
Acceptable Use Policy Information Security

January 3, 2022

INTRODUCTION
The Company provides a variety of technology resources to support its initiatives and daily operations. All Users
play an important role in maintaining the Confidentiality, Integrity, and Availability of RCG Information Assets
and Systems. Therefore, it is the responsibility of Users to exhibit and maintain appropriate use of RCG
Information Assets and Systems in accordance with this Acceptable Use Policy (“Policy”).

1. Policy Detail

1.1. Scope
This Policy applies to all Users who interact with RCG Information Assets and Systems. It is the responsibility of
every RCG Employee who engages Third Parties to perform services involving RCG Information Assets and
Systems to work with Information Security and Legal to ensure that such Third Parties are contractually
obligated to comply with this Policy and other applicable policies and standards.

1.2. Purpose
This Policy establishes the acceptable use of RCG Information Assets and Systems. Users must use RCG
Information Assets and Systems in a manner consistent with this Policy and are responsible for exercising good
judgement and exhibiting ethical and lawful behavior during the use of the provided technologies.

2. Rules and Guidelines

The following rules and guidelines provide a framework to guide Users in the proper understanding of the
activities of acceptable use. This Policy is by no means all-inclusive, and Users are expected to exercise good
judgement while using RCG Information Assets and Systems. If unsure about certain actions, Users should check
with their manager or Information Security.

2.1. General Requirements

All RCG Systems are provided for the primary purpose of conducting job duties and responsibilities.
Usage should not expose RCG Systems to unnecessary cyber threats or risks, such as impairing the
Company’s Network capability (e.g., slowing down the Network, causing a disruption in service, or causing
a security breach), and should not fall within the excluded uses in this Policy or otherwise violate any other
policy, standard or applicable law or regulation.

In general, Users are required to:

• exercise good judgement regarding the reasonableness of their personal use of RCG Devices and Systems.
If there is any uncertainty, Users should consult RCG policies, their manager or Information Security.
• safeguard their credentials, including but not limited to usernames, passwords, PINs, and tokens. Users
must not write down or share their passwords with anyone.
• immediately reset and change their password if it has been, or they suspect it has been, compromised.
• use a mixture of upper- and lower-case letters, numbers, and special characters when creating their password.
The use of common passwords, such as “Password123”, or of ship and brand names is prohibited.
• take care of all equipment provided by RCG. RCG reserves the right to reclaim any costs incurred for
damaged equipment, whether negligently or intentionally damaged; and
• work with IT to ensure RCG Information Assets on Mobile Devices are maintained in a secure manner to
protect them from potential threats and vulnerabilities.

2.2. Desktops and Laptops

The following should be adhered to when using the RCG Desktops and Laptops:

• Desktops and Laptops must be locked or logged off when left unattended.
• Laptops left at an RCG office overnight must be secured in a locked office, drawer, cabinet or docked
on a locked docking station. Keys to the locked area must not be left in the lock.
• Laptops taken off-site must not be left unattended in public places and not left in sight in a car.
• Laptops must be carried as hand luggage when travelling.

• If a laptop is lost or stolen, Users are required to report it to their manager and the RCG Support Desk
or Shipboard IT Manager as soon as possible.

2.3. Mobile Devices

Mobile Devices (e.g., smartphones, tablets, etc.) that have access to Information Assets and Systems or are
used to conduct RCG business are subject to this Policy, the Global Information Security Policy, and all other
applicable policies and standards. Mobile Devices used for RCG business must adhere to the requirements below.

2.3.1. Company-Owned Mobile Devices

The following requirements shall apply to Company-Owned Mobile Devices:

• Mobile Devices must have the Company-approved mobile device management application enabled on the
device, and Users are not to disable the application unless Authorized.
• Appropriate safeguard practices should be implemented on the company-owned Mobile Device to protect
RCG Information Assets and Systems, including but not limited to password/PIN protection, multi-factor
authentication and encryption.
• Mobile Devices must be locked any time the device is unattended.
• Mobile Devices must not be left unattended in an unsecure location or left in sight in a car.
• If a Mobile Device is lost or stolen, Users are required to report it to their manager and the RCG Support
Desk or Shipboard IT Manager as soon as possible, so the appropriate precautions can be applied.

