Strategic Shareholder Climate and Risk Financial Financial Barclays PLC 263 report information sustainability report Governance review review statements Annual Report 2022 ESG: Governance (continued) Operational resilience Chief Security Office Certifications Customers and clients have increased The Chief Security Officer for the Group Barclays holds three ISO27001 expectations for us to be ‘Always On’ and heads the Chief Security Office and certifications (being the international the interconnectivity of the financial sector reports directly to the Chief Operating standard on how to manage information means the stability and resilience of our Officer, who sits on the Group Executive security) and successfully renewed the systems, workforce and continued Committee. The Global Chief Information Triennial Recertification for Barclays provision of third-party services all have a Security Officer (CISO) for the Group Corporate Banking (Government Banking direct impact on the quality of our service. reports directly to the Chief Security Service). Barclays also has a UK Officer and is supported by a team of certification for Digital Banking. Barclays continues to invest in a multi-year CISOs for individual business units and resilience programme which is focused on Reporting phishing jurisdictions. CSO leadership manages our ability to recover from ‘severe but The CSO performs a number of key Barclays’ cybersecurity programme and is plausible’ scenarios which could cause activities related to identifying, accountable for the day-to-day detriment to our customers and clients investigating, responding to and monitoring of residual risk, identification of and the broader financial market. containing phishing / malicious email gaps, oversight of remedial actions and To enable this, we define Group-wide incidents. The CSO has embedded an implementation of strategy. business services and their operational process that provides The Group has an Information and Cyber interdependencies across the Group, education and awareness content via Security Policy supported by 10 Standards including technology, third-party services email to colleagues who clicked a malicious which define the minimum requirements and our workforce and develop the link or attachment in a phishing email, with for cyber security matters across the recovery plans and business response escalating training exercises and entire Barclays Group. These Standards plans required should a disruption event management interventions for repeated cover topics such as Vulnerability occur. We work to review and validate instances. Management, Cryptography, Network and these mechanisms on an ongoing basis All colleagues have a reporting tool Data Security, Access Management, through regular testing, with the aim of integrated into their email account, Insider Threat and Incident Response. reducing the volume and impact of enabling them to report suspected operational incidents year on year. We also An important part of Barclays’ phishing mails to Barclays JOC for further conduct regular assurance on third parties cybersecurity programme is its Joint investigation and receive feedback on to assess their capability. Operations Centres (JOCs), which operate whether the reported mail was suspect, 24x7x365 from three globally strategic Resilience and security is set as a priority genuine or part of an educational locations, linking CSO’s security from the Barclays PLC Board and is the campaign. professionals and incident response responsibility of everyone within the Training managers with control functions and Group. Every colleague must complete business unit representatives. Barclays has adopted a 65-day window for mandatory training at regular intervals mandatory training completion to allow across the year. Within CSO, Barclays has a dedicated colleagues sufficient time to complete External Cybersecurity Assurance & Please refer to pages 184 for details of Barclays PLC Board Risk Committee oversight relating to operational resilience. training. The consequence of non- Monitoring (ECAM) team that uses a risk- Please refer to the 'Material existing and emerging risks' completion is a breach which can lead to based approach to assess, monitor and section in our Risk review on pages 269 to 281 for further details on cyber-attacks, data management and information disciplinary action and impact respond to threats relating to third-party protection. compensation. service providers. Please refer to the 'Supervision and regulation' section in our Risk review on pages 370 to 377 for further details on our The 65-day window covers many different regulatory approach to managing such risks. colleague situations, including new joiners, returners from sick leave or parental leave and internal movers. Some of these situations are required by law to have a reasonable adjustment time to enable the successful completion of training. This process is managed by Barclays HR and Compliance.

Barclays PLC - Annual Report - 2022 - Page 265 Barclays PLC - Annual Report - 2022 Page 264 Page 266