pg. 5

“Supplier relationships will be reviewed for inherent risk domains such as compliance, cyber security, business resiliency, fourth party, geopolitical and solvency. Suppliers will be classified with a low, medium, high or critical risk rating. The Vendor Risk team will determine which risk assessments are required based on the classification. Monitoring activities will be driven by the risk classification associated with the suppliers. Suppliers with high-risk profiles will be more actively monitored than suppliers with low-risk profiles.”