XML 255 R45.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Our cybersecurity risk management forms an integral part of NatWest Group’s overall enterprise-wide risk management framework (EWRMF), which is designed around a three lines of defence model. Specifically, management of cybersecurity risk is a subset of NatWest Group’s wider operational risk management. To support our cybersecurity risk management, we maintain information and cybersecurity policies. These policies are reviewed at least annually and benchmarked against industry best practice standards, including the Information Security Forum Standard of Good Practice (ISF SOGP) and relevant publications by competent authorities such as the National Cyber Security Centre (NCSC), to help us identify and remediate any gaps in our controls and procedures. Our policies are also aligned with a number of other international and industry standards, such as ISO 27001 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). In addition, NatWest Group holds Cyber Essentials Plus certification, issued by the IASME Consortium Ltd (IASME) under Cyber Essentials, a recognised government-owned scheme operated by the NCSC.

The information and cybersecurity policies form part of our internal process supporting management’s annual assessment of the effectiveness of NatWest Group’s internal control over financial reporting, as required under Section 404 of the Sarbanes-Oxley Act.

Our cybersecurity risk management framework is designed to mitigate the impact of cybersecurity threats and incidents. The framework also includes a structured approach for identifying and managing both internal cybersecurity incidents and external incidents impacting our third-party suppliers.

In addition, the framework includes a process for assessing the severity and source of a cybersecurity threat or incident, including in relation to third-party service providers, enabling us to implement mitigating controls as required and to inform NatWest Group’s management and board of directors of any material impact.

The functions of our cybersecurity risk management framework are based on a three lines of defence model:

NatWest Group’s first line of defence is responsible for setting NatWest Group’s information and cybersecurity risk management strategy and policies, delivering effective and efficient cybersecurity products and services, and identifying, considering and assessing material cybersecurity threats on an ongoing basis. As part of the first line of defence we:
a) continue to invest significant resources in developing and improving our cybersecurity risk management processes, and engage third-party service providers to independently review and test these processes at least annually.
b) support due diligence processes in respect of third-party service providers involved in our supply chain by defining minimum security requirements, in line with industry practice, that suppliers are contractually bound by. Among other things, these minimum standards require suppliers to notify NatWest Group of any material cybersecurity incidents.
c) educate our employees and customers on cybersecurity threats and incidents through education and awareness programmes designed around the cybersecurity threats and incidents most relevant to NatWest Group. These programmes, including ethical phishing campaigns, are reviewed regularly and updated in response to changes in the cybersecurity threat landscape. Our employees are also required to complete annual information security (including cybersecurity) training.

As part of the second line of defence, a dedicated Operational Risk team is responsible for the assessment, identification and management of NatWest Group’s cybersecurity risk and provides regular updates and opinions to senior risk committees of NatWest Group. These include monthly updates and escalations as required to the NatWest Digital X Risk Committee. The Operational Risk team also provides annual opinions to NatWest Group’s Executive Risk Committee and Board Risk Committee.
As part of the third line of defence, NatWest Group’s Internal Audit team has a risk-based coverage approach to assess the adequacy of the design and operational effectiveness of key internal controls, governance and risk management, including in connection with cybersecurity risk. The frequency and scope of the internal audit coverage depends on the ongoing assessment of the key risks to NatWest Group.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management forms an integral part of NatWest Group’s overall enterprise-wide risk management framework (EWRMF), which is designed around a three lines of defence model. Specifically, management of cybersecurity risk is a subset of NatWest Group’s wider operational risk management. To support our cybersecurity risk management, we maintain information and cybersecurity policies. These policies are reviewed at least annually and benchmarked against industry best practice standards, including the Information Security Forum Standard of Good Practice (ISF SOGP) and relevant publications by competent authorities such as the National Cyber Security Centre (NCSC), to help us identify and remediate any gaps in our controls and procedures. Our policies are also aligned with a number of other international and industry standards, such as ISO 27001 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). In addition, NatWest Group holds Cyber Essentials Plus certification, issued by the IASME Consortium Ltd (IASME) under Cyber Essentials, a recognised government-owned scheme operated by the NCSC.

The information and cybersecurity policies form part of our internal process supporting management’s annual assessment of the effectiveness of NatWest Group’s internal control over financial reporting, as required under Section 404 of the Sarbanes-Oxley Act.

