Balancing Digital Aspirations While Addressing Risk Management Fundamentals: Observations From Citi Treasury Diagnostics

CYBER THREAT INCREASING: CORPORATE RESPONSE

[Chart: Suffered loss as a result of a fraud and/or security breach in the past 24 months. Responses: Yes; No; Don’t know/not sure.]

[Chart: Security incidents in the last 24 months. Categories: Business e-mail compromise (e.g. phishing and/or impersonation); Fraud (e.g. fake invoice or payment details change); Data/network/machine compromise (e.g. malware, data theft, etc.); Wilful insider fraud; No security incidents.]

[Chart: Cybersecurity is a key concern at... Categories: Board Level; CEO; CFO/Treasurer; CTO/CIO/CISO/Chief Risk Officer; None of the Above.]

Only 22% of respondents indicate they have not experienced a security incident in the last 24 months.

Despite 98% of companies stating that Cybersecurity is a key concern at Board or C-suite Level, 60% are either unclear or don’t have a risk-based assessment process in place.

20% don’t know or are not aware of a policy in place for secure information management. 43% do have a policy but believe there is room for improvement.

[Chart: Use of risk-based assessment vs. Policy for secure Information Management. Series: Use of risk-based assessment process to manage 3rd party business relationships, including security assessments; Policy in place for secure information management. Responses: Yes, and it works well; Yes, but there is room for improvement; No; Don’t know/not sure.]
