|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our cybersecurity risk management framework is established in a dedicated addendum to our overall enterprise risk management framework. We manage cybersecurity risk at multiple levels within the organization. Due to our wide geographic spread and the acquisitions that we completed in recent years, our information systems are diversified, hosted by servers in multiple locations and supported by third-party providers of cloud services, with a wide range of software applications adapted to the different regions and functions. Policies and procedures across the Group for the safeguard of our information systems and the data residing therein are tailored to the specificities of the different parts of our organization.
Within this framework, the central Group management and the management of our segments, product lines and operating subsidiaries share responsibility for cybersecurity management and collaborate on assessing, identifying, and managing material risks. We use a variety of controls and processes to identify, mitigate and manage material cybersecurity risks, detect unusual activities and potential cybersecurity incidents or threats, including potential system breaches, and to verify the effectiveness of protective measures. Such controls and processes include identity and access management, infrastructure and architecture security, client and server end-point protection and network security. Information systems are monitored and tested on a regular basis with a view to keeping them secure and protected from cybersecurity threats. We seek to continuously strengthen our security processes and controls by investing in new and improved security technologies, improving incident response plans, engaging world-class cybersecurity advisors, contracting specialized service providers, and providing regular employee training. As part of these efforts, we have been considering emerging technologies, such as generative artificial intelligence, and the risks associated therewith. In addition, we have renewed for 2025 our Group-wide business cybersecurity insurance in order to mitigate the risk of liabilities that may result from cybersecurity incidents.
In order to manage the risk of a material impact on our operations, financial performance, and reporting due to cybersecurity threats and incidents, we have adopted a mandatory Group-wide Cybersecurity Incident Management Procedure (the “Cybersecurity Policy”). The Cybersecurity Policy, which is supported by procedural documentation, sets forth the steps to be followed and assigns clear responsibilities within the organization in connection with cyber threats and incidents, in order to manage the response process at all stages, from detection and assessment to internal reporting and escalation, review, remedial action (including mitigation and recovery), notification to the competent authorities (where applicable), and post-incident analysis.
We provide regular training and launch awareness campaigns addressed to Group employees to help them understand and comply with Group policies and applicable regulations, including those related to cybersecurity. As part of our cybersecurity strategy, we have deployed across our organization cybersecurity education platforms, with mandatory training for all employees equipped with a workstation or a device connected to the information systems, in order to increase the level of our employees’ training and awareness on cybersecurity. We also periodically launch phishing simulation campaigns with the aim of testing the level of awareness and expertise in recognizing malicious emails.
We work with several external consultants specializing in cybersecurity to improve our ability to identify and detect, protect against, and recover from, cybersecurity incidents. This includes both ongoing consulting services and specific interventions as our Segment CISOs deem necessary. A large part of our organization is serviced by security operations centers active 24 hours a day, 7 days a week, with market-leading providers, for the monitoring of potentially critical IT events from a cybersecurity perspective and intervening promptly with mitigation and remediation measures as and when necessary. We also engage external consultants who are experts in the field to perform penetration testing sessions; these sessions are aimed at identifying any vulnerabilities that may affect our systems and appropriately remediating them. In addition, our Cybersecurity Policy provides that external advisors may be engaged, as appropriate, in connection with the response to any cyber incidents.
Third-party providers which are given access to our data and programs are required to comply with operational rules set forth in our procedures regarding the use of our resources and access to our systems and are subject to specific access controls. For us to monitor the risks related to recourse to a third-party provider, we require third parties providing infrastructure services in the IT landscape for the purpose of internal control over financial reporting to provide a Service Organization Controls (“SOC”) report at least once a year, which includes information on such supplier’s internal control system as applied to its IT systems as well as any problems related thereto that occurred during the year.
We also require certain third parties (for example, certain suppliers which have access to some of our IT infrastructure) to complete a cyber security screening process, and to provide periodic security certifications. In connection with the foregoing activities, we adopt a risk-based approach.
