Deutsche Bank
Technology, data and innovation
Non-Financial Report 2022
Information security

Information security
– Preserving the confidentiality, integrity, and availability of information assets
– Continually adapting security controls based on an evolving threat landscape

GRI 3-3

Clients expect access to their bank’s services anytime, anywhere, and through a variety of channels. Deutsche Bank operates in an environment with increasing levels of digitization and a continually evolving threat landscape related to information security. Cyber-attacks could lead to technology failures, security breaches, unauthorized access, loss or destruction of data, unavailability of services, and the inaccessibility of systems and/or data.

Amid these threats and challenges, Deutsche Bank has the responsibility to preserve the confidentiality, integrity, and availability of clients’ and business partners’ data and its own information assets. Doing so consistently and effectively is essential for retaining stakeholders’ trust. Consequently, information security remains a significant topic, and the bank therefore continues to invest in risk mitigation. In 2022, Deutsche Bank again adapted its security capabilities to keep pace with evolving threats. The bank’s group-wide security strategy articulates the steps it takes to safeguard its ability to provide products and services to clients, thereby ensuring revenue streams.

Security strategy, framework, and governance
GRI 2-12/13/23/24/25, 3-3

Responsible for security matters at Deutsche Bank is the Chief Security Officer. The Chief Security Officer has delegated authority from the Management Board and reports directly to the Chief Technology, Data, and Innovation Officer, who is a member of the Management Board. The Management Board receives a comprehensive quarterly information security risk posture report as well as ad hoc information if required.
Furthermore, the Chief Security Officer provides the Supervisory Board’s Committee responsible for Technology, Data and Innovation with regular updates on material topics relating to security.

The Chief Security Office develops the bank’s group-wide security strategy and oversees its implementation and operationalization globally. This strategy is reviewed continually to address changes in the threat landscape, technology, the regulatory environment, the bank’s corporate and IT strategy, and other internal and external parameters. Deutsche Bank’s strategy framework provides comprehensive and layered security controls. This framework is strengthened by a threat-driven approach to directing and adjusting security investment, including the continual review and assessment of the maturity of the bank’s security implementation.

The Chief Security Officer is supported by information security role holders at various seniority levels to ensure that security requirements are met at a regional level as well as from a divisional and technical perspective. All information security activities are overseen by governance forums chaired by the Chief Security Officer. These forums include the Group IT Security Council (for the bank’s IT functions) and the Group Information Security Committee (for the bank’s business divisions), which reviews and endorses the bank’s information security policies and procedures.

Security policies and their implementation are guided by international standards and best practices. The bank’s Information Security Management System has been certified and recertified to ISO 27001 in all information security domains since 2012 and was again successfully recertified in 2021, including a yearly certification follow-up in 2022, which ensures compliance between the certification terms. Deutsche Bank has a well-established global regulatory engagement model to understand, identify and implement controls related to applicable regulatory change, as necessary.
The effectiveness of the overall approach to information security is evaluated on a regular basis by third-party organizations that compare the bank’s approach with industry benchmarks. In addition, the independent Group Audit function frequently includes the assessment of security controls in its audit plan.