Credit Suisse (CS) Risk Analysis

Country, regional and political risks are components of market and credit risk. Financial markets and economic conditions generally have been and may in the future be materially affected by such risks. Economic or political pressures in a country or region, including those arising from local market disruptions, currency crises, monetary controls or other factors, may adversely affect the ability of clients or counterparties located in that country or region to obtain foreign currency or credit and, therefore, to perform their obligations to us, which in turn may have an adverse impact on our results of operations.

We finance and acquire principal positions in a number of real estate and real estate-related products, primarily for clients, and originate loans secured by commercial and residential properties. As of December 31, 2021, our real estate loans as reported to the SNB totaled approximately CHF 147.9 billion. We also securitize and trade in commercial and residential real estate and real estate-related whole loans, mortgages and other real estate and commercial assets and products, including CMBS and RMBS. Our real estate-related businesses and risk exposures could be adversely affected by any downturn in real estate markets, other sectors and the economy as a whole. In particular, we have exposure to commercial real estate, which has been impacted by the COVID-19 pandemic and resulting tight government controls and containment measures. Should these conditions persist or deteriorate, they could create additional risk for our commercial real estate-related businesses. In addition, the risk of potential price corrections in the real estate market in certain areas of Switzerland could have a material adverse effect on our real estate-related businesses.

We suffered reputational harm as a result of the Archegos and SCFF matters and may suffer further reputational harm in the future as a result of these matters or other events. Our ability to attract and retain customers, clients, investors and employees, and conduct business transactions with our counterparties, can be adversely affected to the extent our reputation is damaged. Harm to our reputation can arise from various sources, including if our comprehensive procedures and controls fail, or appear to fail, to prevent employee misconduct, negligence and fraud, to address conflicts of interest and breach of fiduciary obligations, to produce materially accurate and complete financial and other information, to identify credit, liquidity, operational and market risks inherent in our business or to prevent adverse legal or regulatory actions or investigations. Additionally, our reputation can be harmed by compliance failures, information or security breaches, personal data breaches, cyber incidents, technology failures, challenges to the suitability or reasonableness of our particular trading or investment recommendations or strategies and the activities of our customers, clients, counterparties and third parties. Actions by the financial services industry generally or by certain members or individuals in the industry also can adversely affect our reputation. In addition, our reputation may be negatively impacted by our ESG practices and disclosures, including those related to climate change and how we address ESG concerns in our business activities, or by our clients’ involvement in certain business activities associated with climate change. Adverse publicity or negative information in the media, posted on social media by employees, or otherwise, whether or not factually correct, can also adversely impact our business prospects or financial results, which risk can be magnified by the speed and pervasiveness with which information is disseminated through those channels. A reputation for financial strength and integrity is critical to our performance in the highly competitive environment arising from globalization and convergence in the financial services industry, and our failure to address, or the appearance of our failing to address, these and other issues gives rise to reputational risk that can harm our business, results of operations and financial condition. Failure to appropriately address any of these issues could also give rise to additional regulatory restrictions and legal risks, which may further lead to reputational harm. > Refer to “Reputational risk” in III – Treasury, Risk, Balance sheet and Off-balance sheet – Risk management – Risk coverage and management for further information.

We face significant legal risks in our businesses, and the volume and amount of damages claimed in litigation, regulatory proceedings and other adversarial proceedings against financial services firms continue to increase in many of the principal markets in which we operate. We and our subsidiaries are subject to a number of material legal proceedings, regulatory actions and investigations, and an adverse result in one or more of these proceedings could have a material adverse effect on our operating results for any particular period, depending, in part, on our results for such period. > Refer to “Note 40 – Litigation” in VI – Consolidated financial statements – Credit Suisse Group for information relating to these and other legal and regulatory proceedings involving our investment banking and other businesses. It is inherently difficult to predict the outcome of many of the legal, regulatory and other adversarial proceedings involving our businesses, particularly those cases in which the matters are brought on behalf of various classes of claimants, seek damages of unspecified or indeterminate amounts or involve novel legal claims. Management is required to establish, increase or release reserves for losses that are probable and reasonably estimable in connection with these matters, all of which requires the application of significant judgment and discretion. > Refer to “Critical accounting estimates” in II – Operating and financial review and “Note 1 – Summary of significant accounting policies” in VI – Consolidated financial statements – Credit Suisse Group for further information.

