2021 Sustainability Report

Governance

UnitedHealth Group’s chief information officer, chief compliance and ethics officer, chief privacy officer and chief information security officer are responsible for administering our data privacy and security programs at the executive management level.

The Audit and Finance Committee of the Board of Directors reviews and assesses the effectiveness of UnitedHealth Group’s policies, procedures and resource commitments in the areas of compliance, ethics, privacy and cybersecurity. The committee receives regular updates covering critical issues related to one or more of the following topics: our information security risks, cybersecurity strategy and business continuity capabilities.

In 2021, we established a Cybersecurity Leadership Council (CLC) to enable aligned executive ownership and delivery of information security initiatives across UnitedHealth Group. The chief information officer of each line of business or a chief information security officer will sponsor each initiative and lead implementation. The CLC will oversee analysis, risk tolerance, policy, funding and implementation of information security initiatives, and the transition to standard operating processes to ensure sustainability.

UnitedHealth Group manages cybersecurity and data protection through a robust framework that provides our team members with training and resources that support their day-to-day activities, assesses the risks our company faces, and establishes policies and safeguards to protect our systems and the information of those we serve.

Programs and resources

UnitedHealth Group’s data protection policy applies to all lines of business and subsidiaries. Data is assigned a classification based on its sensitivity level and protected by security requirements defined by the policy. Data sent externally must meet security requirements outlined by our enterprise data-sharing processes such as management approval and strong encryption.

Our Code of Conduct outlines our commitment to protecting the information entrusted to us. Supported by a comprehensive set of principles, our policies and programs describe appropriate uses of data and the safeguards that protect the confidentiality and integrity of our systems, including:

• Enterprise information security policies.
• An enterprise resiliency and response program.
• An incident management program that encompasses cybersecurity, privacy and compliance obligations.
• Privacy and data protection policies, including guidance on information handling.
• An enterprise data governance program, including related policies.
• Enterprise risk management and information risk analysis programs.
• The Safe and Secure with Me employee training and awareness program – required annually for employees who handle Protected Health Information.
ESG Report | UnitedHealth Group