UnitedHealth Group 2021 Sustainability Report

Program evaluation

We regularly evaluate the security maturity of our systems through vulnerability assessments and penetration tests conducted by our internal team and by qualified external assessors. These efforts allow us to identify operational and design risks and vulnerabilities in our systems, to address emerging security threats and to improve system security as we work to enhance our ability to protect information and data.

UnitedHealth Group's IT infrastructure and information security management systems were audited by internal and external auditors in the last fiscal year. These audits resulted in certifications and attestations under industry-recognized frameworks such as HITRUST, International Organization for Standardization (ISO) standards, System and Organization Controls (SOC) reports and Payment Card Industry (PCI) standards.

UnitedHealth Group manages a robust Information Security Risk Management and Privacy Program that improves its ability to make risk-informed decisions by conducting systematic and structured reviews of information security risks. Its protocols are based on industry practices and applicable regulatory obligations, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the European Union General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other requirements set by state, federal and international authorities.

Our Internal Audit team advises on strengthening compliance with applicable laws and regulations. The team applies a combination of auditing and security frameworks to evaluate how best practices are applied throughout our enterprise.
This approach gives us the ability to address risk from multiple perspectives and to implement layered remediation strategies. Furthermore, our Internal Audit team independently assesses security controls against enterprise policies to evaluate whether compliance is maintained. The results of internal audits are communicated to executive leadership and presented quarterly to the Audit and Finance Committee of the Board of Directors. Audit findings are tracked as action plans and managed within an enterprise governance, risk and compliance (GRC) tool: owners are assigned, remediation timelines are established and progress is regularly reported to senior management.

Risk assessment

Annually, we conduct an enterprise information risk assessment (EIRA) in conjunction with UnitedHealth Group's overall enterprise risk management assessment. In the EIRA, we complete a comprehensive review of internal and external threats and evaluate changes to the information risk landscape to inform the investments and program enhancements we will make in the coming year.

Risk remains heightened because of increasingly sophisticated ransomware and the growth of criminal networks and affiliate models that extend the reach and skill of attackers. We continue to engage with our suppliers and internal development teams to remediate known vulnerabilities, and we track upgrades that can be applied to mitigate future risk.

UnitedHealth Group continues to monitor cyber threats and invest accordingly across our systems. We are investing in new capabilities for rapid response to and recovery from potential attacks, including system rebuild and recovery protocols that restore key systems fully and rapidly, a step beyond the current protocols of data center failover. Business continuity exercises are prioritized and focused on technology interruption due to ransomware.