|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|The Company has established cybersecurity policies to process cybersecurity threats from the crisis management phase,
whereby the Company conducts severity and materiality assessments, to the disclosure phase. The purpose of these procedures is to
ensure that TORM complies with statutory and regulatory requirements such as the: (i) Commission’s cybersecurity policy requiring
registrants to disclose material cybersecurity incidents on Form 6-K and to disclose on an annual basis material information regarding
its cybersecurity risk management, strategy and governance on Form 20-F; and (ii) Network and Information Security Directive 2
(NIS2 Directive) from the EU which aims to achieve a high common level of cybersecurity across Member States.
These policies are intended to apply to all cybersecurity incidents with material or critical risk impact to the Company’s
employees, assets and third parties, including customers, external consultants, vendors, and suppliers. An incident (or collection of
related incidents) is considered material if there is a substantial likelihood that a reasonable shareholder would consider it important in
making an investment decision, or if it would have significantly altered the ‘total mix’ of information made available.
The Company is continuously reassessing its IT risks. In 2024, the estimated likelihood that a cybersecurity incident would
occur changed to "possible" due to the increased threats from Russia and the observed cases of hybrid warfare aimed at critical
infrastructure. Impact assessments establish that there will only be minor operational and financial impacts of a cyber incident due to effective business continuity plans including effective incident response and disaster recovery plans.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|IT Security Policies
The Company’s IT Security Policy is based on ISO27001:2022. The purpose of the IT Security Policy is to preserve the
confidentiality, integrity, and availability of systems and data used by TORM, to reduce the risk of information security incidents, and
to ensure compliance with relevant legislation.
The Company has also implemented a cybersecurity incident response policy based on the SANS (Sysadmin Audit, Network
and Security) incident response framework. The purpose of the incident response policy is to ensure that TORM detects, responds to
and reports security incidents to minimize impact, prevent foreseen future incidents and to comply with regulatory requirements.
To proactively manage cybersecurity risks, the Company has defined an IT risk management policy based on ISO27005 and
integrated the following procedures: (i) Crisis Management Procedure; (ii) Business Continuity Procedure; (iii) Disaster Recovery
Procedure; (iv) Disclosure Procedure, and (v) Data Breach Response.
To ensure that the Company can comprehensively respond to cybersecurity incidents, the Company has developed and
maintained certain procedures including, but not limited to, identifying, and maintaining inventory of critical IT assets, securing
defined lines of communication, providing employees with cybersecurity awareness training and testing incident response procedures
annually. The Company has also established identification, containment, eradication and recovery, and post-incident evaluation
procedures.
The Company has established a detection procedure whereby it deploys a monitoring system that analyzes correlated events
from multiple systems and notifies IT of incidents that should be investigated and assessed. The Company has also implemented
procedures to continuously monitor vulnerabilities in its systems to proactively mitigate these vulnerabilities before a potential exploit.
Additionally, the Company shall attempt to contain the incident’s impact and intend to remediate or remove any malware or other
artifacts introduced by the attacks. In case a significant cybersecurity incident occurs, the Company shall compile a detailed
examination and discussion of the events, no later than two weeks after the incident.
In addition to the Company’s cybersecurity incident response policy described above, TORM has implemented a third-party
management policy which is based on COBIT 2019 (Control Objectives for Information and Related Technologies) control objectives.
The policy applies to any third-party person, independent consultant, organization, or legal entity, including suppliers, vendors, or
business partners with whom TORM contracts for IT products and services. The Company performs due diligence on its third-party
management to ensure that the performance of the supplier, IT security measures and third-party risks are regularly reviewed and assessed.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Board of Directors, which ultimately oversees cybersecurity risks and initiatives.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Committee
monitors the progress of TORM’s cybersecurity efforts and together with the Chief Financial Officer ensures integrity of reporting.
The Risk Committee reports to the Board of Directors at each Risk Committee meeting.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Based on the risk assessment, risks are prioritized for risk
treatment to comply with the defined risk appetite and exceptions are escalated to the risk owner (the Chief Financial Officer) for
approval. Cybersecurity risks are being continuously monitored and the risk registers for vessels and office are being reviewed on an
annual basis. Head of Group IT and the Company's CISO annually report on risks and approved exceptions to the Senior Management Team and the Risk Committee.
|Cybersecurity Risk Role of Management [Text Block]
|The Chief Financial Officer has the overall risk ownership and accountability to control such risk. The Chief Financial
Officer formulates cybersecurity strategies and drives initiatives, and together with the Head of Group IT, sets targets, assesses risks,
develops policies and procedures, and executes our cybersecurity efforts. The Chief Financial Officer regularly reports to the Risk
Committee and the overall Board of Directors, which ultimately oversees cybersecurity risks and initiatives. The Risk Committee
monitors the progress of TORM’s cybersecurity efforts and together with the Chief Financial Officer ensures integrity of reporting.
