Fresenius SE & Co. KGaA
Investor Relations & Sustainability
+49 (0) 6172 608-2485
Ongoing digitization provides great opportunities for health care - with innovative, technological therapeutic approaches or IT applications that reduce the workload of medical personnel. Fresenius is also entering new markets with digital product solutions. At the same time, we know that digitization is associated with risks, e.g., in the form of cyberattacks. We work continuously on the security of our digital technologies and systems to best address cyber risks and prevent harm to our patients and the company. All patients must be confident that their health data is protected - this is essential for our business success. Legislators are also increasingly reacting to these growing threats with regulations, which, e.g., require consistent protection of patient data. We review these regulatory requirements across the Group and adapt our existing security architecture as necessary.
At the Fresenius Group, we pursue a holistic concept for the management of cybersecurity. We bring the decision-makers of the Group, i.e., the persons responsible for cybersecurity in the respective departments or business segments, together to develop a common approach aligned with our strategic goals. We align our strategy with the security requirements of our four business segments and with the analysis of cyber risks. This approach is reflected in all security guidelines that are applicable throughout the Group. In 2017, the Management Board of Fresenius Management SE initiated the Cybersecurity Approach, Roadmap and Execution (CARE) program. Since 2018, CARE has served as a holistic cybersecurity program that exists alongside the organization and bundles initiatives. The focus is on strengthening our resilience to prevent and defend against cyberattacks. In addition, with CARE, we ensure a consistent level of security throughout the Group. At the beginning of the reporting year, the Management Board of Fresenius Management SE, as part of CARE, enacted a Group-wide cybersecurity policy. With this policy, we define the structural and operational organization for global cybersecurity governance in the Fresenius Group, which, among other things, forms the framework of CARE. In this way, our cybersecurity policy ensures that cybersecurity is organizationally anchored throughout the Group.
The Opportunities and Risk Report contains further information on cybersecurity and cyber incidents at Fresenius in 2020.
In 2020, we reorganized numerous roles and responsibilities for cybersecurity as part of the implementation of the new Cybersecurity Policy. Since May 2020, the Group Cybersecurity Office (GCSO) has been the central organization for managing cybersecurity within the Fresenius Group. It ensures that relevant cybersecurity activities are organized and implemented with individual approaches at the business segment level, and that they are monitored and coordinated from a Group perspective. If necessary, the divisions are advised and supported in their activities.
The GCSO is divided into six functions: Cyber Governance & Assurance, Cyber Risk & Economics, Product Security & Architecture, Cyber Defense & Analytics, Cyber Culture & Training, and Cyber Program Management. The Cyber Defense & Analytics function is of particular importance: it analyzes cyber threats and defends against cyberattacks. It also investigates incidents and develops recommendations for preventive measures to avoid potential cyber incidents in line with risk management.
The Cybersecurity Governance & Assurance function establishes and maintains a Group-wide Integrated Cybersecurity Management System (ICMS). Part of the ICMS is a framework for efficient management and regulation of cybersecurity within the Fresenius Group as well as supporting processes to ensure the alignment of the cybersecurity strategy with the goals and objectives of the company in all risk domains.
The Cyber Risk & Economics function combines strategic cyber risk management with financial and economic know-how to enable risk-based decision-making on effective cyber security investments and thereby continuously improve the Group's security level.
The function Product Security & Architecture is responsible for the cyber security architecture and the risk domains Medical Devices, Manufacturing IT, and Health Facilities.
The Medical Devices risk domain comprises all medical devices and products for which Fresenius has regulatory responsibility in accordance with applicable regulations and laws. This includes all products that Fresenius manufactures, and those sold under the Fresenius name or under a brand name belonging to Fresenius. The Manufacturing IT risk domain refers to all production, logistics, and associated facilities such as laboratories or warehouses. Within these facilities, the risk domain covers all operating equipment that manages industrial control systems in production facilities (IT/OT equipment), as well as systems, processes, and people according to ISA (International Society of Automation) Levels 0 to 3. Furthermore, it includes all systems on which the production and delivery of Fresenius products depend. The Health Facilities risk domain refers to all health care facilities operated by Fresenius. Health facilities are all hospitals and clinics as well as other treatment and rehabilitation centers. Within these facilities, the risk domain covers all IT/OT equipment and systems, as well as the processes and people relevant to the treatment of patients.