2.3.2. Personally-Owned Mobile Devices

The following requirements shall apply to Personally-Owned Mobile Devices when used for RCG business:

• The Company-approved mobile device management application must be downloaded and enabled on
the Mobile Device prior to using the device to access RCG Information Assets and Systems, including
but not limited to receiving/sending emails, utilizing calendars or tasks, or accessing Systems. If the
mobile device management application is disabled or uninstalled from the device, then access to RCG
Information Assets and Systems via the personally-owned Mobile Device shall be revoked.
• Mobile Devices used for Company business should have appropriate safeguard practices enabled on the
device to protect RCG Information Assets and Systems, including but not limited to password/PIN
protection and multi-factor authentication.
• Mobile Devices used for RCG business purposes must be locked any time the device is unattended.
• Mobile Devices used for RCG business purposes must not be left unattended in an unsecure location.
• If a personally-owned Mobile Device used for RCG business is lost or stolen, Users are required
to report it to their manager and the RCG Support Desk or Shipboard IT Manager as soon as possible, so
the appropriate precautions can be applied to protect RCG Information Assets and Systems (e.g.,
remotely wiping RCG Information Assets and Systems from the phone, resetting passwords, etc.).

2.4. Email and Communication Platforms

The following should be adhered to when using RCG Email and communication platforms:

• Email and communication platforms provided by RCG are to be used for business purposes and should
follow company practices. RCG reserves the right to monitor these platforms and related
communications as it determines appropriate.
• Email and communication platforms should only be used by the registered User, or a delegate granted
access through the communication platform’s delegation process.
• If Users receive messages containing offensive or inappropriate material, they must immediately notify
their manager or HR business partner.
• Do not open email attachments or links from unknown sources. Attachments and links are the primary
source of malware and should be treated with utmost caution. Report suspicious emails using the
“Report Phishing” button or forward to abuse@rccl.com.

The following activities are prohibited:

• Forwarding RCG email accounts to external accounts (e.g., Yahoo, Gmail, Outlook, etc.).
• Sharing email account passwords with another person or attempting to obtain another person’s email
account password.
• Intentionally spreading malicious software (e.g., viruses, worms, Trojans) or causing any Network
disruption (e.g., downtime or impact to a business product or service).
• Transmitting obscene, profane, or offensive messages.
• Engaging in illegal activity or any activity that otherwise violates any RCG policy, standard or applicable
law or regulation.

2.5. Internet Activity

RCG permits access to the Internet for both business and personal use. Good judgement should be used when
accessing the Internet for personal use, and such use should not interfere with a User’s responsibilities or the
performance of RCG Systems. The following activities are prohibited while using the Internet from a
company-owned device or system:

• Viewing or downloading any inappropriate content that violates RCG policy.
• Engaging in activities designed to gain unauthorized access, or to delete, alter or corrupt data in an
unauthorized or illegal manner.
• Engaging in activities such as distributing ‘Spam’, spreading malicious software (e.g., viruses, worms,
Trojan horses, etc.) or causing any other Network disruption.
• Using RCG Systems to attempt unauthorized access into any Third Party network, systems, or computer
accessible via the Internet.
• Engaging in any activities that violate legal protections provided by copyright, trademark, patent, or
other intellectual property rights.
• Executing any form of Network monitoring or surveillance that will intercept data not intended for the
User’s computer/Mobile Device unless this activity is part of the User’s roles and responsibilities.
• Circumventing user authentication or security of any computer/Mobile Device, User account or System.
• Accessing websites that circumvent Internet controls to access sites that are explicitly blocked.

