CYBERSECURITY POLICY

CERTIFICATE OF TRANSPOSITION OF DIRECTIVE (EU) 2022/2555 “NIS2”

INTRODUCTION AND REFERENCE REGULATIONS

Cybersecurity is a fundamental priority for MCM. This policy establishes the Management's commitment to adopt a “Cybersecurity Model” aimed at protecting the company’s IT systems, and the information they contain, from internal and external threats. In developing the Model, MCM relies on the support of a company specialized in consultancy services in the field of “Data Governance & Protection”, which collaborates in the certification of what is attested in this document. MCM identifies EU Directive 2022/2555 “NIS2” as the reference regulatory framework for the Model, certifying its full implementation.

OBJECTIVES

The adoption of an effective “Cybersecurity Model” pursues the following objectives:

  • protect corporate information from unauthorized access, modification, disclosure or destruction;
  • ensure business continuity, minimizing cybersecurity risks;
  • comply with applicable IT security regulations and standards;
  • contribute to increasing the national and community level of cybersecurity, to protect society and markets.

SCOPE OF APPLICATION

This policy applies to all employees, collaborators, suppliers and third parties who access the computer systems and company information of MCM.

CYBERSECURITY PRINCIPLES

MCM undertakes to adopt adequate and proportionate technical, operational and organizational measures to manage the risks posed to the security of the IT and network systems used in its business or in the provision of its services, as well as to prevent or minimize the impact of incidents on the recipients of its services. The measures adopted are based on a multi-risk approach aimed at protecting IT systems, and include:

  • risk analysis and IT system security policies;
  • incident management plans and sharing of information on threats;
  • business continuity plans.

RESPONSIBILITY, TRAINING, AWARENESS

  • Company Management: exercises decision-making power in the field of Cybersecurity; assigns roles and responsibilities; approves security measures; supervises their implementation.
  • IT Staff: is responsible for implementing, monitoring and updating IT security measures.
  • Employees: follow security policies, procedures and rules; participate in security training; promptly report any incidents.
  • Suppliers and third parties: must comply with the same security standards applicable to internal employees and ensure adequate protection measures.

MCM will provide regular training and updates on cybersecurity to all employees, to ensure awareness and understanding of Cybersecurity best practices. MCM will select suppliers who guarantee adequate security standards, periodically monitoring their level of reliability.

POLICY REVIEW

The application of this policy will be regularly monitored and, if necessary, the policy will be supplemented in the event of significant changes in cyber threats or regulatory requirements. The Management is therefore committed to continuously improving its Cybersecurity posture, to protect its resources, consolidate the trust of stakeholders and contribute to the development, security and progress of the company.