We use a variety of IT systems and processes to optimally support our globalization. Trends in information technology offer various opportunities but also harbor risks.
Risks due to cybercrime and the failure of business-critical applications
Increasing international networking, and the resulting opportunities for IT system abuse, expose us to cybercrime risks. These include the failure of central IT systems, the loss of data integrity, the disclosure of confidential data from R&D and other business activities, the manipulation of IT systems used in process control, and the degradation or disruption of IT systems by malware attacks.
We maintain and operate an information security management system (ISMS) based on ISO 27001. Our governance framework contains organizational, process-related, and technical information security countermeasures based on recognized international standards. In addition, we employ harmonized electronic and physical security controls (e.g. access control and security monitoring) to strengthen our ability to protect sensitive data, such as trade secrets.
Cyber security is part of our Group Corporate Security Office. In addition, we have a Group Chief Information Security Officer and a network of Information Security Officers within the business sectors, each supported by dedicated networks. The individual sectors hold risk ownership and act as our first line of cyber security defense. Our Global Cyber Security function acts as the second line of defense and is responsible for cyber security risk governance and oversight. Our third line of defense consists of internal audits.
Globally used IT applications form the basis for the contractual delivery of products and solutions. The failure of business-critical IT applications could therefore have a direct influence on our ability to deliver and on the quality of our products. This also applies to the failure of a data center. To achieve the required service quality, we use a quality management system certified to ISO 9001 that also applies to the provision of IT. In addition, to reduce the risk of failure, we operate several redundantly designed data centers. Furthermore, insurance solutions for cybercrime offenses are in place at Group level.
Likewise, complications during the changeover or migration of IT systems could negatively impact the earnings situation. Close monitoring of critical IT projects serves to mitigate this risk.
Despite the mitigation measures applied and the business continuity plans in place, the effects of cybercrime or the failure of business-critical IT applications on EBITDA pre and operating cash flow are rated as possible, with a significant impact.