The Risk Committee reports to the Board of Directors at each Risk Committee meeting.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The head of Group IT, assisted by the Company's CISO, is responsible for keeping the IT security policy and the IT Risk
Management Policy updated and communicated to relevant stakeholders in the TORM Group. Furthermore, it is the head of Group
IT’s responsibility to ensure that these policies are reviewed at least once a year and re-approved by the Risk Committee of the Board
of Directors.
Under the IT Risk Management Policy, cybersecurity risks are identified and evaluated based on an evaluation of threat
scenarios, critical assets, vulnerabilities, threats and existing controls. Based on the risk assessment, risks are prioritized for risk
treatment to comply with the defined risk appetite and exceptions are escalated to the risk owner (the Chief Financial Officer) for
approval. Cybersecurity risks are being continuously monitored and the risk registers for vessels and office are being reviewed on an
annual basis. Head of Group IT and the Company's CISO annually report on risks and approved exceptions to the Senior Management
Team and the Risk Committee.
The Chief Financial Officer has the overall risk ownership and accountability to control such risk. The Chief Financial
Officer formulates cybersecurity strategies and drives initiatives, and together with the Head of Group IT, sets targets, assesses risks,
develops policies and procedures, and executes our cybersecurity efforts. The Chief Financial Officer regularly reports to the Risk
Committee and the overall Board of Directors, which ultimately oversees cybersecurity risks and initiatives. The Risk Committee
monitors the progress of TORM’s cybersecurity efforts and together with the Chief Financial Officer ensures integrity of reporting.
The Risk Committee reports to the Board of Directors at each Risk Committee meeting.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Head of Group IT has more than 10 years of experience in IT management, with six years of experience in roles as chief
information officer and Head of IT with enterprise responsibility for information security. Apart from this, the Head of Group IT is
Certified in Cybersecurity (CC) from ISC2 and is attending the NIS2 Executive Program by Bech-Bruun.
In 2024, the Company hired a CISO with more than 10 years of dedicated experience in the cybersecurity field to head the IT
risk and security team and to lead the continuous work on increasing the cybersecurity maturity in the Company.
The Chief Financial Officer has extensive experience from senior positions in banking and from heading up the Company’s
IT and Risk Management Division for more than five years. The Chief Financial Officer is responsible for IT, as well as Risk
Management, and has focused intensively on information security, including cybersecurity, and is following a designated NIS2
Executive Program.
The Chief Executive Officer has extensive experience from senior management positions in the shipping industry for over 25
years. As Chief Executive Officer and a member of the Board of Directors, he has had the overall managerial responsibility for the
Company’s information security, and he has been closely involved in designing the Company’s Risk Management set-up and
procedures. The Chief Executive Officer has been closely involved in designing cybersecurity training for the Company’s Board of
Directors.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Under the IT Risk Management Policy, cybersecurity risks are identified and evaluated based on an evaluation of threat
scenarios, critical assets, vulnerabilities, threats and existing controls. Based on the risk assessment, risks are prioritized for risk
treatment to comply with the defined risk appetite and exceptions are escalated to the risk owner (the Chief Financial Officer) for
approval. Cybersecurity risks are being continuously monitored and the risk registers for vessels and office are being reviewed on an
annual basis. Head of Group IT and the Company's CISO annually report on risks and approved exceptions to the Senior Management
Team and the Risk Committee.
The Chief Financial Officer has the overall risk ownership and accountability to control such risk. The Chief Financial
Officer formulates cybersecurity strategies and drives initiatives, and together with the Head of Group IT, sets targets, assesses risks,
develops policies and procedures, and executes our cybersecurity efforts. The Chief Financial Officer regularly reports to the Risk
Committee and the overall Board of Directors, which ultimately oversees cybersecurity risks and initiatives. The Risk Committee
monitors the progress of TORM’s cybersecurity efforts and together with the Chief Financial Officer ensures integrity of reporting.
The Risk Committee reports to the Board of Directors at each Risk Committee meeting.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true