Deutsche Bank

Corporate Responsibility
Report 2016

Keeping our information safe and secure

  • Cyber Incident and Response Centers opened
  • Enhanced governance framework and cyber security program
  • Information security policy updated

Digitalization brings a myriad of opportunities for financial institutions, allowing banks to offer personalized services and streamline business processes. However, cyber-attacks on businesses are increasing in scale, speed, and sophistication. These developments expose Deutsche Bank to information security risks.

Our mission is to protect the business and our clients. Our Chief Information Security Office (CISO), established in 2013, ensures that the appropriate governance framework, policies, processes, and technical capability are in place to manage these risks. This function sits within the Chief Operating Office.

Engaging stakeholders

Regulators have recognized that information security threats pose a significant risk for financial institutions. To this end, we work closely with them, globally and locally, to understand and preempt requirements. We also collaborate closely with national and international security organizations, government authorities, and peer organizations, recognizing that proactively sharing relevant anonymized information reduces risk for all involved parties.

Engaging stakeholders helps to ensure that we apply the most up to date information security approaches and techniques. Deutsche Bank has established a dedicated team to coordinate the sharing of intelligence and to further develop these relationships.

Detecting and preventing cyber threats

To protect the bank’s information assets, we take a multilayered approach to building information security controls into every layer of technology, including data, devices, and applications. This delivers robust end-to-end protection, while also providing multiple opportunities to detect, prevent, respond to, and recover from cyber threats. This is a key facet of the Group Information Security Strategy, which has recently been ratified by the bank’s Management Board.

In addition to sophisticated prevention methods, we also prioritize detection, backed up by a swift and appropriate response process with clearly defined responsibilities. In 2016, we opened dedicated Cyber Incident and Response Centers to improve the bank’s capability to detect threats and robustly respond to incidents globally, around the clock.

Security governance

As the central owner of information security for Deutsche Bank, our CISO is responsible for setting and implementing the bank’s information security strategy, maintaining an appropriate level of information security protection Group-wide, and protecting the confidentiality, integrity, and availability of business and client information.

Our governance framework and cyber security program have been enhanced to ensure that security policies and standards continue to reflect evolving business requirements, regulatory guidance, and emerging threats. The policies provide a formal declaration of the Management Board’s commitment to ensuring the security of the bank’s information. To demonstrate its commitment, Deutsche Bank is certified to the international ISO 27001 standard for information security.

The Information Security Policy Framework, which includes Information Security Principles and detailed Information Security Policies and Procedures, is available to all employees. In the past year, a number of policies have been updated, including major amendments on the security of electronic communication, and client access to the bank’s infrastructure policies. Chief Business Information Security Officers within each business division are ultimately responsible for the operational aspects of ensuring compliance with the Information Security Principles.

Employee awareness and responsibility

Each employee is responsible for ensuring that the information security policies and procedures are implemented. Mandatory training courses are regularly conducted for all staff, and completion of the courses is tracked. To complement this, a dedicated website, educational videos, phishing campaigns, and cyber security road shows help to raise awareness. Finally, a 24/7 global security hotline is maintained for all employees and service providers to report information security issues.