CITIGROUP INC 10-K Cybersecurity GRC - 2024-02-23

Page last updated on April 22, 2024

CITIGROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-23 17:10:34 EST.

Filings

10-K filed on 2024-02-23

CITIGROUP INC filed an 10-K at 2024-02-23 17:10:34 EST
Accession Number: 0000831001-24-000033

Item 1C. Cybersecurity.

Overview

Cybersecurity risk is the business risk associated with the threat posed by a cyberattack, cyber breach or the failure to protect Citi’s most vital business information assets or operations, resulting in a financial or reputational loss (see the operational processes and systems and cybersecurity risk factors in “Risk Factors-Operational Risks” above). With an evolving threat landscape, ever-increasing sophistication of threat actor tactics, techniques and procedures, ongoing and emerging geopolitical conflicts, and the use of new technologies, including those enabled by artificial intelligence and machine learning capabilities, to conduct financial transactions, Citi and its clients, customers and third parties (and fourth parties, etc.) continue to be at risk from cyberattacks and information security incidents. Citi leverages a threat-focused, defense-in-depth strategy that ensures that multiple controls work in tandem against various threats to increase the likelihood that malicious activity will be prevented, detected and mitigated.

Citi has a mature cybersecurity threat identification and management program that relies on an industry-aligned defense-in-depth approach, including an internal cybersecurity intelligence center, participation in industry and government information-sharing programs, vulnerability assessment and scanning tools, intrusion detection and prevention systems, security incident and event management systems, firewalls, penetration testing, adversary emulation exercises, data management (including classification, encryption at rest and in transit, and access management), multi-factor authentication requirements and other logical, physical and technical controls designed to prevent, deter, mitigate and respond to cybersecurity threats.

Citi’s cyber and information security program is supported by comprehensive governance, including policies, standards and procedures that dictate requirements and best practices around various topics, including, but not limited to, third-party risk management, data management, asset management, information security practices, security incident management, and regulatory and disclosure compliance. Citi’s Chief Information Security Office’s risks and controls are measured against its Cybersecurity Risk Appetite Statement, which was initially approved by the Risk Management Committee of the Board of Directors and is reapproved annually by Citi’s Risk Committee, chaired by Citi’s Chief Risk Officer. Citi’s Cybersecurity Risk Appetite Statement leverages key risk indicators to establish enterprise risk tolerance and define risk management strategy with respect to cyber and information security. Further, Citi actively participates in financial industry, government and cross-sector knowledge-sharing groups to enhance individual and collective cybersecurity preparedness and resilience.

Cybersecurity Risk Management and Governance

Citi’s technology and cybersecurity risk management program is built on Citi’s three lines of defense, each of which is integrated into Citi’s overall risk management systems and processes.

Citi’s Chief Information Security Office, which is led by Citi’s Chief Information Security Officer (CISO), serves as the first line of defense. This office provides frontline business, operational and technical controls and capabilities to (1) protect against cybersecurity risks, and (2) respond to cyber incidents and data breaches. Citi manages cybersecurity threats through its state-of-the-art fusion centers, which serve as central commands for monitoring and coordinating responses to cyber threats.

Citi’s Chief Information Security Office is responsible for application and infrastructure defense and security controls, performing vulnerability assessments and third-party information security assessments (including cybersecurity risk assessments associated with Citi’s use of products and services from vendors and other third-party providers), employee awareness and training programs and security incident management. In each case, the enterprise information security team works in coordination with a network of information security officers who are embedded within Citi’s global businesses and functions, consistent with Citi’s philosophy that all Citi stakeholders have a responsibility in managing cyber and information security risks.

Citi’s Technology and Cyber Compliance and Operational Risk Office (TCCORO) serves as the second line of defense. This office independently evaluates and challenges Citi’s risk mitigation practices and capabilities, from a fused operational risk and compliance lens. It functions as a joint second line of defense and in accordance with Citi’s Cybersecurity Risk Appetite Statement. TCCORO also advises first line partners in CISO, supporting enterprise-wide efforts to proactively identify and remediate cybersecurity risks before they materialize as incidents that negatively affect business operations.

To address evolving cybersecurity risks and corresponding regulations, TCCORO monitors cybersecurity legal and regulatory requirements, identifies and defines emerging risks, executes strategic cybersecurity threat assessments, performs new product and initiative reviews, performs data management risk oversight and conducts cybersecurity risk assurance reviews (inclusive of third-party assessments). In addition, this office oversees and challenges metrics related to cybersecurity and technology and ensures they remain aligned with Citi’s overall operational risk management framework to effectively track, identify and manage risk. TCCORO presents an independent viewpoint on enterprise cybersecurity risk posture, and oversees CISO’s cybersecurity risk identification, measurement and enterprise-wide governance of cybersecurity risk.

Internal Audit serves as Citi’s third line of defense and provides independent assurance to the Audit Committee of the Board on the effectiveness of controls operated by the first and second lines of defense to manage cybersecurity risk.

Citi recognizes the risks associated with outsourcing services to, sharing data with, and/or technologically interacting with third parties. Citi has built a robust third-party information security risk management program that governs third-party engagements from selection, to the establishment of legal agreements that govern the relationship, to ongoing monitoring through the duration of the relationship. Third-party risk management includes contractual requirements around data and cybersecurity, vulnerability assessments, third-party information security assessments performed at intervals determined by risk, governance to manage end-of-life and end-of-vendor-support risks, and third-party incident response protocols.

