RISK GOVERNANCE FRAMEWORK

As a financial intermediary, ICICI Bank is exposed to various risks, primarily credit risk, market risk, liquidity risk, operational risk, technology risk, cyber risk, compliance risk, legal risk and reputation risk. The Bank is committed to managing material risks and participating in opportunities as part of the strategic approach of risk-calibrated growth in core operating profit.

The Board of Directors of the Bank has oversight of all risks in the Bank, with specific Committees of the Board constituted to facilitate focussed oversight. There is adequate representation of Independent Directors on each of these Committees. The Board has framed the specific mandate for each of these Committees. The proceedings of and the decisions taken by these Committees are reported to the Board. The policies approved by the Board of Directors or Committees of the Board from time to time constitute the governing framework within which business activities are undertaken.

The roles of specific Committees of the Board constituted to facilitate focussed oversight of various risks are:

  • Credit Committee: Review of developments in key industrial sectors, major credit portfolios and approval of credit proposals as per the authorisation approved by the Board.
  • Audit Committee: Provides direction to the audit function and monitors the quality of internal and statutory audit; responsibilities include examining the financial statements and auditors’ report and overseeing the financial reporting process to ensure fairness, sufficiency and credibility of financial statements.
  • Information Technology Strategy Committee: Approve the strategy for IT and related policy documents, ensure that the IT strategy is aligned with business strategy, review IT risks, ensure a proper balance of IT investments for sustaining the Bank's growth, oversee the aggregate funding of IT at Bank level, ascertain whether management has the resources to ensure proper management of IT risks, review the contribution of IT to business, oversee the activities of the Digital Council, review technology from a future-readiness perspective, oversee the progress of key projects and the performance of critical IT systems, and review special IT initiatives.
  • Risk Committee: Review risk management policies pertaining to credit, market, liquidity, operational, outsourcing, reputation risks, business continuity plan and disaster recovery plan and approve Broker Empanelment Policy and any amendments thereto. The functions of the Committee also include setting limits on any industry or country, review of the Enterprise Risk Management Framework, Risk Appetite Framework, Stress Testing Framework, Internal Capital Adequacy Assessment Process and Framework for Capital Allocation; review the status of Basel II and Basel III implementation, risk dashboard covering various risks, outsourcing activities and the activities of the Asset Liability Management Committee. The Committee has oversight on risks of subsidiaries covered under the Group Risk Management Framework. The Committee also carries out Cyber Security Risk Assessment.

The Bank also has a group, namely, Financial Crime Prevention and Reputation Risk Management Group, overseeing/handling the fraud prevention, detection, investigation, monitoring, reporting and awareness creation functions.

The Bank has put in place an Enterprise Risk Management (ERM) and Risk Appetite Framework (RAF) that articulates the risk appetite and drills down the same into a limit framework for various risk categories under which various business lines operate. In addition to the ERM and RAF, portfolio reviews are carried out and presented to the Credit and Risk Committees as per the approved calendar of reviews. As a part of the reviews, the prevalent trends across various economic indicators and their impact on the Bank’s portfolio are presented to the Risk Committee. Industry analysis and reviews are also carried out and presented to the Credit Committee.

The Internal Capital Adequacy Assessment Process (ICAAP) encompasses capital planning for a four-year time horizon, assessment of material risks and the relationship between risk and capital. The capital management framework is complemented by the risk management framework, which covers the policies, processes, methodologies and frameworks established for the management of material risks. Stress testing, which is a key aspect of the ICAAP and the risk management framework, provides an insight on the impact of extreme but plausible scenarios on the Bank’s risk profile and capital position.

The independent groups for monitoring risks in the Bank are:

  • Risk Management Group
  • Compliance Group
  • Corporate Legal Group
  • Financial Crime Prevention and Reputation Risk Management Group

The Risk Management Group is further organised into the Credit Risk Management Group, Market Risk Management Group, Operational Risk Management Group and Information Security Group. The Group is headed by the Chief Risk Officer and reports to the Risk Committee of the Board of Directors.

The Compliance Group, headed by the Group Chief Compliance Officer, oversees regulatory compliance of the Bank, both at the policy and procedures level and at the level of implementation by the respective groups. The Group has unrestricted access to information within the Bank to assess compliance with the regulatory guidelines.

The Internal Audit Group, being the third line of defence, provides independent assurance that the aforesaid independent groups monitoring the risks in the Bank are operating in line with the policies, regulations and internal standards defined for management of the various risks in the Bank.

