// POLICY · v3.1 · 2026

Information Security Policy.

How Scout Gaming Group identifies, manages and reduces information-security risk — and the obligations that apply to every employee, consultant, contractor and third party engaged by SGG.

// DOCUMENT SCT-ISMS-POL-001
// VERSION v3.1
// EFFECTIVE 01 JAN 2026
// OWNER Chief of Production · ISMS Manager
// FRAMEWORK ISO/IEC 27001:2013
// STATUS IN FORCE

01 / Introduction

Why this policy exists.

Scout Gaming Group AB (SGG) is a multi-award-winning licensed and regulated provider of B2C and B2B sports and fantasy sports betting and gaming solutions. The company offers a flexible, customisable network-based fantasy sports solution, coupled with sports games innovations such as Player Matchups, Players Odds and Pick'em Jackpot. The Scout Gaming Platform (SGP) supports all major sports and leagues through an in-house StatCenter, which also provides real-time information to players. SGG is listed on the Nasdaq First North Growth Market and is the parent company of seven subsidiaries.

Scout holds B2B licenses with the Malta Gaming Authority and the Hellenic Gaming Authority, and B2C licenses with the Malta Gaming Authority and the United Kingdom Gambling Commission. Scout Ltd is based in Malta and holds the remote gambling license for FanTeam. Scout & Co has an agreement with Scout Ltd that grants it the right to operate in the UK using Scout's license.

Whilst the UK Gambling Commission requires licensed gaming operators to complete an annual audit of the gambling system's information-security arrangements against its Remote Gambling and Software Technical Standards (GC RTS), other gambling authorities — for example in Greece — require license holders to secure certification to ISO/IEC 27001:2013, the international standard for information security management. To support its growth ambitions and remain compliant with all relevant licence conditions, SGG has determined to secure certification to ISO 27001.

02 / Scope

What this covers.

Information takes many forms. The scope of this Information Security Policy includes, but is not limited to:

  • All information processed by SGG in pursuit of its operational activities, regardless of whether it is processed electronically or in paper form — including external customer information; operational documents, plans and minutes; financial, compliance and other company records; and employee records.
  • All information processing facilities used in support of SGG's operational activities to store, process, transmit or otherwise interact with information.
  • All external organisations that provide services to SGG in respect of information processing facilities.

This Policy applies to all employees, consultants, contractors and third parties engaged by SGG (collectively referred to as "users").

// USER OBLIGATION All users shall read, understand and comply with this Policy when storing, processing, communicating or otherwise interacting with information in the course of performing their duties — and shall comply with all controls, practices, protocols and training to ensure such compliance. Any breach of this Policy may result in disciplinary or regulatory action.

03 / Definitions

The CIA triad.

Information security is aimed at protecting the following three attributes of SGG's information:

// C Confidentiality: Information assets are not accessible by, or disclosed to, unauthorised individuals, entities or processes.
// I Integrity: The accuracy and completeness of information assets is maintained.
// A Availability: Information assets are accessible and usable upon demand by an authorised entity.

  • Information asset — any information and information processing facility that has value to SGG.
  • Information owner — an individual accountable for the information asset.
  • Information processing facilities — any information processing system, service, or infrastructure, or the physical locations housing them.

04 / Risks

What we're guarding against.

A lack of information security can lead to incidents such as breaches of confidentiality, corruption of information and availability issues — which could adversely affect the reputation of SGG and its customers, along with its ability to meet contractual, legal and regulatory obligations. Without defined and measurable objectives, it is not possible to determine whether SGG's information-security activities meet their intended outcomes.

05 / Objectives

What good looks like.

The objective of this Information Security Policy is to enable SGG to effectively manage any identified and relevant information-security threats in order to meet its strategic business goals and to maintain its legal, regulatory and contractual compliance obligations. SGG's security controls are designed to mitigate all information-security-related threats — external or internal, deliberate or accidental.

Compliance with this Policy is necessary to ensure business continuity and to minimise business damage by preventing or reducing the likelihood of information-security incidents occurring, and minimising their impact should they occur.

In support of this Policy, SGG's Senior Management Team (SMT) accepts its role in being fully accountable for information security and is committed to:

  • Managing and reducing information-security risk in an informed manner.
  • Minimising the impact on SGG when information-security incidents occur.
  • Ensuring SGG has identified applicable legal, regulatory and contractual requirements and that they are complied with.

