XML 220 R54.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosures
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management Strategy And Governance [Line Items]  
Cybersecurity Risk Management Processes For Assessing Identifying And Managing Threats [Text Block]
Cybersecurity and information security
Risk management and strategy
Cybersecurity and information-security (CIS) risk is the risk that a malicious internal or external act, or a failure of IT hardware or software, or human error may have a material impact on confidentiality, integrity, or availability of UBS’s data or information systems. CIS risk is a key operational risk facing UBS, and we devote considerable resources to establishing and maintaining processes for assessing, identifying and managing CIS risk through our global workforce and cyber-operations centers around the world.
Refer to “Risk governance” in this section for information about our risk governance framework.
Governance
In line with our overall non-financial risk management framework, we take a cross-functional approach to addressing CIS risk, with the Group Operations and Technology Office (GOTO), business divisions, GCRG, Group Risk Control, Group Legal, and Group Internal Audit all playing key roles. Our risk control framework follows the three-lines-of-defense model.
GOTO establishes the policies and procedures designed to safeguard our information systems and the information those systems collect and process. The business divisions, together with GOTO, are then responsible for implementing those policies and procedures as part of the first line of defense. GCRG leads the second line of defense, by convening and consulting with additional control functions to provide independent oversight, and challenges the first line’s CIS framework and implementation. As the third line of defense, Group Internal Audit conducts independent reviews and validates the first-line and second-line processes and functions.
The Cyber and Information Security Committee (the CIS-C) is the primary decision-making body with oversight of and accountability for the Group-wide CIS program. The committee is jointly chaired by the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The Head Group Internal Audit is a permanent guest. The committee meets on a monthly basis and serves as a platform for interaction across the three lines of defense for the identification and effective governance of CIS strategy, risks and regulatory obligations. The CIS-C governance structure is intended to streamline decision-making and, where necessary, escalation to the BoD and the GEB.
Following the merger of UBS AG and Credit Suisse AG on 31 May 2024, UBS established a unified governance structure and consolidated CIS leadership under a single Group Chief Information Security Officer (Group CISO) function. This unified governance ensures that consistent and robust security measures are embedded across the entire organization. Consequently, the role of the Credit Suisse Chief Information Security Officer has been dissolved, and all CIS responsibilities are now managed centrally by the Group CISO. We have raised the profile and highlighted the role of our regional CISOs to better position our ability to engage with regulators and other key stakeholders. All regional CISOs now report directly to the Group CISO.
Refer to “Cybersecurity governance” in “Board of Directors” in the “Corporate governance” section of this report for more information.
CIS program
Our CIS program is led by the Group CISO, who reports both to the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The CIS program is designed to identify, prevent, detect and respond to CIS events, with the goal of maintaining the integrity and availability of our technology infrastructure and the confidentiality and integrity of our information. Our Group CISO, senior management within GOTO and management personnel overseeing the CIS program all have substantial relevant expertise in the areas of cybersecurity and information security. Our CIS program includes the following elements:
Threat intelligence: We systematically gather threat information and monitor threat alerts from external sources. Our cyber-threat intelligence team analyzes such information and uses it to enhance existing defense capabilities, to respond to identified threats and to adjust our CIS strategy where needed. In 2024, the team’s remit was expanded to include providing research, analysis and advice on CIS risks associated with emerging technologies, including AI.
Preventative and detection controls: We use layered firm-wide controls to prevent and detect cyberattacks. Defenses include system hardening, firewalls, intrusion prevention and detection systems, and other controls. External network connections are identified and recorded in an inventory. Access rights are defined for information assets, and IT systems and applications enforce authentication. We maintain access controls and approval processes designed to prevent unauthorized access.
Cyber-defense and incident response capabilities: The Cybersecurity Operations Center is responsible for providing 24/7/365 real-time monitoring, detection and response capabilities for cyberattacks and acting as the primary interface for cybersecurity events. Incidents assessed as having the potential to adversely affect our critical operations are subject to mandatory management notification. If assessed as potentially significant, cybersecurity and data incidents are managed under our crisis management framework.
Education and training: All UBS staff, including the external workforce, receive appropriate CIS awareness training, commensurate with their roles and responsibilities.
