Cybersecurity Risk Management and Strategy Disclosure |
12 Months Ended |
|---|---|
Dec. 31, 2025 | |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | We and Deutsche Bank Group operate in an environment with increasing levels of digitization and a constantly evolving landscape related to cybersecurity threats. Due to the dynamics and complexity of the current environment, the Deutsche Bank Group is continuously monitoring the security threat landscape. Deutsche Bank Group vigilantly observes technological developments, the geopolitical landscape and economic impacts driving security risks and assesses their relevance for potential impacts to Deutsche Bank Group and the wider financial ecosystem. Deutsche Bank Group has a variety of prevention methods and controls in place, such as threat intelligence, network security, identity and access management, data leakage prevention, cyber hygiene, and encryption solutions. These also include placing a strong emphasis on detection, backed by a robust incident-response process. Deutsche Bank Group actively shares best practices and threat information with national and international security organizations, government authorities, and peer organizations. These relationships help to ensure that Deutsche Bank Group’s security technology and procedures reflect current industry best practices and keep pace with the threat environment. Deutsche Bank Group’s security incident management covers cybersecurity events that may affect it and its subsidiaries, its clients, business partners, or employees. The related management and reporting processes performed with the involvement of compliance, legal and data privacy are designed to enable a quick and effective response to cyberattacks and information security threats. Further, if DWS is notified of an incident, then a communication protocol will be followed to notify affected or potentially affected parties internal and external to DWS, including notification to us if our data or our stockholders data is at risk. The audit committee of our board of directors is responsible for overseeing the implementation of the cybersecurity policies and procedures applicable to us, and related reporting. This includes quarterly reporting to our audit committee as well as ad hoc incident reporting whereby if we are notified of an incident, whether reported to us by Deutsche Bank Group or any of our third-party vendors, we will assess it and advise the audit committee of our board of directors depending on the severity of the incident. The audit committee can, in its discretion and at our expense, retain special legal or other consultants to advise the audit committee or to assist in the conduct of any investigation, subject to our board of directors determination to allocate assets to pay for such investigation. To address evolving security threats, Deutsche Bank Group continually reviews and enhances its information security controls into every layer of technology, including databases, infrastructure, devices, and applications. This is complemented by organizational controls and security training and awareness. The purpose of this layered approach is to strengthen end-to-end protection by utilizing multiple opportunities to detect, prevent, respond to, and recover from cyberthreats. Security risks are assessed on a regular basis, at least annually, taking internal as well as external risk drivers and events dynamically into account. A thorough analysis of the external threat landscape, which leverages industry standard threat assessment frameworks, provides a foundation for the assessment of financial industry relevant risk scenarios. These are evaluated against Deutsche Bank Group’s capabilities to cope with these risks. In case of emerging developments, additional risk reviews are conducted. Reliance on third parties’ products and services that support critical operations can affect the risk posture, because these can be the target of new and evolving cybersecurity attacks. This risk, along with expanded regulatory requirements, has necessitated an increased use of technology to better identify information security risks across third parties and where necessary, pro-actively perform outreach with them. Deutsche Bank Group has a third-party risk management process designed to identify, monitor, and mitigate risks arising from working with third parties, which includes oversight of third parties’ operations related to the services provided. In addition, where appropriate, Deutsche Bank Group will seek to include in its contractual arrangements with certain third-party vendors provisions addressing best practices with respect to data and cybersecurity, as well as the right to assess, monitor, audit and test such vendors’ cybersecurity programs and practices. For a discussion of how risks from cybersecurity threats affect our business, and our reliance on Deutsche Bank Group in managing these risks, see “Part 1. Item 1A. Risk Factors – General Risk Factors – Cybersecurity risks and data protection could result in the loss of data, interruptions in our business, damage to our reputation, and subject us to regulatory actions, increased costs and financial losses, each of which could have a material adverse effect on our business and results of operations” in this Annual Report on Form 10-K.