2021 ESG Report

GOVERNANCE

Privacy and Data Security

The Bank's privacy and data security controls have been built to meet regulatory requirements, industry best practices and customer expectations. These controls, whether technical solutions or processes, are assessed regularly by industry and governmental experts to ensure they meet the challenge of protecting the privacy of customers and their data. The cyber and regulatory landscape is constantly evolving, and so are our dynamic defenses. We have implemented measures designed to secure customer information from loss or unauthorized access, use, alteration, or disclosure. Information is stored on secured servers behind firewalls, and all data transported on our website and mobile applications is encrypted. To further help protect information, the Bank requires employees to review and know information security and privacy policies, as well as complete all assigned security and privacy training.

Our privacy policy defines our practices on protecting personal information, from the information we collect, how it is shared, to how customers can choose to limit the sharing of data based on state, federal and international regulations.

A significant factor in the success of the Information Security Program relies on the third parties with whom we have chosen to partner. These partners assist in our data loss prevention, DDoS protections, document lifecycle management, cyberattack response services, threat intelligence, endpoint security, secure development and more. As the threat landscape evolves, so does third-party risk. Providing appropriate oversight to the Bank's third parties to reduce risk is critical. Onboarding new suppliers requires a vendor due diligence effort to ensure that new vendors meet the Bank's control requirements.

PRIVACY COMMITMENT
DATA SECURITY COMMITMENT
Fifth Third's commitments to data security and privacy are available on 53.com.
In 2021, Information Security improved its ability to quickly identify risk associated with a compromised third party and to respond accordingly before it's too late. Our Extended Security Program team supports Third Party Management and Third-Party Risk Management in an advisory capacity, assisting in the development of due diligence surveys, handling of escalated due diligence reviews, and reviews of cyber-related incidents and threat management.

The Bank's Master Services Agreement articles outline the expectations, including, but not limited to:

• What the supplier's information security program should include.
• Who needs to review and approve their information security program.
• What safeguards need to be in place.
• How the Bank should be notified of a breach.
• How proprietary information should be handled.

We work with our third-party suppliers to ensure they have appropriate information security programs and capabilities in place to protect any data we entrust to them. Ensuring our third-party suppliers are doing all they can to protect the Bank and our customers is another way we keep the customer at the center of everything we do.

Information sharing with other significant players in the industry is also a key enabler of what we do. We closely partner with law enforcement agencies, cyber security industry leaders, direct peer relationships in other financial institutions and global cyber intelligence sharing communities, such as FS-ISAC. We have been a member of FS-ISAC since 2010, with some of our team members having held Board positions. We have representation on many Communities of Interest and have previously won the FS-ISAC Excellence in Sharing Award.

The Value of Strong Leadership and Governance

• Information security and privacy teams regularly report to executive leadership and the Board to ensure everyone is aligned to the Bank's priorities and focus.
• The Chief Information Security Officer and Privacy Office report regularly to the Board or Board committees to keep abreast of all efforts to prevent, detect and respond to risks.
• The Technology Committee, a committee of the Board established in 2020, is comprised of Board members with extensive technology backgrounds. Its primary purpose is to assist the Board in its oversight of technology and innovation strategies, plans and operations, information, cybersecurity and data privacy risk management, as well as third-party technology risk management.