RISK MANAGEMENT continued Events that may trigger the risk • Threat actors attempting to compromise systems through social engineering, prolonged remote attacks or physical access. • Changes to operational design, bringing requirements for improvements to digital infrastructure. Potential impact • Significant loss of personal or confidential data or disruption to the corporate systems. • Reputational and/or financial damage with increased scrutiny including sanctions and fines. • Reduced benefits from operational efficiencies. How we monitor and mitigate • Defined governance structure for Information Security. • Technical security controls aligned to SANS CIS Critical Security Controls. • Penetration testing. • Security Operations Centre and Security Incident & Event Management. • Full suite of awareness and training activities. • Agreed Information Security Strategy & Technical Security Roadmap. • Information Security and Data protection policies in place. • Scheduled Internal Phishing campaigns. • Mimecast intercepts potentially harmful emails. • Monitoring of emerging cyber threats. • Information Security Incident Management procedures in place. • Programme and project-level governance, reporting and oversight. • Periodic consideration of Information Security by Audit & Risk Committee and Board. OBJECTIVE: Maintain and enhance a robust and secure IT environment that discourages attacks and informs us when issues have been detected and provides us with greater operational capacity. RISK: Significant loss of personal or confidential data, disruption to corporate systems either through cyber-attack or internal theft/error. PRINCIPAL RISK Technology 7 Increased Decreased Risk outlook No change THE UNITE GROUP PLC Annual Report and Accounts 2025 60 STRATEGIC REPORT