|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Cybersecurity risk management is an integral part of our overall enterprise risk management program. Our cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers, and is designed to facilitate coordination across different departments of the Grifols Group in the handling of such cybersecurity threats and incidents. This framework takes a risk-based approach to cybersecurity, aligning with internationally recognized frameworks, including NIST (National Institute of Standards and Technology) and ISO 27001, and includes steps for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider, implementing cybersecurity countermeasures and mitigation strategies and, as later explained in greater detail, informing management and our Board of Directors of material cybersecurity threats and incidents.
Our Security Operations Center (SOC) and our Incident Response team (IRT) operate 24 hours per day, providing continuous monitoring across our data centers, perimeters, and workstations. The SOC utilizes a Security Information and Event Management (SIEM) system, which processes alerts and enables rapid detection of and response to cybersecurity incidents. Additionally, our cyber-intelligence capabilities track emerging threats, allowing for proactive mitigation strategies.
As cyberattacks evolve and become more sophisticated, we have strengthened our prevention and monitoring efforts. During the past few years, we ramped up cybersecurity and information security measures with the aim of ensuring adequate protection of our information and the assets supporting business processes. Our Chief Digital Information Officer (“CDIO”) is tasked with accelerating our companies’ use of digital platforms, data science and new technologies to transform and strengthen critical business activities such as relationships with plasma donors and customers as well as manufacturing operations, the development of new therapeutics and cybersecurity.
Our Cybersecurity Policy aims to strengthen our digital security framework. The policy focuses on maintaining secure and resilient systems, continuously assessing and mitigating cybersecurity risks, implementing protective measures, and adapting to technological changes. It also ensures effective incident response and regulatory compliance, supports a qualified cybersecurity team, provides training for employees and executives, and fosters collaboration with industry peers and government agencies.
We have adopted security measures in the past few years intended to: (i) ensure end-to-end protection of business processes, considering logical and physical security, privacy and fraud management concerns; (ii) ensure compliance with the security and privacy by design principles; and (iii) improve client access control and authentication services related to online services, from a security and user experience perspective. Our commitment to cybersecurity is underscored by our ISO 27001 certification, reflecting our adherence to the highest standards of data security.
To safeguard our digital infrastructure, we employ network segregation strategies, including enabled firewalls that isolate instruments from broader networks, permitting only authorized data streams. Our diagnostic systems utilize application whitelisting to block malware and ensure system integrity. Additionally, we encrypt connections and communications across information systems to maintain data confidentiality during transmission, for instance using Virtual Private Networks (VPNs). We enforce stringent user access controls, ensuring that personnel access only the data necessary for their roles. In our product development, we integrate advanced cybersecurity measures to ensure that sensitive data is securely protected. This commitment extends to our diagnostic solutions, which are designed with features to provide peace of mind to our clients and stakeholders.
Our approach includes continuous identification and assessment of cybersecurity risks, which are thoroughly analyzed to determine their possible present and future impact. Third-party evaluations are conducted as part of the evolution of our architecture and services. We regularly engage multiple service providers to perform periodic reviews and evaluations of our cybersecurity posture. We share the results with the IT and the Executive committee as part of the regular updates. These reviews encompass a broad range of areas, including but not limited to information technology system resilience, cybersecurity risk assessments, information security program assessments, external threat environment reviews, internal cybersecurity policy compliance, and near-term incident response to identify or disconfirm potential involvement of a threat actor. We maintain a highly qualified cybersecurity team comprising management, information technology, and legal experts.
In addition, SOC operation and incident response services are delivered by top companies in the cybersecurity sector to ensure that the most appropriate profiles with deep knowledge in cybersecurity are available with the right capacity to handle activities such as incident management, prioritization and incident resolution. When categorizing incidents, factors such as impact, number of users affected, type of information compromised, the threat actor involved, and sector trends are taken into consideration. Additionally, incidents are reviewed monthly in follow-up meetings with the vendor, shared in weekly IT committee sessions and discussed monthly in the cybersecurity council. Regular training programs for employees, executives, and directors are conducted to heighten awareness of cybersecurity risks and the importance of protecting sensitive and personal data.
In alignment with our continuous improvement commitment, we have updated our Cybersecurity Director Plan for the period 2025-2027. This plan outlines a comprehensive roadmap to achieve a cybersecurity maturity level that exceeds that of our peer companies.
The plan presented in the Board of Directors meeting on December 17, 2024, outlines the primary action lines, categorized according to the domains established by the Spanish National Institute of Standards and Technology (“NIST”): governance, identification, protection, detection, response and recovery.
In addition, we continuously carry out training and awareness initiatives related to security and privacy, promoting training and awareness campaigns for our employees. Some of the topics covered include protection of personal information, secure password management, device protection (laptops, smartphones, etc.), social engineering (phishing, smishing, vishing), detection of malware and other technical attacks, detection of scams, security in online purchases and how to react if there is a security incident.
As of the date of this annual report on Form 20-F, we have not identified any cybersecurity threats, including as a result of any previous cybersecurity incident, that materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see Item 3 of Part I, “D. Risk Factors—Risks Relating to the Company and Our Business—Cyber-attacks or other privacy and data security incidents could disrupt our business and expose us to significant losses, liability and reputational damage.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Cybersecurity risk management is an integral part of our overall enterprise risk management program. Our cybersecurity risk management program provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers, and is designed to facilitate coordination across different departments of the Grifols Group in the handling of such cybersecurity threats and incidents. This framework takes a risk-based approach to cybersecurity, aligning with internationally recognized frameworks, including NIST (National Institute of Standards and Technology) and ISO 27001, and includes steps for assessing the severity of a cybersecurity threat, identifying the source of a cybersecurity threat, including whether the cybersecurity threat is associated with a third-party service provider, implementing cybersecurity countermeasures and mitigation strategies and, as later explained in greater detail, informing management and our Board of Directors of material cybersecurity threats and incidents.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Our Board of Directors, through the Audit Committee, is responsible for supervising and evaluating the efficiency of the control and management of cybersecurity. Our Internal Audit and Enterprise Risk Management Department supports the Audit Committee in the fulfilment of this responsibility, which includes oversight of our threat landscape, posture, performance, and strategy related to cybersecurity. The Audit Committee is also charged with overseeing cybersecurity incident trends and the incidents that have been handled. Since no impactful incident occurred in 2024, no communication was made to the Audit Committee. In the event of an incident with impact, the Head of the Information Security Office would contact the Chief Digital and Information Officer, who will liaise with the relevant parties in the Executive Committee and Internal Audit to present the incident and its impact. The same audience will be updated regularly on the root cause and the countermeasures implemented, in addition to being briefed at the upcoming Audit Committee meeting.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|the Head of ISEC and the CDIO update the Audit Committee at least twice per year regarding the control and management on cybersecurity
|Cybersecurity Risk Role of Management [Text Block]
|
To support the deployment of the principles of our cybersecurity strategy and processes, we have created and implemented the Information Security Process and Management System (the “ISMS”). The ISMS is based on the appropriate definition of objectives, roles and responsibilities, policies and procedures, and technology to: (i) identify cybersecurity threats and related risks; (ii) protect critical assets; (iii) detect and respond to cybersecurity threats and cybersecurity incidents; and (iv) recover business services following a cybersecurity incident.
Our Head of the Information Security Office (“ISEC”) reports to the CDIO and has the authority to develop and implement our cybersecurity policies, standards and procedures, and to oversee the implementation and effectiveness of the ISMS. Our Head of the ISEC has more than 20 years of experience in cybersecurity practice, working for nine years in risk management practice in a “big four” accounting firm, and serving as Chief Information Security Officer and Data Protection Officer. She is a Telecommunication Engineer and holds CISA, CISM and ISO Lead Auditor 271001 certifications, among others. She is also a member of the ISMS Forum (La Asociación Española para el Fomento de la Seguridad de la Información) in Spain and participates in multiple roundtables to stay connected to the latest cybersecurity trends. Our Chief Digital Information Officer has more than 27 years of experience working across multiple sectors for Fortune 100 companies such as IBM, Procter and Gamble, HP and Deutsche Post DHL. We are also in the process of selecting and appointing the members of our new Global Cybersecurity Committee. This committee will facilitate the alignment of cybersecurity initiatives with business objectives; ensure global coverage of the ISMS; collaborate in the prioritization and execution of security initiatives and projects; and promote a culture of protection against cybersecurity threats throughout the Grifols Group entities. This committee will be comprised of representatives of business units, information technology and legal personnel, as well as operations and services areas.
In addition to periodic meetings with representatives from various areas, including lawyers, accountants and information technology specialists, as well as a continually open line of communication, the Head of ISEC and the CDIO update the Audit Committee at least twice per year regarding the control and management of cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Head of the Information Security Office (“ISEC”)
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Head of the ISEC has more than 20 years of experience in cybersecurity practice, working for nine years in risk management practice in a “big four” accounting firm, and serving as Chief Information Security Officer and Data Protection Officer. She is a Telecommunication Engineer and holds CISA, CISM and ISO Lead Auditor 271001 certifications, among others. She is also a member of the ISMS Forum (La Asociación Española para el Fomento de la Seguridad de la Información) in Spain and participates in multiple roundtables to stay connected to the latest cybersecurity trends. Our Chief Digital Information Officer has more than 27 years of experience working across multiple sectors for Fortune 100 companies such as IBM, Procter and Gamble, HP and Deutsche Post DHL.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
To support the deployment of the principles of our cybersecurity strategy and processes, we have created and implemented the Information Security Process and Management System (the “ISMS”). The ISMS is based on the appropriate definition of objectives, roles and responsibilities, policies and procedures, and technology to: (i) identify cybersecurity threats and related risks; (ii) protect critical assets; (iii) detect and respond to cybersecurity threats and cybersecurity incidents; and (iv) recover business services following a cybersecurity incident.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true