The Compliance Group and the Internal Audit Group report to the Audit Committee of the Board of Directors. The Risk Management, Compliance and Internal Audit Groups have administrative reporting to the Executive Director responsible for the Corporate Centre.

CYBERSECURITY GOVERNANCE

ICICI Bank believes in providing services to its customers in the safest and most secure manner, keeping in mind that data protection for its customers is as important as providing quality banking services across the spectrum. The CIA triad of Confidentiality, Integrity and Availability is at the heart of building a comprehensive information security framework. The Bank also lays emphasis on customer-facing elements such as protection from phishing, adaptive authentication and awareness initiatives, and provides easy-to-use protection and risk-configuration capabilities in the hands of customers. The Bank also undertakes campaigns to create awareness among customers on security aspects while banking through digital channels.

The key elements of the security strategy at ICICI Bank are:

  • A multi-layered 'Defence-in-Depth' strategy providing multiple lines of defence.
  • Strong governance processes with segregation of duties and stringent control framework.
  • Skilled dedicated teams focussing on information security and financial crime prevention.
  • A zero-trust architecture and network segmentation.
  • Global best-in-class security systems.
  • 24x7 monitoring and surveillance of systems by agile teams (IT Command Centre, next-generation Security Operations Centre (SOC), Network Operations Centre).
  • Stringent security and gating controls at the time of inducting new applications or servers.
  • In-house Ethical Hacking (Red Teams) to continuously test IT systems for security flaws.
  • Campaigns undertaken to create awareness among customers on security aspects.
  • Incident Response Plan and Crisis Management Plan (including simulation of attack scenarios).
  • A fully-equipped Disaster Recovery setup in place at remote location (periodic Business Continuity / Disaster Recovery drills).
  • Periodic security assessments by reputed external agencies.
  • Implementation and central monitoring of terminal security solution at ATMs.
  • Tightened controls to prevent misuse of the access rights of separated consultants and of transferred or separated employees.

Cyber risks form an integral part of the Bank’s enterprise risk management framework. The Bank is committed to working towards aligning itself with the changing threat landscape and has a dedicated team for cyber/information risk management. There is robust oversight by the Board, with regular updates from the Information Security Group (ISG) of the Bank. A detailed monthly risk-based dashboard, capturing the key performance indicators and key risk indicators associated with Security Operations Centre operations together with a summary of the offences for the month, is prepared and reviewed by the CISO and the Chief Risk Officer of the Bank.

ICICI Bank has an information/cybersecurity governance framework consisting of leadership, organisational structures and processes that help mitigate growing cybersecurity threats. Our cybersecurity governance encompasses management oversight at various levels, with the ultimate responsibility assumed by the Board of Directors.

The Executive Committees have diverse cross-functional members and well-defined terms of reference. Proceedings of these Committees are reported to the IT Strategy Committee. Additionally, the Bank has multiple dashboards to review system stability, continuity and availability, and network uptime. The Bank also has a well-defined Information Security Policy, Cyber Security Policy and Information Security Standards and Procedures. These policies have been designed by drawing from various standards and regulations, including the Reserve Bank of India's Cyber Security Framework, the NCIIPC Guidelines for protection, the FFIEC Cybersecurity Assessment Tool, the SEBI Cyber Security and Cyber Resilience Framework for Stock Brokers/Depository Participants and the IRDAI Guidelines on Information and Cyber Security for Insurers. The Bank has also incorporated industry best practices such as those of the National Institute of Standards and Technology (NIST) and the regulatory requirements of the various jurisdictions in which the Bank operates. Further, periodic internal and external audits are undertaken and inputs from these assessments are incorporated from time to time. The Bank’s data centre is ISO:27001* certified.

*ISO:27001 is an international standard for information security management.

THE BANK’S CONTROLS FOR IT INFRASTRUCTURE

Preventive Control
  • Application Security Life Cycle (ASLC)
  • Vulnerability Assessment and Penetration Testing (VAPT)
  • Antivirus
  • Vendor Risk Assessment
  • Firewall
  • Intrusion Detection System (IDS)
  • Access Management
  • Distributed Denial of Service (DDoS) Mitigation
Detective Control
  • Security Operations Centre (SOC) Monitoring
  • Web Application Firewall
  • Network Operations Centre (NOC) Monitoring
  • Red Teaming Exercises
Responsive Control
  • Incident Response Plan
  • Cyber Crisis Management Plan (CCMP)
  • Forensic Agreements with Partners

Considering the criticality and vitality of data protection and security, the Bank has deployed a Data Leakage/Loss Prevention (DLP) system with data protection rules to prevent exposure of sensitive data from the Bank’s endpoints, emails and web gateways. The Bank has also deployed a Digital Rights Management system to define access rights (Read/Write) with pre-defined validity, ensuring that recipients use the data only for its intended purpose.

