Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy
We have developed and implemented a cybersecurity risk management approach intended to protect the confidentiality, integrity, and availability of our critical systems, information, and our customers’ data. Our cybersecurity risk management approach and processes are part of our Executive Board-issued risk management policy that aligns our management of risk to our risk appetite, and is consistent with the methodologies, reporting channels and governance processes that apply across our enterprise risk management program to legal, compliance, strategic, operational, financial and other risk areas of the SAP Group. We have central processes and corresponding solutions to store, maintain, and report enterprise risk-relevant information, including cybersecurity risks.
Our cybersecurity risk management approach includes a security software development and operations program intended to reduce risks to our products, a software vulnerability and patch management program, and cybersecurity incident detection, response, and recovery programs, among others. Our cybersecurity risk team is committed to integrating cybersecurity risks into our overall enterprise risk management approach and processes.
We design and implement a solid security and cloud compliance strategy in line with the overall SAP business, product, and technology strategies. To execute on that strategy, we establish and manage a risk-based cybersecurity framework for SAP according to well accepted industry standards such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and ISO 27001. In doing so, we use NIST CSF as a guide to advocate a risk-based approach to identify and assess cybersecurity risks relevant to our business.
Cybersecurity risks are reported regularly to the Executive Board through cumulative risk reporting, and risk updates are steered through regular security updates to the Executive Board. The Supervisory Board’s Product and Technology Committee (formerly the Technology and Strategy Committee) (PTC) and its Audit & Compliance Committee (ACC) are apprised of key cybersecurity risks. By bringing these risks to the attention of the Executive Board, the PTC, and the ACC as appropriate, SAP’s disclosure decision makers have an early and recurring opportunity to assess the materiality of these cybersecurity risks.
Key elements of our cybersecurity risk management approach include:
SAP internal and external experts are engaged to evaluate SAP’s risk identification, assessment, and monitoring systems and processes, including with respect to cybersecurity risks. For example, SAP engaged third-party consultants to assist with its implementation of the SAP Cybersecurity Framework according to NIST CSF and with the development of a NIST CSF self-assessment methodology, which was also contributed to the community under a creative license. The PTC and ACC periodically request an independent review of the quality of our cybersecurity risk monitoring systems.
Our risk management systems, including our cybersecurity monitoring systems, are regularly audited by our external auditors and are subject to internal audits. We consider the results of external and internal audits of our risk detection and monitoring systems and implement modifications as necessary. Finally, SAP engages third-party legal consultants as necessary to assist with the implementation of legal requirements and industry standards, and to identify process weaknesses and track improvements.
We have not identified risks from existing and known cybersecurity threats that have materially affected or are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. However, we are subject to certain risks that, if realized and sufficiently severe, are reasonably likely to materially affect our operations, business strategy or financial condition. See “Risk Factors – Cybersecurity and Security: Cybersecurity attacks or breaches, and security vulnerabilities in our infrastructure or services or those of our third-party partners could materially impact our business operations, products, and service delivery.”
Cybersecurity Risk Management Processes Integrated [Flag]
true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our cybersecurity risk management approach and processes are part of our Executive Board-issued risk management policy that aligns our management of risk to our risk appetite, and is consistent with the methodologies, reporting channels and governance processes that apply across our enterprise risk management program to legal, compliance, strategic, operational, financial and other risk areas of the SAP Group. We have central processes and corresponding solutions to store, maintain, and report enterprise risk-relevant information, including cybersecurity risks.
Cybersecurity Risk Management Third Party Engaged [Flag]
true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
false
Cybersecurity Risk Board of Directors Oversight [Text Block]

(1) Supervisory Board Oversight of Risks from Cybersecurity Threats
Starting in 2023, the Supervisory Board, through the Product and Technology Committee (PTC) (formerly the Technology and Strategy Committee) and its Audit & Compliance Committee (ACC), governs the Executive Board’s oversight of SAP’s cybersecurity risk management approach. Before 2023, the ACC had full oversight responsibility for SAP’s cybersecurity risk management approach.
The ACC reviews the effectiveness of SAP’s system for monitoring corporate security, which includes cybersecurity. The ACC coordinates with the members of the Executive Board, as well as the Chief Security Officer (CSO) and the Chief Security Compliance & Risk Officer (CSCRO), on the cybersecurity controls and other measures established by the Executive Board. The ACC is focused on cybersecurity risk and incident management and mitigation.
The PTC reviews and monitors the technical systems and processes intended to defend against cybersecurity attacks and improve the security of SAP’s infrastructure. The PTC coordinates with the members of the Executive Board as well as the CSO and the CSCRO on the potential and actual, if any, product and operational impacts of known cybersecurity risks and incidents. The PTC is focused on mitigating the product and operational-related impacts, if any, of cybersecurity risks and incidents.
The PTC and the ACC are informed about risks from cybersecurity threats by the Executive Board and security executives, with additional input from SAP’s Global Security & Cloud Compliance organization (SGSC), the Global Risk & Assurance Services group (GR&AS), SAP Legal, Business Information Security Officers (BISOs), and internal and external cybersecurity and legal consultants. SAP's Global Security & Cloud Compliance Office reports regularly to the PTC and to the ACC, as well as upon request and the occurrence of certain findings. In addition, the PTC and ACC often participate in meetings with the Executive Board or members thereof and security executives for the purpose of receiving information on and discussing SAP’s cybersecurity risks and risk management approach. The PTC and ACC participate in key decisions on cybersecurity-related issues, including risk materiality assessments, incident response and the provision of any necessary related disclosures.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Product and Technology Committee (PTC) (formerly the Technology and Strategy Committee) and its Audit & Compliance Committee (ACC)
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The PTC and the ACC are informed about risks from cybersecurity threats by the Executive Board and security executives, with additional input from SAP’s Global Security & Cloud Compliance organization (SGSC), the Global Risk & Assurance Services group (GR&AS), SAP Legal, Business Information Security Officers (BISOs), and internal and external cybersecurity and legal consultants. SAP's Global Security & Cloud Compliance Office reports regularly to the PTC and to the ACC, as well as upon request and the occurrence of certain findings. In addition, the PTC and ACC often participate in meetings with the Executive Board or members thereof and security executives for the purpose of receiving information on and discussing SAP’s cybersecurity risks and risk management approach. The PTC and ACC participate in key decisions on cybersecurity-related issues, including risk materiality assessments, incident response and the provision of any necessary related disclosures.
