To validate IBM's security controls, we ensure that they are tested and certified regularly through a combination of frameworks and assessment activities, including ISO, System and Organization Controls (SOC), the Sarbanes-Oxley Act, the Federal Risk and Authorization Management Program, the Health Insurance Portability and Accountability Act (HIPAA), and others. IBM also undergoes numerous internal and external audits, and each services team conducts ongoing self-assessments. You can learn more about IBM's internal IT security principles at the IBM Trust Center.

Data privacy

IBM believes that consumers deserve strong privacy protections, consistent across jurisdictions, and that businesses should build trust by providing those protections. IBM also advocates for policymakers to focus on constancy and compatibility when crafting new regulations, to facilitate a consistent approach to handling personal information while enabling the free and secure flow of data across regions.

Improving transparency and the user experience continued to be priorities for IBM in 2021, culminating in November with the publication of a new, simplified IBM Privacy Statement. The IBM Privacy Portal was also enhanced so that users can see the status of their data subject requests and manage their company's information more easily.

IBM published a case study in 2021 detailing how our three-year effort to prepare for implementation of the EU General Data Protection Regulation (GDPR) led IBM to develop our Unified Privacy Framework. By embedding governance and privacy controls directly into systems and business processes, this framework enables a more proactive approach to compliance governance and reduces the time and effort required to comply with new regulations—for IBM as well as our clients. Learn more about this "continuous compliance" approach at the IBM Policy Lab.

All IBMers, contractors, and employees of IBM subsidiaries receive annual data privacy training. In 2021, we redesigned our annual data privacy education program and deployed a new adaptive learning platform that provides more targeted, role-based education based on real-world examples.

Cybersecurity

IBM maintains a multifaceted risk-management approach to identify and address cybersecurity risks. This includes a foundation of policies and procedures upon which IBM manages its infrastructure and data, as well as ongoing assessments of technical controls and methods for identifying emerging risks. IBM's security monitoring program and incident response process apply to all IBM operations worldwide, identifying and responding to any threats or attacks on networks, end-user devices, servers, applications, data, and cloud solutions in IBM's operating environment.

IBM also fosters security awareness and responsibility among its workforce with online training, educational tools, videos, and other initiatives. All IBMers and contractors take cybersecurity education within 30 days of joining IBM and repeat this training annually.

IBM's Enterprise and Technology Security group works across the company to protect against cybersecurity risks. Within that group, IBM's chief information security officer (CISO) leads a team responsible for information security strategy, policies, standards, architecture, and processes. IBM maintains extensive internal corporate directives requiring information security activities, including the creation and implementation of standards, processes, and procedures. The IBM CISO reviews and approves these directives and other corporate policies annually, while the IBM Board of Directors and its Audit Committee also receive regular updates from IBM's security management and other cybersecurity experts. Our enterprise IT security policy and related standards are based on industry best practices, including but not limited to those of the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).

To maintain leading-edge security, we have implemented a set of practices, called IBM Security and Privacy by Design, that all IBM business units use to assess threats, test protections, and verify that security requirements are met. The IBM Data Security and Privacy Principles (DSP) detail the contractual commitments to security and data protection that IBM makes to its clients. IBM has modeled the DSP to be an industry-leading collection of security terms that take into account industry standards, IBM standard practices, and regulatory requirements to craft a comprehensive set of security and privacy commitments to all our clients.

17 IBM 2021 ESG Report