SP Plus : 2022 ESG Report

ESG REPORT 2022

About SP+

SP+ develops and integrates industry-leading technology with best-in-class operations management and support to deliver mobility solutions that enable the efficient and time- sensitive movement of people, vehicles, and personal travel belongings. With over 19,000 team members located throughout North America, Europe, and India, SP+ is committed to providing solutions that make every moment matter for a world on the go.

Our Promise

Making Every Moment Matter

for a World on the Go

OUR PROMISE & CORE VALUES

We began a journey in 2022 at SP+, seeking to better understand how our people, capabilities, and technology solutions can move the company forward at an accelerated pace and continue evolving.

Through conversations with our clients, customers, and employees, we uncovered that SP+ provides so much more than mobility services. Every interaction - from traveling through an airport, visiting a loved one at a hospital, or enjoying a ballgame with friends - presents an opportunity to make that singular moment as stress-free, and enjoyable as possible.

The result of this work is the introduction of Our Promise: Making Every Moment Matter for a World on the Go. By embracing Our Promise, we have a roadmap for how SP+ can create something truly exceptional for clients, customers, and employees alike.

We are excited to show you how we're bringing Our Promise to life through the lens of our three core values: Integrity, Ingenuity, and Diversity.

Integrity: We say what we're going to do, and we can always be counted on to do the right thing.

Ingenuity: We solve complex problems and create new opportunities to deliver exceptional experiences.

Diversity: We bring people together who represent all backgrounds, perspectives, and expertise to enhance our services and improve the communities we serve.

Information Security Management

SP+ maintains an Information Security Management System (ISMS) program using a combination of governance, risk management, identity & access management and operations-based teams. When enforcing the ISMS within the organization, we maintain policies, standards, controls and procedures aligned to the National Institute of Standards and Technology (NIST) 800-53 framework. The security controls at the core of our program represent a holistic view of Information Security that comprises twenty-three (23) security domains, each containing security controls applicable to that security discipline. SP+ utilizes a holistic approach to the identification, prioritization and remediation of Information Security risk. We operate a dynamic and living risk register utilizing the NIST Risk Management Framework (RMF) methodology. Our methodology utilizes both process and automation related tools to evaluate any application or system that houses employee, client or customer information. All policies and standards, along with security control adherence guidelines, are distributed to applicable Business Units to ensure on-going compliance with program requirements. SP+ continuously presents key risk findings and program updates to Executive Management, the Audit Committee and Board of Directors.

Our migration to a cloud-based model for storing and managing data has advanced our efforts to secure informational assets by adhering to the policies and guidance set forth by Amazon Web Services (AWS), Google and other partners. Through a combination of cloud security best practices, industry standards and third-party assessments, SP+ maintains a robust cloud security posture to ensure data protection is at the forefront of our Information Security program. SP+ maintains cloud security standards, baselines and configurations aligned to Information Security policy that are regularly reviewed, approved, tested and enforced.

DATA BREACHES

In 2022, SP+ had no data breaches, resulting in zero confidential business or personally identifiable information from our customers or employees being affected.

GOVERNANCE

6

Data Security

As the importance of a robust approach to Information Security management continues to increase, we recognize the importance of fortifying our information system environment against malicious actors in order to safeguard our informational assets. Utilizing a combination of administrative, logical/technical and physical security controls, SP+ ensures that all proprietary, confidential, employee and customer data is identified, categorized, prioritized and protected at all times. We as an organization maintain a robust application and data inventory ensuring that industry best practices and regulatory compliance obligations are adhered to. As part of our Data Privacy program at SP+, we maintain compliance with the following regulations:

1. General Data Protection Regulation (GDPR)
2. California Consumer Privacy Act (CCPA)
3. Sarbanes Oxley Act (SOX)
4. Fair and Accurate Credit Transactions Act (FACTA)
5. Payment Card Industry - Data Security Standards (PCI-DSS)
6. Enacted US Privacy Law Legislation (Colorado, Connecticut, Utah, Virginia)

INFORMATION SECURITY EDUCATION: TRAINING AND AWARENESS

The SP+ Information Security team, in conjunction with the SP+ Learning & Development team, requires all users (Employees, Contractors, Consultants, Temporary Employees, Third-Parties) who have access to the SP+ network, to complete Annual Information Security Training. All users must also acknowledge the SP+ Acceptable Use Policy upon assignment of SP+ network credentials and then subsequently annually to ensure adherence with SP+ Information Security policy and standards. In addition to the Annual Information Security Training Course, users must also complete Information Security training modules pertaining to Phishing Awareness and regulatory compliance obligations. As part of our on-going awareness campaign, the Information Security team consistently alerts and reminds employees of current and potential cyber risks, provides direction and tips for mitigating any infiltration of our systems using the company email and intranet platforms. Phishing simulations are conducted monthly across our network user base to help educate employees. Results are reported to SP+ Executive and Leadership teams with additional training provided as needed.

GOVERNANCE

7

Business Ethics &

Professional Integrity

CODE OF CONDUCT

SP+ employees play an integral role in maintaining our reputation as an industry-leading service provider that prioritizes our customers and clients to meet their business needs seamlessly. Each employee is entrusted with the responsibility of upholding our reputation.

Our Code of Business Conductprovides employees guidelines for conducting company business and explanations of policies, procedures and ethical standards that guide our business practices. Topics include: Accounting, Auditing and Financial Matters; Antitrust Laws; Gift & Entertainment Policy; Lobbying & Political Contributions; and Conflicts of Interest, among others.

ETHICS & COMPLIANCE HOTLINE

SP+ wants to know about any issues that obstruct our commitment to providing a safe and ethical work environment that is free from harassment and discriminating conduct. We encourage every employee to report potentially fraudulent, illicit, or dangerous activities.

Employees can speak with a live specialist or report their concerns via a hotline which gives employees the option to anonymously and confidentially ask policy questions or report incidents via phone, text, or online.

Hotline access information-including a toll-free number, mobile number for texting, QR code and a website with an online form is posted at staffed locations and is also available through online internal sites.

SP+ investigates all reported allegations and appropriate action is taken when necessary. The number of concluded cases concerning corrupt practices brought against SP+ or its employees during the 2022 fiscal year was zero.

ENVIRONMENTAL COMPLIANCE

SP+ has a designated Environmental Compliance Officer (ECO) who is responsible for the development and dissemination of our environmental policies and establishing standards for hiring vendors/suppliers to perform environmentally sensitive activities on behalf of SP+. The ECO develops standards for contracts and procedures involving water use and also serves as a resource for SP+ University's Environmental Compliance Training Program and addressing Compliance issues.

Additional disclosures relating to regulatory environment and environmental compliance can be found in the company's Annual Report on Form10-K.

The number of concluded cases

concerning corrupt practices brought against SP+ or its employees during 2022 was zero.

GOVERNANCE

8