Global Information Security Policy
Pirelli “Information Security Policy” expresses the company's approach on Information Security matters, guaranteeing consistency and compliance with the organization's strategic direction and the applicable legal, regulatory, and contractual requirements for the information systems security.
In particular, the Policy defines the main key characteristics of information that make it valuable to an organization (Confidentiality, Integrity, Availability) providing for a model to appropriately manage the risks that may affect any corporate information and related IT asset.
 English Version (34,3 KB) |
Italian Version (33,9 KB) |
| German Version (100 KB) |
Portuguese Version (615 KB) |
| Spanish Version (432 KB) |
-
Information and Cyber Security Overview
-
Information is an asset, which has significant value for Pirelli due to its competitive and innovative value. Hence Pirelli is inherently responsible to provide appropriate levels of protection to data and information against loss, damage, theft, or malware threats.
Due to the increase in the number of cyber-attacks at global level and the desire of Pirelli to ensure proper protection of data and business processes, the Organisation is focused on pursuing the following objectives:- to support corporate strategy by making information security an enabling factor for its business;
- to comply with laws and regulations on information security wherever Pirelli operates;
- to safeguard the Group’s assets and protect data and confidential information of Pirelli, its employees, subsidiaries, third parties and business partners, including customers;
- to respond proactively and effectively to the increase in cyber threats.
- to identify risks, relevant events, updating Pirelli information security strategy to manage them.
To this end, Pirelli has established an Information Security Department with the task of paying particularly close attention to assessing the risks linked to cybersecurity, including in respect of the supply chain, and of guaranteeing the preparation of adequate, effective organisational and technical measures to mitigate the risks and handle any critical events.
The Information Security Department reports hierarchically to the General Manager corporate and functionally to the Chief Digital Officer.In 2021 Pirelli established the Information Security Committee with the aim of assisting top management in the management of Information and Cyber Security risks.
Specifically, the Information Security Committee is responsible for:- approving the risk management strategy and Information Security objectives for the Organisation;
- assessing the alignment of the Information Security strategy and related initiatives with the Organisation’s overall objectives;
- ensuring compliance with internal and external Information Security regulations;
- ensuring the assignment of roles, responsibilities and resources for Information Security initiatives;
- evaluating, at least annually, the results with respect to the strategies and objectives defined in the field of Information Security, defining actions and initiatives for continuous improvement, considering any changes in the scenario of internal and external risks.
The Information Security Committee is composed by:
- General Manager Corporate;
- Head of Information Security (Executive Manager responsible for Information and Cyber Security management);
- Representatives of the main functions of the Organisation impacted by Information and Cyber Security issues.
In addition, the status of Information and Cyber Security risks, significant events and updates on Information Security strategy are periodically reported to the following committees:
- Operational Risk Committee;
- Board Committee Audit, Risks and Corporate Governance Committee.
Where appropriate, induction meetings are also held for Control Bodies and members of the Board of Directors whose director in charge of establishing and maintaining the Internal Control System and therefore responsible for Information and Cyber Security, is Pirelli CEO.
The following provides a selection of activities carried out in the view of the risks identified, intended as indicative but not exhaustive examples:- implementation of cyber security awareness initiatives through testing, ad hoc training, training courses and communication with the aim of updating users on rules (including the escalation processes to be followed by in the event of suspicious events), correct behaviors and on the main cyber security risks;
- definition of business continuity/contingency plans and incident response procedures (tested at least once a year);
- external perimeter audit and vulnerability analysis (internal and external audits of the management system, third-party vulnerability testing, including simulated attacks);
- audit of IT infrastructure and information security management systems by third parties (auditors, external contractors based on industry best practices and standards such as VDA-TISAX, ISO 27001, NIST);
- continuous monitoring of security events is performed 24/7, collecting different internal and external sources (i.e Threat intelligence, international CSIRT). Events are classified basing on the urgency and impact and managed in compliance with internal procedures which identify stakeholders, roles and responsibility and escalation to Business Continuity Plans, adopting a comprehensive approach during the whole phases of incident management (from the detection to lessons learned).
Pirelli defined a multi-year plan to comply with VDA-TISAX certification: in 2024 Pirelli covered with TISAX certification AL2 HQ, central Data center and 7 sites, rowing the percentage of the assets covered by the certification from 6% to a subset of whole Pirelli group assets (Plant, systems) covering the 70% of Pirelli group IT infrastructure and information security management system.
-