
Cybersecurity

JPMorgan Chase experiences numerous attempted cyber-attacks on its computer systems, software, networks and other technology assets on a daily basis from various actors, including groups acting on behalf of hostile countries, cyber-criminals, “hacktivists” (i.e., individuals or groups that use technology to promote a political agenda or social change) and others. With a large number of employees continuing to work offsite, we are taking additional measures to mitigate cyber risks posed by our increased use of remote access and third-party video conferencing.

The Global Cybersecurity and Technology Controls ("CTC") organization, working with each of our lines of business and corporate functions, identifies technology and cybersecurity risks and is responsible for the controls to manage these threats. CTC assesses changes in global threats and monitors our operations to detect and respond to them. We also conduct periodic internal assessments to identify vulnerabilities, upgrade opportunities and new defense layers, and our cybersecurity incident response plan enables us to react to attempted breaches, coordinate our response with law enforcement and notify customers, when applicable.

The CTC organization’s efforts are overseen by management at multiple levels including technology management, greater Firmwide management and the Firm’s Operating Committee. The Board of Directors is updated periodically on our Information Security Program and any recommended changes, cybersecurity policies and practices, and ongoing efforts to improve security, as well as on our efforts regarding significant cybersecurity events. In addition to internal capabilities, we leverage external resources to strengthen our defenses.

Our cybersecurity controls, governance and practices are based on recognized industry best practices. We also have adopted the Financial Sector Profile from the Cyber Risk Institute, which provides the framework by which these various best practices are aligned with and integrated into our technology and cybersecurity standards. These standards meet the requirements of more than 150 regulators worldwide and are periodically updated. We also engage third parties to independently evaluate our capabilities and identify areas for improvement.[38] External auditors periodically review our IT programs and processes, and regulators periodically inspect and review our program in the countries where we operate. We also discuss cybersecurity risks with law enforcement, government officials, peer groups and trade associations.

Cyber-attacks are a threat not just to our Firm, but also to our clients and the global financial system. We have increased our efforts to educate shareholders and customers about the importance of disciplined cyber hygiene and protecting themselves against fraud. We also contribute to efforts to build and maintain systemic resiliency. We are a member of the Financial Services Information Sharing & Analysis Center, an intelligence-sharing cooperative for the financial services industry. Its 16,000 users in more than 70 countries share best practices and exercises to better secure the sector for the benefit of the public and the resiliency and integrity of financial institutions. Our Firm also helped create the Analysis and Resilience Center for Systemic Risk, an industry-funded nonprofit organization designed to mitigate systemic risk to the nation’s critical energy and financial infrastructure.

JPMorgan Chase also participates in public-private partnerships and, over the course of 2021, was engaged on policy issues related to operational collaboration, including incident notification, software bill of materials, zero trust and evolving U.S. National Institute of Standards and Technology ("NIST") standards. We will continue to advocate for policy to protect the global financial system as a whole, as well as improving the nation’s cybersecurity.

As threats to cybersecurity grow in size and sophistication, protecting our Firm, customers and vendors while enabling innovation is an important, evolving priority. When we enter new businesses and adopt new technologies, these risks and challenges multiply. This is why we devote significant, diverse resources to cybersecurity. Our efforts are designed to stop malicious actors from infiltrating our computer systems to destroy data, obtain confidential information, disrupt service, engage in “ransomware” or cause other damage. For example, through the CB we provide clients with resources and educational content to help them fight and prevent fraud losses, such as a client ransomware guide and business email compromise toolkit.

To help safeguard the confidentiality, integrity and availability of our infrastructure, resources and information, we maintain a robust Information Security Program. It establishes policies and procedures to prevent, detect and respond to cyber-attacks. Because every employee serves as the first line of defense, we educate, train and test all our employees on how to identify potential cybersecurity risks, protect the Firm’s resources and information, and report any unusual activity or incidents. Every employee is required to complete cybersecurity training on an annual basis and we undertake quarterly Firmwide phishing tests. We also require certain third-party vendors to comply with minimum security and control standards, our Supplier Code of Conduct, and all applicable laws and regulations.

[38] Industry best practices include: ISACA COBIT, ISO 27000 standards, FFIEC guidance, the Information Security Forum Standard for Good Practice, NIST SP800-53 and BSIMM.

JPMorgan Chase & Co ESG Report - Page 58