
BNY MELLON ENTERPRISE ESG 47
RESPONSIBLE BUSINESS

Enterprise ESG 2025 Technology Goals

Goal: Continually evolve business protocols to help ensure systems continuity in every jurisdiction in which we operate, and across borders

KPI: Expand our information security management system based on an internationally recognized specification (i.e., ISO 27001) for all critical applications and business services

Progress: BNY Mellon successfully recertified to ISO 27001:2013 for a 3-year cycle in 2021. We are conducting a feasibility analysis of ISO27701:2019 Privacy Information Management System (PIMS) as an extension of the ISO27001:2013 certification.

Goal: Evolve business protocols to provide technology knowledge, resilience and business continuity

KPI: Cultivate a globally competitive level of workforce awareness concerning information systems security

Progress:
• Increased the scope and cadence of experiential learning and threat simulations for staff (e.g., conducted tabletop exercise “wargames,” tested wargame audiences with individual spear-phishing emails before wargames, tested high-risk populations with in-inbox spear-phishing tests, including credential harvesting pages)
• Expanded written publications to reach new internal and external audiences (e.g., “Phish Catchers” series to reward best-practice staff hygiene behavior and spread security culture)
• Increased scope and cadence of live and recorded presentations for staff and clients (e.g., published first client-facing cyber threat and hygiene recorded presentation, trained all 18 executive assistants with 1:1 sessions)

SPOTLIGHT
A Catalyst for Inclusive Language Within Financial Services

BNY Mellon is at the forefront of driving inclusive language throughout the field of cybersecurity and the broader realm of IT in the financial services industry. Our company served as the catalyst for raising industry awareness and driving change by initiating a recent paper on Use of Non-inclusive Language in Technology and Cybersecurity and Why It Matters. Released by UK Finance and produced jointly by EY and Microsoft, this paper encourages language neutrality by identifying and raising awareness of sensitive terms such as “repeat offenders” and “blacklisting” and replacing them with neutral terms.

The concept for the paper originated with Hem Pant, Head of Information Security, BNY Mellon International and the Global Head of Cyber Third Party and Inter-Affiliates Assessments. Pant hopes that a new vocabulary will help make the field of cybersecurity more inclusive and expand the talent pipeline by removing the barrier of negative language based on race, gender or other attribute.

Resiliency. Our resiliency management program focuses on:
• Business continuity/technology recovery
• Technology risk and control
• IT service management (change/problem/incident management)
• IT sourcing
• Vendor risk management
• Information security operations

Our Cyber, Technology and Operations Center is the result of our commitment to resiliency. We have built a 360-degree watchtower with a clear view of what is happening in our systems and in the world around us. We have an optimized team representing every functional area we need to identify and respond quickly to threats or incidents to perform better for our clients.
