Data Privacy and Cybersecurity As digital solutions play an ever-larger role in financial services and the economy as a whole, the risk of cyber-attacks and other threats to information security continues to evolve and grow. In addition, the individuals with whom the Firm interacts expect that our data practices are safe and lawful. Data privacy and cybersecurity therefore remain top priorities for our Firm. At the same time, greater reliance on remote work due to the COVID-19 pandemic has only further underscored the importance of safe digital solutions and data practices. and remediation activities in the Firm. The Firm’s privacy framework outlines roles and responsibilities, sets compliance risk management controls in the form of policies and standards, directs advisory requests, and provides protocols for monitoring, reporting and escalation of key privacy risks and issues. The program reports periodically to our management, including our Board of Directors. Our multi-stakeholder approach to oversight and governance is embedded in our three lines of defense and supported by dedicated data and privacy teams around the world. We provide regular training and awareness to our workforce, not only on core privacy obligations and how to meet them, but also on emerging risks, trends and new developments. Information on how we collect, process, use, share and disposition personal information, as well as rights that individuals may have with respect to their personal information and how to exercise them, is available on our websites and upon request through multiple channels. In addition to traditional privacy notices, we often publish related materials such as frequently asked questions and tips for keeping personal financial information safe. We have a wide range of technological, administrative, organizational and physical security measures designed to safeguard the confidentiality, integrity and availability of personal information. Our Code of Conduct and related policies include specific guidelines on how employees should protect customers’ confidential information. We have established processes and procedures to report and respond to suspected or actual data privacy incidents that may compromise the confidentiality, integrity or availability of personal information. We provide our employees the ability to make reports through our internal systems. Our centralized process requires escalation to a dedicated incident response team for severity assessment, mitigation, root cause analysis and corrective action. In accordance with the Firm's policies, we notify individuals and our regulators of data incidents. Data Privacy As a global financial institution, our Firm collects, processes, uses, shares and dispositions all manner of personal information and financial data every day, and we have processes to manage that data in accordance with the laws, rules and regulations of the countries in which we operate. We take a multi-faceted approach to addressing privacy and data protection risks, including maintaining and evolving our internal controls, establishing policies covering all stages of the data lifecycle and deploying appropriate technology. Our Firmwide internal policy on personal information applies globally to our legal entities as well as third parties that handle personal information on our behalf. The policy sets forth minimum requirements including that personal information is processed for defined purposes. The policy also specifies the use of privacy by design principles, designed to ensure that privacy is taken into account throughout the data lifecycle. Data protection and privacy are key components of our global data risk management program. That program focuses on execution of the compliance and operational risk oversight of data management and privacy governance, controls 55 INTRODUCTION ENVIRONMENTAL SOCIAL GOVERNANCE Corporate Governance and ESG Oversight Stakeholder Engagement Risk Management Data Privacy and Cybersecurity Business Ethics Political Engagement and Public Policy ESG REPORT APPENDICES