XML 63 R40.htm IDEA: XBRL DOCUMENT v3.25.0.1
Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Our embedded approach to ERM is formalized in a specific policy and is aligned with ISO 31000 (Risk Management). This enables us to:
set and enable our Company strategy, manage our performance, and capitalize on opportunities; and
systematically identify, evaluate and treat specific risk scenarios.
Our ERM improvement roadmap includes, in particular, deploying our risk framework which is based on the following principles:
taking into consideration the interests of our stakeholders;
addressing uncertainty explicitly;
pragmatic and tailored to us;
integral part of our processes and decision-making;
proactive, structured, dynamic, iterative and responsive to change; and
based on the best available information.
Our risk governance, including our governance of cybersecurity risks, is described in the following chart:
[Chart: risk governance, including governance of cybersecurity risks (image2.jpg)]
The embedded ERM process takes a holistic view, combining both company-wide top-down and bottom-up perspectives, to ensure that specific risk scenarios are addressed at the right level. The process is implemented as described in the following chart:
[Chart: embedded ERM process, top-down and bottom-up (image1.jpg)]
As part of the overall risk framework, we have also designed and implemented a dedicated resilience framework which provides a consistent approach to addressing risks of potential disruptions of our resources, including potential cybersecurity attacks. In 2024, we continued to enhance a company-specific methodology underpinning a global dashboard: a range of relevant indicators based on internal or external standards, covering dimensions such as exposure to natural hazards, loss prevention characteristics, facilities robustness, equipment modernization and redundancy, IT infrastructure quality and cyber protection. For every significant site, those indicators are compiled in our “site resilience index”, which is updated on a quarterly basis. Annually, site management teams prepare and update a site improvement plan accordingly.
Cybersecurity risk management is an integral part of the overarching risk framework and seeks to identify and address fast-evolving cybersecurity threats. The management of cybersecurity risks is governed by the Executive Committee and receives regular oversight from the Audit Committee as a standing item. Please see “Item 6. Directors, Senior Management and Employees” for a description of the biographies of our Executive Committee and Audit Committee members.
Furthermore, we have been ISO 22301 (Security and Resilience) certified since 2016. Throughout 2024, our continuous improvements have been subject to both internal audits and external surveillance audits by the certification body. We have also been certified to ISO/SAE 21434 (Road Vehicles – Cybersecurity Engineering) since 2022, confirming that we have established a certified management system and governance that meet the automotive industry's requirements for cybersecurity process management during the product development phases.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Our embedded approach to ERM is formalized in a specific policy and is aligned with ISO 31000 (Risk Management). This enables us to:
set and enable our Company strategy, manage our performance, and capitalize on opportunities; and
systematically identify, evaluate and treat specific risk scenarios.
Our ERM improvement roadmap includes, in particular, deploying our risk framework which is based on the following principles:
taking into consideration the interests of our stakeholders;
addressing uncertainty explicitly;
pragmatic and tailored to us;
integral part of our processes and decision-making;
proactive, structured, dynamic, iterative and responsive to change; and
based on the best available information.
Our risk governance, including our governance of cybersecurity risks, is described in the following chart:
[Chart: risk governance, including governance of cybersecurity risks (image2.jpg)]
Risk owners (members of our Senior Management) are appointed for each priority risk area to develop risk response plans, adapt to changing external conditions and enhance monitoring capabilities. The risk response plans are regularly reviewed by our Executive Committee and periodically discussed with our Supervisory Board and Audit Committee.
The embedded ERM process takes a holistic view, combining both company-wide top-down and bottom-up perspectives, to ensure that specific risk scenarios are addressed at the right level. The process is implemented as described in the following chart:
[Chart: embedded ERM process, top-down and bottom-up (image1.jpg)]
As part of the overall risk framework, we have also designed and implemented a dedicated resilience framework which provides a consistent approach to addressing risks of potential disruptions of our resources, including potential cybersecurity attacks. In 2024, we continued to enhance a company-specific methodology underpinning a global dashboard: a range of relevant indicators based on internal or external standards, covering dimensions such as exposure to natural hazards, loss prevention characteristics, facilities robustness, equipment modernization and redundancy, IT infrastructure quality and cyber protection. For every significant site, those indicators are compiled in our “site resilience index”, which is updated on a quarterly basis. Annually, site management teams prepare and update a site improvement plan accordingly.
Cybersecurity risk management is an integral part of the overarching risk framework and seeks to identify and address fast-evolving cybersecurity threats. The management of cybersecurity risks is governed by the Executive Committee and receives regular oversight from the Audit Committee as a standing item. Please see “Item 6. Directors, Senior Management and Employees” for a description of the biographies of our Executive Committee and Audit Committee members.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our overall risk approach is managed by our Chief Audit & Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board.
Risk owners (members of our Senior Management) are appointed for each priority risk area to develop risk response plans, adapt to changing external conditions and enhance monitoring capabilities. The risk response plans are regularly reviewed by our Executive Committee and periodically discussed with our Supervisory Board and Audit Committee.
Cybersecurity risk management is an integral part of the overarching risk framework and seeks to identify and address fast-evolving cybersecurity threats. The management of cybersecurity risks is governed by the Executive Committee and receives regular oversight from the Audit Committee as a standing item. Please see “Item 6. Directors, Senior Management and Employees” for a description of the biographies of our Executive Committee and Audit Committee members.
We have a specialized Information Security team within the wider Digital Transformation and Information Technology team of the Company, which covers the following:
program definition and steering;
framework, which includes third-party security;
awareness and training campaigns;
architecture and engineering;
protection of business solutions (R&D, manufacturing and industrial solutions, business applications);
protection of IT infrastructures;
cybersecurity operations (such as risk-based vulnerability management); and
detection of and reaction to information security incidents, as part of the wider crisis management process.
In particular, within our Information Security team, the Cyber Security Incident Response Team continuously monitors evolving cyber threats and detects and analyzes incidents. Based on its initial assessment, any significant risk is escalated and would, if required, trigger the assembly of a Corporate Crisis Team ("CCT"). This CCT would lead the Company response (e.g. containment, forensic investigation, system restoration, and handling of any associated business impact). The CCT would periodically inform the Executive Committee of any developments, and the Executive Committee would in turn keep the Audit Committee and Supervisory Board informed.
In addition, we have created a third-party management function within our procurement department, with the aim of embedding cybersecurity risk in the overall management of third parties.
The maturity of our overall risk framework design and implementation, which includes cybersecurity risks, is periodically audited by a leading independent organization. In 2024, an independent third party performed a cybersecurity maturity assessment. The results and associated improvement plan were presented to the Executive Committee as well as to the Audit Committee of the Supervisory Board.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our overall risk approach is managed by our Chief Audit & Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our overall risk approach is managed by our Chief Audit & Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board.
Risk owners (members of our Senior Management) are appointed for each priority risk area to develop risk response plans, adapt to changing external conditions and enhance monitoring capabilities. The risk response plans are regularly reviewed by our Executive Committee and periodically discussed with our Supervisory Board and Audit Committee.
Cybersecurity Risk Role of Management [Text Block]
Our overall risk approach is managed by our Chief Audit & Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board.
Risk owners (members of our Senior Management) are appointed for each priority risk area to develop risk response plans, adapt to changing external conditions and enhance monitoring capabilities. The risk response plans are regularly reviewed by our Executive Committee and periodically discussed with our Supervisory Board and Audit Committee.
Cybersecurity risk management is an integral part of the overarching risk framework and seeks to identify and address fast-evolving cybersecurity threats. The management of cybersecurity risks is governed by the Executive Committee and receives regular oversight from the Audit Committee as a standing item. Please see “Item 6. Directors, Senior Management and Employees” for a description of the biographies of our Executive Committee and Audit Committee members.
We have a specialized Information Security team within the wider Digital Transformation and Information Technology team of the Company, which covers the following:
program definition and steering;
framework, which includes third-party security;
awareness and training campaigns;
architecture and engineering;
protection of business solutions (R&D, manufacturing and industrial solutions, business applications);
protection of IT infrastructures;
cybersecurity operations (such as risk-based vulnerability management); and
detection of and reaction to information security incidents, as part of the wider crisis management process.
In particular, within our Information Security team, the Cyber Security Incident Response Team continuously monitors evolving cyber threats and detects and analyzes incidents. Based on its initial assessment, any significant risk is escalated and would, if required, trigger the assembly of a Corporate Crisis Team ("CCT"). This CCT would lead the Company response (e.g. containment, forensic investigation, system restoration, and handling of any associated business impact). The CCT would periodically inform the Executive Committee of any developments, and the Executive Committee would in turn keep the Audit Committee and Supervisory Board informed.
In addition, we have created a third-party management function within our procurement department, with the aim of embedding cybersecurity risk in the overall management of third parties.
The maturity of our overall risk framework design and implementation, which includes cybersecurity risks, is periodically audited by a leading independent organization. In 2024, an independent third party performed a cybersecurity maturity assessment. The results and associated improvement plan were presented to the Executive Committee as well as to the Audit Committee of the Supervisory Board.
Furthermore, we have been ISO 22301 (Security and Resilience) certified since 2016. Throughout 2024, our continuous improvements have been subject to both internal audits and external surveillance audits by the certification body. We have also been certified to ISO/SAE 21434 (Road Vehicles – Cybersecurity Engineering) since 2022, confirming that we have established a certified management system and governance that meet the automotive industry's requirements for cybersecurity process management during the product development phases.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our overall risk approach is managed by our Chief Audit & Risk Executive under the direct responsibility of our Managing Board and the oversight of our Supervisory Board.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Please see “Item 6. Directors, Senior Management and Employees” for a description of the biographies of our Executive Committee and Audit Committee members.
We have a specialized Information Security team within the wider Digital Transformation and Information Technology team of the Company, which covers the following:
program definition and steering;
framework, which includes third-party security;
awareness and training campaigns;
architecture and engineering;
protection of business solutions (R&D, manufacturing and industrial solutions, business applications);
protection of IT infrastructures;
cybersecurity operations (such as risk-based vulnerability management); and
detection of and reaction to information security incidents, as part of the wider crisis management process.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The management of cybersecurity risks is governed by the Executive Committee and receives regular oversight from the Audit Committee. In particular, within our Information Security team, the Cyber Security Incident Response Team continuously monitors evolving cyber threats and detects and analyzes incidents. Based on its initial assessment, any significant risk is escalated and would, if required, trigger the assembly of a Corporate Crisis Team ("CCT"). This CCT would lead the Company response (e.g. containment, forensic investigation, system restoration, and handling of any associated business impact). The CCT would periodically inform the Executive Committee of any developments, and the Executive Committee would in turn keep the Audit Committee and Supervisory Board informed.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true