|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
Cybersecurity risk management is an integral part of our overall information security program. We follow a risk-based approach to information security, designed to align our practices with industry standards and regulatory requirements. We are implementing an Information Security Management System (“ISMS”) based on recognized industry governance frameworks, including the International Organization for Standardization, the National Institute of Standards and Technology and the Center for Internet Security Controls. Our existing management system provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers, and facilitates coordination in the event of any such threat or incident across different departments of our business. We use this framework together with information collected from external and internal assessments to develop our cybersecurity policies and procedures, such as our acceptable use standard, our vulnerability management standard, our identity and access control standard and our cybersecurity risk management standard, among others. We have also implemented certain incident response processes designed to detect, analyze, and respond to cybersecurity threats and incidents. These processes include steps for assessing the severity of the threat or incident, identifying the source of the threat or incident, including whether it is associated with a third-party service provider, initiating cybersecurity countermeasures and mitigation strategies and informing management and our board of directors of material cybersecurity threats and incidents.
We conduct regular risk assessments to identify and prioritize cybersecurity risks. These assessments involve evaluating potential threats, vulnerabilities, and potential impacts on our systems, data, and operations. We have implemented a range of technical and operational controls, including perimeter protection, endpoint detection and response, modern encryption, access controls, reliable data backups and security monitoring tools. These controls are designed to protect our systems, data and operations from cybersecurity threats and incidents. To assess the effectiveness of our security measures, we conduct penetration testing exercises at least annually. These tests simulate possible real-world cybersecurity attacks and attempt to exploit potential vulnerabilities in our systems and applications. We review the results of such penetration tests and risk assessments and prioritize identified vulnerabilities based on their severity and potential impact. The findings are documented, and a remediation plan is established.
We conduct security awareness and training programs for our employees and third-party service providers. These programs cover topics such as phishing, social engineering, password hygiene, and data protection to assist such employees and third-party service providers in understanding their role in maintaining the security of our systems, data and operations. Additionally, specific security awareness trainings are conducted for employees working in our IT Development & Operations departments. Although we employ vendor due diligence and onboarding procedures, our ability to monitor the cybersecurity practices of our vendors is limited and there can be no assurance that we can prevent or mitigate the risk of any compromise or failure in the information systems, software, networks and other assets owned or controlled by our vendors.
In 2024, we did not identify any cybersecurity threats or incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see “Item 3. Key Information—D. Risk Factors—Risks Related to Our Intellectual Property and Information Technology—A security breach or other disruption to our IT Systems could result in the loss, theft, misuse, unauthorized disclosure, or unauthorized access of wholesale partner, consumer, supplier, or sensitive company information or could disrupt our operations, which could damage our relationships with wholesale partners, consumers, suppliers or employees, expose us to litigation or regulatory proceedings, or harm our reputation, any of which could materially adversely affect our business, financial condition or results of operations” in this Annual Report.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Cybersecurity risk management is an integral part of our overall information security program. We follow a risk-based approach to information security, designed to align our practices with industry standards and regulatory requirements. We are implementing an Information Security Management System (“ISMS”) based on recognized industry governance frameworks, including the International Organization for Standardization, the National Institute of Standards and Technology and the Center for Internet Security Controls. Our existing management system provides a framework for handling cybersecurity threats and incidents, including threats and incidents associated with the use of services provided by third-party service providers, and facilitates coordination in the event of any such threat or incident across different departments of our business.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
Our board of directors holds overall responsibility for risk management oversight, ensuring that management has processes in place designed to identify, evaluate and address cybersecurity risks and mitigate cybersecurity incidents.
Management is tasked with identifying and assessing material cybersecurity risks on an ongoing basis, establishing monitoring processes, implementing mitigation measures, and maintaining cybersecurity programs. Amer Sports has a dedicated Information Security department, led by the Vice President, Cybersecurity Risk Management and Strategy (VP CSRM). The VP CSRM is supported by a team of experienced information systems security professionals and information security managers specializing in network security, application security, data protection, and incident response.
The VP CSRM is responsible for the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. With over 20 years of experience in information security, the VP CSRM has successfully developed and implemented cybersecurity strategies and programs, significantly improving the Company’s resilience against evolving cyber threats.
The VP CSRM reports to the Chief Information Officer (CIO), who also brings extensive expertise in IT and cybersecurity. Our Information Security department remains committed to staying abreast of evolving cybersecurity threats and best practices through ongoing education and training, ensuring that team members’ skills remain current in a dynamic cybersecurity landscape.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our board of directors holds overall responsibility for risk management oversight, ensuring that management has processes in place designed to identify, evaluate and address cybersecurity risks and mitigate cybersecurity incidents.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Amer Sports has a dedicated Information Security department, led by the Vice President, Cybersecurity Risk Management and Strategy (VP CSRM). The VP CSRM is supported by a team of experienced information systems security professionals and information security managers specializing in network security, application security, data protection, and incident response.
|Cybersecurity Risk Role of Management [Text Block]
|
Management is tasked with identifying and assessing material cybersecurity risks on an ongoing basis, establishing monitoring processes, implementing mitigation measures, and maintaining cybersecurity programs. Amer Sports has a dedicated Information Security department, led by the Vice President, Cybersecurity Risk Management and Strategy (VP CSRM). The VP CSRM is supported by a team of experienced information systems security professionals and information security managers specializing in network security, application security, data protection, and incident response.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The VP CSRM is responsible for the prevention, detection, mitigation, and remediation of cybersecurity threats and incidents. With over 20 years of experience in information security, the VP CSRM has successfully developed and implemented cybersecurity strategies and programs, significantly improving the Company’s resilience against evolving cyber threats.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|With over 20 years of experience in information security, the VP CSRM has successfully developed and implemented cybersecurity strategies and programs, significantly improving the Company’s resilience against evolving cyber threats.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The VP CSRM reports to the Chief Information Officer (CIO), who also brings extensive expertise in IT and cybersecurity. Our Information Security department remains committed to staying abreast of evolving cybersecurity threats and best practices through ongoing education and training, ensuring that team members’ skills remain current in a dynamic cybersecurity landscape.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true