RESPONSIBLE BUSINESS PRACTICES

Data Security and Customer Privacy

Protecting Casey's sensitive and private business information, as well as personal guest data, is a top priority. Our dedicated approach to protecting Casey's information assets supports sustainable business operations and lowers the risk of data security incidents.

Casey's recognizes digital information as a valuable asset necessary to our operations. We view our responsibility for, and oversight of, enterprise data security, guest privacy and business continuity practices as essential to ensuring our long-term operational sustainability and business success.

Data Governance Policy

During FY 2022, we established a Data Governance Policy (Data Policy) to formalize processes and procedures for protecting our information assets, including guest data. The Data Policy also exists to educate applicable team members about the importance of protecting certain information and about the processes and procedures that keep sensitive and personally identifiable information (PII) secure.

Certifications and Third-Party Assessments

Casey's has been certified to comply with various international security certifications and standards and otherwise adopts appropriate best practices from industry-leading frameworks, such as the U.S. NIST Cybersecurity Framework (NIST CSF) and the Payment Card Industry Data Security Standard (PCI DSS). Our IT department continually monitors and enhances protocols for security governance through rigorous internal assessments and vulnerability management testing guided by our NIST CSF risk-assessment methodology.

We continually review and maintain our technology systems to ensure compliance and to safeguard our customers' cardholder data. Our internal Sarbanes-Oxley (SOX) compliance audit team also audits our IT systems and business controls at least annually.

During FY 2022, we received a Report on Compliance (RoC) from a Qualified Security Assessor (QSA) validating our adherence to the requirements of the PCI DSS.

Quality and objective assessments are critical to the continued effectiveness of our cybersecurity controls. We routinely engage independent, licensed third-party auditors to perform comprehensive evaluations of our SOX compliance, our full cybersecurity program, penetration testing and ransomware risk against stringent standards.

Beyond our enterprise security programs, tools and firewall protocols, our technology infrastructure has been strengthened through the use of third-party, cloud-based platforms that provide ease of access while holistically ensuring data protection, resiliency and redundancy.

Security Awareness Training

We promote a strong culture of security awareness and readiness among our team through training and regular communication. Team members whose responsibilities require email and network access must comply with our privacy and information security programs. Within 30 days of hire and annually thereafter, all qualifying team members must complete mandatory information security and awareness training, including in-store social engineering training and ongoing anti-phishing exercises. Remedial measures are taken to address repeated failures of testing requirements. Training is delivered through an online portal that tracks participation and includes a testing component with each training session to measure competency. Training results are regularly reported internally to the SLT and to the Audit Committee. During FY 2022, approximately 93% of qualifying team members completed these information security requirements, with the remaining 7% incomplete largely due to turnover.

Information Security Management

Our Security Management:
Data Governance Policy
Certifications and Third-Party Assessments
Security Awareness Training
Information Technology Oversight
Third-Party Vendor Data Governance

19 Casey's 2022 ESG Report
