Vulnerability management

Our robust vulnerability identification, assessment and management program includes system hardening, scanning, alerting, and operating system and application patch management:

Track, assess and remediate security vulnerabilities and emerging threats.

Static and dynamic application security testing is a core capability of our software development lifecycle.

External penetration tests of our systems and applications, and continuous monitoring of our external attack surface.

Patch systems regularly and track, assess for risk, test and deploy, according to risk priority, patches or hot fixes to known vulnerabilities.

Incident response

A dedicated problem management team supports our Unified Incident Response process for both cybersecurity and privacy matters. This process assists the company's Global Technology Infrastructure support teams in performing problem analysis and troubleshooting to determine the root cause of one or more incidents. The problem management process is based around Information Technology Infrastructure Library (ITIL) standards and includes the development and production of corrective action plans and post-mortem reports. Depending on scope and scale, corrective actions are prioritized as changes (following the change management process), service improvement programs or formal IT projects. In the case of a data breach, we are committed to notifying data subjects in a timely manner, in accordance with local laws and regulations.

Network security

To meet our rigorous confidentiality, integrity and availability standards, we have in place a Secure Access Service Edge (SASE) architecture and a defense-in-depth approach leveraging the MITRE ATT&CK framework to test how our environment responds to a variety of threat tactics. We are actively implementing a multi-year zero-trust architecture strategy which includes workload segmentation and network access control solutions.

Compliance

Compliance with business and regulatory requirements such as GLB, GDPR, HIPAA, NYDFS, CCPA and Sarbanes-Oxley is assessed through internal and external audits performed on a risk basis. Senior management is updated on the outcomes.

Data Privacy

Marsh McLennan has a designated Global Chief Privacy Officer who manages our global Privacy team. The Global Privacy Team includes a network of dedicated Privacy Officers across various regions and businesses, a European Data Protection Officer and dozens of data protection coordinators across the globe who are responsible for privacy matters in their respective jurisdictions.

The Privacy Team is responsible for administering our Privacy Program and overseeing the proper handling and use of personal information across the company. The team works closely with IT, Information Security, Human Resources and various other functional groups in this effort. We have an established process for conducting risk-based privacy assessments for new products, services and IT initiatives that includes a review of technical, administrative and physical safeguards in order to comply with applicable Marsh McLennan policies and regulatory regimes.

2022 ESG Report | Succeeding Together, page 55