|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|ITEM 16K. CYBERSECURITY
Cybersecurity Risk Management and Strategy
We have developed and implemented a cybersecurity risk management program intended to protect the confidentiality,
integrity, and availability of our digital products and services, industrial systems and Internet connected assets
(collectively, “digital and technological environments” or “DT environments”), and the information generated and
used in all processes and operations that support business activities (collectively, “Confidential Information”).
We design and assess our program based on the National Institute of Standards and Technology Cybersecurity
Framework (NIST CSF). This does not imply that we meet any particular technical standards, specifications or
requirements, only that we use the NIST CSF as a guide to help us identify, assess and manage cybersecurity risks
relevant to our business. Separately, our program has also been certified as meeting the requirements of the
International Organization for Standardization (“ISO”) 27001 security standard.
Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and
shares common methodologies, reporting channels and governance processes that apply across the enterprise risk
management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include but are not limited to the following:
▪a risk management methodology, which we use as a guide to help us identify and manage privacy related
risks;
▪risk assessments designed to help identify potential material cybersecurity risks to our DT environments and
Confidential Information;
▪a security team led by Ferrovial Global Chief Information Security Officer (Global CISO), principally
responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls,
platforms and portfolio and (3) our response to cybersecurity incidents;
▪the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our
security controls;
▪cybersecurity awareness training of our employees, incident response personnel, and senior management;
▪a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
and
▪a third-party risk management process for key service providers based on our assessment of their criticality
to our operations and respective risk profile.
We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity
incidents, that have materially affected us, including our operations, business strategy, results of operations, or
financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect
us, including our operations, business strategy, results of operations or financial condition. See “3. Key Information—
D. Risk Factors—1. Risks Related to Our Business and Structure—4”. The increase in digitalization and consequently,
the increased risk of cyber threats and misuse of quantum technology, may affect our normal operation of assets and
our ability to generate expected value, which could have a material adverse effect on our business, financial condition,
and results of operations.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity risk management program is integrated into our overall enterprise risk management program, and
shares common methodologies, reporting channels and governance processes that apply across the enterprise risk
management program to other legal, compliance, strategic, operational, and financial risk areas.
Key elements of our cybersecurity risk management program include but are not limited to the following:
▪a risk management methodology, which we use as a guide to help us identify and manage privacy related
risks;
▪risk assessments designed to help identify potential material cybersecurity risks to our DT environments and
Confidential Information;
▪a security team led by Ferrovial Global Chief Information Security Officer (Global CISO), principally
responsible for managing (1) our cybersecurity risk assessment processes, (2) our security controls,
platforms and portfolio and (3) our response to cybersecurity incidents;
▪the use of external service providers, where appropriate, to assess, test or otherwise assist with aspects of our
security controls;
▪cybersecurity awareness training of our employees, incident response personnel, and senior management;
▪a cybersecurity incident response plan that includes procedures for responding to cybersecurity incidents;
and
▪a third-party risk management process for key service providers based on our assessment of their criticality
to our operations and respective risk profile.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|We have not identified risks from known cybersecurity threats, including as a result of any prior cybersecurity
incidents, that have materially affected us, including our operations, business strategy, results of operations, or
financial condition. We face risks from cybersecurity threats that, if realized, are reasonably likely to materially affect
us, including our operations, business strategy, results of operations or financial condition. See “3. Key Information—
D. Risk Factors—1. Risks Related to Our Business and Structure—4”. The increase in digitalization and consequently,
the increased risk of cyber threats and misuse of quantum technology, may affect our normal operation of assets and
our ability to generate expected value, which could have a material adverse effect on our business, financial condition,
and results of operations.”
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Cybersecurity Governance
Our Board considers cybersecurity risk as part of its risk oversight function and monitors cybersecurity and other
information technology risks. The Board also oversees management’s implementation of our cybersecurity risk
management program.
Once a year, the Board receives from our Global CISO a presentation on our cybersecurity risks, the status of our
cybersecurity program and general cybersecurity topics that impact public companies. In addition, the Global CISO
updates the Board, where they deem appropriate, regarding any significant cybersecurity incidents, as well as any
incidents considered to be potentially significant.
The Global CISO, together with the Ferrovial Head of Cybersecurity Governance and Business Continuity, the
Ferrovial Head of Cybersecurity Operations, and the local CISOs of our various Business divisions and subsidiaries
(collectively, the “Cybersecurity Management Team”), is responsible for assessing and managing our material risks
from cybersecurity threats and allocating resources to implement the cybersecurity program. The team has primary
responsibility for our overall cybersecurity risk management program and supervises both our internal cybersecurity
personnel and our retained external cybersecurity consultants. Our Cybersecurity Management Team’s general
experience includes:
▪Cybersecurity Governance, Risk & Compliance.
▪Cybersecurity Risk Management.
▪Control Framework Management and Assessment.
▪Third Party Risk Management.
▪Business Continuity Management.
▪Vulnerability Management.
▪Identity & Access Management and Protection.
▪Cybersecurity Culture and Awareness.
▪Audit and eDiscovery Management.
▪Cybersecurity Operations and Architectures.
▪Monitoring and Correlation.
▪Incident Detection and Response.
▪Endpoint Security.
▪Security in Communications Networks and Perimeters.
▪Cloud Security.
▪Application Security.
▪Attack Surface Management.
▪Threat Intelligence.
▪Information Protection.
▪Security in Software Development Lifecycle.
▪OT/IoT Security.
▪Cybersecurity Automation.
Specifically, the Ferrovial Global CISO is a security professional with more than 25 years of IT and cybersecurity
experience gained in a variety of companies and sectors with a balanced mix of strategy, management and operational
security skills developed in multicultural international environments, analyzing and delivering secure, cost effective
services in complex and high value business environments. Over his career, he has obtained ISACA CISA, CISM,
CRISC and CDPSE qualifications and complemented his education by completing an IESE Business School
Management Development Program (PDD) and an ESADE Business School Global Management Program (GMP).
He is trusted and relied upon by our executive management team to establish security governance and design a culture
throughout Ferrovial, that places an emphasis on building and leading internal teams at all levels to transform, embed
and improve security throughout the Organization.
The Ferrovial Head of Cybersecurity Governance and Business Continuity has 20 years of experience in cybersecurity,
developing global governance, risk and control models, and deploying them in complex, heterogeneous and
multicultural environments. Over his career, he has obtained ISACA CISA and CISM qualifications and ISO 27001
LA & LI and ISO 22301 LA certifications and complemented his education by completing an IT Governance Program
provided by Universidad of Deusto. He is a professor, collaborator and occasional speaker in associations focused on
the practice of cybersecurity and privacy.
The Ferrovial Head of Cybersecurity Operations is a seasoned cybersecurity, communications, and cloud professional
with over 15 years of experience in managing and deploying international security services, including prevention,
detection, response, and auditing. He has played a pivotal role in technological and operational transformations and the
extension of cybersecurity frameworks to corporate and OT/IoT environments, and leading cybersecurity initiatives in
major corporate carve-outs. He has also completed executive programs at IMD Business School, IE Business School,
and Universitas Ferrovial and obtained his master’s degree in DevOps from Universidad de La Rioja. He holds
multiple industry-recognized certifications, including Fortinet (FCNSA & FCNSP), Checkpoint (CCSA & CCSE),
Microsoft Azure Fundamentals, Bluecoat (BCCPA & BCCPP), and Cisco CCNA.
The Ferrovial Construction local CISO is a seasoned technology professional with over 18 years of experience in
cybersecurity, technology risk management, compliance, and internal audit. He possesses a senior profile with a
multidisciplinary background and a proven history of managing international projects. His expertise includes advising
senior management and implementing significant information security transformation and cultural change programs.
He holds a master’s degree in computer science and engineering from Universidad Autónoma de Madrid and has
completed Executive Management Programs at IE, Headspring, and The Power Business Schools. Throughout his
career, he has obtained numerous professional certifications, including ISACA's CISA, COBIT, ITIL, BS25999, and
CCI's Green Level Professional.
The Ferrovial CINTRA EU and NM local CISO is a security professional with more than 20 years of experience
spanning several multinational companies, in roles including IT Security Manager, Head of IT Audit, CIO and CISO.
Over his career, he has obtained several information security qualifications such as CISA, CISM, CRISC, Business
Continuity Lead Auditor and Green Level in Industrial Cybersecurity. He has also complemented his education with
an IE Business School Management Development Program.
The Ferrovial CINTRA USA local CISO is an information technology professional with over 25 years of experience
in cybersecurity, technical architecture design, systems implementation, operation, and maintenance. He holds a
bachelor’s degree in computer science from Universidad Tecnológica Simon Rodriguez de Venezuela, and a master’s
degree in computer network technology from Herzing University. Throughout his career, he has obtained numerous
professional certifications, including ISACA's CISA, ITIL, Cisco Certified Network Associate, Microsoft Certified
Systems Engineer, VMware Certified Professional, Red Hat Certified Engineer, Microsoft® Certified Azure
Fundamental, and Microsoft® Certified Azure Security Engineer.
The Ferrovial Energy local CISO has over 20 years of experience in technology and risk management across various
sectors. He supplements his professional life with teaching and is also a member of advisory boards and collaborates
with associations focused on cybersecurity and privacy. He holds a degree in Computer Engineering from Universidad
Autónoma of Madrid and has multiple risk management and security certifications (CISSP, CISA, CISM, CRISC,
CDPSE, CSX-F and ISO 27001). Additionally, he is certified as a Security Chief and Security Director by the
Ministry of the Interior of Spain. In addition to completing a board member program at ESADE, he is currently
finishing a degree in Business Management at Universidad Ramon Llull – LaSalle and an Executive MBA at EAE
Business School.
Our management team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents
through various means, which may include: briefings from security personnel; threat intelligence and other
information obtained from governmental, public or private sources, including external consultants engaged by us; and
alerts and reports produced by security tools deployed in the digital environment.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Specifically, the Ferrovial Global CISO is a security professional with more than 25 years of IT and cybersecurity
experience gained in a variety of companies and sectors with a balanced mix of strategy, management and operational
security skills developed in multicultural international environments, analyzing and delivering secure, cost effective
services in complex and high value business environments. Over his career, he has obtained ISACA CISA, CISM,
CRISC and CDPSE qualifications and complemented his education by completing an IESE Business School
Management Development Program (PDD) and an ESADE Business School Global Management Program (GMP).
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Once a year, the Board receives from our Global CISO a presentation on our cybersecurity risks, the status of our
cybersecurity program and general cybersecurity topics that impact public companies. In addition, the Global CISO
updates the Board, where they deem appropriate, regarding any significant cybersecurity incidents, as well as any
incidents considered to be potentially significant.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Ferrovial Global CISO; Ferrovial Head of Cybersecurity Governance and Business Continuity; Ferrovial Head of Cybersecurity Operations; Ferrovial Construction local CISO; Ferrovial CINTRA EU and NM local CISO; Ferrovial CINTRA USA local CISO
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Ferrovial Global CISO is a security professional with more than 25 years of IT and cybersecurity experience.
The Ferrovial Head of Cybersecurity Governance and Business Continuity has 20 years of experience in cybersecurity,
developing global governance, risk and control models, and deploying them in complex, heterogeneous and
multicultural environments.
The Ferrovial Head of Cybersecurity Operations is a seasoned cybersecurity, communications, and cloud professional
with over 15 years of experience in managing and deploying international security services, including prevention,
detection, response, and auditing.
The Ferrovial Construction local CISO is a seasoned technology professional with over 18 years of experience in
cybersecurity, technology risk management, compliance, and internal audit.
The Ferrovial CINTRA EU and NM local CISO is a security professional with more than 20 years of experience
spanning several multinational companies, in roles including IT Security Manager, Head of IT Audit, CIO and CISO.
The Ferrovial CINTRA USA local CISO is an information technology professional with over 25 years of experience
in cybersecurity, technical architecture design, systems implementation, operation, and maintenance.
The Ferrovial Energy local CISO has over 20 years of experience in technology and risk management across various
sectors.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our management team supervises efforts to prevent, detect, mitigate and remediate cybersecurity risks and incidents
through various means, which may include: briefings from security personnel; threat intelligence and other
information obtained from governmental, public or private sources, including external consultants engaged by us; and
alerts and reports produced by security tools deployed in the digital environment.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true