PENSKE AUTOMOTIVE / 2021 ESG REPORT 31 2020 SASB Index SASB Sector Standards 2018* 2020 SASB INDEX Multiline and Specialty Retailers & Distributors Sector Standards 2018* SASB Code Accounting Metric Answer, Cross-Reference, Ommissions, and Explanations Energy Management in Retail & Distribution CG-MR-130a.1 (1) Total energy consumed, (2) percentage grid electricity, (3) percentage renewable 2020 Performance Data , pp. 29-30 Data Security CG-MR-230a.1 Description of approach to identifying and addressing data security risks We are aware of the increased incidence of internet-based attacks and their potential impact on cybersecurity and data protection. Our control processes constantly evaluate service attacks for origination. In order to secure all of our systems that store or transmit electronic information, we have implemented multi-layered preventive controls, such as web and cloud application firewalls, which use aggregated intelligence to proactively detect and block an overwhelming majority of attacks. We identify vulnerabilities in our information systems through proactive scanning of system assets for known vulnerabilities published by the National Institute of Standards and Technology (NIST). Our outsourced managed security source operates 24/7, identifying threats and vulnerabilities. Additionally, we proactively manage vulnerabilities from major software publishers through a global patching program. We continue to monitor and enhance our internal processes and conduct an annual security assessment performed by a third party. In order to prevent unauthorized access to our information systems, we have a system of controls in place to manage user access under auditing from a third party and as part of management’s Sarbanes-Oxley (SOX) controls. Our employees acknowledge an acceptable use policy and are trained on how to identify information security risks in the workplace and in their personal lives. Our information security policy is aligned with the NIST, COBIT and the Center for Internet Security (CIS) as it relates to procedures, processes, training and awareness and critical technology controls. *Penske Automotive Group’s 2021 ESG Report applies the 2018 version of the Multiline and Specialty Retailers & Distributors Sustainability Accounting Standards; “2018” refers to the Standards issue date, not the date of information presented in this report.