Key Actions
Key actions implemented and planned to achieve our policy objectives and targets are mentioned below. Key actions are defined as those requiring CAPEX of EUR >5 mn for their implementation. CAPEX includes additions to property, plant, and equipment and to intangible assets (incl. IFRS 16 right-of-use assets), expenditures for acquisitions, and equity-accounted investments and other interests for pre-defined sustainability CAPEX categories. Decommissioning assets, government grants, borrowing costs, and other additions that by definition are not considered capital expenditure are not included in CAPEX figures. Within the boundaries of applicable accounting standards, expenditure incurred during project implementation is generally capitalized and thus included in the CAPEX figures. Figures are not validated by external bodies.
The ambition to reach an overall cybersecurity maturity level of 4.0 (on a scale of 1 to 5) is directly linked to the effectiveness of the ISMS-related policy framework and the resulting resilience against cyber threats, which is reflected in the number of noteworthy cybersecurity incidents. As the human factor is key to ensuring cybersecurity in daily operations, awareness-raising measures in a range of formats are developed and released to train our employees accordingly. In 2024, no action related to the material topic of cybersecurity exceeded our key actions monetary threshold of EUR 5 mn. Consequently, no reference to the financial statements is made for this topic.
OMV seeks to align its long-term funding policy with the Company’s sustainability strategy. For this reason, OMV is assessing opportunities for sustainable financing and sustainability-linked funding, which links the cost of a financing instrument to the achievement of specific strategic sustainability targets. For the implementation of the key actions included in the table below, no sustainable financing instrument is currently outstanding.
| Key action | Manage and improve cybersecurity1 |
|---|---|
| Status | Planned |
| Expected outcome | Manage and/or improve cybersecurity |
| Contribution to policy objective/target | Contributes to OMV ambition to reach an overall cybersecurity maturity level of 4.0 (on a scale of 1–5) based on the Capability Maturity Model Integration (CMMI) reference model. A high maturity level reflects our overall ability to withstand cyber threats and protect our technology, assets, and critical information from risks, which could have a range of impacts, such as reputation damage, financial loss, or data leakage. |
| Scope | Own operations |
| Time horizon | Mid-term |
| Remedy | n.a. |
| Progress | Assessment |
| CAPEX 2024 (EUR mn) | No actions above key actions threshold |
| CAPEX 2025–2029 (EUR mn) | ~5 |
| Related IROs | G1-5 |
In addition to the key actions defined to address the material IROs, actions that do not meet this threshold but are equally important are also included below. They address the negative impact related to a potential advanced cyberattack on OMV’s IT/OT convergence systems, which could result in malfunctions and disruptions in essential plant process controls.
Risk Assessments and Audits
An important aspect stipulated in the IT/OT Security Directive is to assess risks related to cyber assets in IT and OT. OMV has been managing an information security/excellence program since 2019. Each year, various projects are conducted based on pre-evaluation processes that consider resource allocation principles and the projects’ impact on reducing cyber risks. The implementation of these projects increases the overall information security maturity level of OMV, helping reduce exposure to cyber threats. The scope is focused on our own operations. Risk assessments are an ongoing process, while the OMV ISMS operations are subject to yearly external audits that verify its compliance and effectiveness and form the basis of the related certification. The latest certification according to ISO/IEC 27001:2022 was granted in June 2024.
Technical, Detective, and Reactive Measures
Based on the guidelines of the IT/OT Security Directive, the risk of security breaches is lowered by introducing new tools, individual detection strategies, and response plans to maintain a strong perimeter for our physical and cloud environments. Technical housekeeping measures, such as keeping hardware and software up to date, together with adequate information security processes, ensure a solid foundation. We implement security patches and provide guidelines for consistent hardware and software life cycles.
Detective and reactive measures are designed and executed on an ongoing basis to create transparency around existing risks, security gaps, and vulnerabilities. We integrate these measures to protect our assets from intruders, mitigate possible damage, and ensure a fast and full recovery. Examples of such measures include continuous vulnerability scans of cyber assets, breach and attack simulations to evaluate potential attack surfaces, continuous internal and external penetration tests of critical applications/systems, and external audits as quality assurance (ISO/IEC 27001, PCI DSS, NIS, etc.). This comprehensive approach ensures that we proactively address potential threats and maintain robust security across our systems. The scope is focused on our own operations. The identification and introduction of new tools, individual detection strategies, and response plans is an ongoing process. In 2024, approximately 500 IT projects were guided by the IT security governance function (2023: 400) to ensure that defined security requirements are covered, thereby protecting OMV assets according to their specific needs.
Training
Raising awareness of and providing training on cybersecurity to employees within our own operations is an essential requirement outlined in the IT/OT Security Directive. OMV runs regular and intensive training sessions annually to maintain an adequate level of employees’ awareness of information security. These awareness efforts cover a range of topics, including general information security issues, ad hoc demands as timely countermeasures for specific use cases, and target group-focused subjects. The training formats include mandatory e-learning sessions with knowledge checks, topic-based videos, classroom training sessions, anti-phishing email campaigns, and sharing news via the MyNews platform on the intranet and internal blog posts. This multifaceted approach ensures comprehensive and continuous learning to effectively enhance our employees’ knowledge of information security. In 2024, more than 55 different types of awareness measures were conducted (e.g., classroom exercises, online training sessions, email phishing campaigns, mandatory e-learning, MyNews published on the intranet) to help mitigate the risk of an advanced cyberattack and at the same time contribute to the positive impact related to the mature information management system regarding personal data protection (2023: approximately 65).
IT Business Continuity
The information security continuity of our own operations is embedded in OMV’s business continuity management systems, as outlined in our IT/OT Security Directive. OMV tests its IT business continuity plans and IT incident response procedures annually through cyber emergency exercises. These are run in specific formats (i.e., in 2024 by participating in the Cyber Europe 24 exercise) and focus on realistic threat scenarios in order to test the corresponding mitigation procedures and processes. These exercises consist of a series of “injects.” Each inject represents an event or a piece of information that is discovered as the scenario unfolds and is related to the security incident at hand. The audience for this scenario usually consists of representatives from several functions, including IT Security, senior IT Management, OT Security teams, and Communications. After each inject, a corresponding review and evaluation of the process is conducted, including an appraisal determining lessons learned.