2022 ESG Report

Data Security and Privacy

Summary of Our Approach
• Data security and privacy is a key area of focus for our Board’s Risk Committee.
• Overseen by our Chief Information Risk Officer, the enterprise-wide information risk management program establishes our information and cybersecurity framework.
• We have a global framework to manage our privacy risk, which is anchored by our Global Privacy Risk Management Policy.
• All policies related to data privacy and security are reviewed and updated at least every three years.

Information and Data Security

Information risk is a top enterprise risk management priority, similar to financial or credit risk. We seek to protect our data and that of our customers. Our Privacy Compliance and Information Risk Management teams work collaboratively to reasonably ensure a cohesive, effective, and efficient program for protecting all forms of information under Manulife’s control.

Overseen by our Chief Information Security Officer, who reports to our Chief Information Risk Officer, our enterprise-wide information security management program establishes the company’s information and cybersecurity framework, including governance, policies, standards, and appropriate controls to protect information and computer systems. The Information Risk Management (IRM) policies are modelled after the ISO 27001 standard and use the National Institute of Standards and Technology (NIST) security framework and other industry standards as key references.

Dedicated staff develop and maintain our information risk policies and standards. They follow a robust review and update process to ensure the policies and standards remain current and respond to the latest technological changes. The process considers and incorporates the needs and expectations of our customers and other external stakeholders. Our policies and standards are reviewed and updated frequently, and at least every three years.

Our Information Risk Management team has a robust assurance process, which performs risk-based, objective assessments and controls testing across all segments. This verification of process and control effectiveness enables data-based insights and remediation prioritization.

Manulife continually invests in and improves the company’s cybersecurity toolkit, and we stay informed on the latest potential threats. Proficient cyber threat intelligence capabilities allow us to detect trends and turn analysis into strategic and tactical actions to shield our business against potential losses. We have business continuity plans in place that are tested at least annually. Additionally, we conduct internal analysis of our strengths and vulnerabilities and run simulated hacker attacks.

Manulife colleagues participate in mandatory annual security and privacy training to ensure our workforce is knowledgeable about their responsibilities to protect company and customer information. They can access related policies, standards, and procedures at any time through a centralized website. Global communication campaigns about protecting information are conducted quarterly, highlighting information protection topics and delivering simple, action-oriented messages. Simulated phishing email messages educate employees on how to recognize and address suspicious emails.

Data Privacy

Our global data privacy commitment is outlined in our Statement of Corporate Privacy Principles, which aligns with the Generally Accepted Privacy Principles (GAPP). Our Statement of Corporate Privacy Principles covers topics such as collection, notice and consent, use, retention, disclosure and disposal, use of third parties, safeguards, accuracy, access, and choices. This statement also includes links to country-specific data privacy notices that provide supplemental information about country-specific personal data handling practices. These notices are also available on country-specific websites. Where consent is required for personal data handling, individuals are provided with specific information at the time of data collection. Our Privacy Policy applies to all personal information under Manulife’s control, including where it is handled by a third party on our behalf.

2022 Manulife ESG Report - Page 74