Cybersecurity

JPMorgan Chase experiences numerous cyber-attacks on its computer systems, software, networks and other technology assets on a daily basis from various actors, including groups acting on behalf of hostile countries, cyber-criminals, “hacktivists” (i.e., individuals or groups that use technology to promote a political agenda or social change) and others.

As threats to cybersecurity grow in size and sophistication, protecting our Firm, customers and vendors while enabling innovation is an important, evolving priority. When we enter new businesses and adopt new technologies, these risks and challenges multiply. This is why we devote significant, diverse resources to cybersecurity. Our efforts are designed to stop malicious actors from infiltrating our computer systems to destroy data, obtain confidential information, disrupt service, engage in “ransomware” or cause other damage. For example, through the CB, we provide clients with resources and educational content to help them fight and prevent fraud losses, such as a client ransomware guide and business email compromise toolkit.

To help safeguard the confidentiality, integrity and availability of our infrastructure, resources and information, we maintain a robust Information Security Program. It establishes policies and procedures to prevent, detect and respond to cyber-attacks. Since our employees serve as the first line of defense, we educate, train and test our employees on how to identify potential cybersecurity risks, protect the Firm’s resources and information, and report any unusual activity or incidents. Employees are required to complete cybersecurity training and complete quarterly Firmwide phishing tests.

We also require certain third-party vendors to comply with minimum security and control standards, our Supplier Code of Conduct, and all applicable laws and regulations.

The Global Cybersecurity and Technology Controls ("CTC") organization, working with each of our lines of business and corporate functions, identifies technology and cybersecurity risks and is responsible for the controls to manage these threats. CTC assesses changes in global threats and monitors our operations to detect and respond to them. We also conduct periodic internal assessments to identify vulnerabilities, upgrade opportunities and new defense layers. Our cybersecurity incident response plan is designed to allow us to react to attempted breaches, coordinate our response with law enforcement and notify customers, when applicable.

The CTC organization’s efforts are overseen by management at multiple levels, including technology management, greater Firmwide management and the Firm’s OC. The Board is updated periodically on our Information Security Program and any recommended changes, cybersecurity policies and practices, and ongoing efforts to improve security, as well as on our efforts regarding significant cybersecurity events.

In addition to internal capabilities, we leverage external resources to strengthen our defenses. Our cybersecurity controls, governance and practices are based on recognized industry best practices.[47] We also have adopted the Financial Sector Profile from the Cyber Risk Institute, which provides the framework by which these various best practices are aligned with and integrated into our technology and cybersecurity standards. These standards meet the requirements of more than 150 regulators worldwide and are periodically updated. We also engage third parties to independently evaluate our capabilities and identify areas for improvement. External auditors periodically review our IT programs and processes, and regulators periodically inspect and review our program in the countries where we operate. We also discuss cybersecurity risks with law enforcement, government officials, peer groups and trade associations.

Cyber-attacks are a threat not just to our Firm, but also to our clients and the global financial system. We have increased our efforts to educate shareholders and customers about the importance of disciplined cyber hygiene and protecting themselves against fraud.

We also contribute to efforts to build and maintain systemic resiliency. We are a member of the Financial Services Information Sharing & Analysis Center, an intelligence-sharing cooperative for the financial services industry. Its more than 22,000 users in more than 75 countries share best practices and exercises to better secure the sector for the benefit of the public and the resiliency and integrity of financial institutions. Our Firm also helped create the Analysis and Resilience Center for Systemic Risk, an industry-funded nonprofit organization designed to mitigate systemic risk to the nation’s critical energy and financial infrastructure.

JPMorgan Chase also participates in public-private partnerships and, over the course of 2022, was engaged on policy issues related to operational collaboration, including incident notification, software bill of materials, zero trust and evolving U.S. National Institute of Standards and Technology ("NIST") standards. We will continue to support policy that protects the global financial system as a whole, as well as improving the nation’s cybersecurity.

[47] Industry best practices include: ISACA COBIT, ISO 27000 standards, FFIEC guidance, the Information Security Forum Standard for Good Practice, NIST SP 800-53 and BSIMM.
2022 Environmental Social Governance Report