2022 Environmental Social Governance (ESG) Report

TRAINING & ASSESSMENTS Cybersecurity awareness is key to preventing cyber threats. To that end, we require all employees to complete annual cybersecurity awareness training and regular phishing awareness exercises. We monitor and assess the success rate of employees reporting phishing scams, and the results inform the development of our data privacy and security trainings, systems and programs. Similar to how we monitor regulations at a local level, we seek to ensure that our systems and employees are compliant by offering trainings as needed within a specified geography. For example, employees in EMEA are required to complete GDPR training when it is relevant to their roles and jurisdiction. We undergo regular independent third-party assessments to certify the security of various parts of our business. As a result of our commitment and diligence, we had no formal (filed with the applicable regulator) security- or privacy-related complaints logged in 2022.

Additional components of our Information Security Program include: > Security rating and monitoring of third-party vendors, as appropriate

> Security monitoring of all critical infrastructure

> Access management and controls

> Crisis management, including incident response and disaster recovery plans > Focus on securing internal and external communications > Annual proactive awareness training for all tech-enabled employees > Additional training for individuals that handle sensitive data

116 | CUSHMAN & WAKEFIELD 2022 ESG REPORT