To help employees understand and fulfill their responsibility to keep information secure, the information security team provides awareness and training across various domains and through multiple channels. Dedicated staff tailor a mix of formal training, awareness campaigns and materials, phishing tests and other efforts based on location, level of interaction with systems and role, among other factors. The team focuses on different delivery models, including gamification, to increase the relevance of and engagement with the training content. Contractors are also made aware of and are expected to comply with GXO’s information security policies.

We draw on best practices from multiple frameworks to define the elements most relevant to GXO’s business. We have a harmonized set of controls that integrates guidance from the EU’s GDPR and aligns with the U.S. National Institute of Standards and Technology’s (NIST) cybersecurity framework, among others. GXO’s controls and operating processes align to ISO27001 certification, and systems are maintained in line with this standard. In addition, we assess our practices against industry-leading frameworks, including the Internet Security Forum (ISF), to confirm our systems meet our needs and discover opportunities to improve.

Our program includes multiple components that act as an additional line of defense, including regular testing, tabletop exercises, cybersecurity exercises, audit and maintenance, awareness and training and risk evaluation and controls.

In 2021, we strengthened our efforts to enable a more holistic and integrated approach to information security. At the beginning of the year, we also conducted a program maturity self-assessment against the NIST Cybersecurity Framework (CSF) and scored across domains to identify, analyze and enhance cybersecurity capabilities. The process reviewed over 30 policies and procedures, included multiple stakeholder interviews and resulted in an analysis and multi-year roadmap for improvement. We will continue to refine and align our framework to ensure our program continues to integrate the best guidance available.

We have built-in escalation paths with dedicated leaders and legal partners in case incidents arise within the course of standard operations. GXO reports material data privacy and information security breaches in our annual 10-K report. In 2021, there were none.

By the numbers: 100% of employees with network access expected to participate in regular information security training

Learn more about how we do what we do: Code of Business Ethics, Third-Party Due Diligence, Data Protection Policy, GDPR Privacy Policy, EU Data Retention Policy

©2022 GXO Logistics, Inc. 2021 ESG Report | 77
