Data Privacy & Cybersecurity As digital solutions play an ever-larger role in fnancial services and the economy as Data protection and privacy are key components of our global data risk manage- We have established processes and procedures to report and respond to suspected a whole, the risk of cyber-attacks and other threats to information security contin- ment program. That program focuses on execution of the compliance and opera- or actual data privacy incidents that may compromise the confdentiality, integrity INTRODUCTION ues to evolve and grow. In addition, the individuals with whom the Firm interacts tional risk oversight of data management and privacy governance, controls, and or availability of personal information and provide our employees the ability to expect that our data practices are safe and lawful. Data privacy and cybersecurity remediation activities in the Firm. The Firm’s privacy framework outlines roles and make reports through our internal systems. Our centralized process requires escala- ENVIRONMENTAL therefore remain top priorities for our Firm. At the same time, greater reliance on responsibilities, sets policies and standards, directs advisory requests, and provides tion to a dedicated incident response team for severity assessment, mitigation, root remote work given our hybrid working model has only further underscored the protocols for monitoring, reporting, and escalation of key privacy risks and issues. cause analysis and corrective action. SOCIAL importance of safe digital solutions and data practices. The program reports periodically to our management, including our OC and Board In accordance with the Firm's policies, we notify individuals and our regulators of of Directors. Our multi-stakeholder approach to oversight and governance is embed- data incidents. GOVERNANCE Data Privacy ded in our three lines of defense and supported by dedicated data and privacy teams around the world. We provide regular training and awareness to our work- JPMorgan Chase regularly engages with lawmakers and civil society on policy issues force, not only on core privacy obligations and how to meet them, but also on related to data protection and privacy, including the development and moderniza- Corporate Governance & As a global fnancial institution, our Firm collects, processes, uses, shares and dis- ESG Oversight emerging risks, trends and new developments. tion of U.S. federal and state privacy laws. We will continue to support policy that positions all manner of personal and fnancial information every day, and we have protects people and their personal information, promotes organizational account- Stakeholder Engagement processes designed to manage that data in accordance with the laws, rules and reg- Information on how we collect, process, use, share and disposition personal infor- ability and enables benefcial data-driven innovation. Political Engagement and ulations of the jurisdictions in which we operate. We take a multi-faceted approach mation, as well as rights that individuals may have with respect to their personal Public Policy to addressing privacy and data protection risks, including maintaining and evolving information and how to exercise them, is available on our websites and upon Managing Environmental and our internal controls, establishing policies covering all stages of the data lifecycle request through multiple channels. In addition to traditional privacy notices, we Social Risks and deploying appropriate technology. often publish related materials such as frequently asked questions and tips for Human Rights keeping personal fnancial information safe. Our Firmwide internal policy on personal information applies globally to our legal Data Privacy & Cybersecurity entities, as well as third parties that handle personal information on our behalf. We have a wide range of technological, administrative, organizational and physical Business Ethics The policy sets forth minimum requirements, including that personal information is security measures designed to safeguard the confdentiality, integrity and availabil- processed for defned purposes. The policy also specifes the use of privacy by ity of personal information. Our Code of Conduct and related policies include spe- APPENDICES design principles, designed to ensure that privacy is taken into account throughout cifc guidelines on how employees should protect the confdential information of the data lifecycle. those we have relationships with, including consumers, employees, service provid- ers, commercial businesses or government bodies. 57