leaving a positive legacy for our world Oversight and enablement Our Security and Network Operations Center constantly and proactively monitors our network and application landscape for threats and anomalies. We have established processes for sharing data and performing third-party risk assessment. Other recent improvements include disaster recovery planning and testing. In 2021, our entire Executive Team, including our CEO, also participated in an incident simulation exercise designed to test our readiness to respond effectively to a cyberattack. We shared what we learned from this exercise with our Board and are using those learnings to help us further mitigate risk. Ulta Beauty’s General Counsel, Chief Risk & Compliance Officer also serves as our Chief Privacy Officer and works closely with our internal data stewardship team, including our VP of IT Risk Management, Data Enterprise Officer and our IT Risk Management team, to ensure we take a holistic approach to caring for guest, associate and financial as well as other proprietary data. Security All Ulta Beauty associates have a role as stewards of company data, and it’s essential that we educate them on how to keep data safe. As part of our annual Code of Business Conduct training, we train associates on: o How to keep devices and data safe in public places o How to avoid security threats and phishing scams o How to maintain a secure workplace o Everyday practices that help maintain the security of corporate digital devices, data and systems Our security approach also includes multiple layers of defense and testing of controls. Examples of how we test our data security controls include IT-led phishing campaigns to test associates’ knowledge of avoiding phishing scams, and third-party-led network penetration testing done to test the security and robustness of our systems controls. Environment Product People Supplemental Data Community 2021 ESG Report 10 Introduction