national testing and vaccine distribution efforts.2 The company?s AI initiatives are being systematically embedded into the core operational workflows of its business, with a reported plan to spend $20 billion in technology over the next decade to create ?complete interoperability? and allow data to ?flow with no hurdles.?3 Part of that effort involves deployment of AI-powered ?personal health agents? that can analyze patients? complete longitudinal data ? including lab results, insurance claims, and wearable data.4 Shareholders are concerned that amidst this technological expansion, our board of directors may not be exercising sufficient oversight of cybersecurity threats to the company?s operations as the result of AI. While AI offers opportunities, it also carries risks, notably to security and data privacy. The number of reported AI-enabled cyber attacks in business generally rose 47% in 2025.5 Experts say AI can be both the attack surface (offering opportunities for intentional and inadvertent model poisoning, prompt injection, and data leakage) and the means of attack (providing attackers the ability to perfect and scale their phishing and other social engineering attacks).6 AI systems tied to finance, customer support, or autonomous actions are especially vulnerable.7 Proxy advisor Glass Lewis recommends that companies employing AI in their operations ?provide clear disclosure concerning the role of the board in overseeing issues related to AI, including how companies are ensuring directors are fully versed on this rapidly evolving and dynamic issue.?8 A 2025 analysis of Fortune 100 company disclosures found nearly half cited AI in their descriptions of director qualifications, almost double the number doing so in 2024.9 The board of CVS Health has delegated responsibility for cybersecurity risks to its Audit Committee, which reviews the cybersecurity program ?periodically, and at least annually.?10 However, the Audit Committee charter includes no reference to AI. And biographies of current audit committee members do not reflect any expertise in cybersecurity or AI. In fact, none of the company's board members appear to possess credentials in either cybersecurity or AI.11 While CVS Health acknowledges that data governance failures can ?adversely affect [its] reputation, businesses and prospects? and require it to ?expend significant resources to remediate any damage,? shareholders believe the Company?s board may not recognize AI adoption as the unique security and privacy threat that it is.12 The board, at its discretion, may consider nominating directors with proven experience in cybersecurity or AI. 1 CVS Health 2024 Annual Report at 4 < https://s206.q4cdn.com/752775519/files/doc_downloads/CVS- Health-2024-Annual-Report.pdf >. 2 Emerj, ?Artificial Intelligence at CVS? < https://emerj.com/artificial-intelligence-at-cvs-health/ >; Klover.ai , ?CVS Health?s AI Strategy : Analysis of Dominance in Healthcare AI? < https://www.klover.ai/cvs-health-ai- strategy-analysis-of-dominance-in-healthcare-ai/ >. 3 Fortune, ?Inside CVS?s bold AI health care plan?and the tech chief?s surprising warning for the industry? < https://fortune.com/2025/07/09/inside-cvs-ai-health-care-tech-warning/ 4 https://www.klover.ai/cvs-health-ai-strategy-analysis-of-dominance-in-healthcare-ai/ >. 5 Deep Strike, ?AI Cyber Attack Statistics 2025, Trends, Costs, Defense? < https://deepstrike.io/blog/ai- cyber-attack-statistics-2025 >. 6 IBM, ?Cost of a Data Breach Report 2025: The AI Oversight Gap? < https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91 >. 7 Adversa AI, ?Top AI Security Incidents (2025 Edition)? < https://adversa.ai/top-ai-security-incidents- report-2025-edition/ >.