
Cybersecurity and data privacy

Reliable information is at the core of the products and services we offer. Marsh McLennan is committed to:

• Data privacy and security, establishing effective controls that comply with business and regulatory requirements; and
• the protection of our information systems, including the confidential and personal information that clients entrust to us.

We are constantly working to mature the effectiveness of our cyber program based on the ever-evolving threat landscape, which is informed by our cyber threat intelligence program. We continuously improve our technology mix and invest in advanced cyber capabilities designed to enhance our ability to detect and prevent progressive threat adversaries from impacting our systems and applications. We build key partnerships across the industry to create and participate in cyber information sharing channels which help to inform the best, most proactive, threat protections possible.

Marsh McLennan’s Global Chief Information Security Officer (CISO) oversees the company’s cybersecurity program. All policies and procedures are supported by upper management and are based on industry standards for cybersecurity, such as those outlined in the NIST Cybersecurity Framework (NIST CSF) and ISO/IEC:27001. In addition, our worldwide network of data centers are SOC 2 Type II certified.

Board oversight

While the Audit Committee regularly reviews Marsh McLennan’s policies and practices with respect to risk assessment and risk management, including cybersecurity and privacy risk, the full Board also receives regular briefings regarding cybersecurity and privacy matters. The company maintains a response plan for significant incidents that have the potential to cause large-scale disruption to the company’s operations, revenue or reputation. The response plan for significant incidents requires immediate notification to Marsh McLennan’s Chairman of the Board and Chair of the Board Audit Committee.

Training our colleagues to #BeCyberSmart

As cyber-attacks become more complicated and difficult to detect, our colleagues play an essential role in protecting Marsh McLennan’s data, information, business and reputation. All new hires receive information security and confidentiality training, and all colleagues must complete the annual cybersecurity and privacy training. The interactive training underscores the importance of information classification rules, how to recognize and avoid cybersecurity threats and how to report an incident when something goes wrong.

In addition to formal training, all colleagues receive periodic information security and compliance newsletters and notifications. We also conduct internal communications and education campaigns for Cybersecurity Awareness Month and International Privacy Day, including specific role-based training, a series of educational games representing real-world cyberattacks and our spot the “Phish” campaign.

“In 2022 we continued to strengthen our cyber capabilities and protect the company from increasingly complex threats.”
Jeff Lund, Chief Information Security Officer

2022 ESG Report | Succeeding Together - Page 54