DOW | REPORTING & DISCLOSURE

Dow Disclosures – GRI Content Index

Cybersecurity

Dow also prepares for potential cybersecurity incidents and has an established and mature information and cybersecurity process and training program, consisting of security policies and procedures, immediate notification system, simulation drills and formal training programs for all with access to the company’s network. Protocols and trainings exist to recognize, communicate and escalate suspicious activities including phishing, viruses, insider threats, suspect human behaviors or safety issues. Dow’s cybersecurity practices contribute to Dow’s overall emergency response readiness objectives – to prevent harm to the community, environment and workers; to minimize loss; and to preserve critical business continuity.

The effectiveness of Dow’s information security controls is regularly assessed to ensure that the monitoring and governance of security processes and controls are in place and are effective. Some of these assessments include internal and external audits, vulnerability testing, governance processes over outsourced information technology (IT) cloud service providers, active risk management and benchmarking against peers in the industry. Dow leverages multiple external cybersecurity performance rating agencies, such as Security Scorecard, to validate our security posture and continually ranks in a leadership position compared to industry peers.

Management Approach Components | Description

Commitments

Dow has established robust information security standards that dictate technical security requirements for various information technologies in use at Dow, including standards for access control, the cloud, network security, identification and authentication and role-based security. A formal governance process has been established to ensure that these standards adequately address the latest IT threats.

Responsibilities

Dow’s IT Security Policy identifies the roles of users, data owners and information systems and further mandates a high level of due care from users of Dow systems. Information protection and data privacy policies have been established to govern the generation, storage, processing and use of data, including the Dow Code of Conduct, Information Handling Policy, Data Protection/Privacy Policy and Dow Record Management Policy. Annual training for these policies and their procedures is required for all employees.

An on-site, enterprise-class Security Operations Center (SOC) provides end-to-end operations for purposes of monitoring, detecting, alerting and responding to cyber-incidents. Dow has also established formal Crisis and Incident Management Programs, which respond to critical events at a geographic, business and functional level. These programs are periodically tested to ensure their effectiveness in the event of a real crisis or significant incident. Full disaster recovery exercises are conducted on a regular basis and business continuity programs are in place.

Specific Actions

• The company has an established Global Security Operations Center (GSOC) to provide 24-hours-a-day, seven-days-a-week, real-time monitoring of global risks to Dow assets and people. The GSOC employs state-of-the-art social media monitoring, threat reporting and geo-fencing capabilities to analyze global risks and report those risks, facilitating decision-making and actions to prevent Dow crises.
• Enhanced cybersecurity monitoring has been established to reduce cyber risks and data accessibility disruptions due to remote working arrangements that resulted from the COVID-19 pandemic.
• Recent external benchmarking conducted by EY ranked Dow as a leader against industry peers in all elements of the NIST Cybersecurity Framework.
• Dow has established robust Security by Design & Privacy by Design training programs to ensure that security and data privacy principles are built into our culture as IT solutions are being designed.

418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data

Dow is not aware of any material incidents relating to information systems security affecting the safety of Dow’s operations or ability to serve customers or significant breaches of personal information.

Additional cybersecurity and information security information can be found on pages 34-35 of the 2022 Proxy Statement filed with the SEC on March 4, 2022.