Third-party risk: Vulnerabilities in the cyber-risk environment of third parties represent a particular threat to our CIS and our ability to maintain our business services. We follow a risk-based approach to assess and mitigate CIS risks related to third parties. Third-party services and processes are monitored and checked on an ongoing basis, with appropriate supervision from the CIS-C. This is a key component of our third-party risk management program, notwithstanding the challenges we face in imposing the same levels of protection to the systems and data of third parties that we rely on ourselves.
Monitoring and testing: Effective incident response and problem management processes are complemented by vulnerability assessments, penetration and testing engagements based on specific threat scenarios that simulate tactics, techniques and procedures that might be used against our systems, as mandated by our policy regulations. This includes testing by internal and external red teams (simulating attacks by potential adversaries). Actual security-related events are directly correlated with threat scenarios to monitor and detect potential threats, such as network-intrusion and malware-driven events. Our deployed security measures are designed with the objective of isolating and containing threats that are detected to allow for effective incident response and analysis.
CIS assessment framework
Our CIS assessment framework includes internal and external cybersecurity risk assessments for applications and bank processes alongside a structured risk assessment process of third-party service providers. These processes are designed, along with our security capabilities, to support business objectives and priorities.
We conduct assessments to evaluate and test our CIS program and provide guidance on operating and improving the program, including the design and operational effectiveness of the security and resiliency of our information systems.
Our assessments, along with our threat intelligence capabilities, are used to assess and prioritize programs to improve our security, our incident response capabilities and our operational resilience. As the cyber-threat landscape evolves at an increasing pace, we seek to enhance our CIS controls to meet developing threats. We have ongoing programs that are intended to increase our CIS maturity across various dimensions, including governance, identification, protection and detection, as well as cyberattack response and recovery, and risk from third-party service providers.
We recognize that we will never be able to completely eliminate the risk of a future cyberattack, but, by using a risk-based approach, we work toward reducing the likelihood of a successful attack and toward mitigation of the potential business impact of such an attack.
The BoD, its Risk Committee and the GEB receive regular presentations and reports throughout the year from our Group Chief Operations and Technology Officer and our Group CISO on internal and external CIS developments, threats and risks. In addition, on a quarterly basis, the BoD receives reports on the performance of CIS risk appetite metrics, including metrics on vulnerabilities and third-party CIS risks and incidents, and is notified promptly if a Board-level CIS risk limit is breached. The Risk Committee of the BoD and the GEB also receive regular updates on CIS strategy, risks and alignment with regulatory requirements.
Operational resilience and incident response
Our business continuity and resilience framework is designed to limit the disruption CIS events cause to our business
activities. In accordance with the firm’s cyber-incident response framework, the CIS-C, including the incident response
team, tracks, documents, responds to and analyzes CIS threats and incidents, including those experienced by the firm’s
third-party service providers that may impact the firm. Additionally, we maintain established procedures for responding
to, and escalating, CIS and other system availability incidents. These are regularly practiced, including tabletop exercises
up to and including the Group Crisis Task Force.
Our CIS and data confidentiality contingency plans include event playbooks and escalation procedures designed to
support a structured assessment of potential incidents and timely escalation and reporting of incidents based on the
assessed potential impact. Incidents assessed to have the potential to adversely affect our critical operations are subject
to mandatory management notification. If assessed as potentially significant, cybersecurity and data incidents are
managed under our crisis management framework, which provides pre-established cross-functional task forces to
manage the incident, ensure appropriate and timely regulatory, market and client communications and robust oversight
by management, with escalation frameworks to inform and ensure oversight by the GEB and the BoD.
Refer to “Crisis management framework” in the “Regulation and supervision” section of this report for more information about our crisis management framework.
Cybersecurity Risk Management Processes Integrated Flag true
Cybersecurity Risk Management Processes Integrated [Text Block]
Cybersecurity Risk Management Third Party Engaged Flag true
Cybersecurity Risk Third Party Oversight And Identification Processes Flag true
Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant Flag false
Cybersecurity Risk Board Of Directors Oversight [Text Block]
Cybersecurity Risk Board Committee Or Subcommittee Responsible For Oversight [Text Block]
The Cyber and Information Security Committee (the CIS-C) is the primary decision-making body with oversight of and accountability for the Group-wide CIS program. The committee is jointly chaired by the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The Head Group Internal Audit is a permanent guest. The committee meets on a monthly basis and serves as a platform for interaction across the three lines of defense for the identification and effective governance of CIS strategy, risks and regulatory obligations. The CIS-C governance structure is intended to streamline decision-making and, where necessary, escalation to the BoD and the GEB.
Cybersecurity Risk Process For Informing Board Committee Or Subcommittee Responsible For Oversight [Text Block]
In line with our overall non-financial risk management framework, we take a cross-functional approach to addressing CIS risk, with the Group Operations and Technology Office (GOTO), business divisions, GCRG, Group Risk Control, Group Legal, and Group Internal Audit all playing key roles. Our risk control framework follows the three-lines-of-defense model.
GOTO establishes the policies and procedures designed to safeguard our information systems and the information those systems collect and process. The business divisions, together with GOTO, are then responsible for implementing those policies and procedures as part of the first line of defense. GCRG leads the second line of defense, by convening and consulting with additional control functions to provide independent oversight, and challenges the first line’s CIS framework and implementation. As the third line of defense, Group Internal Audit conducts independent reviews and validates the first-line and second-line processes and functions.
The Cyber and Information Security Committee (the CIS-C) is the primary decision-making body with oversight of and accountability for the Group-wide CIS program. The committee is jointly chaired by the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The Head Group Internal Audit is a permanent guest. The committee meets on a monthly basis and serves as a platform for interaction across the three lines of defense for the identification and effective governance of CIS strategy, risks and regulatory obligations. The CIS-C governance structure is intended to streamline decision-making and, where necessary, escalation to the BoD and the GEB.
Following the merger of UBS AG and Credit Suisse AG on 31 May 2024, UBS established a unified governance structure and consolidated CIS leadership under a single Group Chief Information Security Officer (Group CISO) function. This unified governance ensures that consistent and robust security measures are embedded across the entire organization. Consequently, the role of the Credit Suisse Chief Information Security Officer has been dissolved, and all CIS responsibilities are now managed centrally by the Group CISO. We have raised the profile and highlighted the role of our regional CISOs to better position our ability to engage with regulators and other key stakeholders. All regional CISOs now report directly to the Group CISO.
Cybersecurity Risk Role Of Management [Text Block]
Governance
In line with our overall non-financial risk management framework, we take a cross-functional approach to addressing CIS risk, with the Group Operations and Technology Office (GOTO), business divisions, GCRG, Group Risk Control, Group Legal, and Group Internal Audit all playing key roles. Our risk control framework follows the three-lines-of-defense model.
GOTO establishes the policies and procedures designed to safeguard our information systems and the information those systems collect and process. The business divisions, together with GOTO, are then responsible for implementing those policies and procedures as part of the first line of defense. GCRG leads the second line of defense, by convening and consulting with additional control functions to provide independent oversight, and challenges the first line’s CIS framework and implementation. As the third line of defense, Group Internal Audit conducts independent reviews and validates the first-line and second-line processes and functions.
The Cyber and Information Security Committee (the CIS-C) is the primary decision-making body with oversight of and accountability for the Group-wide CIS program. The committee is jointly chaired by the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The Head Group Internal Audit is a permanent guest. The committee meets on a monthly basis and serves as a platform for interaction across the three lines of defense for the identification and effective governance of CIS strategy, risks and regulatory obligations. The CIS-C governance structure is intended to streamline decision-making and, where necessary, escalation to the BoD and the GEB.
Following the merger of UBS AG and Credit Suisse AG on 31 May 2024, UBS established a unified governance structure and consolidated CIS leadership under a single Group Chief Information Security Officer (Group CISO) function. This unified governance ensures that consistent and robust security measures are embedded across the entire organization. Consequently, the role of the Credit Suisse Chief Information Security Officer has been dissolved, and all CIS responsibilities are now managed centrally by the Group CISO. We have raised the profile and highlighted the role of our regional CISOs to better position our ability to engage with regulators and other key stakeholders. All regional CISOs now report directly to the Group CISO.
Refer to “Cybersecurity governance” in “Board of Directors” in the “Corporate governance” section of this report for more information
CIS program
Our CIS program is led by the Group CISO, who reports both to the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The CIS program is designed to identify, prevent, detect and respond to CIS events, with the goal of maintaining the integrity and availability of our technology infrastructure and the confidentiality and integrity of our information. Our Group CISO, senior management within GOTO and management personnel overseeing the CIS program all have substantial relevant expertise in the areas of cybersecurity and information security. Our CIS program includes the following elements:
Threat intelligence: We systematically gather threat information and monitor threat alerts from external sources. Our cyber-threat intelligence team analyzes such information and uses it to enhance existing defense capabilities, to respond to identified threats and to adjust our CIS strategy where needed. In 2024, the team’s remit was expanded to include providing research, analysis and advice on CIS risks associated with emerging technologies, including AI.
Preventative and detection controls: We use layered firm-wide controls to prevent and detect cyberattacks. Defenses include system hardening, firewalls, intrusion prevention and detection systems, and other controls. External network connections are identified and recorded in an inventory. Access rights are defined for information assets, and IT systems and applications enforce authentication. We maintain access controls and approval processes designed to prevent unauthorized access.
Cyber-defense and incident response capabilities: The Cybersecurity Operations Center is responsible for providing 24/7/365 real-time monitoring, detection and response capabilities for cyberattacks and acting as the primary interface for cybersecurity events. Incidents assessed as having the potential to adversely affect our critical operations are subject to mandatory management notification. If assessed as potentially significant, cybersecurity and data incidents are managed under our crisis management framework.
Education and training: All UBS staff, including the external workforce, receive appropriate CIS awareness training, commensurate with their roles and responsibilities.
Third-party risk: Vulnerabilities in the cyber-risk environment of third parties represent a particular threat to our CIS
and our ability to maintain our business services. We follow a risk-based approach to assess and mitigate CIS risks
related to third parties. Third-party services and processes are monitored and checked on an ongoing basis, with
appropriate supervision from the CIS-C. This is a key component of our third-party risk management program,
notwithstanding the challenges we face in imposing the same levels of protection to the systems and data of third
parties that we rely on ourselves.
Monitoring and testing: Effective incident response and problem management processes are complemented by vulnerability assessments, penetration and testing engagements based on specific threat scenarios that simulate tactics, techniques and procedures that might be used against our systems, as mandated by our policy regulations. This includes testing by internal and external red teams (simulating attacks by potential adversaries). Actual security-related events are directly correlated with threat scenarios to monitor and detect potential threats, such as network-intrusion and malware-driven events. Our deployed security measures are designed with the objective of isolating and containing threats that are detected to allow for effective incident response and analysis.
CIS assessment framework
Our CIS assessment framework includes internal and external cybersecurity risk assessments for applications and bank processes alongside a structured risk assessment process of third-party service providers. These processes are designed, along with our security capabilities, to support business objectives and priorities.
We conduct assessments to evaluate and test our CIS program and provide guidance on operating and improving the program, including the design and operational effectiveness of the security and resiliency of our information systems.
Our assessments, along with our threat intelligence capabilities, are used to assess and prioritize programs to improve our security, our incident response capabilities and our operational resilience. As the cyber-threat landscape evolves at an increasing pace, we seek to enhance our CIS controls to meet developing threats. We have ongoing programs that are intended to increase our CIS maturity across various dimensions, including governance, identification, protection and detection, as well as cyberattack response and recovery, and risk from third-party service providers.
We recognize that we will never be able to completely eliminate the risk of a future cyberattack, but, by using a risk-based approach, we work toward reducing the likelihood of a successful attack and toward mitigation of the potential business impact of such an attack.
The BoD, its Risk Committee and the GEB receive regular presentations and reports throughout the year from our Group Chief Operations and Technology Officer and our Group CISO on internal and external CIS developments, threats and risks. In addition, on a quarterly basis, the BoD receives reports on the performance of CIS risk appetite metrics, including metrics on vulnerabilities and third-party CIS risks and incidents, and is notified promptly if a Board-level CIS risk limit is breached. The Risk Committee of the BoD and the GEB also receive regular updates on CIS strategy, risks and alignment with regulatory requirements.
