Airbus - 2022 Universal Registration Document

1. Information on the Company’s Activities / 1.2 Non-Financial Information

Cyber Security

GRI | SASB          | SDGs  | Others
    | Data Security | 9, 12 |

Highest governance body(ies) involved:
Corporate Security Council; Digital Security Team (Cyber Security Validation Body)

Related corporate policies and directives:
- Airbus Company Security Policy
- Security Requirements for Company Information & Data Classification and Protection
- Security Requirements for Information Systems Management
- Security Requirements for Affiliates
- Security Requirements for Industrial Automation and Control Systems
- Requirements for Product Security
- Requirements on Information Security for Suppliers
- Specific Requirements on Information Security for IT Service Providers

Management system:
- Manage Airbus Company Security – aligned to ISO 27001 standard
- Monitor, Identify & Report Company Asset vulnerabilities
- Assess & Treat Company Asset Security Risk

Key metrics                                                                        2022      2021
Number of data breaches reported to data authorities                               1         0
Percentage involving confidential information                                      100%      N/A
Cyber security awareness training e-learning participation                         67,475    107,808
  (started 1 Jan. 2020, reporting period 1 Oct.-30 Sep.)
Corporate and IM Cyber Security headcount                                          290       437

II. Governance

The Company has undertaken a cyber security transformation since 2019 with the establishment of a federated model of digital security encompassing accountable leaders in respective organisational structures such as IT, engineering and operations. A dedicated team for security governance was established, reporting to the Company Chief Security Officer (CSO), responsible for the definition and audit of cyber security directives and methods aligned to major industry standards such as ISO 27001 or IEC 62443. The Company Chief Information Security Officer reports to the CSO with a direct reporting line to the CEO. Such an approach ensures localised accountability and reactivity to cyber risks with centralised governance, reporting, technical standards and processes. Cyber security governance encompasses both Divisions and global operations plus affiliates.

Corporate Security Council

The Company has established a Corporate Security Council, chaired by the Chief Security Officer, for the coordination of security governance and to ensure consolidated security risk reporting from each of the four asset clusters: IT, industrial, product and services, and people and workplace domains.

Security Governance Directives

Security directives are published and audited to ensure the Company business follows the same standards for data protection and systems security. Key cyber security directives include the ones listed in the table above (Related corporate policies and directives).

III. Risk Management

Confidentiality, integrity and availability define the cyber security objectives against which systems risks are assessed. Corporate Security is accountable for security risk management and is in charge of defining the cyber security risk taxonomy and managing its lifecycle in ERM, including strategy, organisation, roadmap and initiatives at company-wide level. In terms of cyber security, risk management is the aggregation of continual risk reporting and cyber security validation processes embedded within security-by-design principles for projects, applications and infrastructures, in addition to the implementation of digital security controls aligned to the Company’s enterprise security architecture standards.

Risk mitigation measures follow the principle of people, process and technology controls to reduce the likelihood and/or impact of cyber incidents. The Company incorporates mandatory cyber security training and awareness for all employees, with additional engagements for employees in higher risk categories or where additional regulatory stipulations apply. Security processes are fixed through security governance directives, business management processes (e.g. MC.AS.01 Vulnerability Management) and operating models. Technical security controls are implemented and measured in accordance with ISO 27001 and other industry information security management standards. The Company implements a number of key technical security controls to reduce the likelihood of cyber incidents, including the rollout of endpoint protection and data loss prevention tools, the implementation of multi-factor authentication, and the adoption of enterprise security architecture approaches.

To reduce the impact of cyber events, it operates in-house security operations centres covering both commercial and national activities, plus a Computer Emergency Response Team (“CERT”) analysing cyber security threat intelligence and rapidly investigating and containing cyber security incidents.