2.6. Telephony Equipment

Telephony equipment (e.g., desk phones, fax machines, modems, or other equipment that communicate via
phone), voicemail boxes and messages contained within voice mailboxes are provided to facilitate business
communications and are property of RCG. RCG telephony equipment may not be used for the following:

• Transmitting obscene, profane or offensive messages; and
• Attempting to access another User’s voicemail box unless specifically authorized.

2.7. Printer and Multifunctional Devices

Printers and multifunctional devices (combined devices that include operations such as copying, printing,
scanning, and faxing in one machine) are property of RCG, and the primary use of these technologies is for
business purposes. Users should adhere to the following requirements:

• Users should take precautions to ensure that Restricted Information Assets cannot be retrieved or
viewed by an unintended recipient.
• Users should verify the information shared is being sent to the intended party.

RCG printer and multifunctional devices may not be used for the following:

• printing or transmitting obscene, profane, or offensive images or messages, or
• attempting to retrieve another User’s print job or data without permission from the User.

2.8. Removable Media

Removable media (e.g., USB drives, external hard drives, DVDs, CDs, tapes) used to process and store RCG
Information Assets must be physically controlled and secured from unauthorized access. If Users have RCG
Information Assets on removable media, it is their responsibility to ensure the information is encrypted and
password protected. Removable media should not be utilized to process, store, or transfer
Restricted/Confidential Information Assets except in the case of RCG-approved necessary backup data. The
use of unknown removable media is prohibited (e.g., removable media found or received from an unknown or
non-trusted source).

2.9. Privacy and Monitoring

There should be no expectation of privacy, except as provided by local law, in the use of RCG Systems including
data created, processed, transmitted, or stored on RCG Systems. RCG may access RCG Systems and User data
(including personal data) created, processed, transmitted, or stored as part of an investigation into breach of
laws or policy, based on RCG’s legitimate interests. By using RCG Systems, Users consent to monitoring and
retrieval of User data by Authorized persons from RCG. RCG reserves the right to access Systems and Intellectual
Property to ensure compliance with applicable laws, rules, regulations and RCG policies, and to prevent, detect
and investigate unauthorized use of any RCG System or Information Asset.

Any monitoring information gathered may be disclosed to appropriate RCG management and, if required, to law
enforcement officials. This may involve transferring information outside the country of residence of the User,
and RCG will always seek to ensure that such transfer is handled in accordance with applicable laws. Any
monitoring information gathered will be deleted by RCG in accordance with the applicable record retention
schedules of RCG’s Record Management Policy. RCG is not responsible for maintaining backup copies of any
personal materials Users create and/or save on RCG Systems (such as their laptop), and all such materials will
be destroyed upon termination of employment or contract with no further notice to the User.

3. Certification
The Company may require Users to certify that they have reviewed this Policy and are compliant with this
Policy.

4. Exceptions
Any request for an exception to this Policy must be submitted in writing to Information Security at
CyberRiskAssessments@rccl.com and approved in accordance with the Approval Matrix in the IT Risk and
Exception Management Standard Operating Procedure (“SOP”).

5. Violations, Questions, and Reporting

Violations of this Acceptable Use Policy may result in disciplinary action, up to and including termination of
employment or contract. All questions regarding this Policy should be communicated to Information Security at
CyberRiskAssessments@rccl.com. If you have concerns or need to report a violation of this Policy, contact your
supervisor, Information Security (Phone: +1(954) 517-2650, Email: CyberRiskAssessments@rccl.com), the Global
Compliance and Ethics Group (Phone: +1(305) 982-2423, Email: ethics@rccl.com), the Chief Compliance Officer
(Phone: +1(305) 539-6631, Email: compliance@rccl.com) or any of the other Compliance and Ethics contacts set
forth in the Company’s Code of Business Conduct and Ethics. You may also make a report through the Company’s
AWARE Hotline Program by phone at 1-888-81-AWARE (29273) or extension **88 for shipboard employees, or online
at RCLaware.ethicspoint.com.

The Company does not tolerate any kind of retaliation for reports or complaints made in good faith.

6. Definitions
For purposes of this Policy, the following terms shall have the following meanings:

Availability: The need to ensure that the business purpose of the System can be met and that it is accessible
to those who need to use it.

Authorized: Having official permission or approval from the Company.

Company or RCCL/RCL/RCG: Royal Caribbean Cruises Ltd. and its wholly owned subsidiaries.

Confidentiality: Protection of Information Assets from unauthorized entities and disclosures.

Employee: Any employee or officer of the Company, whether shoreside or shipboard.

Information Asset(s): RCG data that are processed, interpreted, organized, structured, or presented to
make them meaningful or useful, in both physical and electronic form.

Intellectual Property: Content or data Users create on RCG Systems or for Company purposes,
notwithstanding location, including without limitation content files, Internet, e-mail, and voice mail usage
records, as well as their office space within any company-owned or leased facilities.

Integrity: Protecting Information Assets from being modified in any form or state by an unauthorized entity.

Network: A group of Systems linked by wired or wireless means to transmit Information Assets.

RCG Devices: Cellphone, Smartphone, Tablet device, or any other portable or non-portable electronic
product Authorized to access the Company’s Network.

System(s): A set of IT or Operational Technology (“OT”) hardware, software, or applications used to store,
process, transfer, or maintain Company data for a specific purpose (for example, 3 servers that have software
installed to market information to guests are considered a System).

Spam: Irrelevant or inappropriate messages sent on the Internet to a large number of recipients.

Third Party(ies): A non-Employee, whether an individual or entity engaged by the Company to provide
goods or services to the Company.

User: An individual or entity, including but not limited to Employees and Third Parties, who has valid and
Authorized, limited or unlimited, access to any RCG Information Asset or System.

7. Policy Administration and Governance

This policy will be managed by the following roles and span of control:

Chief Executive Officer

The Chief Executive Officer of the Company is responsible for the approval of this Policy and any
amendments to this Policy.

Chief Financial Officer

The Chief Financial Officer of the Company is responsible for the approval of this Policy and any
amendments to this Policy.

Chief Information Officer

The Chief Information Officer of the Company is responsible for overseeing this Policy and proposing
any amendments to this Acceptable Use Policy (“AUP”) to the Chief Executive Officer and Chief
Financial Officer.

Chief Information Security Officer

The Chief Information Security Officer of the Company is responsible for overseeing and implementing
this Policy and proposing any amendments to this Policy to the Chief Information Officer.

Information Security
Information Security is responsible for administering this Policy and answering questions regarding this
Policy or its application. In addition, Information Security will review this Policy on an annual basis to
determine if any amendments are appropriate and propose such amendments to the Chief Information
Security Officer.

Department Heads
Each Department Head is responsible for ensuring that the Employees within his or her department or
Third Parties engaged by the department comply with this Policy.

This Policy must be reviewed by all the parties below and approved by the Chief Executive Officer and the
Chief Financial Officer of the Company no less than once a year or whenever there is a change in business
practices that affects the security of Information Assets or Systems.

Owner: /s/ Martha Poulter, Chief Information Officer. Date: 12/21/2021

Reviewed by: /s/ Jairo Orea, Chief Information Security Officer. Date: 12/21/2021

Reviewed by: /s/ Alex Lake, Chief Legal Officer and Chief Compliance Officer. Date: 12/21/2021

Reviewed by: /s/ Chris Berger, Chief Audit and Risk Officer. Date: 12/21/2021

Approved by: /s/ Naftali Holtz, Chief Financial Officer. Date: 01/03/2022

Approved by: /s/ Jason Liberty, Chief Executive Officer. Date: 01/03/2022