Data security

By virtue of the nature of our business, on a daily basis, we collect, process and manage a significant volume of data and information, both in paper and digital format.

The protection of information, as well as its integrity, reliability and usability is an essential commitment for us, which forms the basis of a relationship of trust with our customers and fulfils the legislative obligations that apply to our services.

We are working all the time to improve our IT and security risk management control system, including through the implementation of cyber security solutions and services, such as cyber intelligence.
We are also continuously working to enhance our strategy for managing information security and for guaranteeing the protection, integrity and availability of data throughout its entire life cycle. Particular attention is focused on the distribution phase, in which secure communications protocols and digital certificates are used.

In managing logical access by users to information, the need to know principle and the principle of least privilege are followed.

In recent years the Group has continued to reinforce the security measures put in place to protect confidential data, such as the encryption of data recorded in our databases, and the masking of the data present in the development and testing environments.

The Mediobanca Group also carries out continuous security checks and risk management activities to ensure that adequate control, organizational and technological measures are in place across the Group’s whole scope of operations, and runs regular Security awareness campaign for our employees and clients, intended to increase corporate awareness of issues relating to the need to protect the information we manage.

The Information Security Awareness programme is now well established and is updated annually in line with the developments in terms of cyber threats for the whole Mediobanca Group.

Group policies and directives on data security risk management

describes the objectives and general principles which the Mediobanca Group adopts in processing information to ensure its security, supporting the needs of its business and at the same time ensuring that the internal and external regulations on security and risk management are met

defines the organizational and methodological framework adopted by the Mediobanca Group in the IT and security risk management area, to ensure the IT resource protection measures implemented are effective and efficient, and to set increasing mitigation measures based on IT and security risk status

This Directive sets out the criteria and regulations with which users must comply in order to ensure that information is classified and managed appropriately, to guarantee an adequate level of protection for the company’s information capital. The objective of this Directive is to set out rules on the treatment of data to be followed by the user, who represents the first line of defence in protecting information against threats of disclosure, unauthorized modification and theft

This directive sets out the general criteria and rules to be complied with in management of encryption and data masking, in accordance with the IT risk analysis, privacy criticality analysis, and classification of information

provides the criteria and general rules to be observed with regard to managing log management systems and activities

defines the security objectives and principles which third parties must comply with in accordance with the risk appetite defined at company level and consistently with the internal regulations governing the processing of privileged and confidential information

this directive describes the actions to be adopted in order to manage incidents relating to IT systems and the security of information which generate, or could generate disruptions for users or impact on the company’s business, in accordance with the principles established by the external and internal regulations