FY21 ESG Disclosures July 2022 Unaudited 66 monitoring, testing and reporting; operational and incident response and reporting; and training and awareness. To validate the effectiveness of our systems at least annually we conduct tests of our business continuity, contingency plans and incident response procedures. We also conduct third-party vulnerability analysis including simulated hacker attacks and conduct our own monthly vulnerability assessments. All employees are required to take annual cybersecurity awareness training. New hires are also required to take cybersecurity awareness training during onboarding. Quarterly phishing campaigns are also conducted with remedial training required for failures to recognize phishing. Policies require all employees to notify Cybersecurity of any suspicious items. We do not release training results or related information on our employees due to the sensitivity and proprietary nature of the information. As part of our cybersecurity governance, we utilize a Cybersecurity Steering Committee comprising executive management, operational leaders and cross-functional teams. Generally, this committee meets quarterly, or as frequently as appropriate, to review, assess and direct decision related to cybersecurity and information systems matters. The Board recognizes the importance of maintaining the trust and confidence of our customers, contractors, partners, and employees. As a part of its objective, independent oversight of the key risks facing the Company, the Board devotes significant time and attention to data and systems protection, including cybersecurity and information security risk. Additional information on the Board’s role in cybersecurity governance can be found in the 2022 Proxy Statement Cybersecurity Governance Highlights (pp. 16–17). Jacobs respects the confidentiality and privacy rights of our customers and is committed to protecting their information. Jacobs does not sell customer information. Jacobs restricts access on a least privilege basis, allowing access only to the information required for job function. Our Privacy Notice explains that we collect and process personal information that a user provides through our services, which may include the user’s name and address, and that we may use this information to communicate with the user and provide the user with requested services. The Privacy Notice provides the user with the ability to contact us regarding data processing questions and data access rights. Jacobs policies, which address the protection, use and disposition of client data, are wholly determined by the Company and are compliant with regulatory and client requirements. The controls, programs, and practices used to secure the data conditionally vary with the categorization and classification of the data along with the project, client and regulatory requirements. Additional information can be found in our privacy policy .