CORPORATE GOVERNANCE

Board Oversight

• oversees and monitors the Company's strategies related to talent management, including the recruitment and retention of key talent, pay equity, corporate culture, DIE&B and other key human capital management programs and initiatives; and
• oversees executive succession planning.

Governance Committee

The Governance Committee is primarily responsible for the following areas and reports to the full Board on these matters on a regular basis:

• oversees and reviews the risks associated with our overall corporate governance framework, principles, policies and practices;
• oversees ESG matters generally, including overall ESG strategy, risks and opportunities, stakeholder engagement and reporting, programs and initiatives in social innovation and environmental sustainability and the Company's annual Global Impact Report; and
• oversees political activities and expenditures.

Management's Risk and Compliance Framework

Management regularly reviews and discusses with the ARC Committee the overall effectiveness of, and ongoing enhancements to, the ERCM Program.

Management's risk and compliance framework is designed to enable the ARC Committee to effectively oversee the Company's risk management practices and capabilities.

• The Company's risk management committees, including the Enterprise Risk Management Committee (“ERM Committee”), oversee the implementation and execution of the ERCM Program.
• The ERM Committee is the highest-level risk management committee, is co-chaired by PayPal's Chief Risk and Compliance Officer and Chief Enterprise Services Officer and reviews periodic reports from management regarding the effectiveness of the ERCM Program.
• The ERCM Program's objectives are to identify, measure, manage, monitor and report key risk factors facing our Company including:
  — Financial crime and regulatory compliance risk
  — Technology, cybersecurity and privacy risk
  — Operational, portfolio and capital risk
  — Strategic, reputational and third-party risk
• Key ESG considerations are integrated into our ERCM Program and emerging ESG trends are regularly reported to a subcommittee of the ERM Committee.

Effectively managing privacy and cybersecurity risks is paramount and an integral component of the ERCM Program

Our Global Privacy Program is based on eight data management principles, including choice and consent, notice and transparency, security and data lifecycle management, that serve as the basis for enterprise-wide standards, programs and trainings.

— Our Global Privacy and Data Management Team, led by our Chief Privacy Officer and Global Head of Data Management, collaborates with dedicated teams integrated throughout our business to foster a “Data Hygiene by Default” and “Privacy by Design” culture throughout the Company.
— This includes mandatory employee and contractor training and education, issue management and privacy risk assessments.

Our Information Security Program is designed to enable robust cybersecurity management across our global enterprise and support the Company in identifying, protecting, detecting, responding to and recovering from cybersecurity threats.

— The risk-driven program, led by our Chief Information Security Officer, is ISO 27001 certified and aligned with other industry frameworks and best practices.
— We institute 24/7 monitoring and measurement through our PayPal Command Center and PayPal Cyber Defense Center, require employee and contractor training and promote regular cybersecurity awareness and educational programs for our employees, customers and broader ecosystem.

2023 Proxy Statement