Cybersecurity

We recognize the increasing threat of cybercrimes and enforce comprehensive Corporate Information Security policies, standards and technical controls to protect the confidentiality, integrity and availability of the company's systems and information assets. These policies and standards, followed by all business units, align with recognized cybersecurity frameworks and industry best practices.

At a corporate network level, Phillips 66 applies controls and processes to actively monitor, detect, prevent and respond to external cybersecurity threats. Every inbound email is inspected for malicious activity. External threats are mitigated through external penetration testing conducted by independent third-party specialists.

For internal business-critical process control networks, specific controls are implemented to mitigate the risk of cybersecurity threats. These controls include, but are not limited to, the segregation of process control networks and systems from the Phillips 66 corporate network and external networks.

The Phillips 66 Digital Security team provides information security operational support and general cybersecurity guidance for all locations. The team is also responsible for general and specific employee awareness programs that promote good cybersecurity habits. A privacy program has been implemented to protect personal information assets.

Phillips 66 Risk Management standards require regular information security risk assessments for business units and projects. These assessments include internal networks and systems, as well as third-party suppliers and partner assessments.

We’ve also selected leading managed network service providers to deliver secure broadband network services with secure transaction and settlement processing for reliable and secure payments. These system elements are reviewed annually by third-party assessors to demonstrate ongoing compliance with the Payment Card Industry Data Security Standards.
Each year, we conduct a range of IT audits across the company’s IT infrastructure, networks, systems, applications, operational processes and procedures to ensure compliance with our Information Security policies and standards. Process control network assurance audits are done on a rotating schedule with coverage at each facility on a cycle of no greater than five years.

As part of the Business Continuity Plan development, all corporate IT systems are assessed for business criticality with key systems and data included in the IT Disaster Recovery Plan (DRP). The DRP supports the resumption of corporate IT services related to essential business processes in a major unplanned event causing significant damage or loss to the infrastructure.

[Image: Mobile pay at Phillips 66 fuel station]

Phillips 66 2022 Sustainability Report
