Cyber threat and intelligence

Our Cyber Threat and Intelligence function tracks and classifies potential information security-related events. Within our 24/7/365 Security Operations Center, TransUnion associates monitor for any attempts to access our systems or data. We deploy industry-leading security solutions to manage the vulnerability and threat environment affecting our businesses across the globe. Internal and external vulnerability management solutions are used to monitor our networks, including our connections with customers and partners. Our applications and networks undergo internal and external, third-party penetration tests on an annual basis — or more frequently contingent on the threat environment.

TransUnion participates in the Financial Information Sharing and Analysis Council (“FS-ISAC”) where companies — including other US nationwide consumer credit reporting companies — share information regarding cyber threats, attacks and solutions to understand the evolving threat environment. We regularly test, update and revise our incident response plans based on the behavior of threat actors attempting to access our computer systems, software, networks, data and other technology assets on a daily basis.

Physical and personal security

Physical security is a crucial component of information security and worker safety. In our most sensitive sites, TransUnion employs stringent physical security controls limiting access to our facilities, including biometric and badge access, and security guards at external entry points. In addition, we employ automated mechanisms to recognize potential intrusions and initiate designated response actions.

Through the Corporate Security Program, TransUnion continuously assesses security risks confronting our global assets, products and people, and works to reduce the security risks to which we are exposed. At the same time, we guard against complacency and enable each employee to first and foremost contribute to their own security. Through this work, we develop and maintain a culture that is recognized globally as one that prioritizes security as a business value and is unwilling to compromise on the safety and security of our employees and the data we steward.

Third-party risk management

We regularly work with third-party vendors, suppliers and partners. Our Third-Party Risk Management (“TPRM”) program sets forth requirements and guidelines for the third parties with whom we do business. As part of our TPRM program, TransUnion uses an Enterprise Security Ratings Platform which gathers terabytes of data from security sensors around the world, and provides insights concerning potential risks emanating from infected machines, improper configuration, poor security hygiene and harmful user behavior. Each third-party company receives a security rating based on the severity, frequency and duration of security incidents. When third parties do not meet our standards, we terminate our relationship with them and look for new partners that meet our security and stewardship requirements.

SECURITY, GOVERNANCE & COMPLIANCE
TRANSUNION | 2021 SUSTAINABILITY REPORT
