Cybersecurity and privacy risk management Ensuring our data is safe and properly stewarded is vital to keeping consumers protected and maintaining their trust. TransUnion maintains a dedicated TPCC as part of its Board of Directors. The TPCC assesses our risks to TransUnion’s technology and innovation strategy and approach, and monitors performance against its technology functionality and availability goals. The directors who serve in the TPCC collectively bring a wealth of experience to the Committee as data industry leaders, as well as experts in the policymaking and regulatory process. Our CISO and Chief Privacy Officer (CPO) maintain strategies and programs designed to protect consumers and data assets, align with consumer expectations, and comply with all applicable laws. The CISO and CPO have direct reporting lines to the TPCC and both report to the TPCC at every Committee meeting. Information security The security and protection of consumer information is the highest priority for TransUnion. We proactively manage our information security and cybersecurity programs, and continuously invest in improvements necessary to secure the data we hold on behalf of consumers. Our Global Information Security Department is responsible for developing, implementing and maintaining a comprehensive information security program consistent with TransUnion’s size and complexity. We employ multiple, overlapping layers of security controls to reduce risk and eliminate single points of failure. Our program focuses on risk identification and fostering resiliency, all to protect TransUnion, our assets, customers and consumers. Cybersecurity overview The objective of TransUnion’s information security plan is to maintain reasonable safeguards to: → Ensure the security and confidentiality of non-public personal information that TransUnion receives and is obligated to maintain in confidence → Protect against anticipated threats or hazards to the security or integrity of such non-public personal information → Protect against unauthorized access or use of such non-public personal information that could result in substantial harm or inconvenience to any consumer SECURITY, GOVERNANCE & COMPLIANCE TRANSUNION | 2021 SUSTAINABILITY REPORT 22