
INFORMATION SECURITY RISK:

Information security risk comprises the impacts to an organization and its stakeholders that could occur
due to the threats and vulnerabilities associated with the operation and use of information systems and the
environments in which those systems operate. The primary means of mitigating information security-
related risk is through the selection, implementation, maintenance, and continuous monitoring of
preventive, detective, and corrective security controls to protect information assets from compromise or to
limit the damage to the organization should a compromise occur. It is vitally important for HBL to protect
its customers and their data from cyber-attacks and large-scale data breaches. Information Security plays a
pivotal role in protecting HBL’s data assets from both internal and external threats through cyber security
risk and security assessments. These are supported by preventive and detective controls capable of
responding to emerging external threats. During 2019, a centralized vulnerability assessment and
penetration testing program was established with enhanced coverage including domestic and international
IT assets. Cyber-security awareness for staff and customers continued to be a prime focus area. A formal
risk assessment program covering sensitive areas, third parties and IT assets was also accomplished.
Cyber-security resilience was enhanced through the roll-out of security solutions such as anti-malware
and data loss protection, encryption, and enhanced monitoring of cyber-security operations. We retained
our PCI DSS certification, which is the de facto security standard for the Payment Card Industry. We also
successfully passed our audit for the ISO 27001 Information Security Certification. In 2020, we will
continue to seek re-certifications and new certifications to improve security and controls to best-in-class
levels. Going forward, we plan to strengthen our cyber-defences through the use of AI and machine
learning based technologies, proactively mitigating against advanced threats. We will also implement
end-to-end risk assessments and a centralized identity and access management system. We will enhance
the capability, coverage, and skill set of our 24x7 Information Security Operations Center. Improved data
loss prevention systems will mitigate against data leakages and potential disclosure of confidential
information. Customers themselves are an important component of the security process and continuous
customer education about cyber risks will remain an important component of our defense strategy. These
measures will allow HBL to offer innovative digital solutions to its clients while ensuring them protection
and peace of mind.

EQUITY RISK:
Equity risk is "the financial risk involved in holding equity in a particular investment." Equity
risk often refers to equity in companies through the purchase of stocks, and does not commonly
refer to the risk in paying into real estate or building equity in properties.
The measure of risk used in the equity markets is typically the standard deviation of a security's
price over a number of periods. The standard deviation will delineate the normal fluctuations one
can expect in that particular security above and below the mean, or average. However, since
most investors would not consider fluctuations above the average return as "risk," some
economists prefer other means of measuring it. The Bank holds equity investments in both the
AFS and HFT portfolios. The AFS portfolio takes a medium-term market view of capital gains
and dividend income while the realization of short-term capital gains is the principal objective of
the HFT portfolio. The portfolios are managed by the Bank through the Equity Investment Policy
approved by the Board. The policy defines various position limits, portfolio limits and loss
triggers for the equity desk. The Bank also applies stress tests on the equity portfolio which is
part of the Bank’s overall market risk exposure limit on the trading book.
