Each of these lists, as well as our other chemical standards, are communicated and made available to our vendors during the onboarding process as part of our comprehensive Product Safety & Compliance ("PS&C") Manual. Vendors are required to acknowledge compliance with our PS&C Manual at the time of onboarding. These lists are reviewed and updated as necessary, and at least on an annual basis, and were last updated in 2022.

As part of our testing program for direct import and owned brand products, we engage a third-party independent lab to test and evaluate these products for compliance with applicable laws, regulations, industry safety standards and certain Company policies.

In 2019, we committed to eliminating chemicals on the PCL from private label baby personal care products by the end of 2020. We achieved this goal, together with our vendors, as of the target date. In addition, Bed Bath & Beyond and buybuy BABY owned brand textile products are certified to, at a minimum, the OEKO-TEX® STANDARD 100, which certifies that products have been tested for harmful substances.

Cybersecurity

We recognize the ever-increasing need to protect all Associates, customers, and business partners against potential data and cybersecurity risks. Our cybersecurity programs are overseen by the Audit Committee of the Board.

Our cybersecurity strategy, investments, and defenses are reviewed by the full Board of Directors at least once per year.

Our Senior Director, Information Security Officer, operates as our Chief Information Security and Privacy Officer and is responsible for overseeing information risk governance and our privacy functions.

Our information security and privacy programs are functionally managed by the Executive Information Security & Privacy Steering Committee (EISPSC). This Steering Committee leverages a top-down approach to information security initiatives to optimize spending, manage information and information assets, and reduce risk to the organization. We perform periodic incident response procedural reviews and exercises to ensure adequate response and timely reporting of incidents to key stakeholders for appropriate disclosure.

Over the last year, we conducted two reviews, facilitated by independent parties, to assess our current data protection and cybersecurity programs. The first of these reviews focused on baselining and benchmarking our current process against best practices in information security controls. The second review consisted of a business continuity maturity assessment based on the internationally accepted security framework ISO 27000. We are actively working on addressing improvements that resulted from these assessments.

Data Protection

We maintain a risk-based framework to protect the confidentiality, integrity, and availability of customer and Associate data. We continue to advance our data protection capabilities to address the continuously evolving threat landscape. We are focusing on embedding security and privacy by design in our Company processes and technology solutions.

Cybersecurity Compliance

We are compliant with the Payment Card Industry (PCI) Data Security Standards, the Sarbanes-Oxley Act (SOX), and the California Consumer Privacy Act (CCPA).

Our information security program is aligned with recognized information security management system standards (ISO/IEC 27001) and cybersecurity frameworks (NIST SP-800 series), and related policies are annually approved, continuously reviewed, and made available to Associates. A targeted security awareness training program is administered annually to all Associates to reinforce proper identification and reporting of social engineering attempts.

Our Security Operations Center continuously monitors external threats, defends against malicious activity, and ensures all Company assets are enabled with multiple layers of protection. A dedicated information security incident response team addresses security incidents concerning malicious intent, data exfiltration, policy violation, and confidential Company information.

Annual audits, performed by internal and external resources, and penetration tests are conducted on our systems and applications to continually monitor vulnerability and compliance with governmental and industry regulations.

Bed Bath & Beyond 2021 ESG Report 35