Global Citizenship Report 2017

Safeguarding Data and Protecting Customer Information Digital solutions are an integral part of our daily lives, and as consumers, corporations and governments turn to technological solutions, the opportunity to leverage the benefits of big data grows. But with this significant opportunity comes increased concerns related to privacy and security breaches. Data security and privacy are top priorities for Citi and for our stakeholders and are among our most material citizenship issues. Information Security Citi’s Global Information Security Program couples information gathering and data analysis with forensics to inform strategic decisions. Our approach rests on having the right technology, systems, policies, processes and talent in place to prevent, detect, respond to and recover from cyber threats quickly. Citi conducts regular information security risk assessments and trainings and has internal controls to prevent infor- mation security breaches. We have developed stringent policies, employ robust technologies to protect our data and systems, and have built a strong, well-trained team. Our Global Information Security team protects information from data breaches and misuse by maintaining strong networks to protect our systems and databases, but we remain vigilant as such threats persist. Our program is accredited by the British Standards Institution, and Citi is the first major financial institution to have its Global Information Security Program ISO 27001 certified. The program is also regularly examined by regulators as well as by internal and external auditors. Citi also collaborates with external stakeholders to raise the security of the industry. We work with our clients, competitors, governments, law enforcement and intelligence agencies to share best practices and conduct joint cyber resilience exercises. Our security teams also study informa- tion security challenges across industries to learn how to strengthen our internal practices and respond to problems quickly. Reinforcing our culture of ethics and responsibility, the Audit Committee of our Board oversees the development, implementation and maintenance of our Global Information Security Program. The program is managed by the Chief Operations and Technology Officer and the Chief Information Security Officer on a global, enterprise basis; the Chief Executives of each business sector and region are responsible for implementation and compliance with program procedures and requirements. Annually, we provide our employees with training on how to properly handle personal information and how to maintain the security and privacy of information when working with companies that provide services to us. As part of our approach to safeguarding information, we invest in, develop and use advanced technology. For example: • Pindrop Security, a Citi Ventures portfolio company, com- bines authentication and anti-fraud technology to analyze phone calls within 30 seconds, helping customer service representatives confirm whether callers are who they say they are. Citi helped to shape the company’s product roadmap through testing, fine-tuning and adapting to fit Citi’s infrastructure needs. Using Pindrop technology, more than half of all phone-based fraud attempts have been detected as the calls are taking place, and we have seen a reduction in fraud loss with lower operational costs and improved customer experience. • Our SmartPass Touch ID technology — a collaboration between the Citi Ventures portfolio company Unbound and Citi’s Innovation Lab — allows CitiVelocity clients to use fingerprint identification to log in to their accounts via their mobile devices. The fingerprint is tied to a password, which is randomly split between the mobile device and a server. This means the password is never stored on the device, which makes it more secure. 30