Cybersecurity & Privacy Transformative innovations—self-driving vehicles, combined with electrification and connectivity—are changing the nature of transportation and our relationships to the vehicles that move us. As the automotive industry continues to mitigate risks in the physical world, such as crashes, emissions and congestion, new risks are emerging in the virtual world, including cybersecurity and privacy risks. Cybersecurity and data protection are critical to the digital transformation of the auto industry. Cybersecurity Risks Software and connected services are key to GM’s vision of zero crashes, zero emissions and zero congestion, and with the increasing connectivity of GM vehicles, cybersecurity risks continue to evolve. Already, GM offers OnStar and connected services to more than 22 million connected vehicles globally through subscription-based and complimentary services. Safely and securely delivering these services has been possible due to a strong cybersecurity focus and priority throughout the company. GM’s organizational focus and oversight of cybersecurity is well-developed. This structure includes a dedicated Risk and Cybersecurity Committee of the Board, cybersecurity leadership tied directly to the CEO and Senior Leadership Team and a vice president of global cybersecurity who serves as a single- point senior executive. This vice president leads a dedicated organization that focuses on protecting against unauthorized access to vehicle safety systems and customer data. Leveraging well-established risk frameworks and standards, GM is focused on cybersecurity risk throughout the entire company, including information technology and intellectual property protection, vehicle and connected services, manufacturing safety and operations, supply chain and third-party security, merger and acquisition risks and the secure integration of all new business models. Cybersecurity remains a core focus and a high priority at GM in the development of advanced driving features, semi and autonomous systems, in-market enhancements, connected services and many other software-defined services. Hardware and software protective measures are employed and a key focus of our Product Cybersecurity organization. Privacy Protection GM relies upon information technology systems and networked products, some of which are managed by third parties, to process, transmit and store electronic information, and to manage or support a variety of our business processes, activities and products. Additionally, GM collects and stores sensitive data, including personally identifiable information of our customers and employees, in data centers and across information technology networks. Robust privacy policies and processes are critical to protecting GM’s employees and customers, and our business. GM’s Privacy Center publishes a Global Privacy Policy that covers all GM operations. We also have a Third-Party Information Security Requirements Exhibit and Privacy Exhibit with specific additional privacy obligations that are required for all contracts involving personal information (PI). Our contracts lay out requirements for compliance with data protection and privacy laws and regulations, and for managing PI in a manner that reinforces customer and employee trust and confidence in GM and our products and services. We keep these documents updated to address changes in laws and regulations, changes in our business and products, and changes in consumer expectations. In addition, the Board has approved the adoption of Global Privacy Principles, and GM continues to be committed to the Alliance for Automotive Innovation’s Consumer Privacy Protection Principles. Privacy Program The Privacy Center has a privacy program framework that focuses on policies, procedures, tools, guidance and training. This framework also includes a Privacy-by-Design program that requires all data-dependent initiatives to receive a privacy-focused consultation through their life cycle. The Privacy Center resides within our legal staff, and additional non-legal resources Skip Navigation Introduction Reducing Emissions Design for Environment Technology Customers Safety Diverse Workforce Human Rights Supply Chain Communities Governance 2021 SUSTAINABILITY REPORT 109