The Cyber Culture & Training function enables the cybersecurity teams of the four business segments to set up, run, and continuously improve their individual Cybersecurity Training & Awareness Program (CTAP). Through the Cybersecurity Training & Awareness Program, we inform our employees about the latest cyber threats and help them to recognize and protect themselves against cyberattacks in their everyday work.
The Cyber Program Management function coordinates and manages change management within the framework of the Group-wide cybersecurity program CARE. This includes, in particular, Group-wide coordination and structuring as well as monitoring and reporting of cyber security initiatives, and the implementation of measures that continuously improve the protection of digital information and adapt checks to current threat situations. Cyber Program Management also supports stakeholder management, particularly with regard to the cross-divisional Special Interest Groups (SIGs) and the Cybersecurity Board, to improve Group-wide cooperation.
The Group Head of Cybersecurity leads the GCSO. He has overall responsibility for the governance of cybersecurity within the Fresenius Group. In the business segments, the respective Business Segment Heads of Cybersecurity are responsible for the activities in their area of responsibility. At the level of Fresenius SE & Co. KGaA, the Corporate Head of Cybersecurity is responsible for the individual corporate functions. The Group Head of Cybersecurity defines the Group-wide cybersecurity strategy and coordinates this strategy with respective cybersecurity heads in order to ensure a common approach across all business units.
Fresenius has identified five cybersecurity risk domains throughout the Group: Enterprise IT, Manufacturing IT, Medical Devices, Health Facilities, and People. The risks identified include, for example, interruption of manufacturing or quality management systems, the unauthorized disclosure or manipulation of patients' health data, and the interruption or loss of integrity of core enterprise IT systems. Each risk domain is managed by its own Risk Domain Manager – both at Group level and in the four business segments. Among other things, they define cybersecurity requirements and coordinate risk management activities. The Risk Domain Managers are in contact with each other and promote the use of best practices and the exchange of expertise and knowledge across all cybersecurity risk domains.
At the operational level, the four business segments are responsible for their cybersecurity management. The business segments establish and report on strategic objectives and appropriate strategies for addressing risks. The objectives are based on the Group-wide cybersecurity strategy and are defined independently by the Business Segment Heads of Cybersecurity. They are responsible for implementation in the business segments.
In addition, the cross-divisional Cybersecurity Board meets at least once a month. It consists of the Group Head of Cybersecurity, the Corporate Head of Cybersecurity, and all Business Segment Heads of Cybersecurity. It ensures the exchange of information on the Group-wide cybersecurity strategy between the business segments and Group functions, defines criteria for evaluating and monitoring the development of cybersecurity across the Group, and reviews the progress and results of cybersecurity measures and initiatives. In addition, the Cybersecurity Board monitors the adoption and implementation of the Group-wide cybersecurity policy.
Those responsible for cybersecurity usually have many years of experience in cybersecurity management. They have extensive knowledge and appropriate professional certifications.
The Group Head of Cybersecurity reports directly to Rachel Empey, Management Board member of Fresenius Management SE. She is informed about cybersecurity-related topics on a weekly basis and as required. The Chief Financial Officers of the business segments (for Fresenius Vamed, the member of the Management Board responsible for the service business) meet quarterly in the CARE Steering Committee to organize regular reporting across the business segments. The Risk Domain Managers report to their respective Head of Cybersecurity. The Business Segment Heads of Cybersecurity submit technical reports to the respective member of the CARE Steering Committee. In the future, the Business Segment Heads of Cybersecurity will additionally report to their business segment Management Board on a quarterly basis; the reporting processes are currently being established. In addition, the Data Protection, Enterprise Risk Management, and Compliance departments regularly exchange information on cybersecurity issues.
Our Cybersecurity Policy Framework consists of a set of policies, requirements and procedures. It forms the foundation for cybersecurity in all business segments and Group functions. Within this framework, we define confidentiality, integrity, and availability as our central objectives for protecting data, technologies, and systems. It was approved by the Management Board of Fresenius Management SE and the management committees of the four business segments.
The new cybersecurity guideline is based on the Fresenius Code of Conduct and follows internationally recognized standards and best practices. It defines the overarching policy structure for cybersecurity in the Fresenius Group. In addition, the GCSO, in cooperation with the four business segments, defines further guidelines for the five cyber risk domains Enterprise IT, Manufacturing IT, Medical Devices, Health Facilities, and People. They establish Group-wide minimum security standards for these risk areas. The four business segments also have specific minimum security standards for cybersecurity management, which take into account specific regulatory requirements or local legislation. Minimum security standards already established in the four business segments are leveraged as Group-wide standards where appropriate.
