2021 ESG Report GOVERNANCE Our First Line of Defense Our employees and contractors are a key component in our frst line of defense. Keeping them informed and educated helps them to make the right decisions when it comes to protecting the information they work with every day. To do this, we have a mature security awareness and education program. All employees and contractors are required to complete privacy and information security training on an annual basis, including privacy compliance, information lifecycle governance, managing information and data, creating a safe cyber environment and business continuity. In 2021, 99.9% of all required compliance training modules were completed by employees. All information owners are made aware of the expectation to protect data through appropriate retention and defensible deletions once it has reached the end of its lifecycle based on the Corporate Records Retention Schedule. Application owners and managers are required to provide access to data through least privilege and certify that access on an annual basis. To support the Bank’s objective of protecting data, the Information Security team has established and maintains a qualifed and representative workforce, ensuring that the right people with the right skills are in place to achieve our business goals. To that end, the organization invests heavily in ongoing training and certifcations for its team members. This includes technical boot camps as well as online and classroom training and conferences. The inventory of training is extensive, aligns with certifcation opportunities and is provided via various mediums. Over 52% of the Information Security organization holds advanced certifcations. Business Continuity Management Business Continuity Management (BCM) operates as an enterprise-wide program and encompasses an integrated approach in providing for the safety and wellbeing of the employees, customers, shareholders, and resiliency of operations . The BCM program is guided by a Board of Director-approved policy and BCM Program Framework which provides a holistic approach for identifying threats, assessing risks and impacts, and responding commensurate with safeguarding the interests Contents of Fifth Third’s stakeholders, reputation, brand and value creating activities. The program’s objective is to enable Fifth Third to efectively prepare for and respond to threats such as natural disasters, data breaches, cyberattacks, and/or technical outages. In support of this objective the BCM team continues to capitalize on its enterprise risk management solution which was implemented in 2019. The fexible and integrated platform capabilities enable the Bank to achieve resilience with greater speed and efciency. Noted improvements in 2021 included notifcations now triggered by BC plan managers, notifcation recaps submitted for approval, enhanced annual BC Plan owner review and approval process, as well as disaster recovery exercise recaps with associated approval process workfows. To assess the Bancorp’s cyber response posture, BCM facilitated a Cyber War Game exercise in the frst quarter of 2021. The game, which was conducted virtually, involved many areas Introduction Economic Environment Social Governance of the Bancorp including executive leadership and Board members. While opportunities for improvement were captured, none were considered signifcant in nature. In the second quarter of 2021, BCM facilitated the largest integrated Disaster Recovery exercise to date with 739 applications and 383 third party service providers being included in the scope. Additionally, in 2021, BCM coordinated responses to hurricanes Elsa, Henri and Ida with regional presidents and retail executives. Ultimately, there was minimal impact to our customers along with no Fifth Third employees, facilities or business processes being directly afected. BCM and Global Solutions continue to monitor and oversee response to COVID mandates and subsequent impacts on ofshore third-party service providers and their resources. Additionally, our awareness and education program includes: • Other information security training modules . • Targeted security awareness training for high-risk audiences. • Quarterly lunch and learns. • Monthly simulated phishing exercises. • Weekly security awareness communications. • Data Loss Prevention Consequence Program should a user fail to appropriately protect data. • A variety of activities, including a conference, during October’s Cybersecurity Awareness Month. BUSINESS CONTINUITY MANAGEMENT PROGRAM G O V E R N A N C E R E G U L A T I O N S & C O M P L I A N C E C O L L A B O R A T I O N B U S I N E S S R E Q U I R E M E N T S 1. CULTIVATE A BCM CULTURE WITHIN 5/3 2. UNDERSTAND THE BUSINESS 3. CREATE BCM STRATEGIES 4. CREATE BCM PLANS & SOLUTIONS 5. DESIGN & IMPLEMENTATION 6. CONDUCT BCP & DR EXERCISE MAINTENANCE 7. CONDUCT SELF ASSESSMENT & ANALYSIS 8. MAINTAIN & AUDIT Business Continuity Management Lifecycle The BCM Program functions within an integrated 8 -step lifecycle. The following steps outline the approach that is taken to defne, implement, mature, and evaluate the BCM program. 92