIAL - Information pertaining to the business, operations, internal functions, finances or personnel of A&M and/or its clients and prospects, business partners, vendors, suppliers or service providers, which (i) is not in the public domain or generally known by third parties without a nondisclosure agreement or other duty of confidentiality, (ii) may be subject to legal, regulatory and/or A&M policy or compliance restrictions, (iii) should be used and distributed internally only on a need-to-know basis as defined by recipients’ roles and responsibilities generally, and (iv) should not be distributed externally except where appropriate controls are in place. A security breach may result in regulatory investigations and/or oversight, litigation, legal liabilities, low to moderate financial harm (including sanctions, fines, damages, costs and expenses, loss of business and lost revenue), and low to moderate reputational harm, each affecting A&M or its clients and prospects, business partners, vendors, suppliers or service providers, or both. Examples include client data (e.g. data received by A&M in connection with services provided to its clients), business information (e.g. business strategies and relationships with third parties, operating methodologies, and records such as contracts, tax/accounting, insurance, due diligence, etc.), and non-sensitive personal data (e.g. name, personal or business contact details, job title and responsibilities, etc.).

■ SECRET/HIGHLY SENSITIVE - Information pertaining to the business, operations, internal functions, finances or personnel of A&M and/or its clients and prospects, business partners, vendors, suppliers or service providers, which (i) is not in the public domain or generally known by third parties without a nondisclosure agreement or other duty of confidentiality, (ii) is subject to heightened legal, regulatory and/or A&M policy or compliance restrictions, and (iii) should not be used or distributed internally or externally except to specifically-named individuals, in each case where heightened controls are in place. All trade secrets, material nonpublic information and sensitive personal data must be classified as ‘Secret/Highly Sensitive’. A security breach would result in a high likelihood of regulatory investigations and/or oversight, litigation, legal liabilities, significant / severe financial harm, including sanctions, fines, damages, costs and expenses, loss of business and lost revenue, and significant / severe reputational harm, each affecting A&M or its clients and prospects, business partners, vendors, suppliers or service providers, or both. Examples include material non-public information (e.g. trade secrets, mergers & acquisition data, earnings, regulatory actions, etc.), and sensitive personal data (e.g. age, gender, race, ethnicity, religion, health information including medical claims/payment/insurance data, genetic data, biometric data, precise location data, credit and debit card numbers, financial account numbers, and government-issued ID numbers).

Information Retention

Information is to be retained in alignment with firm policies and contractual, regulatory, statutory and/or other legal requirements. With respect to client files, you are responsible for reviewing and complying with A&M’s Document Retention Policy for Client Engagements and any such policies and/or schedules applicable to your division. The secure disposal of electronic information may be subject to specific protocols; consult the engagement owner and/or A&M’s Global Security Office as appropriate.

Security Awareness Training

On an annual basis, as an A&M workforce member, you are required to complete Security Awareness Training as provided by the firm. The intent of this training is to provide you with useful knowledge as it relates to information security hygiene and to communicate respective firm policies. Your participation will be electronically recorded. Based on your role, additional training may be required.


Security Incident Reporting

A “security incident” is any unexpected or unwanted IT system, service or network event that indicates a possible failure of security controls or a policy violation that may compromise A&M’s business operations or threaten the confidentiality, integrity or availability of data. A “personal data breach” is a type of security incident that impacts personal data, i.e., the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The occurrence of a security incident may not be apparent at first glance. When in doubt, seek guidance from A&M’s Global Security Office. Security incidents may require A&M to notify data subjects, regulators, clients and other third parties, sometimes within 72 hours or less of discovery. Therefore, if you discover or suspect a security incident (including but not limited to a personal data breach), you must report it promptly (as soon as possible, and within one hour) to the IT Service Desk.

Examples of security incidents include:

■ Loss or theft of A&M equipment (including computers and portable media such as CD/DVD & USB flash drives), and/or printed material.

■ Incidentally receiving regulated data from a client when such information is not expected.

■ Unauthorized disclosure or access to confidential information.

■ Malicious software on your computer, such as ransomware or other forms of malware.

■ Social engineering tactics, including email phishing and phone calls designed to obtain your network credentials.

A security incident does not imply a breach has occurred (statutory, regulatory, and/or contractual). Such a determination will be made by A&M’s Global Security Office in consultation with Legal and other professionals where necessary. Any communication regarding a security incident (both internally and to external parties) must be coordinated with A&M’s Global Security Office.


References*

A&M Code of Conduct

A&M Document Retention Policy for Client Engagements

A&M Employee Handbook (contains Acceptable Use Policy)

A&M Global Data Protection Policy

*Many of these policies are available on Workday, on the Policies and Procedures page.

Contacts

A&M Security Policies are located at: https://itinfoalvarezandmarsal.sharepoint.com/sites/GlobalSecurityPortal/SecurityPolicies/

Global Security Office: [email protected]

IT Service Desk: [email protected]

Data Protection Office: [email protected]

ABOUT ALVAREZ & MARSAL

Companies, investors and government entities around the world turn to Alvarez & Marsal (A&M) for leadership, action and results. Privately held since its founding in 1983, A&M is a leading global professional services firm that provides advisory, business performance improvement and turnaround management services. When conventional approaches are not enough to create transformation and drive change, clients seek our deep expertise and ability to deliver practical solutions to their unique problems. With over 5,000+ people across four continents, we deliver tangible results for corporates, boards, private equity firms, law firms and government agencies facing complex challenges. Our senior leaders, and their teams, leverage A&M’s restructuring heritage to help companies act decisively, catapult growth and accelerate results. We are experienced operators, world-class consultants, former regulators and industry authorities with a shared commitment to telling clients what’s really needed for turning change into a strategic business asset, managing risk and unlocking value at every stage of growth.

To learn more, visit: AlvarezandMarsal.com

© 2020 Alvarez & Marsal Holdings, LLC. All rights reserved. 117498