06 / Responsibilities

Who is accountable.

The Management of SGG shall be accountable for ensuring that appropriate security and compliance controls are identified, implemented and maintained by information-asset owners. It is supported in this task by the Information Security Forum (ISF).

SGG's ISMS Manager — a role currently performed by the Chief of Production (CoP) — shall be responsible for managing information security at an operational level. The CoP is directly responsible to the SMT for maintaining this Policy and for providing advice and guidance on its implementation, and is responsible for:

  • Ensuring this Policy is reviewed at least every 12 months and in response to any significant change. Where significant changes occur, they shall be made known to all users.
  • Establishing procedures to implement this and other policies within the company, and monitoring compliance.
  • Ensuring appropriate training is provided to information-asset owners, custodians and users, as well as network and system administrators.

Unless explicitly delegated to another position, the CTO is the appointed decision-maker (Manager) for risk and vulnerability analysis as well as the management of information and incidents. For each of these areas, dedicated policies and procedures provide greater detail on role requirements.

In the absence of the ISMS Manager, all of their responsibilities are transferred automatically to the CTO, unless explicitly delegated to another role.

Information-asset owners (listed in the Scout Gaming Group Assets Inventory) shall be responsible for the identification, implementation and maintenance of controls commensurate with the value of the information assets they own and the risks to which they are exposed — and for the periodic review identified in the Assets Inventory, based on asset value.

It is the responsibility of all users to adhere to this Policy and to report information-security incidents and events to their closest leader and the CTO as soon as possible. Non-compliance with this or any related policy may result in disciplinary action.

07 / Policy

The fifteen requirements.

Under this Information Security Policy, SGG shall ensure that the following information-security requirements are complied with:

  • Information assets and information-processing facilities are protected against unauthorised access.
  • Information is protected from unauthorised disclosure.
  • Confidentiality of information assets is maintained.
  • Integrity of information assets is maintained.
  • SGG requirements, as identified by information owners, for the availability of information assets and information-processing facilities required for operational activities are met.
  • Statutory and expressed or implied legal obligations are met.
  • Regulatory, contractual and internal compliance obligations are met.
  • Requirements for the continuity of information security are determined and maintained within SGG's business-continuity arrangements.
  • Unauthorised use of information assets and information-processing facilities is prohibited; the use of obscene, racist or otherwise offensive statements is dealt with in accordance with other appropriate policies published by SGG.
  • This Policy is communicated to all users, for whom information-security training is provided where necessary.
  • A systematic approach to information-security risk management is followed, as a continual and dynamic process.
  • Information security is managed through a formal Information Security Management System (ISMS) defined within a documented framework.
  • The performance of the ISMS and the effectiveness of information-security controls are continuously improved.
  • All breaches of information security, actual or suspected, are reported and investigated in line with SGG's published policies and procedures.
  • Controls are commensurate with the risks faced by SGG.

In support of this Policy, more detailed operational security policies and processes shall be developed for users, information assets and information-processing facilities. These supporting policies shall be reviewed at planned intervals — or if significant changes occur — to ensure their continued suitability, adequacy and effectiveness.

// EXCEPTIONS Any exceptions or deviations from the requirements of this Policy shall be authorised by the ISF. Any such deviations or exceptions shall be managed through SGG's incident-management or change-management processes.

08 / Compliance Monitoring

How we measure it.

Information-security objectives shall be agreed on an annual basis, supported by a set of key performance indicators (KPIs), with milestones and targets being set as appropriate. These measures shall be reported to the ISF for review.

09 / Changes to this Policy

How this document evolves.

This Information Security Policy shall be reviewed on an annual basis by the ISF. The Policy may also be updated periodically when necessary to ensure that it remains up to date, appropriate and consistent with SGG's strategic business objectives.

Changes to this Policy shall be communicated to all users.

// QUESTIONS

Need to raise an incident or request the full document?

Reach the ISMS team directly. Critical issues are triaged within four business hours; auditors and regulators receive originating documents within two business days.

// CONTACT Information Security, Scout Gaming Group AB
// EMAIL security@scoutgaming.com
// INCIDENTS incident@scoutgaming.com
// REGISTERED ADDRESS 64, Excalibur, B. Bontadini Street, Birkirkara, BKR 1737, Malta
// LAST AUDIT BDO · ISO 27001 · 2025