
Cyber-Security: Proactively managing the cyber threat landscape

Agenda

Understanding the cyber threat landscape
Building a resilient Cyber Risk capability
An Internal Audit approach
Closing thoughts

Understanding the cyber threat landscape

The evolving threat landscape


Lilly scientists stole $55 million in trade secrets [1]
Indianapolis Business Journal, October 8, 2013

Last year, over 800 million records were breached globally, up from 250 million in 2012
The Economist, July 2014

Target missed signs of a data breach (40 million credit card numbers compromised) [2]
NY Times, March 13, 2014

On a scale of 1 to 10, American preparedness for a large-scale cyber attack is around a 3 [3]
NY Times, July 2012

Why?

Changing regulatory environment
Regulatory changes continue to absorb resources and attention.

Corporate change & innovation
Technology innovations that drive business growth also create cyber risk. New technology-enabled business models create new opportunities for malicious actors to exploit and higher likelihood of accidental vulnerabilities.

Evolving threat environment
Cyber threats are asymmetrical risks. Cyber crime grows in sophistication, and attacks increase in speed and number, while time to respond decreases. Targeted attacks on operations, brand, and competitive advantage are more impactful than ever.

[1] http://www.ibj.com/lilly-employees-stole-55-million-in-trade-secrets-indictment-alleges/PARAMS/article/43949
[2] http://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-data-breach.html?_r=0
[3] http://www.nytimes.com/2012/07/27/us/cyberattacks-are-up-national-security-chief-says.html?_r=0

Deloitte LLP and affiliated entities.

Cybersecurity Proactively managing the cyber threat landscape

Cyber risk
High on the agenda
Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory focus.

Recent U.S. Securities and Exchange Commission (SEC) guidance regarding disclosure obligations relating to cybersecurity risks and incidents:

"Registrants should address cybersecurity risks and cyber incidents in their Management's Discussion and Analysis of Financial Condition and Results of Operations (MD&A), Risk Factors, Description of Business, Legal Proceedings and Financial Statement Disclosures." (SEC Division of Corporate Finance Disclosure Guidance: Topic No. 2, Cybersecurity)

Ever-growing concerns about cyber-attacks affecting the nation's critical infrastructure prompted the signing of Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.
The Executive Order highlights the focus on an improved cybersecurity framework and the rapid changes of regulatory agency expectations and oversight.
One of the foundational drivers behind the update and release of the 2013 COSO Framework was the need to address how organizations use and rely on evolving technology for internal control purposes.

Cyber risk (cont'd)
Roles and responsibilities
Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board's need to understand the effectiveness of cybersecurity controls.

1st Line of defense: business and IT functions
Incorporate risk-informed decision making into day-to-day operations and fully integrate risk management into operational processes
Define risk appetite and escalate risks outside of tolerance
Mitigate risks, as appropriate

2nd Line of defense: information and technology risk management function
Establish governance and oversight
Set risk baselines, policies, and standards
Implement tools and processes
Monitor and call for action, as appropriate
Provide oversight, consultation, checks and balances, and enterprise-level policies and standards

3rd Line of defense: internal audit
Independently review program effectiveness
Provide confirmation to the board on risk management effectiveness
Meet requirements of SEC disclosure obligations focused on cybersecurity risks

Given recent high profile cyber attacks and data losses, and the SEC's and other regulators' expectations, it is critical for Internal Audit to understand cyber risks and be prepared to address the questions and concerns expressed by the audit committee and the board.

What are we seeing?


Attack vector shifting from technology to people.

Attack patterns are increasingly starting to look like normal behavior. Threats are increasingly hiding in plain sight. Some of the threats are adaptive and have the ability to go into dormant mode, making them difficult to detect.

Criminals, state actors and even hacktivists are building better intelligence and capability, and have a wider network of resources than organizations (i.e., widening capability gap).

Supply chain and business partner poisoning or lateral entry are on the rise.

Advanced threat adversaries' calling cards defy traditional signature-based approaches.


