0001522690 false NONE 0001522690 2022-12-10 2022-12-10 iso4217:USD xbrli:shares iso4217:USD xbrli:shares

 

 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, DC 20549

 

 

 

FORM 8-K

 

 

 

CURRENT REPORT

Pursuant to Section 13 or 15(d)

of the Securities Exchange Act of 1934

 

Date of Report (date of earliest event reported): December 10, 2022

 

 

 

GWG Holdings, Inc.

(Exact name of registrant as specified in its charter)

 

 

 

Commission File Number: 001-36615

 

Delaware   26-2222607

(State or other jurisdiction
of incorporation)

  (IRS Employer
Identification No.)

 

325 North St. Paul Street, Suite 2650, Dallas, TX 75201

(Address of principal executive offices, including zip code)

 

(612) 746-1944

(Registrant’s telephone number, including area code)

 

Not Applicable

(Former name or former address, if changed since last report)

 

 

 

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

 

Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

 

Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

 

Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

 

Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

 

Securities registered pursuant to Section 12(b) of the Act:

 

Title of each class   Trading Symbol(s)  

Name of each exchange
on which registered

Common Stock   GWGHQ   *

 

* On May 18, 2022, Nasdaq Stock Market LLC filed a Form 25 delisting and deregistering the shares of common stock, par value $0.001 per share, of GWG Holdings, Inc. from The Nasdaq Stock Market, which became effective ten days after the filing of the Form 25. GWG Holdings, Inc.’s common stock began trading exclusively on the over-the-counter market on April 29, 2022 under the symbol GWGHQ.

 

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

 

Emerging growth company

 

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.

 

 

 

 

 

 

Item 5.02   Departure of Directors or Certain Officers; Appointment of Certain Officers; Compensatory Arrangements of Certain Officers

 

On December 10, 2022, Michael A. Tucker, age 59, was appointed by the GWG Holdings, Inc. (the “Company”) board of directors as Chief Financial Officer of the Company. With the support of additional personnel from FTI Consulting, Inc. (“FTI”), Mr. Tucker will perform the ordinary course duties of a chief financial officer in connection with the Company’s chapter 11 cases and related matters and report to the Chief Executive Officer. The Company intends to file a motion in the Bankruptcy Court of the Southern District of Texas in relation to Mr. Tucker’s appointment.

 

Mr. Tucker has extensive experience in advising companies, creditors and other parties in restructuring and operational improvement situations during his 37-year career. Mr. Tucker has also been part of management teams including having been appointed the Chief Restructuring Officer of Martifer Solar USA, Inc in March 2014 and then the Chief Executive Officer and Chief Financial Officer in April 2014 with all Martifer duties ending in June 2015. Mr. Tucker began his career in the audit department at PricewaterhouseCoopers (“PwC”) in 1985 and was admitted to the partnership in 1998. In 2002, FTI Consulting acquired PwC’s Business Recovery Services practice, where Mr. Tucker was a Partner. Mr. Tucker has been employed as a Senior Managing Director by FTI continuously since 2002. Mr. Tucker is a Certified Public Accountant as well as a Certified Turnaround Professional and a Certified Fraud Examiner. Mr. Tucker received a B.S., in Accounting, from the University of Illinois.

 

As of the date of this Current Report on Form 8-K, no additional compensation has been approved for Mr. Tucker in connection with his appointment to the role of Chief Financial Officer. The Company will pay FTI for Mr. Tucker’s time spent acting as Chief Financial Officer pursuant to the terms of an engagement letter, dated April 5, 2022 (the “Engagement Letter”), between FTI and the Company. Under the terms of the Engagement Letter, FTI will be entitled to compensation at specified hourly rates for the services of Mr. Tucker and other FTI personnel pursuant to the Engagement Letter, as well as reimbursement for reasonable direct expenses. Mr. Tucker’s services to the Company are billed by FTI, and he is not separately compensated by the Company for serving as its Chief Financial Officer. FTI is not an affiliate of the Company or any of its subsidiaries. In addition, Mr. Tucker is not eligible to participate in any health, welfare, retirement, or other benefit plans or policies offered by the Company to its employees. The foregoing description of the Engagement Letter is qualified in its entirety by the terms of such agreement, which is filed as Exhibit 10.1 to this Current Report on Form 8-K and incorporated herein by reference.

 

There is no family relationship between Mr. Tucker and any director or executive officer of the Company.  Other than as noted above, there is no arrangement or understanding between Mr. Tucker and any other persons in connection with Mr. Tucker’s appointment to Chief Financial Officer.

 

Item 9.01 Financial Statements and Exhibits

 

10.1   Engagement Letter, dated April 5, 2022, between FTI and the Company
104   Cover Page Interactive Data File (embedded within the Inline XBRL Document)

 

1 

 

 

SIGNATURES

 

Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

 

  GWG HOLDINGS, INC.
     
Date: December 15, 2022 By: /s/ Jeffrey S. Stein
  Name: Jeffrey S. Stein
  Title: Chief Executive Officer

 

 

2

 

 

 

Exhibit 10.1

 

       
    227 West Monrow Street
    Suite 900
    Chicago, IL 60606
    Michael.Buenzow@fticonsulting.com
    312.252.9333
     

 

April 5, 2022

 

PRIVATE & CONFIDENTIAL

 

Mr. Murray Holland

President and Chief Executive Officer

GWG Holdings, Inc.

325 North St. Paul Street

Dallas, Texas 75201

 

Re: Financial Advisory Services for GWG  Holdings, Inc.

 

Dear Mr. Holland:

 

1.Introduction

 

This letter confirms that we, FTI Consulting, Inc. (“FTI”), have been retained by you, GWG Holdings, Inc. (collectively, with its direct and indirect subsidiaries, the “Company”), to provide certain financial advisory and consulting services (the “Services”) set out below. This letter of engagement (the “Engagement”) and the related Standard Terms and Conditions constitute the engagement contract (the “Engagement Contract”) pursuant to which the Services will be provided.

 

This Engagement Contract represents the entire understanding of the parties hereto and, on a go forward basis, supersedes any and all other prior agreements among the parties, their affiliates, subsidiaries, officers, directors, shareholders, or employees regarding the subject matter hereof; shall be binding upon and inure to the benefit of the parties and their respective heirs, representatives, successors and assigns; and may not be waived, modified or amended unless in writing and signed by the Company and FTI. The provisions of this agreement shall be severable. No failure to delay in exercising any right, power or privilege related hereto, or any single or partial exercise thereof, shall operate as a waiver thereof.

