NCC Group PLC

###### Stakeholder engagement

Listening to learn

We believe we have a responsibility to listen to our stakeholders, considering all their needs, and using insights and learnings to improve how we make important decisions. Our Code of Ethics guides us, informing and helping us to build enduring and trusted relationships.

Listening insights are used to inform decision making at every level of the organisation.

**Link to strategy:**

###### S

Our expertise plays a pivotal role in shaping evidence-based policy decisions. By adopting a proactive engagement approach, we harness our insights to contribute meaningfully towards a more secure digital society and differentiate ourselves in the market.

###### S

###### The opportunity
• [Building on our technology heritage and our role as trusted ]

advisors to governments and regulators we provide independent, technical expertise to improve cyber resilience policies

###### • [By understanding and shaping new and emerging regulations ]

and policy proposals we can develop the right solutions to prepare for our clients' future needs and requirements

###### How we listen and engage
• [Building alliances with global think tanks and foundations, ]

trade associations and campaign groups to pool resources, amplify our messages and maximise impact

###### • [Strategic relationships with national technical authorities, ]

and support for government initiatives across all our regions through direct engagement

###### O

###### • [Representation on senior government advisory panels]

Highlights in 2022/23
• [Engaged with regulators around the world to advocate for ]

the adoption of "Resilience by Design" shaping regulations in Canada, Switzerland, the UK and India, paving the way for our Software Resilience – Escrow services to effectively support compliance

###### • [Joined the United Nations' intersessional consultation ]

on a new cyber crime convention, making recommendations on how to improve international collaboration between law enforcement authorities, promote cyber capacity building, and protect the contribution of the industry in tackling cyber crime

###### Stakeholder engagement continued

We are committed to creating a conducive operating environment to enable our growth ambitions, and to using expertise to inform evidence‑based policy making. Only by engaging proactively can we ensure our insights and vision deliver the best societal outcomes in support of our mission.

###### Link to strategy:

###### The opportunity
• [Our expertise provides access to basic cyber knowledge for ]
our local communities

###### • [Understanding and shaping new and evolving regulations and ]
policy proposals mean we have the right solutions to address
our customers' future needs and requirements

###### • [Educating policymakers and regulators engenders trust and ]
a sense of pride

###### How we listen and engage
• [Working with colleagues to shape what we advocate for]
• [Building alliances with global think tanks and foundations, trade ]
associations, charities and campaign groups, to pool resources,
amplify our messages and maximise impact

###### • [Strategic relationships with national technical authorities, and ]
support for government initiatives across all of our regions,
including the UK National Cyber Security Centre's
Industry100 scheme

###### • [Representation on senior government advisory panels, ]
e.g. on connected places

###### • [Direct engagement with regulators, officials and politicians ]
grappling with the challenges of emerging technologies and
keeping their citizens safe

###### Highlights in 2021/22
• [Supported the UK National Cyber Security Centre's ]
flagship CyberUK conference as the inaugural Technical
Masterclass sponsor, providing real-world practical advice
to complex challenges

###### • [Cemented NCC Group's voice as the cyber security expert in ]
the UK, the Netherlands and, increasingly, wider markets: the
UK House of Lords Home Affairs and Justice Committee adopted
a significant number of our recommendations in its report on
the advent of new technologies in the justice system; and the
UK Home Office invited NCC Group to represent the private
sector perspective on ransomware at the Security & Policing
Conference 2022

###### • [NCC Group became a formal stakeholder participant in ]
UN proceedings to develop a new Cybercrime Convention,
joining the ranks of Amazon, Microsoft and Meta

###### In focus
As founders of the CyberUp Campaign to reform the
UK's Computer Misuse Act 1990 to provide better legal
protections for cyber security researchers, NCC Group is
benefiting from external recognition, and the internal sense
of pride it has generated.

NCC Group colleagues highlight that our role in the
campaign "engenders trust" from our customer base and
that protecting our colleagues is something we should all
be proud of:

###### • [We presented the CyberUp petition to provide better legal ]
protections for cyber security researchers to Number 10
Downing Street.

###### • [Engagement with Members of Parliament and Peers has ]
resulted in a core group of parliamentary supporters
advocating for reform whose political pressure has been
instrumental in securing the first debate on the Computer
Misuse Act to be held in Parliament since it was first
introduced over 30 years ago.

###### If something is really important, then we need to be seen to be trying to make a difference (as well as actually making a difference). A good example of this is the CyberUp Campaign. Seeing the team outside Number 10 was incredible. It makes me proud to know NCC Group is engaging at this level."

**Response from an NCC Group colleague to**
**the Group Public Affairs internal survey**
April 2022"
"During the year, the Board has had a number of briefings from the public affairs team, which produced its inaugural Public Affairs Impact Report, which the Board also reviewed, in particular the return on investment within stakeholder engagement, requesting that further work be done in this vital area for NCC. [...] The Board decided to improve its understanding of this important stakeholder group. The public affairs team was enhanced during the year, recognising the strategic importance of this area for future business growth. In addition, our Head of Public Affairs also takes an instrumental lead in shaping and leading on the Board strategy day, ensuring that there is appropriate linkage between this key stakeholder and the Group's overall strategy.

Consistent - [The Board's Head of the Audit Committee ] is the lead Non-Executive Director responsible for sustainability. Monthly updates are provided via the CFO report to the Board as well as directly from regular (at least twice per period) discussions with the Director of Investor Relations and Sustainability with the full Board, including an update on progress against the Group's goals and targets where appropriate [...] The Board takes overall accountability for the management of climate-related risks and opportunities and considers them as part of its overall risk review processes [...] Consistent - [The Director of Investor Relations and] Sustainability reports to the Chief Financial Officer, providing advice and updates to the Executive Committee on climate-related issues as and when relevant [...] An Executive Risk Management (ERM) Committee, established in 2021, which meets quarterly addresses climate risk as part of that process where appropriate [...] Governance continued Lynn Fordham, the lead Non-Executive Director for Sustainability, was appointed by the NCC Group Board Chair. In addition to her position as the Head of the Audit Committee, Lynn's role is to oversee the Company's sustainability strategy, ensure its integration with the overall business strategy and provide regular sustainability updates to the Board. While there is no specific Board committee for environmental issues, an Executive Risk Management (ERM) Committee chaired by the Director of Global Governance addresses these issues. The ERM meets bi-monthly and is attended by our CEO and CFO. It discusses, among other risks, sustainability and environmental challenges where relevant, which are then reported to the Board.