2023 Sustainability Report

INTRODUCTION OUR CLIENTS OUR PLANET OUR PEOPLE AND COMMUNITIES OUR BUSINESS ACKNOWLEDGEMENTS ABOUT THIS REPORT APPENDICES

2023 SUSTAINABILITY REPORT | 72

Our Approach

Data Privacy and Security

Supply Chain Management

Governance Ethics and Compliance

Stories of Progress

Data Privacy and Security

Cushman & Wakefield is dedicated to maintaining data protection and security practices that meet market, legal and contractual requirements in the markets we serve. Staying up to date with global regulations and requirements is critical, particularly as data privacy risk has become a global concern in today’s data-driven world. Our pragmatic approach aims to mitigate risk and protect company, third-party and employee data, with a focus on confidentiality, integrity and availability. management processes include technical security controls, monitoring systems, operational processes and policies, and management oversight to assess, identify and manage risks from cybersecurity threats. We have implemented risk-based controls to protect our information, systems, and business operations. We have adopted security-control principles and standards based on the National Institute of Standards and Technology Cybersecurity Framework (NIST), other recognized global standards and client contractual requirements, as applicable. We maintain a cybersecurity program that includes physical, administrative, and technical safeguards, and we maintain plans and procedures to help us prevent, detect and timely and effectively respond to cybersecurity incidents. Through our cybersecurity risk management program, we have established Our Information Security and Risk Management team is primarily responsible for managing our practices. Our cybersecurity risk

operational processes to address issues including monitoring and patching of vulnerabilities, regularly updating of our information systems, and evaluating new countermeasures made to defend against an evolving landscape of threats. In addition, we periodically engage third-party consultants and providers to assist us in assessing, testing, enhancing and monitoring our cybersecurity risk management programs and responding to any incidents. We believe cybersecurity awareness is important in managing cyber risk. We provide annual cybersecurity awareness training and regular phishing awareness exercises to our tech-enabled employees. We assess the success rate of employees reporting phishing scams, and the results inform the development of our programs. Role-based training is provided to employees in certain higher-risk positions, which is tailored to the heightened cybersecurity risks they face. Our tech-enabled employees also complete annual mandatory privacy & data protection training.

See our 2023 Form 10-K for additional information on our cybersecurity practices and governance.

In 2023, we had no substantiated complaints concerning breach of customer privacy and no loss of customer data.