Ensuring the protection of information and systems
Ensuring the protection of our information and systems and that of our customers and other stakeholders is of critical importance. We have stringent protocols and practices addressing both cybersecurity and data privacy.
Our cybersecurity program is designed to protect and preserve the confidentiality, integrity and continued availability of all information that we own or that is in our care. Our program is compliant with applicable industry standards as well as standards from the U.S. National Institute of Standards and Technology (NIST).
Our program includes a cyber incident response plan that provides controls and procedures for timely and accurate reporting of any material cybersecurity incident. For example, we provide our employees with easy-to-use tools to report potential phishing emails. Employees also receive annual security training, and we conduct periodic phishing testing to ensure our employees remain vigilant and compliant with our expectations. In addition, we are currently refining our external vendor security practices to focus on day-to-day security hygiene, in addition to point-in-time certifications.
Our vice president (VP) and chief information officer (CIO) oversees our cybersecurity program. The PPG Board of Directors’ Audit Committee, which has oversight of cybersecurity risk, receives bi-annual reports from the CIO and also briefs the full Board on these matters. In addition, the full Board receives periodic briefings from the CIO on cyber threats and our cybersecurity program to enhance director literacy on cyber issues.
The full Board and the Audit Committee also periodically receive updates about the results of exercises and response readiness assessments performed by outside advisors that provide a third-party independent assessment of our cybersecurity program and internal response preparedness.
We maintain insurance covering certain costs that we may incur in connection with cybersecurity incidents that we may experience.
Our internal data privacy policies are designed to prevent unauthorized access to, and disclosure of, personal information using a range of operational and technological safeguards. Our employees also receive training on data privacy concepts to prevent any misuse of personal information. We closely monitor evolving data privacy and data protection legislation around the world and update our policies and procedures to comply with current regulations. In 2021, the company appointed a global privacy manager to oversee compliance.
Our privacy notices and statements outline how we collect, use and protect personal information provided to PPG. When personal information is no longer required, we destroy, anonymize or dispose of it using secure methods in accordance with applicable requirements.