
Schneider Electric, 2021 Sustainable Development Report, page 28 (www.se.com)

Cybersecurity and data privacy (continued)

Risk description and impact | Policies | Main actions and 2021 performance | Opportunity created

Damage to customers assets

Field services operations & remote customer support

Risk description and impact:
Risk of malware distribution into the production environment of a customer through compromised Field Service end-point or on-site activities
• Impact on customer assets and production
• Reputational impact

Policies:
Cyber Badge Principles; Third-Party Security Principles; Network Security Policy; Malicious Software Policy

Main actions and 2021 performance:
• Cybersecurity contact identified, ad hoc and periodic assessments for strategic ones
For our customer-facing employees:
• Deployment of Cyber Badges across 20,000+ customer-facing employees.
• Compliance monitoring of Cyber Badge deployment
For our customer-facing suppliers:
• Consistent Cybersecurity and Privacy Terms & Conditions developed for all suppliers

Opportunity created:
Increase sentiment of trust for our customers, partners and larger community
• Absolute requirement
• Global Action Plan

Customer staging and project commissioning

Risk description and impact:
Risk of compromised customer assets having an impact at site level, as a result of a failure in the control environment of Schneider Electric
• Reputational Impact
• Repairment cost

Policies:
Security Principles; Cybersecurity Policy for Products & Systems; Network Security Policy; Malicious Software Security Policy; Source Code Security Policy

Main actions and 2021 performance:
• Deployment of an end-to-end Project Supply Chain Security methodology
• Datamining for preparing recommendations

Opportunity created:
Greater confidence of our customers in our products
Market access to critical infrastructures
Advanced discussions with authorities and greater collaboration on safety and security
Fulfillment of contract requirement opening the door for additional or further opportunities.
On-time with tendering process

IP theft and loss

R&D repositories and source code compromise

Risk description and impact:
• Compromise, deterioration or exfiltration of R&D repositories and source code
• Jeopardizing Intellectual Property availability, integrity and confidentiality

Policies:
Source Code Security Policy; Cybersecurity Policy for Products and Systems; Information Security Charter; Sensitive Source Code Security and Confidentiality Affidavit

Main actions and 2021 performance:
• Site security controls compliance, training and awareness deployed
• Assets inventory, topography of R&D sites
• Protection against vulnerabilities or malware
• Pen tests conducted
• Least Privileged Access Control, Disaster Recovery Plan, Network Segmentation, Port Management, and Protocol Hardening applied
• Source code reality checks conducted on code content, code engineering, governance, etc.
• Threat detection of signals on the surface web, the dark web, social media etc. to spot cracked software, Source Code and IP exposed etc.

Opportunity created:
Effective visibility for risk management and proper actionable outcomes
Perceived as a trusted partner
Reducing risk through advance detection of exposure of sensitive code or potentially compromised or modified applications which could facilitate criminal activity or customer compromise

1 Sustainability at the heart of our strategy
