2021 SUSTAINABILITY PROGRESS REPORT | Cummins Inc. GETTING THE MESSAGE OUT Cummins designates October as Cybersecurity Awareness Month. Global Cybersecurity team members and leaders go out and speak about the importance of cybersecurity in a variety of settings and multiple locations across the company. The team has also established a Cybersecurity Ambassador program, providing participants with the information they need to talk to their co-workers about the importance of protecting Cummins’ digital resources and information. 60 INNOVATIVE INITIATIVES Anyone with a Cummins account, including contract and joint venture workers, also has the ability at the press of a button to report suspicious emails. The company is constantly testing and implementing tools to detect anything outside of normal operations such as malware. In addition to new tools, the cybersecurity team collaborates with the business to conduct vendor security assessments to ensure vendors have adequate security measures in place before being entrusted with Cummins data. Finally, in a world that is increasingly interconnected, Cummins Global Cybersecurity is engaged in product development early on to maintain the highest levels of protection for the company’s products against cyber threats. TRAINING AND EDUCATION In addition to implementing the hardware and software necessary to protect the company from cyber threats, Cummins Global Cybersecurity has also worked to engage Cummins employees in its efforts through training and education, starting from revised global onboarding materials, where new employees first learn about the importance of protecting the company’s data and information. Employees who receive access to Cummins’ digital network receive training on the devices they use, including cybersecurity training, and the company is expanding training to employees who don’t have direct access to the network. Cummins expanded its required online training for employees with access to the company’s digital network. In 2021, more than 28,000 employees completed mandatory online training on data privacy. Global Cybersecurity also began sending out monthly emails to the more than 65,000 people enrolled in its training and awareness program testing whether they can successfully identify phishing attempts. Based on actual emails Cummins employees received, the exercise includes links to additional training for those who need it. A SOLID FOUNDATION Cummins Global Cybersecurity starts with a solid foundation, built on 21 separate policies governing different aspects of cybersecurity at the company. The function reports to Cummins’ Chief Information Officer, who regularly updates the company’s Board of Directors. Cummins is aligned to the cybersecurity framework developed by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). All Cummins personnel, including temporary employees, contractors, and business partners handling information on the company’s behalf, are required to follow the data protection requirements contained in Cummins’ policies and procedures. The company has used outside experts to review its operations and evaluate Cummins Global Cybersecurity’s maturity and goals in alignment with NIST. Cummins benchmarks the function against peer companies and continually enhances its cybersecurity operations to meet the changing security landscape. CYBERSECURITY KEY COMPANY PRIORITY With much of the Cummins workforce working remotely in 2021, the company spared no efforts to keep its computer systems secure. Cummins is committed to protecting its intellectual property, customer data, and employee data, as well as the data increasingly important to product innovation and reliability, and the computer systems and networks critical to keeping nearly 65,000 global members of the Cummins workforce (employees, contractors and others) aligned and moving forward. As a global power technology leader, Cummins believes its holistic approach to cybersecurity, including advanced technologies, good governance, extensive employee training, and innovative programming, is the best approach to achieving its goals of protecting the company from increasingly sophisticated attacks. CYBERSECURITY //