technicolor - 2020 Universal Registration Document

RISKS, LITIGATION, AND CONTROLS INTERNAL CONTROL

SECURITY OF PEOPLE AND ASSETS, INCLUDING CYBERSECURITY GRI [103-1 Customer privacy]

[103-2 Customer privacy] [103-3 Customer privacy]

Security is a key priority and an overall enterprise topic that affects each of our Business Groups in different ways. For Entertainment Services, Studios assign their projects only to companies that meet their content security standards. Technicolor's facilities and digital networks must pass customer-initiated security audits to win new contracts and to maintain client relationships. The TSO (Technicolor Security Office) plays a strong role in preparing and assisting in such audits. Security is also important for the Connected Home business. As devices become increasingly open and complex, they are exposed to greater security risks. Security can be a real market differentiator. The TSO helps Connected Home to deliver secure devices to their customers, and to adapt its product security posture to current threat levels.

As such, the TSO was established in 2011 to define the Security Strategy at the Group level. Led by the Chief Security Officer, the TSO establishes priorities, defines best practices, monitors current implementations, develops common metrics and promotes the security tools for the Group. The key areas of focus for the TSO are physical, digital and business security, which are all covered as part of a Security 3YP that is organized around four main pillars: Protect, Detect, Respond & Recovery. Each pillar contains categories of initiatives (42 in total) that highlight the key areas of focus and progress.

A cross-functional security team is in place and is the main contributor in executing the 3YP. This team is comprised of: TSO-Assessment Team (AT), TSO-Physical Security, Content Security, Security Operating Center (SOC), Security and Governance, Risk and Compliance (GRC), and Business/Product Security. The TSO-AT acts as internal security assessors and advisors. The TSO-Physical Security team establishes standards, conducts assessments and manages the global incident management processes. The Content Security team provides assistance and guidance across all Production Services sites for all security initiatives. The Security Operating Center (SOC) manages day-to-day security elements (tools, process and data). The GRC arm of the TSO manages policies, the global awareness program, tools, vendor assessments and the design of new processes and/or policies, as needed. The Product Security organization establishes policies, procedures and best practices around security for the product development lifecycle.

The Group Security program is governed through a dedicated Security Steering Committee including each Business Head, Head of HR, IT and TSO representatives. The Security Steering Committee meets at least twice during a twelve (12) month period. Business division/overall program security reviews take place on a quarterly basis. In 2020, over 200 site security audits were conducted across the global perimeter. These audits were performed using a combination of the internal TSO Assessment team and external audits conducted by customers, studios, MPAA and other security organizations. All audit findings have been incorporated into the 3YP and are prioritized based upon risk.

In addition, following the Schrems decision by the European Court of Justice, the TSO has acted as the central coordination point for the remediation of the internal legal framework to reinforce the Security clauses applicable to our providers related to EU data privacy and ensure GDPR compliance. The TSO also ensures other relevant privacy laws and regulations are complied with.

Employee Awareness & Safety: For all employees, security-conscious behavior is key. As such, within the GRC arm of the TSO a formal awareness program was developed to include: an online training program (GEM) with courses selected by the security working teams annually with compliance tracking metrics, and security videos and communications sent globally on key relevant topics (such as phishing, password management, etc.). These programs are regularly reviewed as part of external audits conducted by customers.

Regarding travel and employee safety, updates to the process were made and administrative responsibilities were expanded to better respond to critical incidents. A supplemental procedure exists for travel to high-risk countries. An employee safety program has been established with an industry leader that enables alerts and communication to employees who are traveling or are situated near or at a location where an incident such as earthquake, fire, social disturbance, etc. has been reported.