 

2.Scope of Services

 

The Services, to be performed at your direction, are expected to include the following:

 

Assist the Debtors in cash forecasting and liquidity management and assist with future liquidity management, including, without limitation, the development of budgets and 13-week cash forecasts;

 

Work with the Debtors and its advisors in the preparation, design, and presentation of proposals to creditors, investors, and regulatory authorities regarding terms of potential forbearances, amendments, modifications, and/or restructuring/reorganization of the Debtors’ existing indebtedness or other financial obligations;

 

Provide periodic status reports to senior management (including the Chief Executive Officer), the Debtors’ Board of Directors, and the other advisors with respect to the progress of the overall engagement, as requested;

 

 

 

 

GWG Holdings, Inc.

April 5, 2022

Page 2

 

Analyze and evaluate the likelihood of cost savings initiatives;

 

Assist the Debtors in managing vendor and supplier related matters;

 

Assist the Debtors in the preparation of the Statement of Financial Affairs;

 

Assist the Debtors in the preparation of the Statement of Assets and Liabilities;

 

Assist the Debtors in the preparation of the Monthly Operating Reports;

 

Assist in the development and evaluation of any employee compensation and reorganization plans, if needed;

 

Assist the Debtors in responding to due diligence requests from lenders, other creditors, lessors, vendors, other professionals, investors and regulatory authorities;

 

Attend meetings, presentations and negotiations as may be requested by the Debtors;

 

Provide support and analysis related to potential asset sales, including assisting with data collection and information gathering related to third party due diligence, and advising and assisting the Debtors and other professionals in developing, negotiating, and executing sales of the Debtors’ assets;

 

Work closely and discretely with the designated parties to ensure that accurate and timely data is used in the filing documents;

 

Assist the Debtors in the preparation of financial projections and analysis for best interest of creditors’ test for a reorganization plan and/or negotiation purposes;

 

Assist the Debtors in managing and executing the claims reconciliation process;

 

Provide testimony in the chapter 11 proceedings, as necessary; and

 

Other services as may be reasonably requested by the Debtors, and as may be customary in this type of engagement.

 

The Services may be performed by FTI or by any subsidiary of FTI, as FTI shall determine. FTI may also provide Services through its or its subsidiaries’ agents or independent contractors. References herein to FTI and its employees shall be deemed to apply also, unless the context shall otherwise indicate, to employees of each such subsidiary and to any such agents or independent contractors and their employees.

 

The Services, as outlined above, are subject to change as mutually agreed between us.

 

FTI is engaged by the Company to provide financial advisory and consulting services only. Accordingly, while we may from time to time suggest options which may be available to you and further give our professional evaluation of these options, the ultimate decision as to which, if any, of these options to implement rests with the Company, its management and board of directors. FTI and its employees will not make any management decisions for the Company and will not be responsible for communicating information concerning the Company to the public, the Company’s shareholders or others.

 

 

 

 

GWG Holdings, Inc.

April 5, 2022

Page 3

 

As part of the Services, FTI may be requested to assist the Company (and its legal or other advisors) in negotiating with the Company’s creditors and equity holders and with other interested parties. In the event that we participate in such negotiations, the representations made and the positions advanced will be those of the Company and its management, not FTI or its employees.

 

If cases under the Bankruptcy Code are commenced and our retention is approved, our role will include serving as principal bankruptcy financial advisors to the debtors and debtors in possession in those cases under a general retainer, subject to court approval. Our role also will encompass all out-of-court planning and negotiations attendant to these tasks.

 

The services we will provide in connection with the Engagement will encompass all services normally and reasonably associated with this type of engagement that we are requested and are able to provide and that are consistent with our ethical obligations. With respect to all matters of our Engagement, we will coordinate closely with the Company as to the nature of the services that we will render and the scope of our engagement.

 

As usual, our Engagement is to represent the Company and not its individual directors, officers, employees or shareholders. However, we anticipate that in the course of that Engagement, we may provide information or advice to directors, officers or employees in their corporate capacities.

 

3.Fees and Cash on Account

 

Fees in connection with this Engagement will be based upon the time incurred providing the Services, multiplied by our standard hourly rates, summarized as follows:

 

United States

 

   Per Hour (USD) 
Senior Managing Directors  $975 – 1,325 
Directors / Senior Directors / Managing Directors   735 – 960 
Consultants/Senior Consultants   395 – 695 
Administrative / Paraprofessionals   160 – 300 

 

Hourly rates are generally revised periodically. To the extent this engagement requires services of our International divisions or personnel, the time will be multiplied by our standard hourly rates applicable on International engagements. Note that we do not provide any assurance regarding the outcome of our work and our fees will not be contingent on the results of such work.

 

Consummation Fee - If the Debtors succeed in obtaining: (a) a consensual restructuring, compromise and/or extinguishment of a substantial amount of its existing indebtedness or (b) a final judicial order approving a Chapter 11 plan or a sale of substantially all of the Debtors’ assets under U.S. Bankruptcy Code Section 363, then, upon the consummation of such restructuring or sale, the Debtors’ will pay FTI a Consummation Fee of $250,000.

 

In addition to the fees outlined above, FTI will bill for reasonable direct expenses which are likely to be incurred on your behalf during this Engagement. Direct expenses include reasonable and customary out-of-pocket expenses which are billed directly to the engagement, such as internet access, telephone, overnight mail, messenger, travel, meals, accommodations and other expenses specifically related to this engagement. Further, if FTI and/or any of its employees are required to testify or provide evidence at or in connection with any judicial or administrative proceeding relating to this matter, FTI will be compensated by you at its regular hourly rates and reimbursed for reasonable allocated and direct expenses (including counsel fees) with respect thereto.

 

 

 

 

GWG Holdings, Inc.

April 5, 2022

Page 4

 

Cash on Account

 

Initially, the Company will forward to us the amount of $50,000, which funds will be held “on account” to be applied to our professional fees, charges and disbursements for the Engagement (the “Initial Cash on Account”). To the extent that this amount exceeds our fees, charges and disbursements upon the completion of the Engagement, we will refund any unused portion. The Company agrees to increase or supplement the Initial Cash on Account from time to time during the course of the Engagement in such amounts as the Company and we mutually shall agree are reasonably necessary to increase the Initial Cash on Account to a level that will be sufficient to fund Engagement fees, charges, and disbursements to be incurred.

