Barclays PLC Annual Report 2022 | Risk review | Page 277

Material existing and emerging risks (continued)

cannot provide absolute security against cyberattacks. Malicious actors are increasingly sophisticated in their methods, tactics, techniques and procedures, seeking to steal money, gain unauthorised access to, destroy or manipulate data, and disrupt operations, and some of their attacks may not be recognised or discovered until launched or after initial entry into the environment, such as novel or zero-day attacks that are launched before patches are available and defences can be readied. Malicious actors are also increasingly developing methods to avoid prevention, detection and alerting capabilities, including employing counter-forensic tactics making response activities more difficult. Cyberattacks can originate from a wide variety of sources and target the Group in numerous ways, including attacks on networks, systems, applications or devices used by the Group or parties such as service providers and other suppliers, counterparties, employees, contractors, customers or clients, presenting the Group with a vast and complex defence perimeter. Moreover, the Group does not have direct control over the cybersecurity of the systems of its clients, customers, counterparties and third-party service providers and suppliers, limiting the Group’s ability to effectively protect and defend against certain threats. Some of the Group’s third-party service providers and suppliers have experienced successful attempts to compromise their cybersecurity. These included ransomware attacks that disrupted the service providers’ or suppliers’ operations and, in some cases, had an impact on the Group's operations. Such cyberattacks are likely to continue.

A failure in the Group’s adherence to its cybersecurity policies, procedures or controls, employee malfeasance, and human, governance or technological error could also compromise the Group’s ability to successfully prevent and defend against cyberattacks. Furthermore, certain legacy technologies that are at or approaching end-of-life may not be able to maintain acceptable levels of security. The Group has experienced cybersecurity incidents and near-misses in the past, and it is inevitable that additional incidents will occur in the future. Cybersecurity risks are expected to increase, due to factors such as the increasing demand across the industry and customer expectations for continued expansion of services delivered over the Internet; increasing reliance on Internet-based products, applications and data storage; and changes in ways of working by the Group’s employees, contractors, and third party service providers and suppliers and their subcontractors as a long-term consequence of the COVID-19 pandemic. Bad actors have taken advantage of remote working practices and modified customer behaviours, exploiting the situation in novel ways that may elude defences. Additionally, geopolitical turmoil may serve to increase the risk of a cyberattack that could impact Barclays directly, or indirectly through its critical suppliers or national infrastructure. In 2022, the Group faced a heightened risk of cyberattack as a result of the conflict in Ukraine.

Common types of cyberattacks include deployment of malware to obtain covert access to systems and data; ransomware attacks that render systems and data unavailable through encryption and attempts to leverage business interruption or stolen data for extortion; novel or zero-day exploits; denial of service and distributed denial of service (DDoS) attacks; infiltration via business email compromise; social engineering, including phishing, vishing and smishing; automated attacks using botnets; third-party customer, vendor, service provider and supplier account take-over; malicious activity facilitated by an insider; and credential validation or stuffing attacks using login and password pairs from unrelated breaches. A successful cyberattack of any type has the potential to cause serious harm to the Group or its clients and customers, including exposure to potential contractual liability, claims, litigation, regulatory or other government action, loss of existing or potential customers, damage to the Group’s brand and reputation, and other financial loss.

The impact of a successful cyberattack also is likely to include operational consequences (such as unavailability of services, networks, systems, devices or data), remediation of which could come at significant cost.

Regulators worldwide continue to recognise cybersecurity as an increasing systemic risk to the financial sector and have highlighted the need for financial institutions to improve their monitoring and control of, and resilience to, cyberattacks. A successful cyberattack may, therefore, result in significant regulatory fines on the Group. In addition, any new regulatory measures introduced to mitigate these risks are likely to result in increased technology and compliance costs for the Group.

For further details on the Group’s approach to cyberattacks, see the operational risk performance section. For further details on cybersecurity regulation applicable to the Group, refer to the Supervision and regulation section.

c) New and emergent technology

Technology is fundamental to the Group’s business and the financial services industry. Technological advancements present opportunities to develop new and innovative ways of doing business across the Group, with new solutions being developed both in-house and in association with third party companies. For example, payment services and securities, futures and options trading are increasingly occurring electronically, both on the Group’s own systems and through other alternative systems, and becoming automated. Whilst increased use of electronic payment and trading systems and direct electronic access to trading markets could significantly reduce the Group’s cost base, it may, conversely, reduce the commissions, fees and margins made by the Group on these transactions, which could have a material adverse effect on the Group’s business, results of operations, financial condition and prospects.

Introducing new forms of technology, however, has the potential to increase inherent risk. Failure to evaluate, actively manage and closely monitor risk during all phases of business development and implementation could introduce new vulnerabilities and security flaws and have a material adverse effect on the Group’s business, results of operations, financial condition and prospects.

d) External fraud

The nature of fraud is wide-ranging and continues to evolve, as criminals seek opportunities to target the Group’s business activities and exploit changes in customer behaviour and product and channel use (such as the increased use of digital products and enhanced online services) or exploit new products. Fraud attacks can be very sophisticated and are often orchestrated by organised crime groups who use various techniques to target customers and clients directly to obtain confidential or personal information that can be used to commit fraud. The UK market has also seen significant growth in ‘scams’ where the Group takes increased levels of liability as part of a voluntary code to provide additional safeguards to customers and clients who are tricked into making payments to fraudsters. The impact from fraud can lead to customer detriment, financial losses (including the reimbursement of losses incurred by