PILLAR 3: CORPORATE PERFORMANCE
Risk Management
ESR Group Limited
Environmental, Social and Governance Report 2024
72

At the governance and management structure level, the Group IT department reports to the Group Head of IT, who implements the information security plans and initiatives, enforces central IT controls and coordinates the identification, assessment and monitoring of information security risks to enhance the Group’s resilience.

ESR effectively manages cybersecurity risks through the implementation of an ISO 27001:2022 based Information Security Management System (“ISMS”), which includes a comprehensive set of IT policies and procedures dedicated to risk, technology and data security controls. The ISMS Committee, headed by the Group Chief Operating Officer, consists of senior IT leaders from various business units within the Group. This committee is responsible for establishing the information security governance framework, monitoring the system’s functionality and ensuring the implementation of suitable safeguards to enhance the resilience of our IT operations against cyberattacks.

In 2024, Group IT underwent certification audits for ISO 27001:2022 certification and cleared the audits with no compliance findings. ESR was awarded the ISO 27001 certificate by the British Standards Institute (BSI), an ISO certification organisation, in March 2025. This accreditation is a testament to ESR’s commitment to our digital transformation. It provides confidence and assurance to our investors, customers, and regulators that ESR is dedicated to maintaining the highest IT security standards. This certification not only enhances our reputation but also gives ESR Group IT a framework for continuous improvement in our IT security standards, processes, and procedures.

IT and Cybersecurity

The Group recognises the increasing threats posed by cyberattacks, which are becoming more prevalent and sophisticated. ESR is committed to staying ahead of cyber threats and implements enhancements to various platforms, given the growing reliance on technology to enhance operational efficiency and ensure effective internal governance. ESR has a cyber resilience infrastructure and network, which safeguards against technology-related risks originating from both internal and external sources. Additionally, ESR has comprehensive information technology policies and procedures in place, governing information availability, confidentiality and security, to prevent any unauthorised disclosure of sensitive information.

The Group understands the importance of the increasing and intricate cyber threats on a global scale. As we expedite our digitalisation efforts to enhance business operations, we acknowledge that technology-related risks from both internal and external origins are fundamental components of our primary business risks.
                                