Cybersecurity

We consider all personal information a critical asset and have a robust cybersecurity program to protect those assets accordingly. Our information cybersecurity program is tied to industry frameworks, requires training for all associates, encompasses oversight of our third-party partners, and includes a comprehensive breach response plan. The program is visible throughout the organization, including updates to the Board of Directors Audit Committee on a quarterly basis and to the full Board of Directors during the fourth quarter of the fiscal year.

Audits & Assessments

The Enterprise Risk Services (ERS) department reports to the Chief Risk and Compliance Officer and serves as an independent audit function for the company. This internal team conducts cybersecurity, privacy and environmental assessments and audits. The subjects of these audits include, but are not limited to, Sarbanes-Oxley (SOX), Payment Card Industry (PCI) compliance, access controls, and other processes supporting IT infrastructure and applications. The ERS department performs audits across a variety of other compliance topics, including employment, financial, credit and environmental control areas, to assess compliance with regulations and internal policies.

Annual Ethics Training

We require associates to take annual ethics training, which is refreshed each year to cover relevant topics. Within this training are specific cybersecurity training vignettes that highlight key cybersecurity and privacy risks and reinforce associate accountability. The training helps connect cybersecurity and privacy to an associate’s day-to-day job responsibilities and promotes awareness of each associate’s role in Kohl’s cybersecurity program.

Cybersecurity & Privacy

As part of our vision to be the most trusted retailer of choice for the active and casual lifestyle, we believe trust is critical to our brand. An important part of that trust is how we treat the personal information we collect.

Privacy

We understand that customers, associates and business partners entrust their personal information to us, and we have a responsibility to those individuals to respect their privacy rights. Our Privacy Policy provides transparency into the information we collect, how we use that information and our commitment to follow all applicable laws governing that information. Additionally, our privacy program ensures individuals’ privacy rights are fulfilled to the extent required by law. Our cross-functional Privacy Committee is responsible for identifying and managing privacy risks, with oversight from senior leaders in Risk and Compliance, Technology, Financial Services, Marketing and Legal.
Kohl's 2021 ESG Report