The Bank has made arrangements for all key activities to be performed in a work-from-home environment through a secure Virtual Private Network (VPN) and Virtual Desktop Interface (VDI), with access provided through Two-Factor Authentication. The Bank also performs endpoint security posture testing when endpoints connect to the Bank’s network. A proxy agent is present on all endpoints to ensure that all computers connect to the internet securely, as per the rules laid down by the Bank. Further, Data Leakage/Loss Prevention (DLP) has been implemented and all endpoints are hardened as per the Bank’s policy.

Participation in External Cyberattack Simulations

ICICI Bank conducts and participates in several cybersecurity attack simulation drills, such as spear phishing drills on employees, Distributed Denial of Service (DDoS) attack drills with Internet Service Providers (ISPs), and social engineering-based attempts against data centre staff aimed at gaining physical access. The Bank participates annually in cyber drills organised by the Institute for Development and Research in Banking Technology (IDRBT). The Bank conducts an external ‘Breach Assessment Exercise’ or ‘Red Teaming Simulation’ on its infrastructure with a clear and precise focus on the crown jewels of the Bank. There is ongoing reinforcement of vigilance and awareness through ethical hacking exercises conducted on employees. Business continuity and recovery drills are conducted to assess the Bank’s ability and readiness to combat disasters, to ensure continuity of critical business processes at an acceptable level and to limit the impact of a disaster on people, processes and infrastructure.

The Bank conducts comprehensive security awareness programmes to enhance the level of cybersecurity awareness among its customers and employees. The Bank uses multiple channels to reach customers, such as social media, the internet banking website, ATMs, SMS, emails and posters in branches, among others. The Bank also regularly issues email advisories and conducts quizzes for employees on themes such as Phishing Attacks, Malware, System & Asset Security, Display Name Spoofing, Access and Protecting Digital Identity. The increased awareness among employees has also increased the overall cyber resilience of the Bank.

In view of rapid digitisation and growing cyber threats, it has become imperative to respond quickly and effectively when security incidents occur. As part of incident response, the Bank has a dedicated Cyber Security Incident Response Team (CSIRT). The incident response process consists of distinct phases: preparation, prevention, detection and escalation, containment, investigation, eradication, recovery, and post-incident analysis. Further, the Bank periodically conducts mock drills to assess the efficacy of the Incident Response Plan and continuously makes improvements.

There were no material incidents of security breaches or data loss during fiscal 2022.

ESG GOVERNANCE

Long-term sustainable growth of the Bank’s business is a critical strategic objective. This is backed by our commitment to adopt sustainable business practices that ensure the long-term success of the organisation and have a positive impact on the environment and society.

ICICI Bank’s commitment towards ESG was strengthened with the adoption of the Board-approved Environmental, Social and Governance Policy and the assignment of responsibility for ESG oversight to the Board Risk Committee of the Bank, in April 2022.

RESPONDING TO CLIMATE CHANGE RISKS

ICICI Bank’s Board has acknowledged the need to address the impact of climate change risks. The Bank is committed to creating a positive impact through its businesses and addressing the challenges to the environment.

The Bank has a Social and Environmental Management Framework (SEMF) for screening new project finance proposals. The framework stipulates environmental and social due diligence for projects above specific thresholds. It has an exclusion list of industries not permitted for financing.

The Bank is in the process of incorporating ESG and climate risk aspects as part of the credit evaluation process. This would include assessing the ESG profile of borrowers, their ESG-related risks depending on the sector in which they operate and related maturity in terms of policies and processes deployed to address these risks.

While a common framework for climate risk assessment at banks is still evolving, the Bank’s approach to analysing climate risks includes developing a framework for climate risk assessment and evolving methods to test the resilience of the lending portfolio to transition and physical risks. The Bank has formulated a Climate Risk Management Framework that comprises assessment of the impact of climate change on the Bank’s own operations, management of the Bank’s loan book, and integration of material climate risks into the existing risk management framework. The Bank will align itself with national goals and targets in the nation’s collective transition to a low-carbon economy.

In its own operations, the Bank is committed to minimising the environmental impact of its operations and facilities. The Bank is working towards setting a time-bound quantitative target for reduction in emissions, reduction in emissions intensity or carbon neutrality.