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Deutsche Bank Group’s security policy framework defines the core principles of security risk management and the fundamentals for security management. The complete framework is reviewed annually. The framework is governed centrally and applied globally across all product groups and business and infrastructure divisions. The framework includes a clear description of the risk tolerance related to information security. It also sets out the roles, responsibilities and accountabilities of key personnel identified to manage information security risk; the strategy and measures to cope with information security breaches, and related communication procedure.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Responsibility for cybersecurity matters sits within the Chief Security Office, where it forms the first Line of Defense within Deutsche Bank’s Three Lines of Defense model. The Chief Security Officer (“CSO”) has delegated authority from the Deutsche Bank Management Board (“Management Board”) and reports directly to the Chief Technology, Data, and Innovation Officer, who is a member of the Management Board. The Management Board is accountable for the implementation of the information security framework, with oversight from the Deutsche Bank Supervisory Board. There are multiple mechanisms in place for the CSO to escalate security issues directly to the Management Board if required. Deutsche Bank’s Chief Security Officer has served in various information security roles for more than 20 years. This includes the role as global Chief Information Security Officer (“CISO”) / CSO for three different large European financial institutions and a partner position in a global strategy and consulting firm, leading security work for financial service clients. The Chief Security Officer is supported by information security role holders at various seniority levels to help ensure that security requirements are met from a regional, divisional, and technical perspective. The Chief Security Office develops Deutsche Bank Group’s security strategy and oversees its implementation and operationalization globally via the organizational set-up, governance, and implemented security policies. The security strategy, which is reviewed on a regular basis, incorporates developments in the threat landscape, technology, the regulatory environment, the overall corporate and IT strategy, and other internal and external parameters. The Chief Security Office maintains a comprehensive metrics and reporting framework, underpinned by an extensive data set allowing for global, regional, and divisional views. Security metrics and reporting provided to Deutsche Bank Group´s governance forums at all seniority levels support appropriate security risk awareness and decision taking. The Management Board receives a comprehensive quarterly information security risk posture report, as well as ad hoc information if required. Furthermore, the Chief Security Officer provides regular updates on material topics relating to security to the Supervisory Board’s Committee responsible for technology, data and innovation. Information security risk is managed as an operational risk under the operational risk management framework of Deutsche Bank Group. The Chief Security Office, in its responsibility as the first line of defense, executes against the operational risk management framework and leverages its various instruments whereas the operational risk management as the second line of defense provides oversight, review, and challenge. Accordingly, part of the operational risk committee’s remit is to oversee and govern Deutsche Bank Group’s cybersecurity risk profile, remediation programs and risk tolerance. Should a cybersecurity incident occur, Deutsche Bank Group has an established protocol for communicating such incident to the divisions of Deutsche Bank Group that may be impacted, including chief security officers and division heads. Those personnel in turn will notify potentially affected groups further downstream as applicable, including down to us if any our or our stockholders' information may be at risk. Deutsche Bank Group’s security policy framework defines the core principles of security risk management and the fundamentals for security management. The complete framework is reviewed annually. The framework is governed centrally and applied globally across all product groups and business and infrastructure divisions. The framework includes a clear description of the risk tolerance related to information security. It also sets out the roles, responsibilities and accountabilities of key personnel identified to manage information security risk; the strategy and measures to cope with information security breaches, and related communication procedure. Additionally, Deutsche Bank Group’s Information Security Management System has been certified according to ISO 27001 for all information security domains defined in that standard since 2012. To maintain the ISO 27001 certification, Deutsche Bank Group performs a full recertification process every three years, with the latest taking place in 2024. With the last recertification, Deutsche Bank upgraded its Information Security Management System to the 2022 version of ISO 27001. Furthermore, the Deutsche Bank Group performs an annual surveillance audit designed to ensure compliance between certification intervals. Deutsche Bank Group employs a variety of mechanisms to self-identify areas for improvements and control enhancements. These encompass comprehensive security testing including red teaming and threat-led penetration testing, security problem management, and lessons learned. The effectiveness of Deutsche Bank Group´s overall information security program is evaluated on a regular basis by third-party organizations which include external auditors, regulators and security testing organizations.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The audit committee of our board of directors is responsible for overseeing the implementation of the cybersecurity policies and procedures applicable to us, and related reporting. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | This includes quarterly reporting to our audit committee as well as ad hoc incident reporting whereby if we are notified of an incident, whether reported to us by Deutsche Bank Group or any of our third-party vendors, we will assess it and advise the audit committee of our board of directors depending on the severity of the incident. The audit committee can, in its discretion and at our expense, retain special legal or other consultants to advise the audit committee or to assist in the conduct of any investigation, subject to our board of directors determination to allocate assets to pay for such investigation. |
| Cybersecurity Risk Role of Management [Text Block] | Responsibility for cybersecurity matters sits within the Chief Security Office, where it forms the first Line of Defense within Deutsche Bank’s Three Lines of Defense model. The Chief Security Officer (“CSO”) has delegated authority from the Deutsche Bank Management Board (“Management Board”) and reports directly to the Chief Technology, Data, and Innovation Officer, who is a member of the Management Board. The Management Board is accountable for the implementation of the information security framework, with oversight from the Deutsche Bank Supervisory Board. There are multiple mechanisms in place for the CSO to escalate security issues directly to the Management Board if required. Deutsche Bank’s Chief Security Officer has served in various information security roles for more than 20 years. This includes the role as global Chief Information Security Officer (“CISO”) / CSO for three different large European financial institutions and a partner position in a global strategy and consulting firm, leading security work for financial service clients. The Chief Security Officer is supported by information security role holders at various seniority levels to help ensure that security requirements are met from a regional, divisional, and technical perspective. The Chief Security Office develops Deutsche Bank Group’s security strategy and oversees its implementation and operationalization globally via the organizational set-up, governance, and implemented security policies. The security strategy, which is reviewed on a regular basis, incorporates developments in the threat landscape, technology, the regulatory environment, the overall corporate and IT strategy, and other internal and external parameters. The Chief Security Office maintains a comprehensive metrics and reporting framework, underpinned by an extensive data set allowing for global, regional, and divisional views. Security metrics and reporting provided to Deutsche Bank Group´s governance forums at all seniority levels support appropriate security risk awareness and decision taking. The Management Board receives a comprehensive quarterly information security risk posture report, as well as ad hoc information if required. Furthermore, the Chief Security Officer provides regular updates on material topics relating to security to the Supervisory Board’s Committee responsible for technology, data and innovation.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | The Chief Security Officer (“CSO”) has delegated authority from the Deutsche Bank Management Board (“Management Board”) and reports directly to the Chief Technology, Data, and Innovation Officer, who is a member of the Management Board. The Management Board is accountable for the implementation of the information security framework, with oversight from the Deutsche Bank Supervisory Board. There are multiple mechanisms in place for the CSO to escalate security issues directly to the Management Board if required. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Deutsche Bank’s Chief Security Officer has served in various information security roles for more than 20 years. This includes the role as global Chief Information Security Officer (“CISO”) / CSO for three different large European financial institutions and a partner position in a global strategy and consulting firm, leading security work for financial service clients. The Chief Security Officer is supported by information security role holders at various seniority levels to help ensure that security requirements are met from a regional, divisional, and technical perspective. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The Chief Security Office maintains a comprehensive metrics and reporting framework, underpinned by an extensive data set allowing for global, regional, and divisional views. Security metrics and reporting provided to Deutsche Bank Group´s governance forums at all seniority levels support appropriate security risk awareness and decision taking. The Management Board receives a comprehensive quarterly information security risk posture report, as well as ad hoc information if required. Furthermore, the Chief Security Officer provides regular updates on material topics relating to security to the Supervisory Board’s Committee responsible for technology, data and innovation.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |