|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
The cyber risk management process is an essential process within the information security management system (“ISMS”) of Evotec. The ISMS is a framework of policies and controls that manage information security and risk systematically and across the Company and is aligned with the baselines of ISO 27001, an international framework for information security. Information security risk management is incorporated into Evotec’s enterprise risk management system alongside other Company risks, all of which are overseen by the Company’s Supervisory Board. Cybersecurity risks are identified and evaluated by the Infosec team, reviewed, and approved by the management board and reported on to the Supervisory Board as part of the annual management review of company risks.
As previously disclosed, on April 6, 2023, Evotec was the victim of a ransomware incident that impacted our operations. The incident resulted in loss of sales and increased operating expenses related to response and recovery. The incident materially affected the Company, including our business strategy, results of operations, and financial condition. We have incurred costs resulting from the incident as we set up a new IT environment, and have incurred other recovery costs, and expect, due to the scope of the recovery and improvement activities, to continue incurring such costs. There is no guarantee that the risks from that incident or any future cybersecurity incident will not materially adversely affect Evotec in the future. For additional information about Evotec’s cybersecurity risks and the incident experienced in 2023, see Item 3 and Item 5 of this report. The Company has implemented the first iteration of a new and more secure IT environment, utilizing the guidance of expert third parties to consult on recommended security solutions and IT components. The migration of all IT-supported business processes into this new environment, as well as the continuous maintenance and improvement of the new environment remain constant priorities for the Company. The cyber incident has ultimately led to cybersecurity being given an even higher strategic and operational importance and greater financial resources.
In addition to implementing a new and secure IT environment, Evotec has processes in place to identify, analyze, and evaluate risks from cybersecurity threats.
Risk assessments are performed at least annually, focusing on the probability and potential impact of cybersecurity risks. Interim risk assessments are performed on a continual basis as needed, including but not limited to:
The Company has established a cybersecurity incident response process for responding to cybersecurity incidents with defined roles and responsibilities that facilitate coordination between the Chief Information Security Officer (“CISO”) and the IT, compliance, and business departments. The incident response process describes how to prepare for, detect, respond to, and recover from cybersecurity incidents, including processes to identify, assess the severity of, mitigate, and remediate the incident, as well as to comply with applicable legal and reporting obligations.
External consultants are often engaged to assist with IT projects, conduct risk analyses on behalf of the Company, or otherwise support the information security team. The Company also engages third parties to audit Evotec’s risk assessment process, in addition to the internal audits that we conduct.
We outsource elements of our information technology including infrastructure, platform, and software services, and as a result, several third-party vendors may or could have access to confidential information. Risks arising from cooperation with service providers are considered an integral part of the supplier assessment process. If the third party is determined to be of high risk, the Company will decline engagement.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
The cyber risk management process is an essential process within the information security management system (“ISMS”) of Evotec. The ISMS is a framework of policies and controls that manage information security and risk systematically and across the Company and is aligned with the baselines of ISO 27001, an international framework for information security. Information security risk management is incorporated into Evotec’s enterprise risk management system alongside other Company risks, all of which are overseen by the Company’s Supervisory Board. Cybersecurity risks are identified and evaluated by the Infosec team, reviewed, and approved by the management board and reported on to the Supervisory Board as part of the annual management review of company risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
As previously disclosed, on April 6, 2023, Evotec was the victim of a ransomware incident that impacted our operations. The incident resulted in loss of sales and increased operating expenses related to response and recovery. The incident materially affected the Company, including our business strategy, results of operations, and financial condition. We have incurred costs resulting from the incident as we set up a new IT environment, and have incurred other recovery costs, and expect, due to the scope of the recovery and improvement activities, to continue incurring such costs. There is no guarantee that the risks from that incident or any future cybersecurity incident will not materially adversely affect Evotec in the future. For additional information about Evotec’s cybersecurity risks and the incident experienced in 2023, see Item 3 and Item 5 of this report. The Company has implemented the first iteration of a new and more secure IT environment, utilizing the guidance of expert third parties to consult on recommended security solutions and IT components. The migration of all IT-supported business processes into this new environment, as well as the continuous maintenance and improvement of the new environment remain constant priorities for the Company. The cyber incident has ultimately led to cybersecurity being given an even higher strategic and operational importance and greater financial resources.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
The Security Board, comprised of members of management, the Senior Vice President (“SVP”) Head of Global Information Security acting as the CISO (an interim Head of Global Information Security was engaged till May 2024) and the EVP Global Head of Information Technology & Data, is the security committee which discusses, decides, and addresses risks as part of the IT environment reconstruction project. The Security Board was launched due to the cyberattack in 2023. In 2024 the Security Board’s scope was further expanded to cover all cybersecurity risks and related projects.
The Company currently employs a CISO who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. (The position of the CISO was managed by an Interim CISO between May 2023 and May 2024). The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board.
Both the current CISO, employed since May 2024, and the interim CISO each have more than 10 years of professional experience in cyber and information security, including information risk management.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Security Board, comprised of members of management, the Senior Vice President (“SVP”) Head of Global Information Security acting as the CISO (an interim Head of Global Information Security was engaged till May 2024) and the EVP Global Head of Information Technology & Data, is the security committee which discusses, decides, and addresses risks as part of the IT environment reconstruction project.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Company currently employs a CISO who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. (The position of the CISO was managed by an Interim CISO between May 2023 and May 2024). The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board
|Cybersecurity Risk Role of Management [Text Block]
|The Company currently employs a CISO who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. (The position of the CISO was managed by an Interim CISO between May 2023 and May 2024). The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Company currently employs a CISO who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. (The position of the CISO was managed by an Interim CISO between May 2023 and May 2024). The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Both the current CISO, employed since May 2024, and the interim CISO each have more than 10 years of professional experience in cyber and information security, including information risk management.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Company currently employs a CISO who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. (The position of the CISO was managed by an Interim CISO between May 2023 and May 2024). The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef