IT security and cybercrime

Management of the material topic (GRI 3-3)

With the increasing digitalisation of the healthcare system, the risk of cyber attacks is growing. People are one of the greatest risk factors in connection with cyber attacks, as many cyber attacks target employees, for example by means of fraudulent e-mails (phishing). IT security is of great relevance at Galenica. As a healthcare provider, the company processes sensitive information and data. Galenica ensures that such data is protected against unauthorised access and unauthorised changes or losses to safeguard the confidentiality, integrity and availability of data, avoid financial damage and minimise risks. For logistics companies and pharmacies, the protection of IT systems is particularly important in order to ultimately guarantee the security of supply for the population. In addition, IT security contributes to social acceptance and the satisfaction of customers, partners and suppliers, thus strengthening the Swiss healthcare system.

Responsibilities

At Group level, the topic of IT security is coordinated by the Head of Information Security & Quality Assurance. In 2022, Galenica restructured the responsibilities and organisation of IT security. The newly formed IT Security Board is responsible for balancing the interests of IT and the individual Business Units and coordinates IT security-relevant topics and measures. These are implemented by the members in their respective areas. The Board is responsible for the IT security strategy and ensures its implementation. The aim of the strategy is to achieve reliable and efficient IT security across the Group. The Board meets quarterly or as required and began its work in 2023.

Clear guidelines to govern operations

The IT Security Policy defines the objectives relating to information and IT security, the competencies and responsibilities as well as the IT security principles of the Galenica Group. The Policy applies to all companies of the Galenica Group and forms the basis for all written IT security instructions. In addition, the IT Usage Regulations set out the security-related rules of conduct for using IT work equipment, such as the use of private devices, working on the move and working from home. Finally, the IT Security Manual is aimed at employees in the IT departments and lays down the regulations for secure IT operations.

Raising employee awareness

The cooperation of all employees is required to ensure information and IT security. In addition to technical measures, Galenica also promotes awareness of security among employees by means of specific e-learning modules and intranet news. New employees are made aware of the key elements of the IT user regulations on their induction day. Galenica regularly runs e-learning courses on data security and dealing with phishing and cyber attacks. In addition, information on cybercrime is regularly published on the intranet for employees.

↗  Realistic
→ Partially delayed/critical
↘  Critical
=  Achieved
×  Not achieved

In the reporting year, two e-learning courses were offered in the area of IT security and cybercrime. The average participation rate was 88%.

Evaluation of the management approach and measures

• Security audit: The IT Security Policy and its implementation are regularly reviewed by internal functions or external specialists to ensure they are up to date and effective.
• Monitoring: The security monitoring system surveys all IT systems and triggers an alarm in the event of anomalies. This is performed by an external Security Operation Center (SOC).
• E-learning: The participation rate in the e-learning modules on data and cyber security is regularly recorded and evaluated.