ESG PROGRESS AT MARRIOTT INTERNATIONAL – 2021 SERVE 360 REPORT

Data Privacy and Cybersecurity

Marriott has comprehensive global privacy and information security programs in place, including policies and procedures governing the collection, use, disclosure, sharing, retention, and security of its customers’ personal data.

Board Oversight

Board of Directors (Technology and Information Security Oversight Committee)

Marriott’s Board of Directors’ Technology and Information Security Oversight Committee (established in 2021) oversees the company’s information security, privacy and technology-related risks, and assists the Board in overseeing management efforts to monitor and mitigate those risks.

Global Privacy and Information Security Governance Board

Marriott’s Global Privacy and Information Security Governance Board is responsible for providing executive-level oversight and strategic risk management with respect to the Global Privacy and Global Information Security Programs.

Global Privacy and Information Security Oversight Committee

Marriott’s Global Privacy and Information Security Oversight Committee and its Continent Committees ensure that the privacy and security risk management strategy set by the Governance Board is implemented throughout Marriott by verifying and generally ensuring that Marriott has effective policies, procedures, and practices in place.

Privacy Program

Marriott is committed to communicating and adhering to privacy principles that are consistent with legal and regulatory standards embedded within privacy laws around the world. Marriott has standard operating procedures, policies, and guidelines governing the collection, use, disclosure, transfer, storage, and retention of its customers’ personal data. Marriott’s Privacy Center includes the company’s Global Privacy Statement, which explains how the company collects, uses, discloses, transfers, and retains customer data. The Privacy Center also provides customers with the opportunity to exercise their privacy rights and update communication preferences.

Marriott has a dedicated Global Privacy Office, which operates under the leadership of Marriott’s Global Compliance Counsel and Privacy Officer. The Global Privacy Office oversees functions such as handling customer privacy inquiries, executing Privacy Impact Assessments (PIAs), and monitoring the company’s overall compliance with evolving global privacy laws and regulations.

Cybersecurity Program

Marriott employs appropriate technical and organizational measures and processes to control and protect Marriott’s network, applications, and information – including customer data held on Marriott’s systems. Marriott has a dedicated Global Information Security Team under the leadership of Marriott’s Chief Information Security Officer (CISO), which focuses on application, network, and system security. This team is also responsible for information security compliance, training and awareness, monitoring, and incident response.

Marriott’s information security program is designed to implement a multilayered approach to security and employs various technologies and processes to protect systems and data, and includes ISO 27001 controls and ISO 27002 guidelines in its overall framework. Among other measures, Marriott is Payment Card Industry (PCI) compliant where required and maintains a documented vulnerability management program, endpoint monitoring, and alerting capabilities, along with an up-to-date global incident response plan.

Information Security Risk Assessments

Marriott’s Global Information Security (GIS) Risk Management Team conducts risk assessments against Marriott’s critical applications at least annually and with significant changes to the internal operating or external environments. The GIS Team is also responsible for conducting third-party vendor security assessments. This includes performing security vulnerability scans on third-party vendor websites and other public-facing servers where Marriott data may be stored or transmitted.

Associate Training and Awareness

Marriott’s Global Privacy Office and Global Information Security Teams provide training and awareness about the importance of data privacy and information security throughout the company. On the privacy side, Marriott provides mandatory Global Privacy online training for above-property and managed hotel associates, and for franchise employees who are likely to handle personal data. On the information security side, Marriott provides a separate mandatory online Information Security & Protection Training for associates who are likely to handle personal data and enhanced targeted training for associates who handle payment card data. Additional programs include phishing simulation exercises, quarterly emails, communications on emerging risks, and annual programming during Cybersecurity Awareness Month. Marriott reviews both its Global Privacy and Information Security & Protection Training online programs at least annually.