Cyber and Technological Security

Our Information Security Policy sets out our principles for the protection of information assets and proper controls to ensure compliance with our standard

Franco-Nevada Corporation 25 Our Information Security Policy sets out our principles for the protection of information assets and proper controls to ensure compliance with our standards and external regulations. The policy is intended to define the principles and requirements of acceptable use of information assets for our personnel and describe how these will be implemented across our global operations. It also informs our personnel of our expectations and requirements for acceptable use of information assets and the role of our personnel in protecting the security and integrity of our information. The Information Security Policy is comprised of a number of policies, including our: § Password Policy § Acceptable Computer Use Policy § Removable Media Policy § Email Policy § Remote Access Policy § AI Tools in the Workplace Policy The majority of the members of our Board of Directors have skills and competencies in cybersecurity (currently, three of our Board members have expert level knowledge of cybersecurity matters, with five others having sufficient knowledge of cybersecurity-related matters to provide high-level oversight of management). The Board engages with management in matters relating to Franco-Nevada’s information and cybersecurity strategy and maintains the necessary skills and competencies in topics such as cybersecurity through ongoing education, including management presentations, conferences, consultations with experts, and offsite meetings. Board members also receive regular relevant materials from management. Our Audit and Risk Committee has general oversight over technology related risks, which includes cybersecurity and AI risk management, and oversees the Information Security Policy. Our Chief Financial Officer has been designated by the Audit and Risk Committee as the executive responsible for: establishing and maintaining the practices and procedures necessary to implement the Information Security Policy, providing training to our personnel on the substance of the Information Security Policy at least once annually, and reporting to the Audit and Risk Committee on the operation of and compliance with the policy. In addition to our annual Information Security Policy training, our IT Department also periodically sends newsletters to all personnel, highlighting key updates and developments affecting the company and its personnel from a cyber and technological security perspective. In 2024, employees also completed a comprehensive IT security awareness training program, which covered essential topics such as recognizing phishing attempts, creating strong passwords, and safely handling sensitive information. It also included interactive modules on identifying and mitigating cyber threats, ensuring employees are well-equipped to protect both personal and company data. In light of escalating global cyber threats, we continue to improve our cyber and information security measures to mitigate risks of potential cyber threats and attacks. In 2024, we made the following improvements: Cyber and Technological Security Related Policies & Statements: § Information Security Policy § Audit and Risk Committee Charter Franco-Nevada's Finance team § Strengthened cybersecurity risk management processes, with more frequent security updates to the Audit and Risk Committee; § Further enhanced password security, as part of a Zero Trust framework; § Updated and tested our disaster recovery plan; § Collaborated with third-party companies to assess risk and test our security and access controls; and § Conducted regular vulnerability assessments and penetration testing to identify and mitigate potential threats. In 2024, ISS ESG released a new Cyber Risk Score, which is a data-driven rating that provides visibility into the level of cyber readiness and resilience an organization has implemented based on its ongoing actions to identify, manage, and mitigate cyber risk across its external technology networks. Franco-Nevada currently scores 834 out of a maximum 850, indicating a low risk of a material cybersecurity breach. Message from our CEO Report Highlights About Franco-Nevada Responsible Capital Allocation Community Contributions Diversity, Inclusion and Well-Being Climate Action Transparency and Guiding Principles About this Sustainability Report Appendices Corporate Governance Good Governance and Shareholder Alignment Integrity and Compliance Shareholder Alignment Cyber and Technological Security