
As a leading healthcare group, digital transformation is an enabler of our worldwide business: innovative technological and therapeutic approaches improve the treatment paths of our patients. Fresenius is continuously digitizing its processes and entering new markets with digital product solutions, while always acknowledging the associated cyber risks.

Our goals and ambitions

It is our ambition that both our patients and our customers can rely on the cybersecurity of our products and services. Our stakeholders have a high level of trust in the cybersecurity of our products and services. We continuously strive to meet their expectations by strengthening our resilience against cyberattacks and reducing our cyber risks, thus preventing harm to our patients, customers, or the company.

To do this, we evaluate the ever-changing threat landscape, define minimum security standards for our cyber risk domains, and implement appropriate security measures in a risk-based and cost-effective manner. The Fresenius Group adopted a cybersecurity strategy to be implemented by 2025 that sets targets for the Group and the individual business segments. The main focus areas are reducing risks, increasing resilience to cyberattacks, standardizing the organization, processes, and technologies, and improving the Group-wide level of maturity.

Our approach

At the Fresenius Group, we pursue a holistic approach for the management of cybersecurity. To this end, we bring cybersecurity and business decision-makers in the Group together to execute a joint approach aligned with our strategic objectives. The core of our approach is to determine the right level of protection that balances the added value of cybersecurity with the needs of the business as well as the cost.

We derive our activities from maturity assessments and cyber-risk analyses, which help us prioritize the measures that buy down the most risk. We carefully track both the progress and the effectiveness of implemented measures through our CARE program (Cybersecurity Approach, Roadmap and Execution).

The Opportunities and Risk Report contains further information on cybersecurity and the impact on risk management at Fresenius in 2023 in the Risk areas section.

Organization and responsibilities

The Chief Financial Officer (CFO) of the Group Management Board oversees cybersecurity governance and receives direct reports – weekly and as needed – from the Group Head of Cybersecurity. The latter acts as the Group-wide Chief Information Security Officer (CISO), has overall responsibility for the governance of cybersecurity within the Fresenius Group, and leads the Group Cybersecurity Office (GCSO). In this role, he defines the Group-wide cybersecurity strategy and coordinates this strategy with the respective cybersecurity heads in order to ensure a consistent approach across all business segments. The Group Head of Cybersecurity reports quarterly to the Group Management Board and at least annually to the Supervisory Board.

The GCSO enables and governs cybersecurity across the Fresenius Group. It ensures that cybersecurity is considered and coordinated holistically from a Group perspective, defines the baseline, and monitors its compliance. In addition, it controls the execution of the measures to combat risk. Where necessary, the GCSO advises and supports the business segments in their activities.

Within the Group, overarching committees complement the existing organizational structure. The Cybersecurity Board meets on a monthly basis. It ensures the exchange of information on Group-wide cybersecurity, defines criteria for evaluating and monitoring the development of cybersecurity across the Group, and reviews the progress and results of cybersecurity measures and initiatives. The Cybersecurity Board monitors the adoption and implementation of the Group-wide cybersecurity policies. It ensures that the baseline requirements of the measures to combat risk are met.

The responsible Management Board members of the business segments form the Cybersecurity Steering Committee, formerly CARE Steering Committee, which meets quarterly. The steering committee formally enacted the CARE Governance Charta to emphasize the strategic objectives, the scope, and the responsibilities of the CARE Program.

Accordingly, the Cybersecurity Steering Committee acts as a governance body and as an escalation and decision-making authority for various overarching measures. These include, for example, those for identifying and protecting critical, highly relevant information assets or those for optimizing the development of an appropriate cybersecurity structure.

At business segment level, cybersecurity insurance policies are in place where they were available on the insurance market and where they cover the risks appropriately. In the reporting year, cybersecurity insurance at Group level was evaluated again, but has not yet been taken out, as the transformation process #FutureFresenius is leading to structural changes in the Group. In addition, there are certifications such as ISO / IEC 27001 for our information security management system at Group and business segment level.

We regularly evaluate the strategic cybersecurity risks along the value chain. As part of these bi-annual assessments, we analyze the evolving cyber threat landscape and account for emerging threats in order to derive our cybersecurity measures and effectively mitigate our risks.

As part of the Group-wide #FutureFresenius transformation, the Group Management Board decided to further develop the organizational structure of cybersecurity in line with the Group and cybersecurity strategy, starting in the fourth quarter of 2023. The focus here is on strengthening the cybersecurity functions in the business segments and at Group level, as well as on standardizing the process organization.

[Figure: Cybersecurity organizational structure]

Security concept

To manage Group-wide cybersecurity and associated risks, we have determined five risk domains. These are managed by the respective Risk Domain Managers. Facilitated by the GCSO, the Risk Domain Managers form Special Interest Groups (SIGs) that define tailored cybersecurity requirements and coordinate risk management activities based on applicable best practices. They exchange expertise and knowledge across all cybersecurity areas throughout the Group. Neither the security concept nor the risk domains have changed compared to 2022.

