2021 ESG Report, page 84

Transparency

Cybersecurity governance

Our approach to cybersecurity governance includes aligning cybersecurity risk management, policy and compliance initiatives with business objectives so that information assets and technologies used in BD products, manufacturing, service, enterprise IT and third-party components are secure, resilient and compliant with applicable regulatory and industry standards. This includes cybersecurity due diligence for BD mergers, acquisitions and divestitures.

BD Information Security policies and procedures are reviewed annually by cross-functional stakeholders specializing in information security, integrated supply chain, enterprise IT and quality. Additionally, cybersecurity risks and their potential impact on BD, customers and patients are reviewed by the company's central, regional and business teams, and information security provides guidance for identifying, prioritizing and mitigating such risks. Cybersecurity risks are also integrated into our approach to enterprise risk management, and significant cybersecurity risks are communicated to the Executive Leadership team and the Board of Directors through the Audit Committee and the Quality and Regulatory Committee.

In addition, BD provides the Board of Directors and the Executive Leadership team with cybersecurity training. This includes annual scenario-based cybersecurity training in providing effective oversight in the event of a significant cybersecurity incident, and targeted cybersecurity training opportunities such as the National Association of Corporate Directors (NACD) Cyber-risk Oversight Certificate program, which is designed to enhance participants' understanding of the cybersecurity threat landscape, cyber-risk oversight responsibilities and organizational preparedness for cybersecurity crises.

We also provide annual cybersecurity awareness training for our 75,000 associates, comprising online cybersecurity training modules; in-person and virtual cybersecurity bootcamp classes; contextual phishing simulation exercises; mock incident response exercises; and intranet resources aimed at enhancing associates' ongoing cyber-awareness.

Cybersecurity risk management

BD proactively monitors for suspicious activity, including phishing attacks, malware and ransomware attacks, insider threats and human error. Our monitoring and detection systems block an average of 14.4 million malicious activities per month. Our cybersecurity program also includes regular internal and external security audits and vulnerability assessments; penetration testing of the company's systems, products and practices; third-party risk assessments; threat intelligence investigations; vulnerability scanning and management; and incident management. We also leverage threat modeling to uncover and examine potential cybersecurity risks during the design process and beyond.

BD maintains consistent practices for reporting cybersecurity incidents to the U.S. government, including the Cybersecurity and Infrastructure Security Agency (CISA) and/or the Federal Bureau of Investigation (FBI). In addition, BD welcomes vulnerability reports from customers, security researchers, third-party component vendors and other external groups that wish to report a potential vulnerability in a BD software-enabled device. Our approach to vulnerability reporting and disclosure is publicly available at the BD Cybersecurity Trust Center and noted in the BD 2021 Cybersecurity Annual Report.