Z ERO TRUS T N ETW ORK CONNECTIVITY Expanded the use of Zero Trust network connectivity solution across the Bank and delivered additional automated cloud controls. DE TECT A ND RE SPOND HU NT CAP AB ILITIES E xpanded Detect and Respond hunt capabilities to utilize a wealth of metadata gathered by the teams’ solutions and strengthened processes between Information Security and the Financial Crimes team to protect our customers from a rise in credential validation attacks (CV A). ATTACK SURFACE MA NAGE MENT PROGRAM Expanded the scope of the Attack Surface Management program while maintaining KRIs within ac cept able thresholds. RED UC ED CREDENTIAL VAL IDA TION AT TAC K ( CVA) AT TEMP TS Implemented new controls, successfully blocking over 10 million CVA attempts a day and reduced attack detection and response times with the addition of a second detect and respond shift to augment our 24x7 partners . 2021 ESG Report Contents Introduction Economic Environment Social Governance GOVERNANCE Customer Privacy and Information Security Privacy continues to be a high priority for customers. Fifth Third understands this because we understand the value of the data we collect. We are determined to protect this data in order to maintain our customers’ confdence and their fnancial futures. This requires a partnership among the various teams at Fifth Third. Information Security, Data Privacy and Fraud Management are some key players in the protection of data. More important are the approximate 26,000 employees and contractors who work diligently to protect data every day through their use of special tools when sharing data, restriction of access to data, and identifcation and reporting of potential phishing attacks targeted at stealing data. Protecting customer data is a team efort focused on mitigating the many evolving threats within the cyber landscape. Noting Strategic Successes Progress was made within the organization’s strategic pillars in 2021, including: CONTINUED INFORMATION PROTECTION Enhanced information protection capabilities through Bank -wide collaboration controls, new unstructured data protection solution and physical record migration. Through the implementation of a new solution and sensitive data patterns, the team is able to identify and automatically quarantine fles containing sensitive data while maintaining compliance with retention requirements. REVAMPED PROGRAM Revamped our Privileged Access Management program to include an upgraded password vault integrated into our primary active directory domain to secure our highest risk access. The team ’s attention to lean process improvements enabled several automation capabilities allowing our identity engineers to shift focus on future strategic eforts. 90