 

We will send the Company periodic invoices (not less frequently than monthly) for services rendered and charges and disbursements incurred on the basis discussed above, and in certain circumstances, an invoice may be for estimated fees, charges and disbursements through a date certain. Each invoice constitutes a request for an interim payment against the fee to be determined at the conclusion of our Services. Upon transmittal of the invoice, we may immediately draw upon the Initial Cash on Account (as replenished from time to time) in the amount of the invoice. The Company agrees that invoices are due upon receipt and will promptly wire the invoice amount to us as replenishment of the Initial Cash on Account (together with any supplemental amount to which we and the Company mutually agree), without prejudice to the Company’s right to advise us of any differences it may have with respect to such invoice. We have the right to apply to any outstanding invoice (including amounts billed prior to the date hereof), up to the remaining balance, if any, of the Initial Cash on Account (as may be supplemented from time to time) at any time subject to (and without prejudice to) the Company’s opportunity to review our statements.

 

The Company agrees to promptly notify FTI if the Company or any of its subsidiaries or affiliates extends (or solicits the possible interest in receiving) an offer of employment to a principal or employee of FTI involved in this Engagement and agrees that FTI has earned and is entitled to a cash fee, upon hiring, equal to 150% of the aggregate first year’s annualized compensation, including any guaranteed or target bonus and equity award, to be paid to FTI’s former principal or employee that the Company or any of it subsidiaries or affiliates hires at any time up to one year subsequent to the date of the final invoice rendered by FTI with respect to this Engagement.

 

In a case under the Bankruptcy Code, fees and expenses may not be paid without the express prior approval of the bankruptcy court. In most cases of this size and complexity, on request of a party in interest, the bankruptcy court permits the payment of interim fees during the case. The Company agrees that, if asked to do so by us, the Company will request the bankruptcy court to establish a procedure for the payment of interim fees during the case that would permit payment of interim fees. If the bankruptcy court approves such a procedure, we will submit invoices on account against our final fee. These interim invoices will be based on such percentage as the bankruptcy court allows of our internal time charges and costs and expenses for the work performed during the relevant period and will constitute a request for an interim payment against the reasonable fee to be determined at the conclusion of our representation.

 

In preparation for the filing of any cases under the Bankruptcy Code, we also may require an additional on account payment to supplement the Initial Cash on Account to cover fees, charges and disbursements to be incurred during the initial phase of the chapter 11 cases (the “Additional Cash on Account”). We will hold the Additional Cash on Account, as we have the Initial Cash on Account. Of course, the reasonableness of the Additional Cash on Account remains subject to review by the court in any ensuing case.

 

 

 

 

GWG Holdings, Inc.

April 5, 2022

Page 5

 

If any of the Company’s entities become a debtor in one or more cases under the Bankruptcy Code, some fees, charges, and disbursements (whether or not billed) incurred before the filing of bankruptcy petitions (voluntary or involuntary) might remain unpaid as of the date of the filing. The unused portion, if any, of the Initial Cash on Account and the Additional Cash on Account will be applied to any such unpaid pre-petition fees, charges and disbursements. Any requisite court permission will be obtained in advance. We will then hold any portion of the Initial Cash on Account and the Additional Cash on Account not otherwise properly applied for the payment of any such unpaid pre-filing fees, charges and disbursements (whether or not billed) as on account cash to be applied to our final invoice in any case under the Bankruptcy Code.

 

Post-petition fees, charges and disbursements will be due and payable immediately upon entry of an order containing such court approval or at such time thereafter as instructed by the court. The Company understands that while the arrangement in this paragraph may be altered in whole or in part by the bankruptcy court, the Company shall nevertheless remain liable for payment of court approved post-petition fees and expenses. Such items are afforded administrative priority under 11 U.S.C. § 503(b)(l). The Bankruptcy Code provides in pertinent part, at 11 U.S.C. § 1l29(a)(9)(A), that a plan cannot be confirmed unless these priority claims are paid in full in cash on the effective date of any plan (unless the holders of such claims agree to different treatment). It is agreed and understood that the unused portion, if any, of the Initial Cash on Account (as may be supplemented from time to time) and the Additional Cash on Account shall be held by us and applied against the final fee application filed and approved by the court.

 

4.Terms and Conditions

 

The attached Standard Terms and Conditions set forth the duties of each party with respect to the Services. Further, this letter and the Standard Terms and Conditions attached comprise the entire Engagement Contract for the provision of the Services to the exclusion of any other express or implied terms, whether expressed orally or in writing, including any conditions, warranties and representations, and shall supersede all previous proposals, letters of engagement, undertakings, agreements, understandings, correspondence and other communications, whether written or oral, regarding the Services.

 

5.Conflicts of Interest

 

Based on the list of interested parties (the “Potentially Interested Parties”), provided by you, we have undertaken a limited review of our records to determine FTI’s professional relationships with the Company and your lenders. As you may be aware, FTI is regularly retained by members of your lending group (or law firms retained by the administrative agent or lending group members). However, such representations are in matters unrelated to this engagement.

 

From the results of such review, we were not made aware of any conflicts of interest or additional relationships that we believe would preclude us from performing the Services. However, as you know, we are a large consulting firm with numerous offices throughout the United States. We are regularly engaged by new clients, which may include one or more of the Potentially Interested Parties. The FTI professionals providing services hereunder will not accept an engagement that directly conflicts with this Engagement without your prior written consent.

 

 

 

 

GWG Holdings, Inc.

April 5, 2022

Page 6

 

6.Acknowledgement and Acceptance

 

Please acknowledge your acceptance of the terms of this Engagement Contract by signing both the confirmation below and the attached Standard Terms and Conditions and returning a copy of each to us at the above address.

 

If you have any questions regarding this letter or the attached Standard Terms and Conditions, please do not hesitate to contract Michael Buenzow at (312) 252-9333.

 

Yours faithfully,

 

FTI CONSULTING, INC.  
     
By: /s/ Michael Buenzow  
Michael Buenzow  
  Senior Managing Director  

 

Attachment – As stated

 

 

 

 

GWG Holdings, Inc.

April 5, 2022

Page 7

 

Confirmation of Terms of Engagement

 

We agree to engage FTI Consulting, Inc. upon the terms set forth herein and in the attached Standard Terms and Conditions.

 

GWG Holdings, Inc.  
     
By: /s/ Murray Holland  
Murray Holland  
  President and Chief Executive Officer  
     
Date: April 19, 2022  

 

 

 

 

FTI CONSULTING, INC.

