Information and Cybersecurity

In an increasingly interconnected global environment, information is exposed to a rapidly growing variety of risks, threats, and vulnerabilities. OMV invests in information and cybersecurity to protect technology, assets, and critical information, as well as to protect our reputation and avoid any damage or monetary loss resulting from unauthorized access to our systems and data. Keeping OMV free from security gaps and potential security risks is essential for the whole business.

Specific Policies and Commitments

Our internal IT¹/OT² Security Directive lays out the details of the IT/OT Security Framework, through which topic- or security-domain-related security standards and policies are continually aligned and managed. The security framework consists in total of approximately 50 regulatory documents and is harmonized with the ISO 27000-series (ISO 27K) recommendations for IT controls and domains.

Management and Due Diligence Processes

We run an Information Security Management System (ISMS) which is based on ISO 27K standards and certified accordingly, with external surveillance and recertification processes applied annually. One of the basic principles of an ISMS is the continuous improvement cycle, which serves to identify, prevent, mitigate, and remediate potential information security leakages or gaps.
Preventive, Technical, Detective, and Reactive Measures

We lower the risk of security breaches by introducing new tools, individual detection strategies, and response plans in order to maintain a strong perimeter for our physical as well as our cloud environment. Technical housekeeping measures ensure a solid foundation with up-to-date hardware and software as well as adequate information security processes. We implement security patches and offer guidelines in order to provide consistent hardware and software life cycles.

Detective and reactive measures are designed and executed on an ongoing basis to create transparency around existing risks, security gaps, and vulnerabilities. In order to protect our assets and eliminate intruders, we integrate detective and reactive measures to mitigate possible damage and take remediation measures to ensure a fast and total recovery. Examples of such measures include:

- Permanent vulnerability scans on cyber assets
- Implementing a holistic multifactor authentication (MFA) functionality
- Running continuous internal and external penetration tests on critical applications/systems
- External audits as quality assurance (ISO 27K, PCI-DSS, NIS, etc.)

Training

We run regular and intensive measures to keep our employees' information security awareness at an adequate level. The awareness efforts are based either on general topics of information security interest, on ad-hoc demands as timely countermeasures for dedicated use cases, or on target-group-focused topics, and are delivered in different formats such as:

- Mandatory e-learnings including a knowledge check
- Topic-based videos
- Classroom trainings
- Anti-phishing email campaigns
- My News platform to share news via the intranet and blog postings

Incident Reporting and Escalation Processes

OMV operates continuous 24/7 security monitoring. Potential findings are processed via a Security Information and Event Management (SIEM) system and supplemented by Level 1, Level 2, and Level 3 analysts.
Escalation procedures exist to ensure timely remediation of security incidents on a 24/7 basis. OMV's Cyber Defense Team classifies the incident and triggers the incident response process, then activates all required functions via automatic and manual alerts sent by voice message and SMS. All remediation actions follow predefined "runbooks" in order to ensure efficient and timely processing. A clear communication plan ensures that the proper information is disseminated to all relevant stakeholders.

Business Continuity/Contingency Plans and Incident Response Procedures

OMV runs cyber emergency exercises on a yearly cycle with external expertise. The cyber emergency exercises focus on dedicated realistic threat scenarios in order to test the related mitigation procedures and processes. The tabletop exercise consists of a series of "injects." Each inject represents an event or a piece of information that is discovered as the scenario unfolds and is related to the security incident at hand. The audience of such a scenario usually consists of up to 30 participants, including representatives from the IT Security, IT Management, and OT Security teams, among others. After each inject, a corresponding review and evaluation of the process is conducted, including an appraisal determining lessons learned and mitigations.

2021 Activities

The following key activities were carried out across the Group in 2021:

OMV did not face any noteworthy incident that it would be obligated to report according to the Austrian Network and Information Security (NIS) legislation, the transposition of the EU Directive 2016/1148.

In 2021, we introduced the KnowBe4 platform, a state-of-the-art tool that provides information security awareness and training content in appealing formats in order to further increase employee awareness.
OMV also ran several initiatives to further increase and develop its cyber-attack resilience and reduce its cyber risk exposure, such as:

- A holistic information security program consisting of a series of targeted projects to implement or enhance technical or procedural measures, with a focus on information security capabilities
- A continuous program to constantly evaluate the IT maturity level and its progress using external assessments
- An intensive set of activities to keep information security awareness at an adequate level

Outlook

OMV is dedicated to continuous improvement processes and to implementing related measures. Other strategic aims and core endeavors are to further increase the basic IT maturity level, to further extend cyber-defense capabilities and threat resilience beyond the already established high level, and to keep the recertification of the comprehensive information security governance structures in place.

¹ Information Technology (IT) is a set of cybersecurity strategies that prevents unauthorized access to organizational assets, such as computers, networks, and data. It maintains the integrity and confidentiality of sensitive information, blocking the access of sophisticated hackers.

² OT Security is defined as Operational Technology (OT) hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes, and events in the enterprise. OT is common in Industrial Control Systems (ICS), such as a SCADA system.