Our cybersecurity risk management framework is designed to mitigate the impact of cybersecurity threats and incidents. The framework also includes a structured approach for identifying and managing both internal cybersecurity incidents and external incidents impacting our third-party suppliers.

In addition, the framework includes a process for assessing the severity and source of a cybersecurity threat or incident, including in relation to third-party service providers, enabling us to implement mitigating controls as required and to inform NatWest Group’s management and board of directors of any material impact.

The functions of our cybersecurity risk management framework are based on a three lines of defence model:

NatWest Group’s first line of defence is responsible for setting NatWest Group’s information and cybersecurity risk management strategy and policies, delivering effective and efficient cybersecurity products and services, and identifying, considering and assessing material cybersecurity threats on an ongoing basis. As part of the first line of defence we:
a) continue to invest significant resources in developing and improving our cybersecurity risk management processes, and engage third-party service providers to independently review and test these processes at least annually.
b) support due diligence processes in respect of third-party service providers involved in our supply chain by defining minimum security requirements, in line with industry practice, that suppliers are contractually bound by. Among other things, these minimum standards require suppliers to notify NatWest Group of any material cybersecurity incidents.
c) educate our employees and customers on cybersecurity threats and incidents through education and awareness programmes designed around the cybersecurity threats and incidents most relevant to NatWest Group. These programmes, including ethical phishing campaigns, are reviewed regularly and updated in response to changes in the cybersecurity threat landscape. Our employees are also required to complete annual information security (including cybersecurity) training.

As part of the second line of defence, a dedicated Operational Risk team is responsible for the assessment, identification and management of NatWest Group’s cybersecurity risk and provides regular updates and opinions to senior risk committees of NatWest Group. These include monthly updates and escalations as required to the NatWest Digital X Risk Committee. The Operational Risk team also provides annual opinions to NatWest Group’s Executive Risk Committee and Board Risk Committee.
As part of the third line of defence, NatWest Group’s Internal Audit team has a risk-based coverage approach to assess the adequacy of the design and operational effectiveness of key internal controls, governance and risk management, including in connection with cybersecurity risk. The frequency and scope of the internal audit coverage depends on the ongoing assessment of the key risks to NatWest Group.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board Cybersecurity Risk Oversight

Board

The Board of Directors (Board) ensures there is a framework of prudent and effective controls which enables risks, including information and cybersecurity risk, to be assessed and managed. In addition to approving the EWRMF (including NatWest Group’s risk appetite framework) on recommendation from the Group Board Risk Committee, the Board approves the risk appetite for principal risks, including operational risk, of which information and cybersecurity risk is a component. The Board monitors information and cybersecurity performance against risk appetite through the receipt of regular reporting, and receives reporting on top and emerging risks, including the likelihood of a cyber-attack. The Board also considers material risks, including information and cybersecurity risk, and reviews the effectiveness of risk management and internal control systems.

Group Board Risk Committee (BRC)

In relation to information and cybersecurity risk, BRC provides oversight and advice to the Board on the current and future risk exposures of NatWest Group and its subsidiaries, on the future risk profile including risk appetite, and on the approval and effectiveness of the EWRMF and the internal controls required to manage risk. It approves the enterprise-wide risk management strategy and oversees its effective delivery. BRC reviews all information and cybersecurity risk exposures and management’s recommendations to monitor, control and mitigate such exposures. It also reviews NatWest Group’s information and cybersecurity performance against risk appetite through the receipt of regular reporting, updates on top and emerging risks, and updates from the first and second lines of defence, and escalates matters to the Board as required.

Management responsible for managing information and cybersecurity risk

NatWest Group’s first line of defence is responsible for setting NatWest Group’s information and cybersecurity risk management strategy, delivering effective and efficient cybersecurity products, policies and services, and identifying, considering and assessing material cybersecurity threats on an ongoing basis. NatWest Group’s cybersecurity programmes are under the direction of the Chief Information Officer (CIO), who holds regulatory accountability under the Senior Managers and Certification Regime for defining and delivering NatWest Group’s internal technology, infrastructure services and customer operations, including NatWest Group’s IT strategy, cybersecurity, operational continuity and resilience. The Chief Information Security Officer (CISO) reports to the CIO and receives regular reports from the cybersecurity team under his supervision. The CIO is an established technology leader with over 30 years of experience in financial services, having joined NatWest Group in 2022. Prior to 2022, the CIO spent eight years at Deutsche Bank, where he held a number of roles including CIO for the Corporate and Investment Bank, Head of Technology for Financial Crime, CIO for the UK and Group CTO. Prior to joining Deutsche Bank, the CIO drove the technology strategy and innovation agenda for RBS Markets as its CIO, and spent the early part of his career at JP Morgan.

