CSL Annual Report 2024

CSL partners with third parties to assess the effectiveness of its cybersecurity program and extends its cybersecurity standards and expectations to applicable third-party vendors and service providers – this includes assessing our external providers based on defined cybersecurity criteria.

Over the last year, strategic investments in cybersecurity have been made to improve CSL’s threat management capabilities, proactive defense posture and rapid response to cybersecurity events. Still, despite these advancements, emerging threats – particularly those enhanced by Artificial Intelligence (AI) – pose a significant challenge by introducing a new level of complexity to cyber-attacks. To counter these threats, CSL will continue to invest in defenses, including enhanced threat detection and response, employing machine learning to identify and neutralise adversarial tactics where technically feasible, and updating our cybersecurity protocols to keep pace with new challenges. Innovations such as self-healing networks, adaptive and contextual security measures, and predictive defenses will also be crucial for mitigating risks and preemptively addressing the dynamic nature of cyber threats.

CSL’s business strategy, operations, or financial condition have not been successfully affected by cyber-attack as at the date of this report.

Governance

Privacy

Further, over the reporting period, CSL has maintained a strong commitment to the responsible use of personal data entrusted to us by patients, donors, employees and other stakeholders. Key highlights and performance during the financial year include:

• New policies and practices: CSL maintains an enterprise‑wide data privacy policy as well as standards and procedures that guide the collection, maintenance, and use of personal data and considers global legal and regulatory requirements. CSL has improved its digital data privacy processes to help ensure that we are respecting the right to privacy of individuals and responsibly collecting and managing the data we collect.
• Data privacy issues addressed: Significant efforts were made this year to comply with new and changing data privacy regulations, such as those in Switzerland and China. Ongoing monitoring and assurance seeks to verify that the business follows data privacy requirements and CSL’s policies and meets the standards of existing data privacy laws.
• Non-compliance or breaches: CSL follows a robust Privacy Incident and Data Breach Response Procedure in dealing with possible data privacy incidents. Privacy incidents are reported to an enterprise-wide data privacy team for triage and assessment. Of the privacy incidents reported this year, four were substantiated as data privacy breaches that required reporting to data protection authorities or data subjects.

CSL’s dedication to data privacy is evident in the comprehensive measures taken to protect personal data and comply with regulatory standards.

Data protection and cyber security

CSL collects and holds personal information about its employees and key stakeholders, such as plasma donors, healthcare professionals and patients. Unauthorised access or use of this information presents a risk to its operations, and CSL’s place as a leader in the biotherapies marketplace.

Data protection

CSL’s cybersecurity program is an integral part of its broader enterprise risk management strategy. CSL’s Global Leadership Group (GLG) and Board of Directors provide governance of the program and provide support to ensure cybersecurity risks are appropriately managed and CSL complies with the laws and regulations of the regions in which CSL operates. CSL’s Chief Information Security Officer provides quarterly reports to the Audit & Risk Committee of the Board of Directors, ensuring top-level oversight and strategic alignment.

CSL takes a risk-based approach to cybersecurity and has constructed its program around industry frameworks designed to build resilience against a dynamic spectrum of cyber threats. The system consists of cybersecurity policies, standards, processes, and practices throughout CSL’s operations that are designed to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goals of minimising business disruption and preserving confidentiality of personal information. The program also includes monitoring, identification, assessment, and management processes, coupled with communication and escalation protocols that keep the Global Leadership Group team well-informed of potential risks.

In addition, CSL’s cybersecurity program includes:

• perimeter and system safeguards
• incident response
• awareness & training
• threat intelligence
• risk assessment & security testing
• identity governance
• vulnerability analysis & management

Read more at csl.com/we-are-csl/corporate-governance

CSL Limited Annual Report 2023/24
