Page last updated on July 28, 2025
CITIGROUP INC reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 17:12:44 EST.
Filings
CITIGROUP INC filed a 10-K at 2025-02-21 17:12:44 EST
Accession Number: 0000831001-25-000067
Item 1C. Cybersecurity.
Overview
Cybersecurity risk is the business risk associated with the threat posed by a cyberattack, cyber breach or the failure to protect Citi’s most vital business information assets or operations, resulting in a financial or reputational loss. With an evolving threat landscape, ever-increasing sophistication of threat actor tactics, techniques and procedures, ongoing and emerging geopolitical conflicts, and the use of new technologies, including those enabled by artificial intelligence and machine learning capabilities, to conduct financial transactions, Citi and its clients, customers and third parties (and fourth parties, etc.) continue to be at risk from cyberattacks and information security incidents.
Citi leverages a threat-focused, defense-in-depth strategy that ensures that multiple controls work in tandem against various threats to increase the likelihood that malicious activity will be prevented, detected and mitigated. Citi has a mature cybersecurity threat identification and management program that relies on an industry-aligned, risk-based, defense-in-depth approach, including an internal cybersecurity intelligence center, participation in industry and government information-sharing programs, vulnerability assessment and scanning tools, intrusion detection and prevention systems, security incident and event management systems, firewalls, penetration testing, adversary emulation exercises, data management (including classification, encryption at rest and in transit, and access management), multi-factor authentication requirements and other logical, physical and technical controls designed to prevent, deter, mitigate and respond to cybersecurity threats.
Citi’s cyber and information security program is supported by comprehensive governance, including policies, standards and procedures that dictate requirements and best practices around various program aspects, including, but not limited to, third-party risk management, data management, asset management, information security practices, security incident management and regulatory compliance. Citi’s Chief Information Security Organization’s risks and controls are measured against its Cybersecurity Risk Appetite Statement, which is approved annually by Citi’s Risk Committee. This statement leverages key risk indicators to define enterprise risk tolerance and management strategy. Citi also actively participates in cross-sector knowledge-sharing groups to enhance collective cybersecurity resilience.
Cybersecurity Risk Management and Governance
Citi’s risk management program is based on a three-lines-of-defense model:
The first line of defense, led by Citi’s Chief Information Security Office and its Chief Information Security Officer (CISO), implements frontline operational and technical controls. This includes defense of infrastructure and applications, vulnerability testing, third-party risk assessments, security awareness programs, and incident response through global fusion centers.
The second line of defense, Citi’s Technology and Cyber Compliance and Operational Risk Office (TCCORO), independently evaluates and challenges Citi’s cybersecurity risk posture. It performs threat assessments, tracks regulatory requirements, oversees risk metrics, and ensures alignment with Citi’s operational risk management framework.
The third line of defense, Citi’s Internal Audit, provides independent assurance to the Board’s Audit Committee on the effectiveness of the first and second lines’ cybersecurity controls.
Citi maintains a global third-party security risk management program with protocols for selection, contracting, monitoring, and incident response. Contracts include data security terms, and assessments are conducted at risk-based intervals.
Management Governance
Citi’s Head of Technology and Business Enablement (reporting to the CEO) has overall responsibility for Citi’s technology and cyber programs. The CISO, who has decades of experience, including prior roles at Deutsche Bank and the CIA, reports to this leader. Citi’s Chief Technology Officer focuses on policy and innovation. Over 3,400 employees support Citi’s Chief Information Security Office.
Citi’s cyber governance bodies include:
- Chief Information Officer Committee (CIOC) – Reviews and escalates issues to the Board’s Technology Committee.
- Information Security Risk Operating Committee (ISROC) – Chaired by the CISO, sets program direction and reports to the CIOC.
- Security Architecture Council – Ensures alignment of architecture maturity.
- Information Technology Policy Council – Oversees consistency in policies and standards.
Citi also engages independent third parties globally to audit its ISO-27001-certified program and responds to examinations from global regulators.
Board Governance
Citigroup’s Board oversees cybersecurity risk mitigation and response. It includes members with cybersecurity experience and is briefed annually (or more frequently as needed). Board-level bodies include:
- Technology Committee – Receives quarterly updates from the Chief Information Security Office and discusses threat posture and strategy.
- Risk Management Committee (RMC) – Approves Citi’s Cybersecurity Risk Appetite Statement and monitors cyber risk alignment with enterprise risk.
In the event of a material incident, the Board is notified promptly through established communication channels. Updates include incident response, legal obligations, and regulatory/customer outreach.
For more on Board oversight, see Citi’s 2025 Annual Meeting Proxy Statement (to be filed March 2025).
Company Information
| Field | Value |
| --- | --- |
| Name | CITIGROUP INC |
| CIK | 0000831001 |
| SIC Description | National Commercial Banks |
| Ticker | C - NYSE; C-PN - NYSE |
| Website | |
| Category | Large accelerated filer |
| Fiscal Year End | December 30 |