2025 Public Sector Perspectives
6. Practice your threat response and communication strategy in advance

If a cyberattack occurred today, are you clear about who needs to know what and when, among your broadly defined internal and external central bank constituencies? Are the communication channels and scenarios for your central bank clearly established and socialized with the necessary partners and stakeholders? The materiality and timing thresholds of public communication are complex and have enormous repercussions for the system and the central bank if loosely managed. You will be under enormous time pressure in an actual crisis, so your communication channels within and around the central bank must be pre-defined and well-rehearsed.

7. Robust due diligence on critical vendors

Be it power, telecom, software, or another key infrastructure service provider, we have learned how important preparation and communication with critical vendors in our supply chain is. Remember: when malware threatens, it is often through a cracked door left open by the weakest link in your chain. This is often an external supplier’s system. Central banks should be digging deep into their vendors to uncover and understand any potential network, supply chain, and third-party vendor cyber risks or issues. This is not just a matter of operational risk, but also one of reputational risk, as central banks should represent expected best practice behavior.

8. Time speeds up in a crisis: Have your containment protocols set in advance

In a cyber crisis, which systems need to be shut down immediately? What are the over-arching network and financial implications of those decisions? Is the network design segmented such that non-cyber-specialist decision makers can understand? Segmentation is a best practice and cannot be properly considered in a crisis; therefore, it needs to be determined and in proper place beforehand.
Our teams have observed scenarios in which non-cyber senior decision makers had to direct containment measures in less than 30 seconds. Yes, that is 30 seconds to make a systemically significant business decision. The takeaway: You must understand your containment protocols and their full-scope impact, such that in a crisis, key decision makers have the cyber knowledge and training to make a well-informed, best-case decision at an extraordinary pace.

Hint: Mock cyber exercises are great testing grounds to practice your firm and leadership’s response capabilities to a cyber crisis. If you have played the scenario out in a drill, you have a strong foundation for success.

9. Know your critical assets

For Citi, one of our most critical assets is client data. Similarly, central banks need to evaluate their assets and classify them accordingly – critical, less critical, non-critical – to help align processes and resources based on clear priorities. This is a useful exercise not only if a cyberattack lands, but also in building your cybersecurity resiliency programs. Thoughtful designation and prioritization of your data and assets is essential.

10. Construct a cyber center, lab, or dedicated team to build your central bank cybersecurity program

I hope this tip is common knowledge and something you have already done. At Citi, we utilize Cyber Security Fusion Centers (CSFCs). The term “fusion” reflects the comprehensive and integrated approach we take to cybersecurity, as we have aggregated expertise from across necessary functions in the bank as the foundation of our cybersecurity program. We borrowed heavily from the U.S. government’s “joint task force” model, based on lessons learned in crisis, dating as far back as the terrorist attacks of September 11. If you were to visit our fusion centers, you might confuse one with an official, secure, state-of-the-art command-and-control facility. That is by design.
Citi has individual teams dedicated to functions such as identifying frauds, securing our internal networks, responding to security breaches, and monitoring the dark web. The fusion center as a concept is a “team of teams” approach, able to drive response to cyber incidents, along with driving the necessary connective tissue between functions. We maintain a follow-the-sun model, with a CSFC in North America, EMEA and the APAC regions, creating and maintaining a holistic view of internal and external threats to better prevent intrusion, detect hackers early, and coordinate effective responses on a 24/7 non-stop basis.

One critical function of any cybersecurity team is to stress test the organization’s own systems to make sure they can withstand and respond to an actual threat event. We employ “ethical” hackers, who are incentivized to identify vulnerabilities in the bank’s systems. We also maintain “hunt teams” trained to think like the various cybercriminals to detect system weaknesses. The CSFCs regularly conduct exercises to test detection abilities and develop effective response habits. This is an example of Citi’s proactive posture towards cyber defense.

Our Fusion Centers are also conduits for information-sharing within appropriate channels and within our business ecosystem. The Centers share data, observations, and best practices with the FS-ISAC, similar groups in Asia and Europe, and with systemically appropriate central banks and governments. In this way, the financial system benefits from Citi’s cybersecurity leadership, and

Citi Perspectives for the Public Sector 37