ITEM 1C. CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

Microsoft plays a central role in the world’s digital ecosystem. We have made it the top corporate priority to protect the computing environment used by our customers and employees and to support the resiliency of our cloud infrastructure and services, products, devices, and our internal corporate resources from determined adversaries. In response to the evolving cybersecurity threat landscape, we launched the Secure Future Initiative (“SFI”) in November 2023 and expanded the scope of SFI in May 2024. The SFI focuses our business strategy and efforts on continual improvement in cybersecurity protection, and is aligned around three security principles:

  •  Secure by Design: Security comes first when designing any product or service.

  •  Secure by Default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.

  •  Secure Operations: Security controls and monitoring will continuously be improved to meet current and future threats.

We operate a cybersecurity program and governance framework designed to protect our computing environments against cybersecurity threats, and we have controls, policies, and procedures to identify, manage, and mitigate cybersecurity threats. Annually, we assess our cybersecurity program’s alignment with the National Institute of Standards & Technology’s Cyber Security Framework (“NIST”) and other applicable industry standards. We also undertake integrated planning and preparedness activities to support business continuity and operational resiliency. We assess our program’s effectiveness through various exercises, including tabletop simulations and production environment tests, penetration and vulnerability tests, red team exercises, and other related activities. We conduct mandatory cybersecurity training, provide employees with tools to report suspected incidents and assess their own security posture, and conduct real-time simulated employee education exercises, such as phishing email campaigns designed to emulate real-world attacks. We also engage in robust cybersecurity assessments and remediation efforts for acquired companies.

Our computing environments, products, and services are reviewed by our internal audit teams as well as independent third-party assessors. We are committed to managing the most significant risks to our strategies and ambitions, including cybersecurity risks. The Enterprise Risk Management (“ERM”) organization supports management in this commitment by facilitating the semiannual risk assessment, which documents the priority and status of these risks and aligns them with our strategic mitigation efforts. ERM is structured using a framework based on the Committee of Sponsoring Organizations (“COSO”) guidance on Enterprise Risk Management Integrating Strategy with Performance, and it also aligns with the International Organization for Standardization 31000:2018 Risk Management Standard.

We continuously monitor our computing environments, products, and services for vulnerabilities and signs of compromise, and we utilize our own security products to combat cybersecurity threats. We integrate security into our computing environments, products, and services through our Security Development Lifecycle (“SDL”). Our SDL introduces security and privacy considerations throughout all phases of our development process and through the adoption of zero-trust end-to-end architecture. We utilize machine learning and AI-powered security tools to gain insights from 84 trillion signals per day. We track over 1,500 unique threat actors, including more than 600 nation-state actors, 300 cybercriminal groups, 200 influence operation groups, and hundreds of others. To support our efforts, we operate a Cyber Defense Operations Center connected to over 10,000 security and threat intelligence experts, including engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across the globe.

PART I