Contents Sustainable Impact Footprint Integrity and human rights Supply chain responsibility Operations Products and solutions Appendix Privacy-related complaints, longer relies on the Privacy Shield framework emerging threats, and new practices. We Board, which includes our Chief Security Advisor for data transfers. We are working to strengthen regularly update our policies and standards as well as industry-recognized external experts, breaches, and requests* our committed transparency on this topic to to reflect new processing activities and and hosts HP’s Bug Bounty program. our customers, and to the EU data protection regulatory developments. 2019 2020 2021 authorities who authorize our BCRs, which permit Certification, audits, Substantiated complaints regarding ongoing data transfers outside the EU. We are Cybersecurity Organization and assessments breaches of customer privacy and also in the process of applying for BCRs in the UK losses of customer data at HP following Brexit. Our Cybersecurity Organization, led by HP’s Chief The Cybersecurity Organization regularly Substantiated complaints 14 22 37 Information Security Officer (CISO), maintains conducts audits of HP cybersecurity systems and from outside parties (including governance, processes, resources, and IT performs annual risk assessments of related HP customers) Cybersecurity partner and vendor relationships to help identify systems and processes, including our information Substantiated complaints from 1 2 4 and prevent unwanted access, security threats, security management system (ISMS). It also regulatory or other official bodies Cybersecurity is a key pillar of our digital and cyberattacks. It also provides extensive drives third-party risk assessments into our Data breaches (total)** 28 33 transformation and a high priority for HP, our incident response, vulnerability management, procurement process. Data breaches (reportable)** 1 4 customers, and other stakeholders. Our holistic and business continuity and disaster recovery approach integrates cybersecurity across the programs across HP, to support best-in-class end- Our risk-based ISMS maintained ISO 27001 Data requests made to HP*** value chain, including in the design, development, to-end security throughout HP’s supply chain. certification during 2021, assuring that HP Right to access/know (completed) 137 156 and delivery of our products, services, solutions, meets the international standard for information 1 Right to access/know (rejected) 36 49 and operations. We build resiliency into our Worldwide Security and systems security. We regularly commission business model, and work to avoid cybersecurity Analytics Practice internal and external audits by independent Right to erasure/be forgotten 2,195 4,400 incidents. When issues do occur, we rapidly assessors, and conduct an annual NIST (completed) Our Worldwide Security and Analytics Practice, framework assessment. Right to erasure/be forgotten 961 2,596 identify and resolve them, protecting individuals, (rejected) our customers, and HP. led by HP’s Chief Security Advisor, advances security within HP’s business units and products The Worldwide Security and Analytics Practice * Breaches of customer privacy cover any noncompliance with and collaborates with customers and clients. audits HP’s customer-facing cybersecurity existing legal regulations and voluntary standards regarding Policies and standards The Security Practice leads efforts to educate systems and conducts annual risk assessments the protection of customer privacy related to data for which of related systems and processes to help HP is the data controller. Substantiated complaints are written We maintain consistent, rigorous cybersecurity our employees and clients about cybersecurity, statements addressed to the organization by regulatory or policies, standards, and procedures to give our conducts related risk assessments, establishes establish baselines and drive improvement in similar official bodies that identify breaches of customer cybersecurity postures. privacy, or complaints lodged with the organization that have customers, employees, and partners confidence baselines, and creates cybersecurity roadmaps been recognized as legitimate by the organization. when sharing data with us. The HP Cyber Security for HP and our clients. ** Reportable data breaches are those that are required to be Policy Suite provides a framework for the Incident response reported by law. 2020 was the first year that HP disclosed this The Security Practice also drives alignment with data in this report. The majority of the total data breaches were company, informs overarching governance in this We have formal processes to address caused by human error or technical glitches and not a failure of area, and underpins cybersecurity company-wide. regulatory and compliance requirements such as our product or services security infrastructure. HIPAA, the Payment Card Industry Data Security cybersecurity events associated with our *** These data relate to requests made to HP by individuals globally. We educate employees about our policies and Standard, and various privacy laws. The Security worldwide client base that include customer 2020 was the first year that HP disclosed this data in this report. support and mechanisms to escalate issues as The median number of days taken to respond to right to access/ standards, as well as regulatory requirements, Practice coordinates the HP Security Advisory know requests and right to erasure/be forgotten requests in 2021 was 15. 26 2021 HP Sustainable Impact Report www.hp.com/sustainableimpact