Operational resilience and incident response
Our business continuity and resilience framework is designed to limit the disruption CIS events cause to our business
activities. In accordance with the firm’s cyber-incident response framework, the CIS-C, including the incident response
team, tracks, documents, responds to and analyzes CIS threats and incidents, including those experienced by the firm’s
third-party service providers that may impact the firm. Additionally, we maintain established procedures for responding
to, and escalating, CIS and other system availability incidents. These are regularly practiced, including tabletop exercises
up to and including the Group Crisis Task Force.
Our CIS and data confidentiality contingency plans include event playbooks and escalation procedures designed to
support a structured assessment of potential incidents and timely escalation and reporting of incidents based on the
assessed potential impact. Incidents assessed to have the potential to adversely affect our critical operations are subject
to mandatory management notification. If assessed as potentially significant, cybersecurity and data incidents are
managed under our crisis management framework, which provides pre-established cross-functional task forces to
manage the incident, ensure appropriate and timely regulatory, market and client communications and robust oversight
by management, with escalation frameworks to inform and ensure oversight by the GEB and the BoD.
Cybersecurity Risk Management Positions Or Committees Responsible Flag true
Cybersecurity Risk Management Positions Or Committees Responsible [Text Block]
In line with our overall non-financial risk management framework, we take a cross-functional approach to addressing CIS risk, with the Group Operations and Technology Office (GOTO), business divisions, GCRG, Group Risk Control, Group Legal, and Group Internal Audit all playing key roles. Our risk control framework follows the three-lines-of-defense model.
GOTO establishes the policies and procedures designed to safeguard our information systems and the information those systems collect and process. The business divisions, together with GOTO, are then responsible for implementing those policies and procedures as part of the first line of defense. GCRG leads the second line of defense, by convening and consulting with additional control functions to provide independent oversight, and challenges the first line’s CIS framework and implementation. As the third line of defense, Group Internal Audit conducts independent reviews and validates the first-line and second-line processes and functions.
The Cyber and Information Security Committee (the CIS-C) is the primary decision-making body with oversight of and accountability for the Group-wide CIS program. The committee is jointly chaired by the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The Head Group Internal Audit is a permanent guest. The committee meets on a monthly basis and serves as a platform for interaction across the three lines of defense for the identification and effective governance of CIS strategy, risks and regulatory obligations. The CIS-C governance structure is intended to streamline decision-making and, where necessary, escalation to the BoD and the GEB.
Following the merger of UBS AG and Credit Suisse AG on 31 May 2024, UBS established a unified governance structure and consolidated CIS leadership under a single Group Chief Information Security Officer (Group CISO) function. This unified governance ensures that consistent and robust security measures are embedded across the entire organization. Consequently, the role of the Credit Suisse Chief Information Security Officer has been dissolved, and all CIS responsibilities are now managed centrally by the Group CISO. We have raised the profile and highlighted the role of our regional CISOs to better position our ability to engage with regulators and other key stakeholders. All regional CISOs now report directly to the Group CISO.
Cybersecurity Risk Management Expertise Of Management Responsible [Text Block]
Governance
In line with our overall non-financial risk management framework, we take a cross-functional approach to addressing CIS risk, with the Group Operations and Technology Office (GOTO), business divisions, GCRG, Group Risk Control, Group Legal, and Group Internal Audit all playing key roles. Our risk control framework follows the three-lines-of-defense model.
GOTO establishes the policies and procedures designed to safeguard our information systems and the information those systems collect and process. The business divisions, together with GOTO, are then responsible for implementing those policies and procedures as part of the first line of defense. GCRG leads the second line of defense, by convening and consulting with additional control functions to provide independent oversight, and challenges the first line’s CIS framework and implementation. As the third line of defense, Group Internal Audit conducts independent reviews and validates the first-line and second-line processes and functions.
