Security
Protecting our people, our products and the data we rely on.
Highlights
- Greif’s oversight of physical security, cybersecurity and product security is key to protecting our people, products, assets and customer data.
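- Our ability to improve internal technology and technology-enabled communication with customers requires effective security measures to demonstrate our reliability and increase customer satisfaction.
- Greif has not received any substantiated complaints regarding breaches of customer privacy, and no leaks, thefts or losses of customer data were identified in 2023.
Why Security Matters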
Greif prioritizes physical security, cybersecurity and product security, which is critical to protecting our assets. Physical security includes safeguarding our facilities, ensuring the safety of our colleagues and maintaining a safe environment for our manufacturing assets. Cybersecurity defends Greif’s and our customers’ information resources – systems, networks, applications and programs – from digital attacks. Product security safeguards our customers’ products throughout the supply chain, including shipping and transport. Improvements in internal technology and technology-enabled customer communication enable us to enhance our reliability and bolster customer satisfaction. Greif will continue to build on best practices to improve our ability to protect internal and external information.
Governance
Our data security practices comply with Sarbanes-Oxley, EU General Data Protection Regulation (GDPR) and Greif’s internal policies including Records Management and Retention Policy, Data Privacy Policy, information security policy and IT procurement and spend policy. Security is a shared responsibility across the entire organization, led by the Chief Technology Officer (CTO), with cybersecurity, in particular, falling under the responsibility of the Chief Information and Digital Officer. Greif’s CTO provides the Board and Audit Committee with periodic security-related updates. Greif Executives also receive updates through a cybersecurity dashboard shared quarterly with Greif’s Enterprise Risk Management Team and Board. The dashboard tracks our performance using the National Institute of Standards and Technology Cybersecurity Framework as a reference. Greif’s Information Technology Team also plays a role in overall data security, conducting annual audits for IT control processes and monthly phishing simulations and awareness articles, increasing from quarterly in 2021.
Should Greif fall victim to a cybersecurity breach, we maintain a Cyber Incident and Response Plan and an IT Services Global Business Continuity Plan, which outline our steps to respond to and mitigate the impact of an incident quickly. Greif’s ethics hotline is available to all colleagues for reporting suspected data breaches, and an automatic phishing report option is available to all colleagues with email access. We work with industry and regional associations and consortiums to support knowledge sharing of incident response, business continuity and cybersecurity best practices.
Training is a vital part of Greif’s cybersecurity program. Cybersecurity and awareness training helps improve our colleagues’ ability to identify and respond to potential threats and minimize risk in both digital and physical spaces. We train colleagues on phishing attacks, cybersecurity hygiene and general internet safety, among other topics. After completing the training, all colleagues must conduct a quarterly checkup, ensuring knowledge is retained and practiced. This training is compulsory for all colleagues with computer access, including our Executive Leadership Team. Our colleagues also receive quarterly newsletters promoting cybersecurity awareness, weekly security tips on topics ranging from password security to avoiding phishing scams and connections to external security speakers through Greif University. They also participate in our annual Cybersecurity Month awareness campaign each October. Greif works with a third-party partner to implement these training initiatives, and Greif’s overall phishing-prone score is 11 percent better than our industry’s average for large-scale manufacturers.
Each month, members from Cybersecurity, Human Resources and the Legal Department meet to discuss compliance with current and emerging data security and privacy regulations. We monitor regulatory changes and actions required to ensure compliance. To protect customer data, we follow a need-to-know model to limit the number of people with access to secure information, both internally and externally. Additionally, to ensure sound management of confidential data, we obtain consent through agreements and contractual clauses and comply with all relevant regulations. We implement software solutions to protect and encrypt our endpoints to limit our exposure to potential data breaches, and we continue to educate colleagues on our Records Management and Retention and Data Privacy policies. To further comply with GDPR, we have conducted GDPR training for our colleagues in Europe, the Middle East and Africa. Additionally, we routinely and securely destroy hardware and hard copies with confidential information with verified service providers.
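We secure physical access to our facilities by installing tag readers and PIN code locks, and we require a bill of lading for every shipment picked up from our facilities. In addition, tamper-proof enclosures are used throughout the supply chain to give customers confidence that their products are protected and secure.
Goals, Progress and Performance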
Greif regularly reviews its security strategy and roadmap and assesses progress through third-party partnerships. In 2023, we will update our multi-year roadmap through a cybersecurity maturity assessment with an external partner.
The use of single sign-on (SSO) and multi-factor authentication (MFA) is key to protecting Greif’s high-risk applications. We have implemented next-gen antivirus solutions with endpoint detection and response services and expanded our automated detection and prevention processes in 2022. Greif will continue to assess its security maturity regularly, ensuring we apply and integrate best practices throughout all levels of the organization.
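Greif has not received any substantiated complaints regarding breaches of customer privacy, and no leaks, thefts or losses of customer data were identified in 2023.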