As previously disclosed, in August 2021 we were subject to a ransomware attack that impacted the majority of our IT systems. As we refused to engage in discussions relating to the payment of the ransom, the responsible parties published certain accounting materials extracted from our IT systems. We publicly announced the IT systems breach and gradually restored our IT systems from secure backup servers during the weeks following the breach. In the last three fiscal years, we have not experienced any material cybersecurity incidents. See “Item 3.D—Risk Factors—A disruption in our information technology, including as a result of cybercrimes, could disrupt our business operations and compromise confidential and sensitive information” for further information about data protection and cybersecurity risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity risk management framework is established in a dedicated addendum to our overall enterprise risk management framework. We manage cybersecurity risk at multiple levels within the organization. Due to our wide geographic spread and the acquisitions that we completed in recent years, our information systems are diversified, hosted by servers in multiple locations and supported by third-party providers of cloud services, with a wide range of software applications adapted to the different regions and functions. Policies and procedures across the Group for the safeguard of our information systems and the data residing therein are tailored to the specificities of the different parts of our organization.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board has designated the Audit Committee, and delegated powers to it, to assist and advise the Board with respect to the application by the Company of information and communication technology, including risks relating to cybersecurity.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board has designated the Audit Committee, and delegated powers to it, to assist and advise the Board with respect to the application by the Company of information and communication technology, including risks relating to cybersecurity.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee meets regularly with management, the head of internal audit and the independent auditors to discuss risk assessment and risk management guidelines and policies and the Group’s significant risk exposures, the steps management has taken to monitor and control these exposures and the effectiveness of the design and operation of the internal risk management and control systems, including with respect to cybersecurity risk. It also meets at least annually with the Group Chief Information Officer, and/or the Segment CISOs for an update on cybersecurity risk management (including on key cybersecurity initiatives) and strategy. As frequently as may be necessary, the Audit Committee convenes to review the assessment of the materiality of cybersecurity incidents exceeding pre-defined severity thresholds, and the corporate communications relating to such incidents. The Audit Committee is also responsible for updating the Board on identified cybersecurity risks and material incidents, if any, as well as on remediation measures and investments required to be considered by the Board on cybersecurity matters.
|Cybersecurity Risk Role of Management [Text Block]
|Our organizational structure reflects the diversity of our Group by relying on the designation of a Chief Information Security Officer for each operating segment (each, a “Segment CISO”), who reports directly to the top management of the relevant segment. The Segment CISOs are principally responsible for elaborating the cybersecurity strategy for, as well as handling all cybersecurity incidents and threats in, their respective segment. They assess and monitor the IT environment, conduct and review the risk assessment and organize preventive and detective cybersecurity measures. Pursuant to the Cybersecurity Policy, upon notice from an IT technical team about a cybersecurity incident or threat, the competent Segment CISO assesses the event, assigns it a level of severity in accordance with a predefined scale, coordinates the responsive actions (including through the appointment of external advisors), escalates the matter as set forth in the Cybersecurity Policy, and prepares reports on each cybersecurity incident.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our organizational structure reflects the diversity of our Group by relying on the designation of a Chief Information Security Officer for each operating segment (each, a “Segment CISO”), who reports directly to the top management of the relevant segment. The Segment CISOs are principally responsible for elaborating the cybersecurity strategy for, as well as handling all cybersecurity incidents and threats in, their respective segment. They assess and monitor the IT environment, conduct and review the risk assessment and organize preventive and detective cybersecurity measures. Pursuant to the Cybersecurity Policy, upon notice from an IT technical team about a cybersecurity incident or threat, the competent Segment CISO assesses the event, assigns it a level of severity in accordance with a predefined scale, coordinates the responsive actions (including through the appointment of external advisors), escalates the matter as set forth in the Cybersecurity Policy, and prepares reports on each cybersecurity incident.
The Cybersecurity Policy establishes a committee (the “Cybersecurity Committee”) responsible for supporting the Segment CISOs and the Audit Committee in connection with the assessment of, and response to, cybersecurity incidents that meet a certain severity level or other conditions as established in the policy. The Cybersecurity Committee, with the Segment CISOs, prepares and shares with the Audit Committee at least annually a report on all the cybersecurity incidents that occurred during the relevant period. The Cybersecurity Committee comprises the Group Chief Information Officer, the Group Chief Financial Officer and Chief Of Operations and the Group General Counsel as permanent members, and may include additional members when dealing with specific cybersecurity incidents (including, for instance, the relevant Segment CISOs, or the chief executive officer or the chief financial officer of the entities affected by the cybersecurity incident).
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our Segment CISOs all have substantial relevant expertise (of more than a decade) in the areas of information security and cybersecurity risk management. They have extensive experience in the cybersecurity field, having served in various leadership roles in such sector, including working at leading consulting firms, providing cybersecurity services in different industries across different countries, acting as chief information security officers, and leading cybersecurity compliance efforts.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Cybersecurity Policy establishes a committee (the “Cybersecurity Committee”) responsible for supporting the Segment CISOs and the Audit Committee in connection with the assessment of, and response to, cybersecurity incidents that meet a certain severity level or other conditions as established in the policy. The Cybersecurity Committee, with the Segment CISOs, prepares and shares with the Audit Committee at least annually a report on all the cybersecurity incidents that occurred during the relevant period. The Cybersecurity Committee comprises the Group Chief Information Officer, the Group Chief Financial Officer and Chief Of Operations and the Group General Counsel as permanent members, and may include additional members when dealing with specific cybersecurity incidents (including, for instance, the relevant Segment CISOs, or the chief executive officer or the chief financial officer of the entities affected by the cybersecurity incident).
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true