2021 Environmental Social Governance (ESG) Report

Our minimum-security requirements across the organization are aligned to ISO 27002 control categories and the NIST Cybersecurity Framework. We undergo several independent third-party assessments to certify the security of various parts of our business, and we had zero formal security- or privacy-related complaints logged in 2021.

Additional components of our Information Security Program include: • Security rating and monitoring of third party vendors

• Security monitoring of all critical infrastructure

• Access management and control

• Crisis management including incident response and disaster recovery plans

• Secure internal and external communications

• Annual proactive awareness training for all tech-enabled employees • Additional training for individuals that handle sensitive data

• GDPR training where relevant

92 | CUSHMAN & WAKEFIELD 2021 ESG REPORT