Deutsche Bank
Technology, data and innovation
Non-Financial Report 2022

Information security

Security measures

Layered security controls
GRI 3-3

To fend off evolving security threats, the bank aims to build information security controls into every layer of technology, including identity, data, infrastructure, devices and applications, complemented by organizational controls and security training and awareness. The purpose of this layered approach is to provide end-to-end protection as well as multiple opportunities to detect, prevent, respond to, and recover from cyber threats. Deutsche Bank has in place a variety of prevention methods and controls, such as threat intelligence, data leakage prevention, cyber hygiene, and encryption solutions. This also includes placing a strong emphasis on detection, backed by a robust incident-response process.

Over the course of 2022, Deutsche Bank further matured its integrated security function across information and physical security. As an example, the established threat intelligence function expanded to cover a broader spectrum of the cyber and physical security threat landscape through enhanced threat analysis capabilities and the use of additional threat intelligence feeds. The bank also established a Responsible Disclosure process through which it encourages the active sharing of suspected security vulnerabilities with the bank's security teams.

The bank actively shares best practices and threat information with national and international security organizations, government authorities, and peer organizations. These relationships help ensure that the bank's security technology and procedures reflect current industry best practices and keep pace with the threat environment.

Deutsche Bank's security incident management covers cyber-security events that may affect the bank itself, its clients and business partners, or its employees. The related management and reporting processes are designed to respond quickly and effectively to cyber-attacks or information security threats, to minimize loss, leakage, or disruption, and to use insights gained from the handling of incidents to continuously improve the bank's processes. The bank's Cyber Intelligence and Response Centers in Asia-Pacific, Europe, and the United States provide global 24/7 monitoring, which enhances its ability to detect threats and respond to incidents worldwide. In 2022, there were no material negative impacts to the bank's systems, information assets, or client information as a result of an attempted cyber-attack or other information security incident.

Fostering a security culture
GRI 2-23, 3-3, 404-2, FS4

A key element of the bank's security strategy is to foster and maintain a bank-wide security culture characterized by strong collaboration across divisions and functions and an active awareness among its employees of their important role as a human firewall. This is reinforced by "Time to be aware – you are security," a security awareness campaign communicated to all employees worldwide. It consists of basic security practices and useful tips for typical work situations both at the office and on the go, complemented by detailed and continually updated information about key issues. Another way the bank reinforces security awareness is by periodically conducting simulated phishing attacks.

The dynamics of the cyber threat environment make ongoing personnel training essential. Deutsche Bank requires mandatory information security training for all employees, including eligible contractor staff. This training covers the content of the information security policy, important and current security threats, and the process for reporting security incidents or any other security-related concerns. For Deutsche Bank employees, failure to complete this training, or late completion, can result in disciplinary consequences. Deutsche Bank continually assesses its information security training offering to strengthen security culture and updates the trainings as necessary. In 2022, a completion rate of 99.98% was achieved for the e-learning-based mandatory information security training.

Third-party security risk management
GRI 3-3

Reliance on third parties' products and services that support critical operations can affect the bank's risk posture, because those third parties can themselves be the target of new and evolving information security attacks. This risk, along with increased regulatory requirements, has necessitated detailed oversight and continuous monitoring of third-party security, as well as the continued maturing of the bank's technology-driven third-party security capabilities. Deutsche Bank manages third-party information security risk by means of its global third-party risk management program, which includes the requisite information security control obligations, as applicable.