Responsible Capital Allocation Community Contributions Good Governance & Shareholder Alignment Diversity, Inclusion & Well-Being Climate Action Transparency & Guiding Principles Appendices 27 Information Security We have an Information Security Policy that sets Several members of our Board of Directors out our principles for the protection of information (six of nine or 67% of our Board, as of our assets and our proper controls needed to ensure May 2, 2023 annual general meeting) have compliance with our standards and external skills and competencies in cybersecurity and regulations. The policy is intended to define the Board engages with management in matters the principles and requirements of acceptable relating to Franco-Nevada’s information and use of information assets for our personnel cybersecurity strategy. and describe how these will be implemented across our global operations. It also informs our Our Audit and Risk Committee oversees the personnel of our expectations and requirements Information Security Policy and has designated for acceptable use of information assets and the our Chief Financial Officer as the executive role of our personnel in protecting the security responsible for: establishing and maintaining and integrity of our information. The Information the practices and procedures necessary to Security Policy is comprised of a number implement the Information Security Policy, of policies, including our: providing training to our personnel on the substance of the Information Security Policy • Password Policy at least once annually, and reporting to the • Acceptable Computer Use Policy Audit and Risk Committee on the operation • Removable Media Policy of and compliance with the policy. • Email Policy • Remote Access Policy Given the increased global threat of cyberattacks, • Incident Logging Policy we endeavour to improve our cyber and information security, including our processes and infrastructure in place to mitigate risks of Related Policies and Statements: cyberthreats and attacks, whenever possible. In 2022, we made the following improvements • Information and Security Policy to our cyber and information security: “Given the increased global • We enhanced cybersecurity risk management processes, with more threat of cyberattacks, frequent security updates to the Audit and Risk Committee; we endeavour to improve • We enhanced password security; • We updated and tested our disaster our cyber and information recovery plan; and Equinox Gold employees at Greenstone project, Canada • We engaged third-party companies security whenever possible.” to test our security and access.