2021 SUSTAINABILITY HIGHLIGHT REPORT: Forward As One GOVERNANCE 35 We recognize the importance of managing cybersecurity risks. We gain awareness and support from senior leaders through governance practices including but not limited to providing cybersecurity updates to the Board of Directors and senior executives, establishing and leveraging an Executive Privacy and Security Council, and integrating cyber-related efforts into broader enterprise risk management practices. CYBERSECURITY The cybersecurity landscape is rapidly evolving with new and emerging threats and our cybersecurity teams are proactively monitoring our environment, adapting our defenses and implementing new capabilities Our defense strategy uses multiple security measures to protect the integrity of the company’s information The strategy aligns to the National Institute of Standards and Technology (NIST) Cyber Security Framework requirements for financial services companies providing preventative, detective and responsive measures that collectively protect the company Here are some of the ways we strengthen the company’s enterprise-wide cybersecurity program: • Actively participating with industry-wide information sharing forums, regularly monitoring threat intelligence sources and leveraging industry expertise to understand and adapt to emerging threats • Strengthening defenses against malicious software; advancing identity and access management practices; and enhancing network security monitoring, data loss prevention capabilities, data backup and recovery, and third-party security management processes • Maintaining comprehensive data security policies and systems that are assessed and tested at least annually Our program is evaluated annually by an independent external third-party auditing firm, including technical and red-team reviews to assess and test our defenses • Developing and testing our detailed response plan to ensure timely and accurate resolution in the event of a cybersecurity incident The collective results of these risk assessment activities inform our cybersecurity program priorities. CUSTOMER PRIVACY In addition to testing our systems, employees also receive training on how to protect data and maintain customer privacy: If an employee identifies a privacy or security incident, they’re directed to report it through an escalation process detailed in our Code of Ethics and Business Conduct We have a dedicated team with a robust process in place to handle consumer privacy right requests Additional information regarding the risks associated with customer privacy and cybersecurity, and how we manage those risks, is available on pages 32 and 98, respectively, of The Hartford's 2021 10-K OF EMPLOYEE EMAILS are governed under a data classification standard to identify and protect personally confidential information and highly restricted documents. OF OUR EMPLOYEES receive annual privacy and security training. 100% 100% Assessing Our Compliance Risk We routinely conduct compliance risk assessments across the company's business areas. Primary goals include: • Identifying the most significant compliance risks. • Performing analysis to detect, prevent and remediate compliance gaps. • Creating and implementing action plans for continuous improvement.