 

STANDARD TERMS AND CONDITIONS

 

The following are the Standard Terms and Conditions on which we will provide the Services to you set forth within the attached letter of engagement with GWG Holdings, Inc. dated April 5, 2022. The Engagement letter and the Standard Terms and Conditions (collectively the “Engagement Contract”) form the entire agreement between us relating to the Services and replace and supersede any previous proposals, letters of engagement, undertakings, agreements, understandings, correspondence and other communications, whether written or oral, regarding the Services. The headings and titles in the Engagement Contract are included to make it easier to read but do not form part of the Engagement Contract.

 

1.Reports and Advice

 

1.1Use and purpose of advice and reports – Any advice given or report issued by us is provided solely for your use and benefit and only in connection with the purpose in respect of which the Services are provided. Unless required by law, you shall not provide any advice given or report issued by us to any third party, or refer to us or the Services, without our prior written consent, which shall be conditioned on the execution of a third party release letter in the form provided by FTI and attached hereto as Schedule A. In no event, regardless of whether consent has been provided, shall we assume any responsibility to any third party to which any advice or report is disclosed or otherwise made available.

 

2.Information and Assistance

 

2.1Provision of information and assistance – Our performance of the Services is dependent upon your providing us with such information and assistance as we may reasonably require from time to time.

 

2.2Punctual and accurate information – You shall use reasonable skill, care and attention to ensure that all information we may reasonably require is provided on a timely basis and is accurate and complete and relevant for the purpose for which it is required. You shall also notify us if you subsequently learn that the information provided is incorrect or inaccurate or otherwise should not be relied upon.

 

2.3No assurance on financial data – While our work may include an analysis of financial and accounting data, the Services will not include an audit, compilation or review of any kind of any financial statements or components thereof. Company management will be responsible for any and all financial information they provide to us during the course of this Engagement, and we will not examine or compile or verify any such financial information. Moreover, the circumstances of the Engagement may cause our advice to be limited in certain respects based upon, among other matters, the extent of sufficient and available data and the opportunity for supporting investigations in the time period. Accordingly, as part of this Engagement, we will not express any opinion or other form of assurance on financial statements of the Company.

 

2.4Prospective financial information - In the event the Services involve prospective financial information, our work will not constitute an examination or compilation, or apply agreed-upon procedures, in accordance with standards established by the American Institute of Certified Public Accountants or otherwise, and we will express no assurance of any kind on such information. There will usually be differences between estimated and actual results, because events and circumstances frequently do not occur as expected, and those differences may be material. We will take no responsibility for the achievability of results or events projected or anticipated by the management of the Company.

 

 

 

 

3.Additional Services

 

3.1Responsibility for other parties – You shall be solely responsible for the work and fees of any other party engaged by you to provide services in connection with the Engagement regardless of whether such party was introduced to you by us. Except as provided in this Engagement Contract, we shall not be responsible for providing or reviewing the advice or services of any such third party, including advice as to legal, regulatory, accounting or taxation matters. Further, we acknowledge that we are not authorized under our Engagement Contract to engage any third party to provide services or advice to you, other than our agents or independent contractors engaged to provide Services, without your written authorization.

 

4.Confidentiality

 

4.1Restrictions on confidential information – Both parties agree that any confidential information received from the other party shall only be used for the purposes of providing or receiving Services under this or any other contract between us. Except as provided below, neither party will disclose the other party’s confidential information to any third party without the other party’s consent. Confidential information shall not include information that:

 

4.1.1is or becomes generally available to the public other than as a result of a breach of an obligation under this Clause 4.1;

 

4.1.2is acquired from a third party who, to the recipient party’s knowledge, owes no obligation of confidence in respect of the information; or

 

4.1.3is or has been independently developed by the recipient.

 

4.2Disclosing confidential information – Notwithstanding Clause 1.1 or 4.1 above, either party will be entitled to disclose confidential information of the other to a third party to the extent that this is required by valid legal process, provided that (and without breaching any legal or regulatory requirement) where reasonably practicable not less than 2 business days’ notice in writing is first given to the other party.

 

4.3Citation of engagement – Without prejudice to Clause 4.1 and Clause 4.2 above, to the extent our engagement is or becomes known to the public, we may cite the performance of the Services to our clients and prospective clients as an indication of our experience, unless we and you specifically agree otherwise in writing.

 

4.4Internal quality reviews – Notwithstanding the above, we may disclose any information referred to in this Clause 4 to any other FTI entity or use it for internal quality reviews.

 

4.5Maintenance of workpapers – Notwithstanding the above, we may keep one archival set of our working papers from the Engagement, including working papers containing or reflecting confidential information, in accordance with our internal policies.

 

4.6Data Protection - If this Engagement involves the processing of personal data (also referred to herein as personal information) (i) as governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the terms of the EU Data Protection Schedule attached hereto as Schedule B shall apply to this engagement and it shall form an integral part of this Agreement and (ii) as governed by the California Consumer Privacy Act, the terms of the California Data Protection Schedule attached hereto as Schedule C shall apply to this engagement and it shall form an integral part of this Agreement. In the event of a conflict between the terms of this Agreement and the terms of Schedule B or Schedule C, the terms of Schedule B or Schedule C shall prevail in relation to the processing of such personal data. If such personal data is processed in connection with this engagement, Client shall notify FTI in writing before any personal data is disclosed to FTI.

 

-2-

 

 

5.Termination

 

5.1Termination of Engagement with notice – Either party may terminate the Engagement Contract for whatever reason upon written notice to the other party. Upon receipt of such notice, we will stop all work immediately. You will be responsible for all fees and expenses incurred by us through the date termination notice is received. If, at any time prior to twelve months after the cessation without cause of services performed by FTI under this agreement, a restructuring, reorganization, Chapter 11 Plan, or sale, as described in (a) and (b) of the Consummation Fee description, is consummated, whether or not the Debtors have then engaged the services of another professional, FTI will be entitled to payment in full of the Consummation Fee. The right to receive the Consummation Fee for the period of twelve months shall continue even if the Debtors have terminated this engagement.

 

5.2Continuation of terms – The terms of the Engagement that by their context are intended to be performed after termination or expiration of this Engagement Contract, including but not limited to, Clauses 3 and 4 of the Engagement letter, and Clauses 1.1, 4, 6 and 7 of the Standard Terms and Conditions, are intended to survive such termination or expiration and shall continue to bind all parties.