The Cyber and Information Security Committee (the CIS-C) is the primary decision-making body with oversight of and accountability for the Group-wide CIS program. The committee is jointly chaired by the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The Head Group Internal Audit is a permanent guest. The committee meets on a monthly basis and serves as a platform for interaction across the three lines of defense for the identification and effective governance of CIS strategy, risks and regulatory obligations. The CIS-C governance structure is intended to streamline decision-making and, where necessary, escalation to the BoD and the GEB.
Following the merger of UBS AG and Credit Suisse AG on 31 May 2024, UBS established a unified governance structure and consolidated CIS leadership under a single Group Chief Information Security Officer (Group CISO) function. This unified governance ensures that consistent and robust security measures are embedded across the entire organization. Consequently, the role of the Credit Suisse Chief Information Security Officer has been dissolved, and all CIS responsibilities are now managed centrally by the Group CISO. We have raised the profile and highlighted the role of our regional CISOs to better position our ability to engage with regulators and other key stakeholders. All regional CISOs now report directly to the Group CISO.
Refer to “Cybersecurity governance” in “Board of Directors” in the “Corporate governance” section of this report for more information
CIS program
Our CIS program is led by the Group CISO, who reports both to the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The CIS program is designed to identify, prevent, detect and respond to CIS events, with the goal of maintaining the integrity and availability of our technology infrastructure and the confidentiality and integrity of our information. Our Group CISO, senior management within GOTO and management personnel overseeing the CIS program all have substantial relevant expertise in the areas of cybersecurity and information security. Our CIS program includes the following elements:
Threat intelligence: We systematically gather threat information and monitor threat alerts from external sources. Our cyber-threat intelligence team analyzes such information and uses it to enhance existing defense capabilities, to respond to identified threats and to adjust our CIS strategy where needed. In 2024, the team’s remit was expanded to include providing research, analysis and advice on CIS risks associated with emerging technologies, including AI.
Preventative and detection controls: We use layered firm-wide controls to prevent and detect cyberattacks. Defenses include system hardening, firewalls, intrusion prevention and detection systems, and other controls. External network connections are identified and recorded in an inventory. Access rights are defined for information assets, and IT systems and applications enforce authentication. We maintain access controls and approval processes designed to prevent unauthorized access.
Cyber-defense and incident response capabilities: The Cybersecurity Operations Center is responsible for providing 24/7/365 real-time monitoring, detection and response capabilities for cyberattacks and acting as the primary interface for cybersecurity events. Incidents assessed as having the potential to adversely affect our critical operations are subject to mandatory management notification. If assessed as potentially significant, cybersecurity and data incidents are managed under our crisis management framework.
Education and training: All UBS staff, including the external workforce, receive appropriate CIS awareness training, commensurate with their roles and responsibilities.
Third-party risk: Vulnerabilities in the cyber-risk environment of third parties represent a particular threat to our CIS
and our ability to maintain our business services. We follow a risk-based approach to assess and mitigate CIS risks
related to third parties. Third-party services and processes are monitored and checked on an ongoing basis, with
appropriate supervision from the CIS-C. This is a key component of our third-party risk management program,
notwithstanding the challenges we face in imposing the same levels of protection to the systems and data of third
parties that we rely on ourselves.
Monitoring and testing: Effective incident response and problem management processes are complemented by vulnerability assessments, penetration and testing engagements based on specific threat scenarios that simulate tactics, techniques and procedures that might be used against our systems, as mandated by our policy regulations. This includes testing by internal and external red teams (simulating attacks by potential adversaries). Actual security-related events are directly correlated with threat scenarios to monitor and detect potential threats, such as network-intrusion and malware-driven events. Our deployed security measures are designed with the objective of isolating and containing threats that are detected to allow for effective incident response and analysis.
CIS assessment framework
Our CIS assessment framework includes internal and external cybersecurity risk assessments for applications and bank processes alongside a structured risk assessment process of third-party service providers. These processes are designed, along with our security capabilities, to support business objectives and priorities.
We conduct assessments to evaluate and test our CIS program and provide guidance on operating and improving the program, including the design and operational effectiveness of the security and resiliency of our information systems.
