|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Ferrari recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. The identification, assessment and management of cybersecurity risk is integrated into our Enterprise Risk Management process, which in turn operates within the overall Ferrari Internal Control and Risk Management System. Cybersecurity risks related to our business, technical operations, privacy and compliance issues, including any Ferrari confidential information about vehicles, services, projects and all non-public activities related to the Racing Department, and the personal data of employees, clients and fans, are identified and addressed through a multi-faceted approach, including red-teaming, penetration testing, friendly phishing and third-party-managed cybersecurity posture analysis. Dealers’ and suppliers’ cybersecurity risks are evaluated in a similar way, as further explained below.
To defend against, detect and respond to cybersecurity incidents, we, among other things, conduct proactive privacy and cybersecurity reviews of systems and applications, including yearly attack exercises to test our cybersecurity posture, audit applicable data policies, perform penetration testing using external third-party tools, techniques and security service providers to test our posture, and operate a bug bounty program to encourage proactive vulnerability reporting. We also provide continuous training to employees through in-class sessions, online training, at least monthly “security pills” (i.e. emails to all users informing them of, for example, ongoing phishing campaigns, cyberattacks against suppliers, or stories about cybersecurity events, with the goal of improving end-user awareness), friendly phishing campaigns and dedicated one-to-one support and advisory for any cybersecurity question or doubt. Furthermore, our team monitors emerging laws and regulations related to data protection and information security (including Operational Technology (OT) and vehicles), implements appropriate changes and collaborates with technical and business stakeholders across our business units to further analyze the risk to the company and define detection, mitigation and remediation strategies.
Once identified, cybersecurity events and data incidents are collected, evaluated, ranked by severity and prioritized for response and remediation, including based on materiality, operational, business and privacy impact. Our incident response and breach management processes have four overarching and interconnected stages: 1) preparation for a cybersecurity incident, 2) detection and analysis of a security incident, 3) containment, eradication and recovery, and 4) post-incident analysis.
To protect its shareholders and stakeholders, starting from 2019 Ferrari has implemented a cyber insurance program that covers damages directly caused by hacking attacks, system failures and other cybersecurity events (loss of profit, costs and expenses, restoration costs), as well as damages incurred by third parties following a breach of security and/or confidentiality of personal data.
Third Party Engagement
As part of our risk management and strategies described above, we regularly engage external auditors and consultants to assess our compliance with applicable practices and standards, including for UNECE R155, SOX and NYDFS500 certification for cybersecurity of financial services, as well as for assistance with periodic security assessments such as penetration testing, continuous and automatic vulnerability assessment, email and web filtering, endpoint and infrastructure protection, data loss prevention, authentication systems, and advisory and support on certain cybersecurity enhancements. Leading cybersecurity companies from around the world are frequently involved. These partnerships enable us to leverage specialized knowledge, insights and training, ensuring our cybersecurity strategies and processes remain aligned with fast-evolving risk scenarios and new technologies.
Suppliers’ Security Profile
To oversee and identify cybersecurity threats associated with third parties, Ferrari has implemented an evaluation process for suppliers’ security profiles. Starting from the initial supplier evaluation, cybersecurity posture is evaluated through a specific questionnaire whose requirements differ depending on the type of goods or services provided. Depending on the outcome of the questionnaire, certain suppliers are audited in person by the Ferrari Internal Audit Department, which analyzes a supplier’s main risks and, together with the supplier, defines (and monitors) action plans to close or reduce the identified security gaps. At the end of the evaluation process, a cybersecurity maturity ranking is assigned and verified with a risk-based approach. The resulting risk profile is among the criteria used to assign the bid.
Suppliers are formally required to inform Ferrari, through a dedicated channel, of cyber incidents they suffer. Ferrari also hires additional cybersecurity services to be promptly and independently informed of suppliers’ cyber incidents and trigger the incident management process.
Dealers’ Security Profile
Dealers undergo a cybersecurity evaluation and assessment similar to that described above for suppliers, albeit using a different cybersecurity questionnaire. Any final action plans are agreed with the dealership management. As with suppliers, dealers are required to inform Ferrari Enterprise Cybersecurity in case of cyber incidents, and are subject to a monitoring process performed by Internal Audit.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Ferrari recognizes the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws. The identification, assessment and management of cybersecurity risk is integrated into our Enterprise Risk Management process, which in turn operates within the overall Ferrari Internal Control and Risk Management System. Cybersecurity risks related to our business, technical operations, privacy and compliance issues, including any Ferrari confidential information about vehicles, services, projects and all non-public activities related to the Racing Department, and the personal data of employees, clients and fans, are identified and addressed through a multi-faceted approach, including red-teaming, penetration testing, friendly phishing and third-party-managed cybersecurity posture analysis. Dealers’ and suppliers’ cybersecurity risks are evaluated in a similar way, as further explained below.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Audit Committee: it is the Committee appointed by the Board of Directors to oversee the implementation and maintenance of an adequate risk management and internal control system; it receives regular reporting on the most relevant risks and reviews and monitors the effectiveness of controls on these risks, including cyber risks. It invites the Head of Enterprise Cybersecurity and the CDTO to report on and discuss cybersecurity at a committee meeting at least once a year. With the same frequency, the Board of Directors is informed of cybersecurity strategy, governance and management. Further information about the Audit Committee is included in the Corporate Governance section.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee: it is the Committee appointed by the Board of Directors to oversee the implementation and maintenance of an adequate risk management and internal control system; it receives regular reporting on the most relevant risks and reviews and monitors the effectiveness of controls on these risks, including cyber risks. It invites the Head of Enterprise Cybersecurity and the CDTO to report on and discuss cybersecurity at a committee meeting at least once a year. With the same frequency, the Board of Directors is informed of cybersecurity strategy, governance and management. Further information about the Audit Committee is included in the Corporate Governance section.
|Cybersecurity Risk Role of Management [Text Block]
|
Cybersecurity management is governed by the following departments and committees:
•Enterprise Cybersecurity: the department is responsible for the cybersecurity of the Group, including information technology (IT), operational technology (OT) and vehicle cybersecurity. The Head of Enterprise Cybersecurity, who joined Ferrari in 2019, has a degree in legal informatics, an Executive MBA and over 10 years of experience at leading companies, including a multi-year role as Data Privacy Officer. The Head of Enterprise Cybersecurity reports to the Chief Digital Transformation Officer (CDTO) and also has a direct link to the CEO. For additional information relating to the CDTO’s qualifications see the “—Ferrari Leadership Team” within this section.
•Internal Control Committee (ICC): it meets periodically to monitor, evaluate and discuss Group enterprise cross-risks and approve related initiatives, including cybersecurity risks, the status of addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and the status of cybersecurity initiatives. It is composed of executives and C-level executives representing the Enterprise Cybersecurity, Digital Transformation, Legal, Finance, Internal Audit, Compliance and Risk (which includes Enterprise Risk Management) and Human Resources departments.
•Cyber Crisis Committee (CCC): it comes into play in case of significant cyber incidents. It is composed of the Enterprise Cybersecurity department and C-level executives representing the Digital Transformation, Legal, Finance, Communication, and Compliance departments as well as, depending on the individual case, the relevant internal business functions (e.g. Sales, Purchasing, Design and Racing).
•Audit Committee: it is the Committee appointed by the Board of Directors to oversee the implementation and maintenance of an adequate risk management and internal control system; it receives regular reporting on the most relevant risks and reviews and monitors the effectiveness of controls on these risks, including cyber risks. It invites the Head of Enterprise Cybersecurity and the CDTO to report on and discuss cybersecurity at a committee meeting at least once a year. With the same frequency, the Board of Directors is informed of cybersecurity strategy, governance and management. Further information about the Audit Committee is included in the Corporate Governance section.
In addition to the committees above, the CEO is directly and immediately informed of any material incidents and has direct contact with the Head of Enterprise Cybersecurity at least monthly.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|•Enterprise Cybersecurity: the department is responsible for the cybersecurity of the Group, including information technology (IT), operational technology (OT) and vehicle cybersecurity. The Head of Enterprise Cybersecurity, who joined Ferrari in 2019, has a degree in legal informatics, an Executive MBA and over 10 years of experience at leading companies, including a multi-year role as Data Privacy Officer. The Head of Enterprise Cybersecurity reports to the Chief Digital Transformation Officer (CDTO) and also has a direct link to the CEO. For additional information relating to the CDTO’s qualifications see the “—Ferrari Leadership Team” within this section.
•Internal Control Committee (ICC): it meets periodically to monitor, evaluate and discuss Group enterprise cross-risks and approve related initiatives, including cybersecurity risks, the status of addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and the status of cybersecurity initiatives. It is composed of executives and C-level executives representing the Enterprise Cybersecurity, Digital Transformation, Legal, Finance, Internal Audit, Compliance and Risk (which includes Enterprise Risk Management) and Human Resources departments.
•Cyber Crisis Committee (CCC): it comes into play in case of significant cyber incidents. It is composed of the Enterprise Cybersecurity department and C-level executives representing the Digital Transformation, Legal, Finance, Communication, and Compliance departments as well as, depending on the individual case, the relevant internal business functions (e.g. Sales, Purchasing, Design and Racing).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Head of Enterprise Cybersecurity, who joined Ferrari in 2019, has a degree in legal informatics, an Executive MBA and over 10 years of experience at leading companies, including a multi-year role as Data Privacy Officer. The Head of Enterprise Cybersecurity reports to the Chief Digital Transformation Officer (CDTO) and also has a direct link to the CEO. For additional information relating to the CDTO’s qualifications see the “—Ferrari Leadership Team” within this section.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Internal Control Committee (ICC): it meets periodically to monitor, evaluate and discuss Group enterprise cross-risks and approve related initiatives, including cybersecurity risks, the status of addressing and/or mitigating those risks, cybersecurity and data privacy incidents (if any) and the status of cybersecurity initiatives. It is composed of executives and C-level executives representing the Enterprise Cybersecurity, Digital Transformation, Legal, Finance, Internal Audit, Compliance and Risk (which includes Enterprise Risk Management) and Human Resources departments.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]