Cybersecurity Risk Role of Management [Text Block]

SAP Global Security & Cloud Compliance
SGSC is co-led by SAP’s CSO and its CSCRO, both of whom report to the Member of the Executive Board for Customer Service & Delivery. SGSC is responsible for areas such as product and application security, cyber defense, operational security risk management, security compliance, physical security, as well as the Trust Office that supports customers and partners with security-related issues. SGSC coordinates with SAP Legal and reports to the ACC and/or the PTC as well as the Executive Board regarding the prevention, detection, mitigation and remediation of cybersecurity risks and incidents, including assessments of the materiality of cybersecurity risks and incidents. In addition, the SGSC reports to the Executive Board, the PTC and/or ACC as necessary outside of the quarterly reporting cadence on any potentially material cybersecurity risks and incidents.
Business Information Security Officers (BISO)
Each of SAP’s product Lines of Business (LOB) has a BISO, who is a senior security leader assigned to manage the security strategy and operations of the LOB and coordinate with other BISOs through a BISO Council reporting to our CSO. These BISOs serve many important functions, including managing SAP’s risk within each LOB. It is the responsibility of each BISO to supervise and monitor the specific risks associated with their respective LOB. This facilitates the reporting of security threats to the Security & Risk Assurance (SRA) Team through the local unit risk coordinator. The SRA Team evaluates and measures the security risks using a cyber risk quantification tool. Once validated, these risks are recorded and included in the Global Enterprise risk register and subject to risk mitigation actions. In the event of an incident, the BISO helps manage the event and support the CSO, CSCRO and, ultimately, the Executive Board in their decision-making processes. BISOs are supported by local security resources to assist with implementing SAP’s security strategy and protections within the business and technology context best suited for the LOB in question. BISOs and SAP Legal coordinate on significant cybersecurity risks and incidents impacting their LOB.
Risk Coordinator
A Risk Coordinator assumes the delegated responsibilities of the business unit head to support risk management activities in the relevant areas of responsibility. However, not every LOB necessarily has a dedicated Risk Coordinator if the Business Unit Head is directly involved.
Global Risk & Assurance Services Organization
SAP’s GR&AS organization, led by our Chief Risk Officer/Chief Audit Executive (CRO), provides regular updates to the ACC, the PTC, and the Executive Board on SAP’s risk management systems and risks meeting SAP’s internal risk threshold. The CRO reports to SAP’s Group CFO and is responsible for designing and implementing SAP’s risk management system, with oversight by the Executive Board.
Cybersecurity Control Team
SAP maintains a cross-functional cybersecurity control team consisting of the CSO, the CSCRO, SVP Legal - Litigation and Cybersecurity, Chief Cybersecurity Counsel, Senior Corporate & Securities Counsel, Group Data Protection Officer & Head of SAP Data Protection, and members of SAP’s Global Accounting, Reporting & Tax department. This group meets on both a quarterly and an ad hoc basis to review cybersecurity issues, including but not limited to actual and potential cybersecurity incidents, thwarted attempts, cyber-related risks, and internal investigations (collectively, cybersecurity events). As part of its review and assessment, this group evaluates the implications, if any, of the cybersecurity events on SAP’s financial statements and related disclosures. Where appropriate, matters are escalated and discussed among SAP’s General Counsel, the Executive Board, the PTC and/or the ACC. Assessments at this level are carried out with senior leaders from the Cybersecurity Control Team and cybersecurity consultants, who provide the Executive Board, the PTC and/or the ACC with updates on an as-needed basis and in SAP Security briefings. SAP discusses any significant cybersecurity events, their impact on SAP’s financial statements, and any related disclosures with its external auditors.
Employee Cybersecurity Education, Training and Compliance
SGSC provides annual, mandatory security training which includes education and training on key cybersecurity risks companies like SAP face, and SAP’s expectations of employees as part of its risk mitigation strategy. In addition to this regular education, the Executive Board, the PTC and the ACC receive training on cybersecurity topics from our CSO, CSCRO and internal security staff as part of the continuing education on cybersecurity topics that impact public companies.
Cybersecurity Risk Management Positions or Committees Responsible [Flag]
true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The Executive Board is regularly apprised of and monitors SAP’s initiatives to prevent, detect, mitigate, and remediate cybersecurity risks and incidents, including processes supported by SGSC, SAP’s BISOs, GR&AS, SAP Legal, the Cybersecurity Control Team, and external legal and cybersecurity experts.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Certain members of SAP’s Executive Board have engineering, computer science and data science backgrounds and degrees, and knowledge, skills, and hands-on experience in cybersecurity risk and incident management.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Executive Board is regularly apprised of and monitors SAP’s initiatives to prevent, detect, mitigate, and remediate cybersecurity risks and incidents, including processes supported by SGSC, SAP’s BISOs, GR&AS, SAP Legal, the Cybersecurity Control Team, and external legal and cybersecurity experts. The SAP Security and Cloud Compliance Governance Model is designed to ensure executive engagement and facilitates shared responsibility in quarterly SAP Security Advisory Board and Security Council meetings and in periodic updates to the Executive Board.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
true