ESG at Citi Sustainable Finance Climate Risk & Net Zero Sustainable Operations Building Equitable & Resilient Communities Talent & DEI Responsible Business Appendices Transforming Our Risk and Controls Environment Ethics and Culture at Citi Risk Management Human Rights Serving Our Customers and Clients Responsibly Responsible Sourcing Key Elements of Our Cybersecurity Program PROGRAM GOVERNANCE COMPREHENSIVE APPROACH TO INDUSTRY LEADERSHIP • Oversight from our Board of Directors CYBERSECURITY BREACHES • Working with our clients, peer financial • Regular reviews by regulators and by • Regular risk assessments and internal institutions, governments, law enforcement internal and external auditors controls to defend against breaches and intelligence agencies on a global scale to enable the collective security of the financial • Globally managed by the Chief • Technology and cybersecurity policies services sector through: Enterprise Operations & Technology based on established industry standards Officer and the Chief Information • Sharing best practices • Robust technologies to protect data and Security Officer systems, supported by a strong team • Exchanging tactical information about • Chief Executive Officers of each with deep expertise from industry and specific cybersecurity threats business sector and region are government • Conducting joint cyber resilience exercises responsible for implementation • Secure networks to protect systems and • Driving adoption of industry-wide and compliance with program databases, and continuous improvement standards and approaches requirements of capabilities to meet the challenge of • Receiving and sharing threat data with our an evolving threat environment partners in near real time, and leveraging SECURE SOLUTIONS In the event of a potential breach, we have that information to strengthen our internal a robust process to ensure appropriate controls and practices and to protect Citi THIRD-PARTY CERTIFICATION Investment in and development of from attacks perpetrated against other firms advanced security solutions to safeguard reporting and notification, which includes: Certified compliance with the ISO 27001 information: • Fostering a culture of sharing among • Reviewing the breach to determine competitors on security issues for the sake standard for our global information • A multifaceted approach to move toward whether it meets any regulatory or legal of strong information security practices security and technology infrastructure password-less capabilities, including reporting requirements in the jurisdic- programs biometric options such as voice recogni- tion(s) where the breach occurred or tion or fingerprints in the jurisdiction(s) impacted by the • Next-generation security components breach. If deemed necessary, a legal that support digital and mobile growth, assessment is conducted. TRAINING by enabling enhanced security features • Notifying the impacted customers as for our mobile applications required by the laws or regulations of the Training provided annually to employees impacted jurisdiction(s) and as directed on how to properly handle and maintain • Advanced technology for improved in the legal assessment, if it results in the security and privacy of Citi’s and our cyber incident monitoring, detection a requirement to perform customer clients’ assets and information and response capabilities notifications. Citi 2022 ESG Report Page 70