Our assessments, along with our threat intelligence capabilities, are used to assess and prioritize programs to improve our security, our incident response capabilities and our operational resilience. As the cyber-threat landscape evolves at an increasing pace, we seek to enhance our CIS controls to meet developing threats. We have ongoing programs that are intended to increase our CIS maturity across various dimensions, including governance, identification, protection and detection, as well as cyberattack response and recovery, and risk from third-party service providers.
We recognize that we will never be able to completely eliminate the risk of a future cyberattack, but, by using a risk-based approach, we work toward reducing the likelihood of a successful attack and toward mitigation of the potential business impact of such an attack.
The BoD, its Risk Committee and the GEB receive regular presentations and reports throughout the year from our Group Chief Operations and Technology Officer and our Group CISO on internal and external CIS developments, threats and risks. In addition, on a quarterly basis, the BoD receives reports on the performance of CIS risk appetite metrics, including metrics on vulnerabilities and third-party CIS risks and incidents, and is notified promptly if a Board-level CIS risk limit is breached. The Risk Committee of the BoD and the GEB also receive regular updates on CIS strategy, risks and alignment with regulatory requirements.
Operational resilience and incident response
Our business continuity and resilience framework is designed to limit the disruption CIS events cause to our business
activities. In accordance with the firm’s cyber-incident response framework, the CIS-C, including the incident response
team, tracks, documents, responds to and analyzes CIS threats and incidents, including those experienced by the firm’s
third-party service providers that may impact the firm. Additionally, we maintain established procedures for responding
to, and escalating, CIS and other system availability incidents. These are regularly practiced, including tabletop exercises
up to and including the Group Crisis Task Force.
Our CIS and data confidentiality contingency plans include event playbooks and escalation procedures designed to
support a structured assessment of potential incidents and timely escalation and reporting of incidents based on the
assessed potential impact. Incidents assessed to have the potential to adversely affect our critical operations are subject
to mandatory management notification. If assessed as potentially significant, cybersecurity and data incidents are
managed under our crisis management framework, which provides pre-established cross-functional task forces to
manage the incident, ensure appropriate and timely regulatory, market and client communications and robust oversight
by management, with escalation frameworks to inform and ensure oversight by the GEB and the BoD.
Cybersecurity Risk Process For Informing Management Or Committees Responsible [Text Block]
Governance
In line with our overall non-financial risk management framework, we take a cross-functional approach to addressing CIS risk, with the Group Operations and Technology Office (GOTO), business divisions, GCRG, Group Risk Control, Group Legal, and Group Internal Audit all playing key roles. Our risk control framework follows the three-lines-of-defense model.
GOTO establishes the policies and procedures designed to safeguard our information systems and the information those systems collect and process. The business divisions, together with GOTO, are then responsible for implementing those policies and procedures as part of the first line of defense. GCRG leads the second line of defense, by convening and consulting with additional control functions to provide independent oversight, and challenges the first line’s CIS framework and implementation. As the third line of defense, Group Internal Audit conducts independent reviews and validates the first-line and second-line processes and functions.
The Cyber and Information Security Committee (the CIS-C) is the primary decision-making body with oversight of and accountability for the Group-wide CIS program. The committee is jointly chaired by the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The Head Group Internal Audit is a permanent guest. The committee meets on a monthly basis and serves as a platform for interaction across the three lines of defense for the identification and effective governance of CIS strategy, risks and regulatory obligations. The CIS-C governance structure is intended to streamline decision-making and, where necessary, escalation to the BoD and the GEB.
Following the merger of UBS AG and Credit Suisse AG on 31 May 2024, UBS established a unified governance structure and consolidated CIS leadership under a single Group Chief Information Security Officer (Group CISO) function. This unified governance ensures that consistent and robust security measures are embedded across the entire organization. Consequently, the role of the Credit Suisse Chief Information Security Officer has been dissolved, and all CIS responsibilities are now managed centrally by the Group CISO. We have raised the profile and highlighted the role of our regional CISOs to better position our ability to engage with regulators and other key stakeholders. All regional CISOs now report directly to the Group CISO.
