Our cybersecurity management system has been certified compliant with both national and international cybersecurity standards and frameworks, including ISO 27001 and the UAE Information Assurance Standards. We have adopted or aligned with a range of other international standards and best practices, such as IEC 62443 (cybersecurity for operational technology in industrial automation and control systems), ISO 22301 (business continuity), ISO/IEC 20000 (service management), and ISO 27701 (privacy information management). We regularly assess and monitor our digital footprint and posture, as well as the performance of our cyber defense, and implement proactive measures to mitigate any potential digital risks or gaps. Investment in our IT infrastructure is a priority, to ensure effective and robust security measures are in place. We continuously monitor and evaluate the performance of our security systems, routinely testing their effectiveness and adapting them to enhance our capabilities and sustain our business resilience. We foster a culture of innovation in the cybersecurity domain, where we combine innovative technologies and solutions with modern processes, build new cyber capabilities, and create a more resilient digital environment. Our people are the strongest link in our cyber defense, and we continuously invest in training them in the best practices to prevent, protect against and respond to emerging cyber threats and risks. Our training and awareness programs include regular phishing simulations, people engagement through internal ‘cyber events,’ specialized on-the-job training programs, tabletop exercises, e-learning and gamification, as well as a community and family cyber outreach program. To ensure critical components of our supply chain are protected and resilient to cyber threats, we are extending the coverage of our cyber defense and response capabilities to our supplier network. 
Companies that wish to conduct business with us must register and comply with specific cybersecurity controls under our policies. We have formed alliances, both regionally and internationally, to collaborate with key industry partners to share and act on cyber threat signals.

Data privacy

We collect, process, and store personal data where necessary for our operations. We are committed to respecting the privacy of individuals and recognize that processing of personal data may impact on their rights, so we take the utmost care to manage personal data appropriately and in compliance with applicable laws. In November 2021, the UAE issued Federal Law No. 45 of 2021 (the UAE Data Protection Law). In line with the law’s requirements, we have undertaken a comprehensive review of our personal data processing activities to ensure we continue to handle personal data in an ethical and lawful manner. As a result, we are currently drafting a new global privacy and data protection standard and procedures, which will build on the commitments enshrined in our Code of Conduct. Companies that wish to conduct business and register with us must comply with all controls under our Data Management Policy.

ESG in our supply chain

From the outset of any business relationship, we strive to uphold and embed the principles of responsible business partnering. This is governed by our procurement policy and due diligence and evaluation programs, stipulated by our Supplier and Partner Code of Ethics and the terms of our supplier contractual agreements. We operate initiatives and programs to screen for and monitor contractor compliance with safety, environment, health, and labor requirements, and to support improvements in contractor employees’ working conditions, wellbeing, and the timely payment of salaries. In 2023, we rolled out our strategy and implementation roadmap to embed additional ESG performance factors in our suppliers’ qualifications and auditing processes.
As part of the rollout and to evaluate their current ESG performance, we requested 30 of our major suppliers to complete a self-assessment questionnaire. Furthermore, we have engaged our strategic suppliers in several workshops and hosted ADNOC’s Energy Forum, which aims to enhance the awareness of ESG in our supply chain and to share best practices.

Enterprise risk management

We manage risks through a system based on ISO 31000 (Risk Management) principles and guidelines, where we integrate and manage strategic, operational, compliance and financial risks within an annual planning cycle. To drive consistency in our risk management practices, we operate a unified enterprise risk management framework and standard that brings together issues related to health, safety, environment, financial and operational risks, within one management system. This includes an updated risk breakdown structure and defines the risk categories and themes applicable across our entire business operations. We maintain continuous visibility of the top risks across the Group through quarterly reporting from Group companies to their respective business directorates, along with the progress made on the associated risk mitigation action plans. The ADNOC Board of Directors provides ultimate risk oversight, with a committee dedicated to overseeing the risk management framework and corporate risk register, and monitoring specific risks. The primary role of the committee is to monitor overall management of risks and activities relating to physical and transition climate risks, health, safety, and the environment, and to assist with oversight with respect to the company’s risk tolerance and management processes. The Board Audit Committee focuses on financial risks, including financial reporting and treasury risks, as well as on internal and external compliance.
Risk management functions include HSE; Sustainability and Climate; Information Security; Corporate Emergency Management and Continuity; Corporate Compliance; and Financial Risk Management; as well as the Corporate Enterprise Risk Management group. Our operating businesses are responsible for identifying and managing risks. We have aligned our corporate risk matrix with the concerns of stakeholders involved in our risk assessment activities. In parallel, we have established a digital risk platform that integrates risks with our corporate strategic goals, enabling better insights and management of risks through enhanced monitoring of our risk mitigation plans. To ensure the credibility of our risk identification process, a dedicated in-house enterprise risk management training program has been established.

Cybersecurity

As we continue our digital transformation journey and further embed digitalization and information technology in our operations, it becomes increasingly vital that we protect our digital assets from cyber incidents that could harm our people, disrupt our processes, and affect our systems. We are committed to building a resilient organization that can withstand and recover from any cyber incident. To this end we have established a robust threat intelligence function that monitors the cyber landscape and provides timely and actionable insights on the threats or risks that may affect our business. Our cybersecurity operations center monitors and investigates suspicious activity around the clock. We also have a dedicated incident response team, ready to respond to and contain cyberattacks, and a business continuity plan that ensures business operations are not disrupted or affected by adverse events.

ADNOC Sustainability Report 2023: Energy for Life