Our impact Helping employees stay cyber-aware We work to help every Cisco employee understand their role in the security and privacy equation through awareness and education. Security for all Cisco-managed devices reflects guidance adopted by NIST, ISO, and other organizations, including mandatory software updates and multifactor authentication (MFA) to help protect employees and the company from ransomware and other cybersecurity attacks. The Keep Cisco Safe campaign includes messaging and interactive training modules that address cyberrisk, security, and privacy concepts. We also educate our people through SecCon, our annual internal security conference, the Privacy Assessors & Champions curriculum, and internationally recognized Certified Information Privacy Professional training and certifications. End-to-end security and privacy Cisco’s business model is not about monetizing customer or personal data, but protecting it. We embed security and privacy by design with the Cisco Secure Development Lifecycle (CSDL), which includes a Rapid Risk Assessment for security and privacy and detailed assessments such as the Privacy Impact Assessment. The CSDL is a repeatable and measurable process that is now unified across all solutions and services we offer, and has expanded to consistently manage our cloud solutions. This combination of tools, practices, and awareness increases the resiliency and trustworthiness of Cisco solutions throughout their lifecycles. Learn more about the CSDL on the ESG Reporting Hub . In addition, our cloud offers are backed by third-party certifications, copies of which are available on Cisco’s Trust Portal . Being transparent about what we disclose We follow our Principled Approach to Government Requests for Data and are committed to transparent disclosure of the types of government data requests we receive and how we respond to them. We believe that governments should go directly to our customers, not Cisco, to request data. Cisco releases a Transparency Report every six months to document the data requests we receive from law enforcement and national security agencies around the world. The most recent report, published in July 2021, includes a new interactive map that allows users to sort data by region and timescale. While Cisco respects efforts by governments to thwart bad actors and deter criminal activity, we are also committed to ensuring that access to our solutions and services is free from unlawful or overbroad intrusion. In fiscal 2021, we published law enforcement guidelines that inform customers and law enforcement agencies about the ways we protect customer data. It outlines the legal burden required of law enforcement agencies and governments when requesting customer data and the laws to which these requests are subject. Responding to global privacy requirements We work closely with regulators and standards bodies worldwide to drive consistency in our approach to protecting and respecting privacy. To demonstrate our compliance capabilities and adherence to global privacy principles, we have certified our enterprisewide program to EU Binding Corporate Rules, APEC Cross-Border Privacy Rules system and Privacy Recognition for Processors, and the EU/UK/Swiss-U.S. Privacy Shield. In the United States, we continue to call for federal privacy legislation to establish a consistent baseline of protection for all users. Privacy is much more than just a compliance obligation. It is a fundamental human right and business imperative that is critical to building and maintaining customer trust. The core privacy and ethical principles of transparency, fairness, and accountability will guide us in this new, digital-first world. ” — Harvey Jang, Vice President, Chief Privacy Officer FUTURE INTRO POWER INCLUSIVE 2021 Cisco Purpose Report | csr.cisco.com | ESG Reporting Hub 18