|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Protecting the security and integrity of CureVac’s IT systems and safeguarding the privacy of our business partners, patients and employees along with our intellectual property is a key priority for us. Cybersecurity risks are among the core risks evaluated through our enterprise risk management program.
To address cybersecurity threats and in an effort to prevent IT system interruptions, we are developing enterprise-wide policies, procedures, and practices based on industry standards, including the ISO 27001 Standard and “BSI-Grundschutz”. CureVac’s systems are regularly patched and updated with supported software releases. We conduct regular internal vulnerability analyses (including simulated hacking) as well as external penetration testing utilizing third parties to verify and ensure the effectiveness of our cybersecurity controls. Our employees are required to participate in our cybersecurity awareness program, which includes access to specific cybersecurity and information security training sessions and content and periodic phishing attack simulations.
CureVac requires employees to report IT security incidents to the IT security team via CureVac’s internal service management platform. Additionally, we have implemented a 24/7/365 Cyber Security Operations Center (CSOC) operated by an external third party. The CSOC provides active monitoring and is responsible for investigating any security incidents and alerts on our platforms.
In 2024, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or incidents or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Risk Factors–Risks Related to Our Business and Industry” in this Annual Report on Form 20-F.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Protecting the security and integrity of CureVac’s IT systems and safeguarding the privacy of our business partners, patients and employees along with our intellectual property is a key priority for us. Cybersecurity risks are among the core risks evaluated through our enterprise risk management program.
Our IT security team is responsible for assessing and maintaining our cybersecurity risk management program. Our Head of IT oversees our cybersecurity program and is supported by our Senior Director of Infrastructure & Operations, the IT Leadership Team and other business leaders. Our cybersecurity program is designed to enable the Company to respond to the threat of security breaches and cyberattacks and to protect and preserve the confidentiality, integrity, and continued availability of information assets processed by the Company. Our Senior Director of Infrastructure & Operations and his team are experienced subject matter experts in the field of information security. The Senior Director of Infrastructure & Operations has over 25 years of international experience in information security, IT strategy and IT management, including security consulting. Similarly, our Head of IT has over 25 years of experience in various senior international IT leadership roles. Our internal IT security team is augmented by third parties, who provide additional information security expertise.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The management board provides oversight over the enterprise risk management program, reviews the risk portfolio on a quarterly basis and is responsible for ensuring that we have implemented an appropriate and effective risk management system and process. The supervisory board reviews the enterprise risk management program on an annual basis. In addition, the Head of IT provides regular updates on the status of the cybersecurity program, and emerging cybersecurity threats and incidents to the management board. At least once each year, the Audit Committee discusses our approach to cybersecurity risk management with the Head of IT and, as necessary, to the full supervisory board, based on management’s assessment of risk.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Audit Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|In addition, the Head of IT provides regular updates on the status of the cybersecurity program, and emerging cybersecurity threats and incidents to the management board.At least once each year, the Audit Committee discusses our approach to cybersecurity risk management with the Head of IT and, as necessary, to the full supervisory board, based on management’s assessment of risk.
|Cybersecurity Risk Role of Management [Text Block]
|
Our IT security team is responsible for assessing and maintaining our cybersecurity risk management program. Our Head of IT oversees our cybersecurity program and is supported by our Senior Director of Infrastructure & Operations, the IT Leadership Team and other business leaders. Our cybersecurity program is designed to enable the Company to respond to the threat of security breaches and cyberattacks and to protect and preserve the confidentiality, integrity, and continued availability of information assets processed by the Company. Our Senior Director of Infrastructure & Operations and his team are experienced subject matter experts in the field of information security. The Senior Director of Infrastructure & Operations has over 25 years of international experience in information security, IT strategy and IT management, including security consulting. Similarly, our Head of IT has over 25 years of experience in various senior international IT leadership roles. Our internal IT security team is augmented by third parties, who provide additional information security expertise.
Where appropriate, threats or incidents are escalated to our Head of IT, who informs our CEO, management board and/or Data Protection Officer of any such threats or incidents. Any breaches related to personal data are managed by the Data Protection Officer in consultation with CureVac’s IT security team.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Head of IT
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Senior Director of Infrastructure & Operations and his team are experienced subject matter experts in the field of information security. The Senior Director of Infrastructure & Operations has over 25 years of international experience in information security, IT strategy and IT management, including security consulting. Similarly, our Head of IT has over 25 years of experience in various senior international IT leadership roles.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Where appropriate, threats or incidents are escalated to our Head of IT, who informs our CEO, management board and/or Data Protection Officer of any such threats or incidents.The Head of IT updates the status of the cybersecurity program quarterly within the enterprise risk management program.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef