04.1 Cybersecurity

We continuously adapt our approach to manage cyber risk for our company and customers through targeted insurance solutions and knowledge-sharing.

04.1.1 Information security

Information Security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from unauthorized access and against cyberattacks, as well as meeting related regulatory requirements and raising employee awareness about these matters.

Our dedicated Information Security function aims to ensure the confidentiality, availability and integrity of information across Allianz Group. As a core business discipline, information security is managed globally through a robust and mature governance framework aligned with international standard ISO 27001. Our approach is closely monitored by a dedicated Chief Information Security Officer (CISO) function and the Allianz Group Board of Management. An executive accountability regime supports the enforcement of the governance framework for all entities.

The Allianz Information Security governance framework comprises multiple layers of corporate rules and processes. An overall policy establishes core principles, roles and responsibilities and the organizational framework for Information Technology and Information Security within Allianz Group. More detailed functional rules provide further details and specific implementation guidelines for operating entities. The functional rules are complemented by detailed descriptions of best practices to be followed across 14 defined topics to ensure the ‘security by design’ principle.

Information Security is regularly audited, both internally and externally, and regular training is provided through dedicated exercises across all layers of the organization.
Managing cyber risk in our business

Cyber risk is assessed and tracked as one of the top risks faced by Allianz. It is closely managed along key risk indicators covering security maturity, risk exposure and security operations across the Allianz Group, following the defined cyber risk management strategy. Performance against these indicators is discussed, reviewed and reported quarterly to the Board of Management and Supervisory Board.

Monitoring of cyber incidents, and of the measures to prevent them, is implemented at a global level and supplemented locally where required, together with the local Chief Information Security Officers (CISOs) that exist in all Allianz operating entities. Actions to improve security controls are continuously evaluated and developed with priorities assigned on a global, risk-based view that is informed by the current and expected threat landscape.

Actions to achieve our cyber risk targets focus on five key risk areas: reducing the likelihood of incidents; increasing detection likelihood; reducing damage from incidents; streamlining compliance; and training/educating the organization to further improve security awareness.

All employees are required to participate in cyber-awareness training at least quarterly. This includes activities like simulated phishing e-mails, awareness campaigns or regularly offered dedicated Information Security trainings. We also participate in industry and global/regional initiatives to support the security of the overall internet ecosystem.

04.1.2 Data privacy

Allianz’s privacy strategy and framework enable our businesses to maintain the trust and confidence of customers, employees and other stakeholders in our handling of personal data.

Protecting personal data and maintaining trust in our processes are high priorities. Our customers, employees and other stakeholders expect their personal data to be treated with the utmost care and we take this responsibility extremely seriously.
We are committed to the highest standards of data protection and privacy compliance by handling personal data responsibly, transparently, with due care and in a fair and lawful manner. We use it only for specified and legitimate purposes and only keep it for as long as is needed. We never share it with anyone who is not authorized to access it. We strive to communicate honestly and openly about actions that involve the personal data we process.

We integrate data protection into the design of our products (privacy by design) and take appropriate steps to protect personal data and keep it secure. We also cooperate closely with other stakeholders involved in the updating and modernization of European privacy legislation including industry associations, members of parliament and authorities.

Allianz Group Sustainability Report 2022 120