 

6.Indemnification, Liability Limitation, and Other Matters

 

6.1Indemnification - The Company agrees to indemnify and hold harmless FTI and any of its subsidiaries and affiliates, officers, directors, principals, shareholders, agents, independent contactors and employees (collectively “Indemnified Persons”) from and against any and all claims, liabilities, damages, obligations, costs and expenses (including reasonable attorneys’ fees and expenses and costs of investigation) arising out of or relating to your retention of FTI, the execution and delivery of this Engagement Contract, the provision of Services or other matters relating to or arising from this Engagement Contract, except to the extent that any such claim, liability, obligation, damage, cost or expense shall have been determined by final non-appealable order of a court of competent jurisdiction to have resulted from the gross negligence or willful misconduct of the Indemnified Person or Persons in respect of whom such liability is asserted (an “Adverse Determination”). The Company shall pay damages and expenses, including reasonable legal fees and disbursements of counsel as incurred in advance. FTI agrees that it will reimburse any amounts paid in advance to the extent they relate directly to an Adverse Determination.

 

6.2Limitation of liability - You agree that no Indemnified Person shall be liable to you, or your successors, affiliates or assigns for damages in excess of the total amount of the fees paid to FTI under this Engagement Contract. Without limiting the generality of the foregoing, in no event shall any Indemnified Person be liable for consequential, indirect or punitive damages, damages for lost profits or opportunities or other like damages or claims of any kind.

 

7.Governing Law, Jurisdiction, WAIVER OF JURY TRIAL, and Compliance with Law

 

7.1Governing Law The Engagement Contract shall be governed by and interpreted in accordance with the laws of the State of New York, without giving effect to the choice of law provisions thereof.

 

7.2Jurisdiction. - The Bankrutpcty Court having jurisdiction over the Client’s Bankruptcy case shall have exclusive jurisdictrion in relation to any claim, dispute or difference concerning the Engagement Contract and any matter arising form it. The parties submit to the jurisdiction of such Courts and irrevocably waive any right they may have to object to any action being brought in these Courts, to claim that the action has been brought in an inconvenient forum or to claim that those Courts do not have jurisdiction.

 

-3-

 

 

7.3WAIVER OF JURY TRIAL – TO FACILITATE JUDICIAL RESOLUTION AND SAVE TIME AND EXPENSE, THE COMPANY AND FTI IRREVOCABLY AND UNCONDITIONALLY AGREE TO WAIVE A TRIAL BY JURY IN ANY ACTION, PROCEEDING OR COUNTERCLAIM ARISING OUT OF OR RELATING TO THE SERVICES OR THIS ENGAGEMENT CONTRACT.

 

7.4Compliance with Laws - The Company agrees that it will comply with all anti-corruption, anti- money laundering, anti-bribery and other economic sanctions laws and regulations of the United States, United Kingdom, European Union and United Nations (collectively, the “ABC/AML/Sanction Laws”) in connection with this Engagement. The Company further agrees that it shall not, and it shall procure its employees not to, pay or cause other person(s) to pay FTI using any funds that would result in a violation of any of the ABC/AML/Sanction Laws by either Company or FTI, or otherwise take any action that would result in a violation of any of the ABC/AML/Sanction Laws by either Company or FTI. The Company shall promptly notify FTI in the event of any violation or failure to comply with ABC/AML/Sanction Laws in connection with this Engagement, or allegations relating thereto, by the Company or its directors, officers, employees or agents.

 

FTI CONSULTING, INC

 

-4-

 

 

Confirmation of Standard Terms and Conditions

 

We agree to engage FTI Consulting, Inc. upon the terms set forth in these Standard Terms and Conditions as outlined above.

 

GWG Holdings, Inc.  
     
By: /s/ Murray Holland  
Murray Holland  
  President and Chief Executive Officer  
     
Date: April 19, 2022  

 

 

 

 

SCHEDULE A

STANDARD RELEASE LETTER

 

 

[Nonclient Recipient Letterhead]

 

[Date]

 

FTI Consulting, Inc.

 

Dear Mr./Ms. _____________:

 

__________________ (“Client”) has informed [name of recipient] that FTI Consulting, Inc. (“FTI”) has performed certain procedures to assist Client in connection with the ______________________. We understand that the work performed by FTI was performed in accordance with instructions provided by Client and was performed exclusively for Client’s sole benefit and use.

 

Client has requested that FTI provide [name of recipient] access to the report of its findings dated [date]. [name of recipient] acknowledges that this report was prepared at the direction of Client and may not include all procedures deemed necessary for the purposes of [name of recipient] and that certain findings and information may have been communicated to Client that are not reflected in the report. [name of recipient] further acknowledges that (a) the report is being provided for informational purposes only; (b) the report shall not constitute, either expressly or impliedly, any representation or affirmation by FTI as to the accuracy, completeness and/or fairness of presentation of the Report or any statements or information contained therein; and (c) [name of recipient] will make any decisions based on its own investigation, due diligence and analysis, independent of, and without reliance on or reference to, the contents of the report or any other opinions or conclusions of FTI.

 

In consideration of FTI allowing [name of recipient] access to the report and, if requested by [name of recipient], discussing the report, [name of recipient] agrees that it does not acquire any rights as a result of such access that it would not otherwise have had and acknowledges that FTI does not assume any duties or obligations to [name of recipient] in connection with such access.

 

[name of recipient] agrees to release FTI and its personnel from any claim by [name of recipient] that arises as a result of FTI permitting [name of recipient] access to the report. Further, [name of recipient] agrees not to disclose or distribute the report, or information received, orally or in writing from FTI to any other parties without FTI’s prior written consent.

 

Acknowledged by [name of recipient] representative:

 

By:    
(Name of Company official  
     
Title:    
     
Date:    

 

-2-

 

 

SCHEDULE B

 

FTI CONSULTING DATA PROTECTION SCHEDULE

 

This Data Protection Schedule (“Schedule”) forms part of the contract for services to which it is an attachment (the “Contract”) between the client party identified in the Contract (the “Client”) and the relevant FTI Consulting group entity identified in the Contract (“FTI”).

 

1.Definitions

 

1.1In this Schedule, unless otherwise defined herein, all defined terms shall have the meaning set out in the Contract.

