Deutsche Bank

Non-Financial Report 2017

Information Security

Clients expect to access the services they need anytime, anywhere, and through a variety of channels. Evolving and innovating our technology, service offering, and processes in many instances builds on partnering with service providers and the integration of fintech development. In parallel, cyber-attacks on businesses are increasing in scale, speed, and sophistication. Information security, therefore, is one of Deutsche Bank’s material non-financial topics. Preserving the confidentiality, integrity, and availability of our clients’ & partners’ data and the bank’s information assets is essential for upholding the trust placed in Deutsche Bank by our clients, shareholders, employees, and other stakeholders.


Our governance framework and cyber-security program are continuously enhanced to ensure that security policies and standards continue to mirror evolving business requirements, regulatory guidance, and emerging cyber threats. Information security policies support Deutsche Bank in complying with these parameters and build the foundation for actively managing and governing information security-related implementation processes. International standards and best practices are used to structure Deutsche Bank´s comprehensive information security policy landscape. Our information Security Management System is certified to the international ISO 27001 standard since 2012 and was re-certified in 2015. Our policies provide a formal declaration of the Management Board’s commitment to ensuring the security of the bank’s information. A decision-making IT Security Committee with delegated authority from the COO representative of the Management Board, is furthermore well established to oversee all activities, including potential escalations.

Chief Information Security Office

In 2017, responsibility for both physical (Corporate Security) and information security was aligned in order to ensure that the protection of information assets and physical security of people, assets and buildings are designed and delivered in a holistic manner, leading to the formation of the Chief Security Office (CSO). This function sits in the Chief Operating Office. Within the Chief Security Office, Chief Information Security Office (CISO) remains the central and independent owner of information security for Deutsche Bank. CISO is mandated to ensure that the appropriate governance framework, policies, processes, and technical capabilities are in place to manage the related information security risk within Deutsche Bank. As such, CISO is responsible for setting and implementing the Group Information Security strategy globally, which has been reviewed and confirmed in 2017.

This mandate for Deutsche Bank´s CSO CISO is complemented by a CISO governance & operations unit within Postbank.

CISO works with every business division and all employees of Deutsche Bank to ensure the bank’s systems are protected as well as used safely and securely to achieve Deutsche Bank’s business objectives. By driving excellence in information security, benchmarked in global & regional industry forums, we aim to build competitive advantage, protect our brand and reputation and hereby increase client and market confidence.

Cyber Threats

To protect the bank’s information assets, we take a multi-layered approach to building information security controls into every layer of technology, including data, devices, and applications (“Defence in Depth”). This delivers robust end-to-end protection, while also providing multiple opportunities to detect, prevent, respond to, and recover from cyber threats. This approach is a key facet of our Group Information Security Strategy.

In addition to prevention methods and controls like threat operations, data leakage prevention, vulnerability management, and continuous staff awareness programs, we also prioritize detection, backed up by a robust response process. Our dedicated Cyber Incident and Response Centers in Germany, Singapore, and the US are set up to provide 24/7 coverage across different time zones (follow the sun-model), improving the bank’s capability to detect threats and robustly respond to incidents globally.

“Human Firewall”

Strengthening the “human firewall” is a further key element to our information security strategy. In 2017, a global multi-channel awareness campaign for all Deutsche Bank Group staff covering the full range of information and corporate security topics was launched. Additionally, we educate our clients about cyber threats and how the bank protects their information assets through information material and events.

We recognize the importance of continuous training and education in a highly dynamic cyber-threat environment. In 2017, CISO reviewed its Information Security Profession Framework for all CISO staff and defined respective education requirements for all roles defined in the framework. In addition to our awareness measures, Deutsche Bank staff as a whole is trained through mandatory trainings. This is complemented by specific training for individuals in specialist roles and target groups.

Engaging Stakeholders

Regulators have recognized that information security threats pose a significant risk for financial institutions. To this end, we work closely with these authorities, globally and locally, to understand and pre-empt requirements. We also collaborate closely with national and international security organizations, government authorities, and peer organizations, recognizing that proactively sharing relevant indicators of compromise (IoC) and anomalies in the internet reduces risk for all involved parties.

Engaging stakeholders helps to ensure that we apply the most up-to-date information security approaches and technology. Deutsche Bank has established a dedicated team to coordinate the sharing of intelligence and to further develop these relationships.