Management Governance

Citi’s Head of Operations and Technology (O&T), who reports directly to Citi’s CEO, has overall responsibility for Citi’s first line of defense cyber and information security and technology programs. Citi’s Head of O&T has over 40 years of experience in financial services and technology focused roles, including prior positions at Citi as a regional Chief Information Officer, Head of Technology for Citi’s former Institutional Clients Group and Head of Securities and Banking Operations and Technology. For additional information, see “Corporate Information-Executive Officers” below.

Citi’s CISO, who reports directly to Citi’s Head of O&T, has primary responsibility to assess and manage Citi’s material risks from cybersecurity threats. Citi’s CISO has decades of experience in managing cybersecurity risks from prior roles as Deutsche Bank’s Chief Security Officer, the Chief Information Officer for the Central Intelligence Agency and the Chief Information Officer for the U.S. Intelligence Community. The CISO is supported by a team of subject matter experts in security operations, network architecture, cyber and information security governance and cybersecurity operations. Citi’s Chief Information Security Office employs approximately 3,400 individuals to manage its operations.

Citi’s Chief Technology Officer (CTO), who also reports directly to Citi’s Head of O&T, has primary responsibility for technology policy, innovation enablement and strategy. Citi’s CTO has decades of subject matter experience in financial services and technology from previously leading the Engineering and Architecture Services group at J.P. Morgan Chase, and serving as the Chief Technology Officer at Deutsche Bank and the Chief Information Officer for Sales, Research and Securities Data Services at Goldman Sachs.

Multiple management committees and functions also support Citi’s cyber and information security management.

Citi’s Information Security Risk Committee (ISRC) governs enterprise-level risk tolerance, including cybersecurity risk. This committee serves as the most senior cyber and information security forum within Citi and is supported by other committees/forums described below. The committee is co-chaired by Citi’s Chief Risk Officer and Head of O&T and meets at least quarterly. In addition, the committee oversees risk tolerance determinations, reviews emerging threats and their business impacts, commits to appropriate resource levels and investments and supports the continual improvement of the cyber and information security management programs across all of Citi’s businesses and geographies.

The Chief Information Officer Committee (CIOC), which consists of, among others, the Head of O&T, Citi’s Co-Chief Information Officers (who report to the Head of O&T), the CISO, and the Head of TCCORO (who reports both to Citi’s Head of Operational Risk within the Risk Organization and its Head of Global Functions Compliance within the Global Legal and Compliance Organization), serves as an escalation forum for items requiring the attention of technology senior management, including approval of policies, and reports items requiring further escalation to the Technology Committee of the Board of Directors, as appropriate.

The Information Security Risk Operating Committee (ISROC) is chaired by the CISO and comprises senior members of the Chief Information Security Office and representatives from partner organizations. This committee sets the direction and prioritization for the implementation of the cyber and information security program across Citi. The committee reports and escalates to the CIOC, including for intermediary review and approval of policies escalated from the Information Technology Policy Council (see below). Any actions constituting risk exceptions are escalated to the ISRC.

The Security Architecture Council, which reports to the ISROC, is an oversight and decision-making body focused on ensuring that the target level of security architectural maturity is attained. This council is co-chaired by two representatives from the security architecture and cybersecurity services organizations.

Citi’s Information Technology Policy Council provides a centralized review to oversee consistency in the formation of information technology policies and standards. This counsel maintains oversight of policy document requirements to ensure that information technology policy documents meet Citi’s objectives as established internally and are in line with laws and regulations as identified and communicated by ICRM.

In addition, Citi regularly engages third parties globally to assess, audit and/or exercise Citi’s cyber and information security program, which is ISO-27001 certified. ISO-27001 is an international standard for information security management systems. Citi is regulated by bodies across the globe that also regularly examine and audit Citi’s cyber and information security program against local laws, regulations and industry best practices.

Board Governance Citi’s Board of Directors and its committees provide oversight of senior management’s efforts to mitigate cybersecurity risk and respond to cybersecurity incidents. Citi’s Board includes members with cybersecurity expertise and experience.

Citi’s full Board is briefed annually on cybersecurity risks and receives updates as needed on Citi’s cyber and information security program, including changes to the threat landscape and a roadmap for progress around addressing related risks. Additionally, Citi’s Board participates in cybersecurity exercises to improve preparedness to address cybersecurity incidents.

The Board’s Technology Committee receives quarterly updates from the Chief Information Security Office on the cybersecurity threat landscape, regulatory landscape, posture, and strategy and engages in discussions throughout the year with senior management and subject matter experts on the effectiveness of Citi’s overall cybersecurity program.

The Board’s Risk Management Committee (RMC) approved a standalone Cybersecurity Risk Appetite Statement against which Citi’s performance is measured quarterly. In addition, the RMC oversees Citi’s risk profile, which includes cybersecurity risk, and monitors whether Citi is operating within its cybersecurity risk appetite under its mandate to review key operational risks, including steps taken by management to control such risks.

In the event of a potentially material cybersecurity incident impacting Citi, the Board would be made aware of such incident via lines of communication that run from the Chief Information Security Office to senior management and also to the Board. This contemporaneous reporting on significant cyber events includes information and discussion around incident response, legal obligations (including disclosure), and outreach and notification to regulators and customers when needed.

For additional information on the Board’s oversight of cybersecurity risk management, see Citi’s upcoming 2024 Annual Meeting Proxy Statement to be filed with the SEC in March 2024.

Company Information