 

1.2In this Schedule, the following terms shall have the meanings set out below:

 

  1.2.1 Data Protection Laws” means all legislation protecting the personal data of natural persons that is applicable to the processing of Personal Data under this Schedule, including (without limitation) the GDPR and any national legislation which supplements the GDPR, and the data protection laws of any other country, state or territory which apply to such processing;
     
  1.2.2 “EEA Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as updated, amended, replaced or superseded from time to time by the European Commission;
     
  1.2.3 GDPR” means the General Data Protection Regulation (EU) 2016/679;
     
  1.2.4 “Restricted Transfer” means a transfer of Personal Data from Client to FTI in circumstances where such transfer would be prohibited by Data Protection Laws in the absence of the EEA or UK Standard Contractual Clauses;
     
  1.2.5 “Standard Contractual Clauses” means either the EEA or UK Standard Contractual Clauses, as applicable to a Restricted Transfer;
     
  1.2.6 “UK Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of protection as set out in Commission Decision 2010/87/EU, as updated, amended, replaced or superseded from time to time by the UK government; “UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019; and
     
  1.2.7  Personal Data”, “Process”, “Controller”, “Processor”, “Data Subject”, “Supervisory Authority” and “Personal Data Breach” shall have the meanings given to them in the Data Protection Laws.

 

2.Controller Terms

 

2.1FTI and the Client will each act as separate and individual Controllers in relation to any Personal Data (including, without limitation, Personal Data relating to any of the Client’s workers, FTI’s workers, any litigation or arbitration opponent or customer or vendor or transaction partner) Processed by the Client or FTI to deliver the services set out under the Contract.

 

-3-

 

 

2.2FTI and the Client will each comply with its own respective obligations under the Data Protection Laws in relation to their Processing of Personal Data under the Contract. In particular, the Client will ensure that any disclosures of Personal Data to FTI are lawful, and, in each case where necessary under the Data Protection Laws, the Client has notified and secured the consent of the relevant Data Subjects.

 

2.3FTI may appoint Processors as required to deliver the services, who will process the Personal Data on FTI’s behalf and at FTI’s direction. Further, FTI may disclose Personal Data to other Controllers:

 

2.3.1where necessary to deliver the services (including, but without limitation, law firms, accountants, other third party experts and any member of FTI’s group of companies); or

 

2.3.2pursuant to a legally binding written request, an order or request of a court of competent jurisdiction or any governmental or regulatory authority or where disclosure is required by applicable law or regulation (“Legal Process”). In relation to any Legal Process, FTI shall assess the lawfulness of the request before responding, and shall take any steps required by Data Protection Laws to protect Personal Data prior to its disclosure (including, without limitation, with respect to data minimization and data security);

 

2.4In respect of any Restricted Transfer subject to the GDPR, the parties hereby enter into Module 1 of the EEA Standard Contractual Clauses (with Client as data exporter and FTI as data importer), which is hereby incorporated by reference into this Schedule and which shall come into effect upon the commencement of a Restricted Transfer. The parties make the following selections for the purposes of Module 1:

 

  2.4.1Clause 7 – Docking clause shall apply;

 

  2.4.2Clause 11(a) – Redress the optional language shall not apply;

 

  2.4.3Clause 13(a) – Supervision

 

 2.4.3.1Where Client is established in an EU Member State, the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall be the supervisory authority of the Member State in which Client is established or (if different) the lead supervisory authority of the Client in respect of a cross-border processing activity”. OR

 

 2.4.3.2Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, shall act as competent supervisory authority.” OR

 

 2.4.3.3Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) without however having to appoint a representative the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”

 

-4-

 

 

  2.4.4Clause 17 – Governing law “Option 1” shall apply and the “Member State” shall be the Republic of Ireland;

 

  2.4.5Clause 18 – Choice of forum and jurisdiction the Member State shall be the Republic of Ireland;

 

  2.4.6Annex 1 – the data exporter is Client and the data importer is FTI (in each case as identified, including in relation to their places of establishment, in the Principal Agreement) and the description of transfer is deemed to be as described in Annex 1 to this Schedule;

 

  2.4.7Annex 2 – the technical and organizational security measures are deemed to be as described in Annex 2 to this Schedule; and

 

  2.4.8Annex 3 – not applicable.

 

2.5In respect of any Restricted Transfer subject to the UK GDPR, the parties hereby enter into the UK Standard Contractual Clauses (with Client as data exporter and FTI as data importer), which are incorporated by reference into this Schedule and which shall come into effect upon the commencement of a Restricted Transfer. For the purposes of clause II h) of the UK Standard Contractual Clauses, the Parties shall be deemed to have selected option (iii). Annex 2 to the UK Standard Contractual Clauses shall be deemed to be prepopulated with the relevant sections of the Annex to this Schedule. If at any time the UK government approves the EEA Standard Contractual Clauses for use under the UK GDPR, the provisions of paragraph 2.4 shall apply in place of this paragraph 2.5 in respect of Restricted Transfers subject to the UK GDPR, subject to any modifications to the EEA Standard Contractual Clauses required by the UK GDPR (and subject to the governing law of the EEA Standard Contractual Clauses being English law).

 

2.6The Client acknowledges and agrees that certain Processors or Controllers engaged by FTI under paragraph 2.3 may be located in places that may require cross-border transfers of Personal Data. In respect of transfers by FTI to such Controllers or Processors, FTI will take steps in accordance with the Data Protection Laws to ensure an adequate level of protection for the Personal Data Processed by such Processors or Controllers. Where such a Controller or Processor notifies FTI that it may no longer be able to provide an adequate level of protection in accordance with Data Protection Laws, FTI shall independently assess the level of protection provided and, where necessary, shall take mitigating steps to improve the level of protection or, where this is not possible, terminate the transfer.

 

2.7The Client acknowledges that FTI’s email records are replicated onto a Microsoft 365 Cloud system in the United States of America and the Client hereby consents that any Personal Data that is provided to FTI by email will be replicated accordingly. To the extent that the Client wishes to transmit certain information or data to FTI and the Client objects to that data being replicated in accordance with this paragraph, the Client will use a communication or transmission method other than e-mail or will use an alternative e-mail system.

 

-5-

 

 

SCHEDULE C

 

FTI CONSULTING CALIFORNIA DATA PROTECTION SCHEDULE

 

This California Data Protection Schedule (“Schedule”) forms part of the contract for services to which it is an attachment (the “Contract”) between the client party identified in the Contract (the “Client”) and the relevant FTI Consulting group entity identified in the Contract (“FTI”). FTI will be functioning as a service provider.

 

1.Processing of Personal Information.
   

