We are a strategic asset for the country, therefore the protection of our resources, starting with human capital as well as tangible and intangible assets, is of vital importance for the entire Company, for shareholders and for “Sistema-Italia”.
With this in mind, we are committed to developing, incorporating and disseminating, within the Group, the best practices, standards and guidelines to identify, manage and mitigate our security risks in compliance with human rights, in the belief that effective prevention and protection strategies are an ethical as well as an economic value in management and business activities.
From this point of view, we ensure a constant process of security risk management, aimed at guaranteeing the highest level of protection for employees and tangible and intangible assets in order to achieve our social and business development objectives.
In this process - with a view to achieving comprehensive security levels - we constantly seek an informed and responsible adherence of all employees who, through their active involvement, enable the dissemination of the security culture in all our workplaces.
As stated in our Policy, the Security Function is entrusted with the exclusive task of protection and safeguard, which is articulated in 4 main dimensions:
- Protection of persons;
- Protection of information;
- Protection of physical assets;
- Protection of business integrity.
Protection of persons
People are the main success factor in defining and achieving the Group's objectives. We are committed to protecting their Safety and Security, in Italy and abroad, supporting Management in fulfilling the Duty of Care provided for by Italian, EU and destination country regulations.
As part of our commitment to continuous improvement, we have decided to fully integrate the guidelines contained in the international standard UNI ISO 31030:2021 Travel Risk Management which, following a rigorous Risk Management approach, allows us to identify and assess the risks present at destinations, inform and train those concerned, and activate prevention and/or mitigation measures.
Lastly, we prepare the Company to deal with crisis situations that may involve personnel abroad, by monitoring the surfacing of possible threats (Early Warning) and coordinating the response to critical situations, through Crisis Committees chaired by the Employers and composed of the functions deemed necessary.
Protection of information
Information is of vital importance for business operations and the maintenance of the strategic advantage.
For this reason, we implement the necessary security measures to guarantee its safeguard, availability and integrity, also evaluating every action to ensure its correct use, through organisational and physical measures that, due to the nature of the information, may also pertain to the national interest security perimeter.
In this context, we operate in compliance with specific sector regulations, promoting knowledge of the regulations and continuous training of the personnel in charge.
Protection of physical assets
Physical assets are a necessary means for business continuity and the achievement of corporate objectives. To this end, we adopt a physical security risk assessment methodology based on international best practices, subject to constant verification of its effectiveness, in order to implement and update the appropriate containment actions, carried out through an approach aimed at harmonising the physical, technological and organisational nature of the security measures adopted, in compliance with specific sector regulations.
Protection of business integrity
We pursue the safeguard of the principles of legality, ethics and transparency - the foundations of sustainable business - by means of a thorough process of verification of the reputational requirements of our supply chain; integrity due diligence checks conducted on corporate third parties are thus instrumental in preserving our business from criminal contamination.
In this regard, attentive and vigilant to any possible interference that could, even potentially, attack the integrity of our business and of our actions in the market, we have established enhanced cooperation with the Ministry of the Interior through the signing of the National Legality Framework Protocol, which helps to promote a widespread and extended culture of legality to protect Fincantieri and the trust of our stakeholders.
More generally, safeguarding depends on knowledge of the threats to which our business is exposed; for this reason, we constantly expand our knowledge base with a continuous process of threat intelligence focused on subversive, organised, common and terrorist criminal threats.
WHICH OBJECTIVES DO WE HAVE ON THIS TOPIC?
Governance and business integrity: 2018-2022 Sustainability Plan objectives and targets
Maintenance of the Corporate Governance system and risk management (including sustainability risk) in line with international best practice
Structure an Emergency Response & Crisis Management process in Safety & Security
Implement the project which consists of:
• Appointment of the Crisis Management Team (CMT) and deputies
• Periodic CMT training
• Definition of methods for activating and managing the CMT
• Virtual Crisis Management Room
• Definition of standards for future physical Control Room
Creation of a single CMT through official appointments, training and equipping a Virtual Crisis Room
Reduce decision-makers' engagement times in relation to recovery measures. Be resilient, and ensure regulatory compliance and reduction of damage to human resources, company property and reputation
In 2019, a Crisis Management system (abroad) was activated and, so far, 15 contingency plans have been drawn up and updated for the most important foreign sites and locations where the Company operates.
Implementation of the International Ship and Port Facility Security Code (ISPS Code)
Implement the project which consists of:
• Updating of the security plans for those sites subject to the ISPS Code
• Personnel training
• Adoption of the security process methodology even in those sites where compliance with the regulation is not compulsory
100% Italian sites
• Regulatory compliance
• Resilience to criminal and/or terrorist threats
• A high level of expertise of personnel with security tasks
• Awareness of personnel who access the sites
In 2021, the implementation of the International Ship and Port Facility Security (ISPS) Code was concluded. The methodology was also adopted by those plants for which the legislation is not mandatory. Moreover, training of Fincantieri employees continued with the provision of an interactive and customized e-learning course aimed at familiarizing them with security issues.
CYBER SECURITY: 2018-2022 SUSTAINABILITY PLAN OBJECTIVES AND TARGETS
Guarantee the protection of computer systems and data by minimizing the risk of network breaches, corruption of sensitive data or processes and develop the cyber security strategy for products and services
Develop a central information technology system and industrial platforms to bolster protection of industrial networks
Develop a central IT system and industrial platforms to bolster protection in order to:
• Expand the perimeter of the technological protection infrastructure in order to counter modern cyber security threats (email security review, anti malware evolution, Sandbox development, upgrade SIEM software development, etc.)
• Automate cyber incident detection and management processes
• Develop tools, processes and methodologies to support compliance with Regulation (EU) No. 2016/679 (GDPR) and international data protection and security standards (ISO 27001/9001)
• Adopt a program to protect the industrial networks supporting ship production (OT / SCADA security)
Fincantieri S.p.A. and Italian subsidiaries (Marine Interiors Cabins, Luxury Interiors Factory, Marine Interiors, Seanergy A Marine Interiors Company, Isotta Fraschini Motori, Cetena, Fincantieri Infrastructure, Seastema)
• Minimize the risk of data loss
• Reduce damage to image
• Protect intellectual property
• Comply with data protection regulations
In 2021, all of the projects mentioned in the description/target have been completed with the aim of developing a central information technology system and industrial platforms to bolster protection of industrial networks.