The objective of our cybersecurity program CARE, which covers all risk domains, is to increase the maturity level of our cybersecurity capabilities, strengthen our resilience to cyberattacks, and continuously reduce our cyber risks. We evaluate the ever-changing threat landscape, define minimum security standards for our cyber risk domains, and implement appropriate security measures in a targeted, risk-based, and cost-effective manner. The Cybersecurity Board annually develops Group-wide and business-segment-specific operational objectives and measures to safeguard the confidentiality, integrity, and availability of our data – and to continuously enhance the cybersecurity of our IT infrastructures, manufacturing, health facilities, and medical devices. These are coordinated via the Group Head of Cybersecurity, submitted to the CARE Steering Committee established at management board level, and reported on regularly.
In 2020, the GCSO conducted a cyber risk analysis of our business processes. Each business segment identified specific cyber risks. The cyber risks of Fresenius Medical Care and Fresenius Kabi are closely related to production: these include possible failures of and disruption to central systems, e.g. manufacturing and quality management systems. Another key risk is the theft of intellectual property, trade secrets, and strategic documents. At Fresenius Helios and Fresenius Vamed, the focus is on patients and medical devices: risks include the potential failure of systems that protect patients and their health information. Other risks include the disclosure or manipulation of patient data, failures in patient treatment due to business disruptions, and the interruption of systems that store and process health data. Based on this cyber risk analysis, we continuously develop our security measures. The Risk Report in our Annual Report 2020 contains extensive information on the effects of cyber risks on risk management.
To minimize cyber risks, we have implemented security architectures and concepts that include preventive and detective measures. We are able to detect cyber threats at an early stage by monitoring our networks as well as our endpoints such as desktops, servers, and mobile devices. The security of applications that handle sensitive patient or personal data is regularly reviewed by what are known as penetration tests, which simulate targeted attacks. Critical systems, such as central communication or clinical information systems, are subject to dedicated protection concepts, which can, for example, deal with the failure of a system.
We continuously monitor existing and potential threats using the latest security technologies. Recurring analysis and defense processes are automated in order to be able to react even more efficiently to incidents.
In 2020, we launched the Cybersecurity Training & Awareness Program (CTAP). The goal is to raise the awareness of all Fresenius employees of cyber threats and attacks. In addition to mandatory training on data protection and information security, CTAP offers various courses, games, videos, and other cybersecurity learning content. For example, we use the digital CTAP learning platform to provide information about cyber threats. We regularly simulate phishing attacks to check the effectiveness of the training and to provide users with information on an appropriate response if phishing is suspected. In phishing, attackers use websites or e-mails, e.g., to gain access to user data. We calculate a personal risk score for employees based on their behavior in phishing tests and the number of cybersecurity training sessions they have completed. All CTAP activities are tailored to Fresenius' specific risks and are available in several languages. Participation is currently voluntary. The success of the CTAP measures is measured using predefined success criteria.
The phishing tests carried out in the reporting year 2020 have shown that the intensive training activities have raised the security awareness of employees and resulted in a significant increase in the number of reported phishing cases.
In addition, we continuously inform our employees through various channels about current cyber risks and new types of cyber threats. We also organize a Cybersecurity Awareness Month in October each year.
If Fresenius employees suspect cyber threats, they can contact CERT@Fresenius.com, CyberAware@Fresenius.com, or any cybersecurity employee. Early warnings and alarms via the monitoring mechanisms are automated. In addition, our internal Cyber Emergency Response Team (CERT) investigates possible attacks on our IT infrastructure, manufacturing, and health facilities, suspected violations, and reports from affected persons and regulatory authorities.
Our cybersecurity management is subject to random checks at regular intervals by the Internal Audit department. We continuously monitor and improve the effectiveness of our measures. Our networks, systems, and devices are regularly and comprehensively checked for weaknesses by independent auditors in the course of penetration tests. In addition, various certification authorities such as the U.S. Food and Drug Administration (FDA) or the German TÜV, as well as various auditing companies, are involved in the review processes of our cybersecurity management. For security reasons, we cannot make any statements about specific review processes.