Incident patterns

of incidents can be described by just nine basic patterns

Card skimmers
Cyber-espionage
Physical theft/loss
Point-of-sale intrusions
Miscellaneous errors
Web application attacks
Everything else
Insider misuse
Crimeware
Denial of service attacks

of incidents in an industry can be described by just three of the nine patterns

It starts by understanding your organizational risk appetite

Who might attack?
Cyber criminals
Hacktivists (agenda driven)
Nation states
Malicious insiders
Rogue suppliers
Competitors
Skilled individual hacker

What are they after and what key business risks must we mitigate?
Sensitive data
Financial fraud (e.g., wire transfer, payments)
Business disruption (building systems, etc.)
Threats to health & safety

What tactics might they use?
Spear phishing, drive by download, etc.
Software or hardware vulnerabilities
Third party compromise
Stolen credentials
Control systems compromise

Ultimately cyber is about brand and reputation with your tenants and investors

What is the actual threat?

Cyber crime: Who did it?
Cyber espionage: What did they see & take?
Cyber warfare: When do we fight back?
Cyber terrorism: Why did they do it?
Cyber security: How do we prevent it (again)?


New technologies, new threats


Reconnaissance
What: Gain intelligence and identify vulnerabilities
How: Research the internet, call call-centers, trawl social media etc.

Attack
What: Target identified vulnerabilities
How: Targeted email attacks, unsuspecting downloads from malicious or compromised websites, exploit application or infrastructure software vulnerabilities etc.

Exploit
What: Gain broad deep access
How: Escalate privileges, gain increased access, observe/control network or servers, increase sophistication of attacks, hide tracks, etc.

Fulfill objective
What: Steal/damage/disrupt
How: Encrypt then exfiltrate data being stolen, stay hidden for long periods of time, erase digital footprint

Diagram labels: Vulnerability; Target; Your business; Strategic assets, financial assets, data & intelligence

Speed of attack is accelerating

72%: Initial attack to initial compromise takes place within minutes (almost 3 of 4 cases)
46%: Data leaks occur within minutes (nearly half)

59%
72%
Containment (post-discovery) requires weeks or longer
Discovery takes weeks or longer

Time is of the essence



Case study
JP Morgan Chase & Co.
Timeline dates shown on the slide: Mid-June, Mid-August, Aug 27, Aug 28, Sept 11, Oct 2, Jan 08

Victim timeline
News agencies report of FBI investigating the bank
JP learns of attack, closes all network access path
JP maintains the statement that it isn't seeing any unusual fraud activity
JP reports to US SEC, reveals details of cyberattack
State attorneys seek information from JP about the breach
JP says it isn't seeing unusual fraud

Attacker timeline
Attackers gain access to JP servers, steal personal information
*http://www.nytimes.com/2014/08/06/business/target-puts-data-breach-costs-at-148-million.html?_r=0

Building a resilient Cyber Risk capability


Build a resilient cyber security organization
This means having the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents

Secure: Are controls in place to guard against known and emerging threats?
Vigilant: Can we detect malicious or unauthorized activity, including the unknown?
Resilient: Can we act and recover quickly to minimize impact?

Cyber governance
Cyber threat intelligence
Cyber threat mitigation
Cyber incident response

Changes in threat landscape versus capability

Capability categories
Cat A: SIEM (near real time analysis). Signature based (e.g., correlation)
Cat B: Behavioral analysis and machine learning (mid term analysis). Behavioral analysis and machine learning model
Cat C: Cyber analytics (long term analysis). Risk analytics (including BDSA)

Conventional warfare
Conventional (conventional warfare, symmetric vectors)
Guerilla (hide among civilians (hide in plain sight))
Espionage (seek, analyze and exfiltrate)

Cyber warfare
Infrastructure threats (retail threats, open toolkits, general botnet, distributed denial of service)
Targeted attacks (hide within business traffic)
Cyber-espionage (seek, analyze and exfiltrate)

Other labels: System 1 learning, System 2 learning
Legend: Effective, Marginally effective, Ineffective

Building your defenses
Options
Insource
Outsource
Co-source

Operating model
Benefits and challenges

Insource
Industry and business alignment
Level one monitoring and management
Maintain and enhance existing use cases
Limited threat intelligence gathering
Resourcing required to operate three shifts
Hardware, build, run and maintain costs
Capex

Outsource
Industry and risk profile alignment
Level one, two and three monitoring and management
Alignment of use cases to evolving threat landscape
Proactive cyber threat intelligence
Round the clock monitoring, management and incident response
Cloud based service, utility based costing
Opex

Co-source
Business, industry and risk profile alignment
Level one, two and three monitoring and management
Alignment of use cases to evolving threat landscape
Proactive cyber threat intelligence
Round the clock monitoring, management and incident response
Hardware, build, run and maintain costs
Capex and Opex

An internal audit approach


Cyber risk: Deloitte cybersecurity framework*
An assessment of the organization's cybersecurity should evaluate specific capabilities across multiple domains

Domain groupings shown on the slide: Secure, Vigilant, Resilient

Cybersecurity risk and compliance management: Compliance monitoring; Issue and corrective action planning; Regulatory and exam management; Risk and compliance assessment and mgmt.; Integrated requirements and control framework

Third-party management: Evaluation and selection; Contract and service initiation; Ongoing monitoring; Service termination

Secure development life cycle: Secure build and testing; Secure coding guidelines; Application role design/access; Security design/architecture; Security/risk requirements

Information and asset management: Information and asset classification and inventory; Information records management; Physical and environment security controls; Physical media handling

Security program and talent management: Security direction and strategy; Security budget and finance management; Policy and standards management; Exception management; Talent strategy

Identity and access management: Account provisioning; Privileged user management; Access certification; Access management and governance

Threat and vulnerability management: Incident response and forensics; Application security testing; Threat modeling and intelligence; Security event monitoring and logging; Penetration testing; Vulnerability management

Data management and protection: Data classification and inventory; Breach notification and management; Data loss prevention; Data security strategy; Data encryption and obfuscation; Records and mobile device management

Risk analytics: Information gathering and analysis around user, account, entity; events/incidents; fraud and anti-money laundering; operational loss

Crisis management and resiliency: Recover strategy, plans & procedures; Testing & exercising; Business impact analysis; Business continuity planning; Disaster recovery planning

Security operations: Change management; Configuration management; Network defense; Security operations management; Security architecture

Security awareness and training: Security training; Security awareness; Third-party responsibilities

* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.
As used in this document, Deloitte means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its
subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.


Cyber risk: Deloitte cybersecurity framework* (cont'd)
Certain cybersecurity domains may be partially covered by existing IT audits, however many capabilities have historically not been reviewed by internal audit

* The Deloitte cybersecurity framework is aligned with industry standards and maps to NIST, ISO, COSO, and ITIL.

Existing audit coverage shown on the slide: SOX (financially relevant systems only); Penetration and vulnerability testing; BCP/DRP testing

Cyber risk
Assessment approach

An internal audit assessment of cybersecurity should cover all domains and relevant capabilities, and involve subject matter specialists when appropriate

Phase I: Planning and scoping
Key activities:
Identify specific internal and external stakeholders: IT, Compliance, Legal, Risk, etc.
Understand organization mission and objectives
Identify industry requirements and regulatory landscape
Perform industry and sector risk profiling (i.e., review industry reports, news, trends, risk vectors)
Identify in-scope systems and assets
Identify vendors and third-party involvement
Deliverables:
Assessment objectives and scope
Capability assessment scorecard framework

Phase II: Understand current state
Key activities:
Conduct interviews and workshops to understand the current profile
Perform walkthroughs of in-scope systems and processes to understand existing controls
Understand the use of third-parties, including reviews of applicable reports
Review relevant policies and procedures, including security environment, strategic plans, and governance for both internal and external stakeholders
Review self assessments
Review prior audits
Deliverables:
Understanding of environment and current state

Phase III: Risk assessment
Key activities:
Document list of potential risks across all in-scope capabilities
Collaborate with subject matter specialists and management to stratify emerging risks, and document potential impact
Evaluate likelihood and impact of risks
Prioritize risks based upon organization's objectives, capabilities, and risk appetite
Review and validate the risk assessment results with management and identify criticality
Deliverables:
Prioritized risk ranking
Capability assessment findings

Phase IV: Gap assessment and recommendations
Key activities:
Document capability assessment results and develop assessment scorecard
Review assessment results with specific stakeholders
Identify gaps and evaluate potential severity
Map to maturity analysis
Document recommendations
Develop multiyear cybersecurity/IT audit plan
Deliverables:
Maturity analysis
Assessment scorecard
Remediation recommendations
Cybersecurity audit plan

Cyber risk: Assessment maturity analysis
Maintaining and enhancing security capabilities can help mitigate cyber threats and help the organization to arrive at its desired level of maturity

Stage 1: Initial
Recognized the issue
Ad-hoc/case by case
Partially achieved goals
No training, communication, or standardization

Stage 2: Managed
Process is managed
Responsibility defined
Defined procedures with deviations
Process reviews

Stage 3: Defined
Defined process
Communicated procedures
Performance data collected
Integrated with other processes
Compliance oversight

Stage 4: Predictable
Defined quantitative performance thresholds and control limits
Constant improvement
Automation and tools implemented
Managed to business objectives

Stage 5: Optimized
Continuously improved
Improvement objectives defined
Integrated with IT
Automated workflow
Improvements from new technology

Maturity analysis (chart)
Scale: Initial, Managed, Defined, Predictable, Optimized
Legend: Current state CMMI maturity*
Domain groupings: Secure, Vigilant, Resilient
Cybersecurity domains: Cybersecurity risk and compliance mgmt.; Third-party management; Secure development life cycle; Information and asset management; Security program and talent management; Identity and access management; Threat and vulnerability management; Data management and protection; Risk analytics; Crisis management and resiliency; Security operations; Security awareness and training

*The industry recognized Capability Maturity Model Integration (CMMI) can be used as the model for the assessment. Each domain consists of specific capabilities which are assessed and averaged to calculate an overall domain maturity.

Cyber risk: Assessment scorecard
A scorecard can support the overall maturity assessment, with detailed cyber risks for people, process, and technology. Findings should be documented and recommendations identified for all gaps

Assessment scorecard (chart)
Columns: People, Process, Technology
Scale: 1: Initial, 2: Managed, 3: Defined, 4: Predictable, 5: Optimized
Domain groupings: Secure, Vigilant, Resilient
Cybersecurity domains: Cybersecurity risk and compliance mgmt.; Third-party management; Secure development life cycle; Information and asset management; Security program and talent management; Identity and access management; Threat and vulnerability management; Data management and protection; Risk analytics; Crisis management and resiliency; Security operations; Security awareness and training

Capability assessment findings and recommendations
Threat and vulnerability management: Penetration testing

Area: People
Findings (Ref. 2.6.4): The organization has some resources within the ISOC that can conduct penetration testing, but not on a routine basis due to operational constraints and multiple roles that those resources are fulfilling
Recommendations (Ref. 2.6.4): The organization may find it of more value and cost benefit to utilize current resources to conduct internal penetration testing on a routine and dedicated basis since they do have individuals with the necessary skills to perform this duty.

Area: Process
Findings (Ref. 2.6.5): The organization has limited capability to conduct penetration testing in a staged environment or against new and emerging threats
Recommendations (Ref. 2.6.5): The organization should expand its penetration testing capability to include more advanced testing, more advanced social engineering, and develop greater control over the frequency of testing

Area: Technology
Findings (Ref. 2.6.6): The organization lacks standard tools to perform its own ad-hoc and on-the-spot penetration tests to confirm or support potential vulnerability assessment alerts and/or incident investigation findings.
Recommendations (Ref. 2.6.6): Either through agreement with a third-party vendor, or through technology acquisition, develop the technology capability to perform out of cycle penetration testing.

Cyber risk
Representative internal audit plan
A cybersecurity assessment can drive a risk-based IT internal audit plan. Audit frequency should correspond to the level of risk identified, and applicable regulatory requirements/expectations.

Columns: Internal Audit, FY 2015, FY 2016, FY 2017, Notes (representative)
Fiscal-year cells are marked with X.

SOX IT General Computer Controls: Annual requirement but only covers financially significant systems and applications
External Penetration and Vulnerability Testing: Cover a portion of IP addresses each year
Internal Vulnerability Testing: Lower risk due to physical access controls
Business Continuity Plan/Disaster Recovery Plan: Coordinate with annual 1st and 2nd line of defense testing
Data Protection and Information Security: Lower risk due to
Third-party Management: Lower risk due to
Risk Analytics: Annual testing to cycle through risk areas, and continuous monitoring
Crisis Management: Cyber war gaming scenario planned
Social Media: Social media policy and awareness program
Data Loss Protection (DLP): Shared drive scan for SSN/Credit Card #

Closing thoughts


Key considerations
1. Know your crown jewels: not just what you want to protect, but what you need to protect
2. Know your friends: contractors, vendors and suppliers can be security allies or liabilities
3. Understand the threat landscape and assess incremental threat scenarios that expose your organization to risk
4. Assess controls and identify gaps in policies, standards, processes, metrics and reporting, etc.
5. Maintain cyber security as an organizational priority and standing agenda item in audit committee updates
6. Apprise the Audit Committee of key risks, enterprise level risk trends related to cyber security
7. Make awareness a priority within every internal department and among external partners
8. Fortify and monitor situational awareness, diligently gather intelligence, build, maintain and proactively monitor
9. Prepare for the inevitable: test your incident management process


For more information


If you would like more information on cyber security or how Deloitte can help your organization, please contact one of the following professionals:

Nick Galletto
Americas Cyber Risk Leader
Deloitte
416-601-6734
ngalletto@deloitte.ca

Michael Juergens
Managing Principal | IT Internal Audit
Deloitte
213-688-5338
michaelj@deloitte.com

Cyber risk
Deloitte IT internal audit
Leading cybersecurity risk management services
Specifically suited to collaborate with you

The right resources at the right time

Number 1 provider of cyber risk management solutions

Deloitte has provided IT audit services for the past 30 years and IT audit training to the profession for more than 15 years. Our professionals bring uncommon insights and a differentiated approach to IT auditing, and we are committed to remaining an industry leader.

The only organization with the breadth, depth, and insight to help complex organizations become secure, vigilant, and resilient

1000+ cyber risk management projects in the U.S. alone in 2014 executed cross industry

We have distinct advantages through:

11,000 risk management and security professionals globally across the Deloitte Touche Tohmatsu Limited network of member firms

Access to a global team of IA professionals, including IT subject matter specialists in a variety of technologies and risk areas

A differentiated IT IA approach that has been honed over the years in some of the most demanding environments in the world, with tools and methodologies that help accelerate IT audit

Assisted National Institute of Standards and Technology in developing their cybersecurity framework in response to the 2013 Executive Order for Improving Critical Infrastructure Cybersecurity

Third-party observer of the Quantum Dawn 2 Cyber Attack Simulation, conducted by the Securities Industry and Financial Markets Association in July 2013

Working with government agencies on advanced threat solutions

Access to leading practices and the latest IT thought leadership on audit trends and issues

Contributing to the betterment of cyber risk management practices

A responsive team of cyber risk specialists with wide-ranging capabilities virtually anywhere in the world, prepared to advise as circumstances arise or as business needs change

Named as a Kennedy Vanguard Leader in cyber security consulting: "[Deloitte] continually develops, tests, and launches methodologies that reflect a deep understanding of clients' cyber security and help the firm set the bar."
Source: Kennedy Consulting Research & Advisory; Cyber Security Consulting 2013; Kennedy Consulting Research & Advisory estimates 2013 Kennedy Information, LLC. Reproduced under license.

"Deloitte's ability to execute rated the highest of all the participants"
Forrester Research, Forrester Wave™: Information Security Consulting Services Q1 2013, Ed Ferrara and Andrew Rose, February 1, 2013

www.deloitte.ca
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an
Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal
structure of Deloitte Touche Tohmatsu Limited and its member firms.