In connection with FTI’s provision of services to Client under the Contract, if FTI receives any personal information (as such term is defined under the California Consumer Privacy Act) from or on behalf of Customer, then FTI:

 

 (a)will only process such personal information for the purpose of providing the services;

 

 (b)will not retain, use, or disclose such personal information for any purpose other than to perform the services or outside of the direct business relationship between FTI and Client;

 

 (c)will not sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate such personal information to any third party for monetary or other valuable consideration; and

 

 (d)certifies that it understands the restrictions on its processing of such personal information as set forth in this sentence, and will comply with them.

 

FTI may disclose personal information to FTI’s service providers in connection with such service providers providing services to FTI, and FTI may permit such service providers to process personal information as necessary for FTI to provide the services to Client.

 

-6-

 

 

Annex 1: Description of Personal Data Processing

 

This Annex includes certain details of the Processing of Personal Data by FTI under the Principal Agreement.

 

1.Subject matter and duration of the Processing of the Personal Data

 

The subject matter and duration of the Processing of the Personal Data are set out in the Principal Agreement and this Schedule.

 

2.The nature and purpose of the Processing of the Personal Data

 

FTI is engaged to provide Services to Client which involve the Processing of Personal Data. The scope of the Services are set out in the Principal Agreement, and the Client Personal Data will be Processed by FTI for purposes determined by it, in connection with the delivery of those Services and compliance with the terms of the Principal Agreement, including this Addendum, as well as applicable laws.

 

3.The types of the Personal Data to be Processed

 

Client customer or employee information which may be collected in the course of delivering consulting and advisory services to Client, including name, title, gender, personal contact details (address, telephone number, email address), work address, work email, work telephone numbers, job title, and other types of Personal Data supplied by the Client to FTI pursuant to the Principal Agreement.

 

4.The categories of Data Subject to whom the Personal Data relates

 

The categories of Data Subjects are determined by the nature of the client engagement, the details of which are covered in the Principal Agreement.

 

5.The obligations and rights of Client

 

The obligations and rights of Client are set out in the Principal Agreement and this Schedule.

 

6.Frequency of Restricted Transfers (where applicable):

 

As necessary to deliver Services for the duration of the Principal Agreement.

 

7.The period for which Personal Data subject to Restricted Transfers will be retained (where applicable):

 

In accordance with FTI’s data retention policies, copies of which are available upon request.

 

-7-

 

 

Annex 2: Technical and Organizational Security Measures

 

FTI Consulting maintains the following technical and organizational security measures when processing Personal Data for its clients.

 

Measures of pseudonymisation and encryption of personal data

 

When data at rest leaves our direct control (such as backup tapes, removable hard drives, etc.) the data is encrypted using AES 256-bit encryption. All laptops utilize full disk encryption. Data that is in transit over public circuits is encrypted in transit using SSL. FTI Consulting additionally deploys firewalls throughout its networks to allow and deny specific network traffic using key indicators such as source/destination address, source/destination port, etc.

 

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

 

FTI requires new employees/contractors to acknowledge receipt of the following policies including: Code of Ethics and Business Conduct, Anti-Corruption Policy, Acceptable Use of Technology Resources, Confidentiality Agreement, Employee Handbook Policy on Inside Information & Insider Trading, and Time Recording Policy.

 

FTI Consulting has a documented policy for business continuity and disaster recovery that has been approved by management, communicated properly and is maintained and reviewed. The general details are reflected in the FTI Consulting Information Security Policy. The recovery point objective exceeds 4 hours and the recovery time objective exceeds 24 hours. The specific tools used for backups vary by region.

 

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

 

FTI has access to all major vendor security bulletins and have controls over identifying, scheduling, testing, and deploying patches. The deployment time is 14 days for high and within 24 hours for critical/emergency patches.

 

FTI has controls over identification of vulnerabilities, risk ranking, reporting, and remediation. This includes perimeter vulnerability scans that must be performed at least quarterly and semi-annual internal vulnerability scans that cover workstations, servers, and network devices.

 

FTI performs internal penetration test to identify flaws in the internal security controls that could allow an attacker to surreptitiously gain access to sensitive data and/or disrupt critical business systems. The organization must also perform external network penetration test to identify potential vulnerabilities which could be exploited to gain access to systems and data or to establish a foothold into internal network from which to launch further attacks.

 

FT’s cybersecurity team tracks the resolution of vulnerabilities. Vulnerabilities that are not resolved as part of patching cycles must be tracked on a vulnerability log or similar mechanism.

 

Measures for user identification and authorization

 

FTI uses unique IDs and if generic IDs should be disabled unless there is an approved security exception. FTI users authenticate through Active Directory (AD), SSO used when possible, and remote connection requires two factor authentication and leverages FTI’s Corporate DUO two factor technology. Duo Security generates passcodes (similar to a PIN Code) to mobile devices for login and can receive push notifications for easy updates. Duo Security is integrated with OneLogin (our SSO platform) providing a unified authentication solution.

 

-8-

 

 

Privileged and remote access must include multi-factor authentication and secure mechanisms (e.g., TACACs+, RADIUS) must be used on all network devices.

 

FTI password complexity (i.e. characters, length), lockout settings, expiration settings meets the following requirements:

 

.Contain both upper and lower case characters (e.g., a-z, A-Z)
  
·Have digits and punctuation characters as well as letters e.g., 0-9,!@#$%^&*()_+|~-=\’{}[]:”;‟<>?,./)
  
·Contains at least 12 characters for standards accounts and 15 characters in length for admin accounts
  
·Must be changed at least every 90 days
  
·Are not words in any language, slang, dialect, jargon, etc.
  
·Are not based on Confidential Information, names of family, etc.
  
·User accounts are locked after 10 unsuccessful logins. Account lockout for 30 mins. Reset after 30 mins.
  
·Password history - 24 passwords remembered

 

Passwords are stored protected in an encrypted format.

 

Measures for the protection of data during transmission and measures for the protection of data during storage

 

FTI has Data Loss Prevention (DLP) and extrusion prevention tools that restrict sending sensitive data over unsecure mail. Anomalies that exceed the normal traffic patterns are noted and appropriate action is taken to address them.

 

FTI protects data in transmission which include the following acceptable methods:

 

 Email: Transport Layer Security (“TLS”) Internet protocol, which provides security for all email transmissions over the public Internet may be setup with using opportunistic or mandatory TLS connections. Only TLS 1.2 or TLS 1.3 is acceptable.

