DATA PRIVACY & SECURITY

PFG adopts a layered defense with an in-depth, risk-based approach to identifying and addressing data security risks. PFG’s Information Security Program proactively assesses security trends, current gaps and our business strategy to manage a three-year rolling cybersecurity strategy. This strategy considers existing risks or those likely to be encountered based on our industry, company profile and business objectives. The strategy also considers shifting technology trends that could have a material impact on our security infrastructure (e.g. third-party hosted/dependent and a mobile workforce).

PFG maintains several administrative and technical controls and capabilities to both prevent and detect associated security risks. Our security capabilities and controls include a combination of internally defined policies and standards, technical solutions, operational processes and staff training to address potential operational, reputational, financial and regulatory risks.

PFG’s control environment and strategy is aligned with the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Security. In addition, PFG’s Chief Information Officer and Chief Information Security Officer provide quarterly updates to the Technology and Cybersecurity Committee of the Board on progress of security initiatives, strategy, operational performance indicators, risks and notable incidents.

Preventive and detective controls are augmented by both technical and administrative capabilities to identify gaps in existing controls or vulnerabilities in information systems. PFG uses independent service providers to test PFG’s network and select applications for vulnerabilities, at least annually. We also maintain an internally managed vulnerability program which regularly assesses PFG systems and reports to our IT team and business leadership for awareness, action and/or acknowledgment/acceptance of associated risks.
PFG also implements a Risk Management program to identify and track information risks from myriad sources, including third parties, technology projects, acquisitions, ad-hoc risk assessments and external audits, adjudicating them based on severity.

The company has a documented Security Incident Response Plan, which is routinely updated and includes steps to triage multiple types of security incidents of varying magnitudes. Tabletop exercises are performed periodically to prepare response teams and leadership in the event of a significant incident. The response plan ensures we have the adequate processes and resources in place for the identification, containment, and eradication of incidents, as well as for the notification of related parties and the restoration of affected systems back into the business environment. As part of the incident response process, incident investigations are conducted and procedural, operational, technological and/or training improvements are implemented to address root causes.

PFG is subject to external audits in alignment with the Internal Controls Over Financial Reporting (ICOFR) review process. This includes yearly Information Technology General Control Testing and periodic reviews of risks and controls related to cybersecurity items that may impact financial reporting control objectives.

PFG maintains an Information Security Training Program that combines several forms of training across user types. Training methods include general ad-hoc advisories, computer-based training/e-Learning and mock phishing exercises. Computer-based training is tailored for general end users and targeted training is provided to users in inherently higher risk positions, those subject to specific regulatory requirements or enrolled based on performance of mock phishing exercises.

Performance Food Group ESG Report - Page 30