
www.se.com Schneider Electric Universal Registration Document 2021 258
Chapter 3 – How we manage risk at Schneider Electric
1. Event triggered risks
1.5 Human rights, environmental, and safety issues through the value chain (continued)

Risk monitoring and management

Human rights are part of the Ethics & Compliance program, which is managed by the Ethics & Compliance Committee and the Legal and Corporate Citizenship departments. More specifically, human rights are managed by the Corporate Citizenship department with the support of the Ethics & Compliance Committee, both for risk identification through risk assessment and for risk detection, with the whistleblowing system available to employees and to external stakeholders. Regarding training, e-learning on the Trust Charter is mandatory for all employees and, in 2021, focused on human rights amongst other ethics and compliance topics. 93% of employees had completed the training by the end of 2021.

Suppliers are selected according to the “Schneider Electric Supplier Quality Management” system, in which sustainable development criteria account for 15% of a supplier’s total evaluation. These criteria include human rights topics. In 2019, Schneider Electric organized the Global Suppliers Day, during which the Trust Charter was introduced to suppliers. As part of the Group’s five-year objectives for 2021 – 2025, strategic suppliers are requested to undergo an ISO 26000 evaluation. Consistent with a continuous improvement effort, these suppliers achieved on average a +6.3 point increase between 2018 and 2020 and a further +1.2 point increase in 2021, reaching an average score of 58.6.

Schneider Electric has built a supplier vigilance plan in which at-risk suppliers are identified using criteria that take into account the supplier’s geographical location, the technologies involved, and the processes used. An audit plan is then built to perform either on-site supplier audits or remote self-assessments.
When non-conformances are identified, corrective actions are deployed. The suppliers are then re-audited to verify that the actions have remediated the non-conformances. In 2021, within the scope of 2021 – 2025 SSE objective #17 (“4,000 suppliers assessed under our ‘Vigilance Program’”), the Group conducted 180 on-site audits and 629 remote self-assessments. At the end of 2021, 94% of the non-conformances identified in 2020 had been closed. The supplier vigilance plan also includes an internal training program for Schneider Electric Procurement teams and workshops with suppliers. In 2021, the Group also defined a specific program with the objective of ensuring that 100% of Schneider Electric’s strategic suppliers provide decent work to their employees, within the scope of SSI indicator #6. The program will be launched in 2022. Schneider Electric is also currently developing a program to ensure “social excellence” for the Group’s suppliers.

1.6 Schneider Electric connected products used as a gateway to attack Group’s customers and partners

Risk description

The Energy Management and Industrial Automation sectors, like many others, are becoming more digital, with pervasive IoT usage and augmented data being major accelerators for mobility, the cloud, pervasive sensing, big data, and analytics. The digitalization of products, including native connectivity, increases exposure to cybersecurity risk: connected products and digital offers (e.g., remotely managed services such as “Advisor”) deployed at Schneider Electric or customer sites could be used as a gateway for malicious cyberattacks. Schneider Electric Exchange is an ecosystem collaboration platform with over 50,000 users, approximately 300 applications that can be leveraged, more than 150 service providers, and around 100 communities. If compromised, these types of digital offers and platforms could negatively impact a customer’s business and consequently affect the service quality, profitability, and reputation of Schneider Electric.
Risk monitoring and management

The Product & Systems Security Office (PSO) has been reinforced with a strong mandate to develop products and secure the ecosystem in conformity with cybersecurity standards (such as the ISO 27000 suite and IEC 62443). As an illustration, the IoT Cloud Platform (EcoStruxure™ Technology Platform) has implemented controls that can be mapped against the ISO 27001 standard. Schneider Electric follows a Secure Development Lifecycle process to build cybersecurity into its products from the earliest stages, before design begins. In 2019, security and privacy design were enhanced with a new Secure Development Lifecycle, certified to IEC 62443-4-1. Since 2020, all digital offers (mainly the “Advisor” software suites) have been assessed within the framework of digital security and privacy conformance. Schneider Electric enforces digital security and privacy conformance for products, systems, software, platforms, applications, and digital offers through security reviews and, when applicable, the Digital Certification process.

Schneider Electric addresses cybersecurity vulnerabilities affecting its products, software, and systems to support the security and safety of its customers. It works collaboratively with researchers, Computer Emergency Response Teams (CERTs), and asset owners to ensure that accurate information is provided in a timely fashion to adequately protect customer installations. In the event of a cyber incident, a process of response, connection, and debriefing is organized with partners and customers.