Operational risk is the risk of financial loss arising from inadequate or failed internal processes, people or systems or from external events. In general, although we have business continuity plans, our businesses face a wide variety of operational risks, including technology risk that stems from dependencies on information technology, third-party suppliers and the telecommunications infrastructure as well as from the interconnectivity of multiple financial institutions with central agents, exchanges and clearing houses. As a global financial services company, we rely heavily on our financial, accounting and other data processing systems, which are varied and complex, and we may face additional technology risks due to the global nature of our operations. Our business depends on our ability to process a large volume of diverse and complex transactions within a short space of time, including derivatives transactions, which have increased in volume and complexity. We may rely on automation, robotic processing, machine learning and artificial intelligence for certain operations, and this reliance may increase in the future with corresponding advancements in technology, which could expose us to additional cybersecurity risks. We are exposed to operational risk arising from errors made in the execution, confirmation or settlement of transactions or from transactions not being properly recorded or accounted for. Cybersecurity and other information technology risks for financial institutions have significantly increased in recent years and we may face an increased risk of cyber attacks or heightened risks associated with a lesser degree of data and intellectual property protection in certain foreign jurisdictions in which we operate. Regulatory requirements in these areas have increased and are expected to increase further, which may vary and potentially conflict across different jurisdictions. Information security, data confidentiality and integrity are of critical importance to our businesses, and there has been recent regulatory scrutiny on the ability of companies to safeguard personal information of individuals in accordance with data protection regulation, including the European General Data Protection Regulation and the Swiss Federal Act on Data Protection. Governmental authorities, employees, individual customers or business partners may initiate proceedings against us as a result of security breaches affecting the confidentiality or integrity of personal data, as well as the failure, or perceived failure, to comply with data protection regulations. The adequate monitoring of operational risks and adherence to data protection regulations have also come under increased regulatory scrutiny. Any failure of Credit Suisse to adequately ensure the security of data and to address the increased technology-related operational risks could also lead to regulatory sanctions or investigations and a loss of trust in our systems, which may adversely affect our reputation, business and operations. > Refer to “Recent regulatory developments and proposals– Switzerland – Data Protection Act”, “Regulatory Framework – Switzerland – Cybersecurity”, “Regulatory Framework – US – Cybersecurity” and “Regulatory Framework – EU – Data protection regulation” in Regulation and supervision for further information. Threats to our cybersecurity and data protection systems require us to dedicate significant financial and human resources to protect the confidentiality, integrity and availability of our systems and information. Despite our wide range of security measures, it is not always possible to anticipate the evolving threat landscape and mitigate all risks to our systems and information. These threats may derive from human error, misconduct (including errors in judgment, fraud or malice and/or engaging in violations of applicable laws, rules, policies or procedures), or may result from accidental technological failure. There may also be attempts to fraudulently induce employees, clients, third parties or other users of our systems to disclose sensitive information in order to gain access to our data or that of our clients. We could also be affected by risks to the systems and information of our clients, vendors, service providers, counterparties and other third parties. For example, remote working may require our employees to use third party technology, which may not provide the same level of information security as our own information systems. Risks relating to cyber attacks on our vendors and other third parties have also been increasing due to more frequent and severe supply chain attacks impacting software and information technology service providers in recent years. Security breaches may involve substantial remediation costs, affect our ability to carry out our businesses or impair the trust of our clients or potential clients, any of which could have a material adverse effect on our business and financial results. In addition, we may introduce new products or services or change processes, resulting in new operational risks that we may not fully appreciate or identify. The ongoing global COVID-19 pandemic has led to a wide-scale and prolonged shift to remote working for our employees, which increases the vulnerability of our information technology systems and the likelihood of damage as a result of a cybersecurity incident. For example, the use of remote devices to access the firm’s networks could impact our ability to quickly detect and mitigate security threats and human errors as they arise. Additionally, it is more challenging to ensure the comprehensive roll-out of system security updates and we also have less visibility over the physical security of our devices and systems. Our customers have also increasingly relied on remote (digital) banking services during the COVID-19 pandemic. This has resulted in a greater demand for our information technology infrastructure and increases the potential significance of any outage or cybersecurity incident that may occur. Due to the evolving nature of cybersecurity risks and our reduced visibility and control in light of remote working in the context of the global COVID-19 pandemic, our efforts to provide appropriate policies and security measures may prove insufficient to mitigate all cybersecurity and data protection threats. The rise in remote access, by both our employees and customers, has increased the burden on our information technology systems and may cause our systems (and our ability to deliver our services) to become slow or fail entirely. Any slowdown in our service delivery or any system outage due to overutilization will have a negative impact on our business and reputation. We and other financial institutions have suffered cyber attacks, information or security breaches, personal data breaches and other forms of attacks, incidents and failures. Cybersecurity risks have also significantly increased in recent years in part due to the growing number and increasingly sophisticated activities of malicious cyber actors, including organized crime groups, state-sponsored actors, terrorist organizations, extremist parties and hackers. In addition, we have been and will continue to be subject to cyber attacks, information or security breaches, personal data breaches and other forms of attacks, incidents and failures involving disgruntled employees, activists and other third parties, including those engaging in corporate espionage. We expect to continue to be the target of such attacks in the future, and we may experience other forms of cybersecurity or data protection incidents or failures in the future. In the event of a cyber attack, information or security breach, personal data breach or technology failure, we have experienced and may in the future experience operational issues, the infiltration of payment systems or the unauthorized release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary and other information relating to Credit Suisse, our clients, employees, vendors, service providers, counterparties or other third parties. Emerging technologies, including the increasing use of automation, artificial intelligence (AI) and robotics, as well as the broad utilization of third-party financial data aggregators, could further increase our cybersecurity risk and exposure. Given our global footprint and the high volume of transactions we process, the large number of clients, partners and counterparties with which we do business, our growing use of digital, mobile, cloud- and internet-based services, and the increasing frequency, sophistication and evolving nature of cyber attacks, a cyber attack, information or security breach, personal data breach or technology failure may occur without detection for an extended period of time. In addition, we expect that any investigation of a cyber attack, information or security breach, personal data breach or technology failure will be inherently unpredictable and it may take time before any investigation is complete. These factors may inhibit our ability to provide timely, accurate and complete information about the event to our clients, employees, regulators, other stakeholders and the public. During such time, we may not know the extent of the harm or how best to remediate it and certain errors or actions may be repeated or compounded before they are discovered and rectified, all or any of which would further increase the costs and consequences of a cyber attack, information or security breach, personal data breach or technology failure. If any of our systems do not operate properly or are compromised as a result of cyber attacks, information or security breaches, personal data breaches, technology failures, unauthorized access, loss or destruction of data, unavailability of service, computer viruses or other events that could have an adverse security impact, we could, among other things, be subject to litigation or suffer financial loss not covered by insurance, a disruption of our businesses, liability to our clients, employees, counterparties or other third parties, damage to relationships with our vendors or service providers, regulatory intervention or reputational damage. Any such event could also require us to expend significant additional resources to modify our protective measures or to investigate and remediate vulnerabilities or other exposures. We may also be required to expend resources to comply with new and increasingly expansive regulatory requirements related to cybersecurity.