Global Information Security Policy

Pirelli's “Information Security Policy” expresses the company's approach to Information Security matters, guaranteeing consistency and compliance with the organization's strategic direction and with the legal, regulatory, and contractual requirements applicable to information systems security.

In particular, the Policy defines the key characteristics of information that make it valuable to an organization (Confidentiality, Integrity, Availability) and provides a model for appropriately managing the risks that may affect any corporate information and the related IT assets.

English Version (34,3 KB)
Italian Version (33,9 KB)
German Version (100 KB)
Portuguese Version (615 KB)
Spanish Version (432 KB)
    1. Information and Cyber Security Overview

      1. Information is an asset of significant importance to Pirelli because of its competitive and innovative value. Hence, Pirelli is inherently responsible for providing appropriate levels of protection to data and information against loss, damage, theft, or malware threats.
        Given the global increase in the number of cyber-attacks and Pirelli's objective of ensuring proper protection of data and business processes, the Organisation is focused on pursuing the following objectives:

        • to support corporate strategy by making information security an enabling factor for its business;
        • to comply with laws and regulations on information security wherever Pirelli operates;
        • to safeguard the assets and protect data and confidential information of Pirelli Group, including the ones of its employees, subsidiaries, third parties and business partners, including customers;
        • to respond proactively and effectively to the increase in cyber threats;
        • to identify risks and relevant events, updating Pirelli's information security strategy to manage them.

        To this end, Pirelli has established an Information Security Department with the task of assessing the risks linked to cybersecurity, including the ones related to the supply chain, and of guaranteeing the preparation of adequate, effective organisational and technical measures to mitigate the risks and handle any critical events.
        The Information Security Department reports hierarchically to the General Manager Corporate and functionally to the Chief Digital Officer.

        In 2021 Pirelli established the Information Security Committee with the aim of assisting top management to manage Information and Cyber Security risks.
        Specifically, the Information Security Committee is responsible for:

        • approving the risk management strategy and Information Security objectives for the Organisation;
        • assessing the alignment of the Information Security strategy and related initiatives with the Organisation’s overall objectives;
        • ensuring compliance with internal and external Information Security regulations;
        • ensuring the assignment of roles, responsibilities and resources for Information Security initiatives;
        • evaluating, at least annually, the results with respect to the strategies and objectives defined in the field of Information Security, defining actions and initiatives for continuous improvement, considering any changes in the scenario of internal and external risks.

        The Information Security Committee is composed of:

        • General Manager Corporate;
        • Head of Information Security (Executive Manager responsible for Information and Cyber Security management);
        • Representatives of the main functions of the Organisation impacted by Information and Cyber Security issues.

        In addition, the Information Security function reports the status of Information and Cyber Security risks, significant events and updates on the Information Security strategy to the following committees:

        • Operational Risk Committee;
        • Audit, Risks and Corporate Governance Committee (Board committee).

        Where appropriate, induction meetings are also held for Control Bodies and members of the Board of Directors. The director in charge of establishing and maintaining the Internal Control System, and therefore responsible for Information and Cyber Security, is Pirelli's CEO.
        The following is a selection of activities carried out in light of the risks identified; they are indicative, not exhaustive, examples:

        • definition of business continuity/contingency plans and incident response procedures (tested at least once a year);
        • external perimeter audit and vulnerability analysis (internal and external audits of the management system, third-party vulnerability testing, including simulated attacks);
        • audit of IT infrastructure and information security management systems by third parties (auditors, external contractors based on industry best practices and standards such as VDA-TISAX, ISO 27001, NIST);
        • continuous monitoring of security events is performed 24/7, collecting data from different internal and external sources (e.g., threat intelligence, international CSIRTs);
        • the Pirelli Group has defined an incident response plan that includes several phases, ranging from identification through to the implementation of the corrective actions necessary to prevent similar events from recurring;
        • the roles involved, communication channels and escalation procedures are part of a structured and formalized process, which also includes both internal and external communication flows. The process also foresees that incidents, suspicious activities and any vulnerabilities are promptly reported by both employees and third parties to the Information Security Function;
        • the Pirelli Group also has Crisis Management processes in place (including significant incidents), integrated with Business Continuity plans, which enable the activation of structured escalation procedures and the definition and implementation of rapid and effective actions in response to unforeseen or exceptional events. The objective is to ensure the restoration of operations in the shortest possible time and to minimize potential damages;
        • in addition, the Pirelli Group defines and maintains an Information Security Training and Awareness Plan, aimed at aligning and verifying employees’ competencies and their knowledge of internal procedures, ensuring an adequate level of awareness and reliability in terms of information security. The plan includes the implementation of cybersecurity awareness and training initiatives through testing, ad hoc training, training courses and communication activities, with the objective of updating users on the applicable rules (including the escalation processes to be followed in case of suspicious events), on appropriate behaviors and on the main cybersecurity risks.

        Pirelli has defined a multi-year plan to achieve VDA-TISAX certification: in 2025, TISAX certification covered Pirelli's headquarters, central data center and 9 sites, raising the share of Pirelli Group assets (installations, systems) covered by the certification from 6% to 76% of the Group's IT infrastructure and information security management system.

Last revised: 22 Jun 2026