Our Cybersecurity Policy Framework consists of a set of policies, requirements, and procedures. It forms the foundation for cybersecurity in all business segments and Group functions. Within this framework, protecting the confidentiality, integrity, and availability of digital information, technologies, and systems is the central objective of Fresenius’ cybersecurity efforts across the risk domains. In 2023, the GCSO and the business segments defined additional cybersecurity requirements, which were adopted in various areas and supplement the existing framework.

We have initiated and rolled out effectiveness metrics in accordance with the designed cybersecurity metrics system in recent years. We use these key figures to determine whether security controls are operating as intended. This helps us understand cybersecurity risks and how well prepared or resilient we are against cyberattacks. Metrics are collected across all the Group’s cybersecurity environments and are regularly reported to the Cybersecurity Board and Cybersecurity Steering Committee. In addition, they are visualized in a scorecard that allows cybersecurity management to steer Group-wide cybersecurity efforts. The scorecard is also shared with relevant stakeholders such as the Group Management Board and the Supervisory Boards to enhance transparency regarding the overall cyber-risk exposure and inform decision-making.

Our main objective is to prevent cyber risks from materializing. This is where our investments in the early detection of cyber threats are paying off. Recurring analyses and defense processes are automated so that we can react even more efficiently. Every incident is thoroughly investigated in order to derive additional measures that improve our overall security.

Training

At Fresenius, we seek to embed a human-centered risk model, combining it with our already-implemented Cybersecurity Training & Awareness Program (CTAP). We aim to share knowledge about emerging trends immediately. To this end, we introduce different cybersecurity activities at Fresenius and provide practical tips on the secure use of devices, whether in the office or at home.

In addition to mandatory training on cybersecurity fundamentals, CTAP offers various courses, videos, and other learning content, for example via the different digital CTAP learning platforms and intranets. We also regularly simulate phishing attacks so that employees internalize the required response when phishing is suspected. We calculate a personal risk score for all employees enrolled in these training courses, based on their behavior in phishing tests and the number of cybersecurity training sessions they have completed. All CTAP activities are tailored to Fresenius’ specific risks and are available in several languages. The success of the CTAP activities is measured against predefined success criteria (e.g., the target click rate in phishing simulations).

We inform our employees through various channels about current cyber risks and new types of cyber threats. In doing so, we use the knowledge derived from daily phishing attempts, for example, which is analyzed and evaluated by the Cyber Emergency Response Team (CERT). With their help, we can design customized awareness content and roll out training campaigns.

In 2023, 73 new training modules were offered to about 179,000 employees; 25% of the training courses were mandatory. The training focused on raising employee awareness of social engineering, phishing, new threats related to the use of mobile devices, and the acceptable use policy, as well as on strengthening fundamental cybersecurity knowledge. On average, 6.7 simulated phishing emails were sent per employee. Overall, 88% of employees successfully detected our phishing simulations. Continuous training on cybersecurity is also part of the variable compensation of all employees who participate in Fresenius’ SHARE profit-sharing program. The program is explained in the Employees chapter.

Reporting paths

If Fresenius employees suspect cyber threats, they can contact CERT@fresenius.com, CyberAware@fresenius.com, or any cybersecurity employee. To improve reporting efficiency, suspicious emails may be reported through the Phish Alert Button, which starts an automated analysis and involves the CERT, if required. Our CERT investigates possible threats and incidents in our IT, manufacturing, and health facility environments, as well as suspected violations. If a malicious phishing attempt is detected, the sender is blocked and the security protocols are adapted accordingly.

Overall, our resilience metrics indicate that we experienced only a few severe incidents during the reporting period. From a Group perspective, these did not have a material impact on our business operations.

Cyber incidents

                                                           2023   2022   2021
Number of serious cyber incidents from a Group perspective    0      0      0
Number of patients affected as a result                       -      -      -

We abstain from reporting any cybersecurity specifics externally to avoid targeted attacks on our infrastructure.

Audits and monitoring

The Internal Audit departments perform independent audits to improve the effectiveness of the risk management, control and governance processes at Fresenius SE & Co. KGaA and in the divisions of the business segments. This was also the case in 2023, taking into account risk-oriented measures in the area of cybersecurity, such as policies and procedures and their implementation. In 2023, Internal Audit conducted nine audits with a focus on information security.

If weaknesses are identified during the audits, Internal Audit monitors the implementation of the corrective actions defined by management as part of its quarterly reviews. For findings with a high potential for damage, the first review takes place after just two months.

Contact

Fresenius SE & Co. KGaA
Group ESG
sustainability@fresenius.com