RESPONSIBLE BUSINESS PRACTICES

Data Security Framework

[Figure: Data security governance structure. Boxes: Board (oversight of enterprise-wide risk assessment and risk management, including operational infrastructure pertaining to security, data privacy and business continuity); Audit Committee (oversight of major financial risk exposure and the steps management has taken to monitor and control such exposures, including cybersecurity and data privacy); Enterprise Risk Management (ERM) Director; CEO, Senior Leadership Team; Chief Information Security Officer (CISO). CISO functions grouped under the headings SECURITY, COMPLIANCE and PREPAREDNESS: Third-Party Vendor Security and Data Privacy; Security Operations; Vulnerability Management and Framework Alignment; Program Benchmarking.]

Information Technology Oversight

The Board is responsible for the oversight of enterprise-wide risk assessment and risk management, including our operational infrastructure pertaining to security, data privacy and business continuity. The Chief Information Security Officer (CISO), who reports to the Chief Information Officer, provides strategic leadership and direction for Casey's information security function and leads a cybersecurity team dedicated to safeguarding IT and related operations across the company's operations. In addition to overseeing security operations, incident management and security engineering, the CISO and security team are also responsible for certain areas of SOX and Payment Card Industry (PCI) compliance, and the CISO leads the cyber incident response governance team, a cross-functional group dedicated to rapid and coordinated recovery and response in the event of a suspected cyber incident. As part of their risk oversight responsibilities, the CISO regularly presents updates to the ERM Director and the Senior Leadership Team (SLT) monthly, to the Audit Committee quarterly and to the full Board at least once per year.

Data Governance

The Information Governance Team has a formal risk assessment framework and evaluation for vendors and other third parties who may have access to Casey's confidential information or its network. We endeavor to ensure that all third-party vendors who receive, manipulate, process, store, host, utilize or compile Casey's sensitive or private business data execute a Nondisclosure Agreement (NDA). These NDAs, along with other contractual protections, are intended to protect against intentional and unintentional data losses or breaches of confidentiality for the entire period of the vendor's access to Casey's business data or systems.

20 Casey's 2022 ESG Report