The CISO, via the cybersecurity team, monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO and the cybersecurity team are experienced information security professionals with many years of experience in the information and cybersecurity industry. Prior to joining NatWest Group, the CISO was a technical director at the Communications-Electronics Security Group (CESG, the predecessor of the UK’s National Cyber Security Centre), where he advised on securing some of the UK’s most critical assets. He is a member of the Chartered Institute of Information Security (CIISec) and has spoken at a wide range of events on cybersecurity and related topics.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Group Board Risk Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

Group Board Risk Committee (BRC)

In relation to information and cybersecurity risk, BRC provides oversight and advice to the Board on the current and future risk exposures of NatWest Group and its subsidiaries, on the future risk profile including risk appetite, and on the approval and effectiveness of the EWRMF and the internal controls required to manage risk. It approves the enterprise-wide risk management strategy and oversees its effective delivery. BRC reviews all information and cybersecurity risk exposures and management’s recommendations to monitor, control and mitigate such exposures. It also reviews NatWest Group’s information and cybersecurity performance against risk appetite through the receipt of regular reporting, updates on top and emerging risks, and updates from the first and second lines of defence, and escalates matters to the Board as required.

Cybersecurity Risk Role of Management [Text Block]

Management responsible for managing information and cybersecurity risk

NatWest Group’s first line of defence is responsible for setting NatWest Group’s information and cybersecurity risk management strategy, delivering effective and efficient cybersecurity products, policies and services, and identifying, considering and assessing material cybersecurity threats on an ongoing basis. NatWest Group’s cybersecurity programmes are under the direction of the Chief Information Officer (CIO), who holds regulatory accountability under the Senior Managers and Certification Regime for defining and delivering NatWest Group’s internal technology, infrastructure services and customer operations, including NatWest Group’s IT strategy, cybersecurity, operational continuity and resilience. The Chief Information Security Officer (CISO) reports to the CIO and receives regular reports from the cybersecurity team under his supervision. The CIO is an established technology leader with over 30 years of experience in financial services, having joined NatWest Group in 2022. Prior to 2022, the CIO spent eight years at Deutsche Bank, where he held a number of roles including CIO for the Corporate and Investment Bank, Head of Technology for Financial Crime, CIO for the UK and Group CTO. Prior to joining Deutsche Bank, the CIO drove the technology strategy and innovation agenda for RBS Markets as its CIO, and spent the early part of his career at JP Morgan.

The CISO, via the cybersecurity team, monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO and the cybersecurity team are experienced information security professionals with many years of experience in the information and cybersecurity industry. Prior to joining NatWest Group, the CISO was a technical director at the Communications-Electronics Security Group (CESG, the predecessor of the UK’s National Cyber Security Centre), where he advised on securing some of the UK’s most critical assets. He is a member of the Chartered Institute of Information Security (CIISec) and has spoken at a wide range of events on cybersecurity and related topics.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Information Officer (CIO)
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The CIO is an established technology leader with over 30 years of experience in financial services, having joined NatWest Group in 2022. Prior to 2022, the CIO spent eight years at Deutsche Bank, where he held a number of roles including CIO for the Corporate and Investment Bank, Head of Technology for Financial Crime, CIO for the UK and Group CTO. Prior to joining Deutsche Bank, the CIO drove the technology strategy and innovation agenda for RBS Markets as its CIO, and spent the early part of his career at JP Morgan.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] NatWest Group’s cybersecurity programmes are under the direction of the Chief Information Officer (CIO), who holds regulatory accountability under the Senior Managers and Certification Regime for defining and delivering NatWest Group’s internal technology, infrastructure services and customer operations, including NatWest Group’s IT strategy, cybersecurity, operational continuity and resilience. The Chief Information Security Officer (CISO) reports to the CIO and receives regular reports from the cybersecurity team under his supervision. The CISO, via the cybersecurity team, monitors the prevention, detection, mitigation and remediation of cybersecurity threats and incidents. The CISO and the cybersecurity team are experienced information security professionals with many years of experience in the information and cybersecurity industry.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true