Through the very nature of our business, we collect, process and manage information of various kinds, regarding our clients and staff, on a daily basis, in both paper and electronic form.
As far as we’re concerned, safeguarding information – its confidentiality, integrity and availability – is a non-negotiable commitment, which not only meets the legal obligations to which our services are subject, but underpins the relationship of trust which we have with our stakeholders.
We work consistently to improve our information risk control management systems, which includes implementing increasingly sophisticated cyber-security solutions and services.

We also work hard to enhance our information security management strategy, to protect information, its integrity, availability and authenticity through its entire life-cycle. In recent years the Group has continued to bolster the security measures put in place to protect confidential data, such as the encryption of data recorded in our databases, and the masking of the data present in the development and testing environments. Particular attention has been focused on the distribution phase, in which secure communications protocols and digital certificates are used.
To ensure information is not accessed without authorization, the need-to-know, least-privilege and need-to-use principles are applied in managing users' logical access.

The Mediobanca Group also performs ongoing security checks and risk management activities to ensure that adequate control, organizational and technological measures are in place across the whole scope of the Group’s operations, and runs regular security awareness campaigns for our staff and clients to increase corporate awareness of information protection issues.

The Information Security Awareness programme is now well established, and is updated annually to reflect developments in cyber threats across the whole Mediobanca Group.

The main information security and information risk management policies and directives are listed below.

Group information risk management and information security policy

This Policy describes the objectives and general principles which the Mediobanca Group adopts in processing information to ensure its security, supporting the needs of its business and at the same time ensuring that the internal and external regulations on security and risk management are met.
In accordance with the provisions of the Mediobanca Group information risk management framework, the Policy describes the rules and principles adopted by the Group to protect the availability, integrity and confidentiality of data, services, information capital and IT assets, both those of the Group itself and those of its clients, and the security of the information systems and networks used by the Mediobanca Group, on which the continued offering and quality of its financial services depend, even when adverse events occur.
The Policy applies these general principles to the following areas in particular:

  • Organizational security aspects;
  • Training and awareness initiatives in the information security area;
  • Physical and environmental security;
  • Management of the information system (e.g. logical access, vulnerabilities, acquisition, development and maintenance of IT systems);
  • IT incident management;
  • Security aspects in business continuity management.

The general principles set out in the Policy are applied in more detail in the internal regulatory documents compiled for the individual areas (e.g. Policies, Directives, Operating Procedures and Manuals).

This Policy defines the organizational and methodological framework adopted by the Mediobanca Group in the information risk management area, to ensure that the ICT resource protection measures implemented are effective and efficient, and to define escalating mitigation measures based on the current information risk status.

This Directive sets out the criteria and regulations with which users must comply to ensure that information is classified and managed appropriately, guaranteeing an adequate level of protection for the company’s information capital. The objective of this Directive is to set out the rules on the treatment of data to be followed by the user, who represents the first line of defence in protecting information against the threats of disclosure, unauthorized modification and theft.

This Directive sets out the general criteria and rules to be complied with in the management of encryption and data masking, in accordance with the IT risk analysis, the privacy criticality analysis and the classification of information.

This document provides the criteria and general rules to be observed in managing log management systems and activities.

This document defines the security objectives and principles with which third parties must comply, in accordance with the risk appetite defined at company level and consistent with the internal regulations governing the processing of privileged and confidential information.

This Directive describes the actions to be taken to manage incidents relating to IT systems and information security which cause, or could cause, disruption for users or impact on the company’s business, in accordance with the principles established by external and internal regulations.