Refer to “Cybersecurity governance” in “Board of Directors” in the “Corporate governance” section of this report for more information
CIS program
Our CIS program is led by the Group CISO, who reports both to the Group Chief Operations and Technology Officer and the Group Chief Compliance and Governance Officer. The CIS program is designed to identify, prevent, detect and respond to CIS events, with the goal of maintaining the integrity and availability of our technology infrastructure and the confidentiality and integrity of our information. Our Group CISO, senior management within GOTO and management personnel overseeing the CIS program all have substantial relevant expertise in the areas of cybersecurity and information security. Our CIS program includes the following elements:
Threat intelligence: We systematically gather threat information and monitor threat alerts from external sources. Our cyber-threat intelligence team analyzes such information and uses it to enhance existing defense capabilities, to respond to identified threats and to adjust our CIS strategy where needed. In 2024, the team’s remit was expanded to include providing research, analysis and advice on CIS risks associated with emerging technologies, including AI.
Preventative and detection controls: We use layered firm-wide controls to prevent and detect cyberattacks. Defenses include system hardening, firewalls, intrusion prevention and detection systems, and other controls. External network connections are identified and recorded in an inventory. Access rights are defined for information assets, and IT systems and applications enforce authentication. We maintain access controls and approval processes designed to prevent unauthorized access.
Cyber-defense and incident response capabilities: The Cybersecurity Operations Center is responsible for providing 24/7/365 real-time monitoring, detection and response capabilities for cyberattacks and acting as the primary interface for cybersecurity events. Incidents assessed as having the potential to adversely affect our critical operations are subject to mandatory management notification. If assessed as potentially significant, cybersecurity and data incidents are managed under our crisis management framework.
Education and training: All UBS staff, including the external workforce, receive appropriate CIS awareness training, commensurate with their roles and responsibilities.
Third-party risk: Vulnerabilities in the cyber-risk environment of third parties represent a particular threat to our CIS
and our ability to maintain our business services. We follow a risk-based approach to assess and mitigate CIS risks
related to third parties. Third-party services and processes are monitored and checked on an ongoing basis, with
appropriate supervision from the CIS-C. This is a key component of our third-party risk management program,
notwithstanding the challenges we face in imposing the same levels of protection to the systems and data of third
parties that we rely on ourselves.
Monitoring and testing: Effective incident response and problem management processes are complemented by vulnerability assessments, penetration and testing engagements based on specific threat scenarios that simulate tactics, techniques and procedures that might be used against our systems, as mandated by our policy regulations. This includes testing by internal and external red teams (simulating attacks by potential adversaries). Actual security-related events are directly correlated with threat scenarios to monitor and detect potential threats, such as network-intrusion and malware-driven events. Our deployed security measures are designed with the objective of isolating and containing threats that are detected to allow for effective incident response and analysis.
CIS assessment framework
Our CIS assessment framework includes internal and external cybersecurity risk assessments for applications and bank processes alongside a structured risk assessment process of third-party service providers. These processes are designed, along with our security capabilities, to support business objectives and priorities.
We conduct assessments to evaluate and test our CIS program and provide guidance on operating and improving the program, including the design and operational effectiveness of the security and resiliency of our information systems.
Our assessments, along with our threat intelligence capabilities, are used to assess and prioritize programs to improve our security, our incident response capabilities and our operational resilience. As the cyber-threat landscape evolves at an increasing pace, we seek to enhance our CIS controls to meet developing threats. We have ongoing programs that are intended to increase our CIS maturity across various dimensions, including governance, identification, protection and detection, as well as cyberattack response and recovery, and risk from third-party service providers.
We recognize that we will never be able to completely eliminate the risk of a future cyberattack, but, by using a risk-based approach, we work toward reducing the likelihood of a successful attack and toward mitigation of the potential business impact of such an attack.
The BoD, its Risk Committee and the GEB receive regular presentations and reports throughout the year from our Group Chief Operations and Technology Officer and our Group CISO on internal and external CIS developments, threats and risks. In addition, on a quarterly basis, the BoD receives reports on the performance of CIS risk appetite metrics, including metrics on vulnerabilities and third-party CIS risks and incidents, and is notified promptly if a Board-level CIS risk limit is breached. The Risk Committee of the BoD and the GEB also receive regular updates on CIS strategy, risks and alignment with regulatory requirements.
Cybersecurity Risk Management Positions Or Committees Responsible Report To Board Flag true