 

 “Mailbox to mailbox” encryption that secures email messages and electronic files (using 256-bit AES encryption).

 

 Secure FTP: FTP utilizes TLS or SSH to allow us to share data with clients securely over the Internet. Only TLS 1.2 or TLS 1.3 is acceptable.

 

 External Encrypted Drive: Must use FIPS 140-2/AES 256-bit encryption or stronger.

 

 File Stores: Matter/Engagement related files stored centrally on the network are secured so that only those explicitly authorized can access the files.

 

FTI stores data in an environment that is not internet facing and segregated from the demilitarized zone by a firewall. The data must be logically segregated from other client or corporate data. Different tools may be employed depending upon the nature and/or location of the work.

 

Measures for ensuring physical security of locations at which personal data are processed

 

Specific physical security provisions vary depending on office location, however, as per the Information Security policy, access to company premises, including delivery and loading areas, must require badge access. Badge access is managed by local facilities or ITG, who use a badge kiosk to produce access badges. All badge issuances and updates require management approval.

 

Measures for ensuring events logging

 

-9-

 

 

FTI logs activity which is stored for 7 years. Data is logged at sufficient level (i.e. user ID, activity) and logging is enabled for the entire environment. The logging must provide relevant information (i.e. authorized & unauthorized attempts, remote access). System event and audit logs should capture the following events as applicable:

 

 Authentication failures

 

 Software or service failures

 

 Logon and use of privileged IDs

 

 Database changes

 

 Adding/deleting users

 

 Password Changes

 

 Adding/deleting groups and/or users associated with groups

 

 Changing audit log configuration or disabling audit subsystem

 

FTI uses SecureWorks which provides a Security Incident and Event Management (SIEM). The foundation of the SIEM includes Red Cloak endpoint event logs analysis, which includes an industry-leading assessment of current and zero-day threats and vulnerabilities.

 

Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management

 

FTI has processes in place to confirm compliance with configuration standards. This includes a process for newly created device (i.e., checklist), at least annual reviews and hardening, removal of unnecessary / insecure services, and alarms set for key events (i.e. change in security group, configuration).

 

Measures for certification/assurance of processes and products

 

FTI holds the Certified Enterprise designation from Verizon Cybertrust and participates in their Security Management Program (SMP). The SMP is a comprehensive security risk reduction and certification program that addresses all aspects of proactive information security, from network and system analysis to physical and policy inspection. The cornerstone of SMP is the International Standards Organization (ISO) standard 27002.

 

As part of the Cybertrust Third Party assessment schedule, FTI Consulting’s Global Cybersecurity and Privacy function undergoes the following reviews by the Verizon Security Certification organization:

 

 Policy Review — evaluates the documentation and inspects the contents of key security policies — Annually.
     
 Process and Procedure Validation — Annually.
     

 Physical Inspection — evaluates the implementation of security controls in the physical environment surrounding critical network infrastructure, including doors, HVAC, entry logs, power redundancy, etc. — Annually.
     
 External Risk Assessments (Network and System-level scans) — Quarterly identifies possible risk areas in an organization’s external network infrastructure and assesses its consistency with key controls.
     
 Penetration testing (External and Internal – Network and System-level) is conducted by a separate third-party — Annually.

 

-10-

 

 

Individual business units may hold additional certifications or use tools that are supported by additional certifications.

 

Measures for ensuring data minimisation

 

FTI only acquires data for the intended purpose by working with the client or business partner to ensure only the minimum amount of necessary data is obtained.

 

Measures for ensuring data quality

 

FTI Consulting is dedicated to providing its clients with high quality services that meet our standards of excellence and integrity. The quality of the work for each of our clients is monitored by the Senior Managing Directors responsible for each engagement along with the highly qualified colleagues in their practice teams and business segments. On a broader level, FTI sets the tone for our global organization in our Code of Conduct (https://www.fticonsulting.com/~/media/Files/us- files/our-firm/guidelines/fti-code- of- conduct.pdf) which discusses our commitment to quality throughout, and in particular in our Statement of Values.

 

FTI takes into account the principle of purpose limitation, while making sure that the data is adequate, relevant and not excessive for the legitimate purpose. FTI enables data subjects to exercise their rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of Personal data and keep data accurate, and not retain it any longer than necessary.

 

Measures for ensuring limited data retention

 

FTI has a records retention policy that ensures records are retained for required and necessary periods of time; providing that records which are no longer useful are properly destroyed; and providing that records to be retained are stored methodically and economically. FTI uses their reasonable and best efforts to prevent the premature destruction of Records. The organization must have processes to return data upon end of contract and destroy data using appropriate mechanisms upon Department of Defense (DoD) and National Institute of Standards and Technology (NIST) standards for all data bearing devices.

 

Measures for ensuring accountability

 

FTI has a defined process to resolve complaints about privacy and its collection or use of personal information in compliance with the EU-US Privacy Shield Principles. FTI has measures in place to ensure complaints are resolved within 1 month. Unless otherwise dictated by local law, the exact number of days to comply with a request varies, depending on the month in which the request was made and is calculated based on the day the request is received plus one (regardless of whether the day is a working day or not) until the corresponding calendar date in the next month.

 

Measures for allowing data portability and ensuring erasure

 

FTI receives requested Personal Data directly or provide access to a tool which allows the requestor to extract the information themselves using a self-service type model.

 

The Personal Data requested is required to be provided in a format and structure which is commonly used and machine-readable. The following machine-readable formats:

 

 CSV: (Comma separated values) a format that stores tabular data (numbers and text) in plain-text form;
     
 PDF: (Portable Document Format) a file format used mainly to represent documents such that layout will stay the same independent of the system environment;

 

-11-

 

 

 XML: (eXtensible Markup Language) a markup language that defines a set of rules for encoding documents in a format that can be both human and machine readable;
     
 JSON: (JavaScript Object Notation) a machine-readable data format derived from the JavaScript language used for representing simple data structures and associative arrays; or
     
 HTML: (HyperText Markup Language) the main markup language for displaying web pages and other information in a web browser.

 

FTI has a data erasure process in place to track and manage responses, and, as necessary, provide updates to the relevant regulatory authority and/or input into management reports. The organization must verify the identity of the data subject before disclosing any personal information. The organization should only refuse to comply with an erasure request if it is “manifestly unfounded or excessive” or, alternatively may elect to charge a “reasonable fee.” The response is in written communication together with the documents containing the proper erasure of data.

 

 

-12-