2022 Environmental Social Governance (ESG) Report

GOVERNANCE

DATA PRIVACY AND SECURITY [418-1] Cushman & Wakefield is committed to continually enhancing our global Data Privacy and Security program to align with evolving regulatory requirements. As a global business, managing risk and staying up to date with global regulations and requirements is critical, particularly as data privacy risk has become a global concern in today's data-driven world. Our pragmatic approach aims to mitigate risk and protect our company data, third-party data and employee data, with a focus on confidentiality, integrity and availability. We are dedicated to maintaining data protection and security practices that meet market, legal and contractual requirements in the various markets we serve. Our Information Security and Risk Management team is responsible for compliance and awareness training, client and data security, technical security, and data privacy. We also have dedicated Global and Regional Risk Committees responsible for overseeing risk governance, internal audit, control and compliance, and a Security Compliance Committee that is responsible for overseeing our security program governance.

To set best practice security policies and standards, our organization works to align with the ISO 27002 control categories and the NIST Cybersecurity framework. These include but are not limited to the following global policies: > Information Security Policy Defines the principal requirements of our Information Security Program > Appropriate Use Policy Defines how technology and information should be used > Security Standards Defines the minimum security requirements for each geography > Global Workplace Privacy Policy Describes the ways we handle and protect the personal information of our staff members At Cushman & Wakefield, we are committed to safeguarding our data and our clients' data. Our teams work proactively to identify and manage potential vulnerabilities through cloud security, screen locking, encryption, and other risk management mechanisms. We also partner with our clients to provide technical security for their infrastructure systems, applications and data. Our vulnerability management works to respond efficiently to risks based on the criticality of the vulnerability. This includes developing security monitoring and controls for key risk areas.

CUSHMAN & WAKEFIELD 2022 ESG REPORT | 115