
To address global ESG issues that affect us and our industry, like data privacy and security, we engage with our partners and peers through industry groups, roundtables, conferences, and other forums. For example, in 2021 we engaged in forums with the Data & Trust Alliance, the Centre for Information Policy Leadership, the Future of Privacy Forum, the Bank Policy Institute, and the Business Roundtable.

Protecting our corporate, customer, and colleague information is a priority for us. With cybersecurity threats on the rise, we continue to enhance our global security measures. Our information and cybersecurity program is designed to identify risks and protect the confidentiality, integrity, and availability of our data, as well as our information systems. The program is built upon a foundation of advanced security technology, a well-staffed and highly trained team of experts, and robust operations based on the National Institute of Standards and Technology Cybersecurity Framework. This consists of controls designed to identify, protect, detect, respond, and recover from information and cybersecurity incidents.

Through our cybersecurity governance framework, our internal teams report to the Board on cybersecurity at least once a year and to our Risk Committee at least twice a year, including at least one joint meeting with the Audit and Compliance Committee. The full Board and committees all receive ad hoc updates as needed, and the Risk Committee annually approves the company’s Information Security Program. Learn more in our 2022 Proxy Statement.

Our Data Protection and Privacy Principles govern the way we collect, use, store, share, transmit, delete, or otherwise process our customer and colleague personal data globally. As we innovate in fast-developing areas such as artificial intelligence and machine learning, our Global Risk and Compliance Team oversees policies and processes that are designed to enable us to adopt these technologies responsibly and ethically.
Training

Every colleague at American Express is accountable for how we protect and manage personal data about our customers, prospects, and colleagues. We educate our colleagues about our Data Protection and Privacy Principles through our Code of Conduct and mandatory annual information security and privacy training across our global operations. We also run simulations that test our colleagues’ ability to detect and respond to suspicious activity. Learn more about our commitment to data protection and privacy in Protecting Our Customers.

American Express ESG Report - Page 84