Entity specific: Cybersecurity

As laid out in our Strategy 2030, our goal is to accelerate growth without compromising profitability or sustainability, for example through automation and digital customer solutions. This is supported by reliable and resilient implementation, strict compliance with all applicable regulations and robust cybersecurity actions. We use, create and store a significant amount of data in the course of our business activities, including personal data, and must ensure that the confidentiality, integrity and availability of data is protected. We moreover require our suppliers to implement and maintain appropriate and effective safeguards and controls to ensure the security of our systems and information, including personal data, as specified in our Information Security Code of Conduct for Partners.

Cybersecurity is of particular importance for the success of our business. We therefore subject ourselves to continuous independent assessment by BitSight, an external rating agency. The result of that assessment (“rating”) is steering- and remuneration-relevant for Board of Management members and upper management.

Material impacts and risks identified (ESRS 2 SBM-3)

As part of the materiality assessment, we identified potential positive impacts relating to cybersecurity as well as actual risks.

MATERIAL RISKS, OPPORTUNITIES AND IMPACTS IDENTIFIED
ESRS sustainability matter | Material impacts and their interaction with the business model (1) | Impact on the value chain
Entity-specific: cybersecurity (IT and information security) | Risk (current): Cybersecurity incidents can disrupt global supply chains, leading to negative financial impacts and business losses. | Yes
Entity-specific: cybersecurity (IT and information security) | Positive impact (potential): Safeguards to avoid fraud arising from phishing can improve employee awareness of cybersecurity and preventive actions. This helps to maintain and improve security and customer trust. | Yes
Entity-specific: cybersecurity (IT and information security) | Positive impact (potential): Cybersecurity can have spillover effects impacting the global stability of the commodity trade and postal market. | Yes
Entity-specific: data protection (Personal data protection) | Risk (current): Infringements of data protection laws can lead to significant fines, negative financial impacts and reputational damage. | Yes

(1) The ESRS distinguish between “actual” and “potential” impacts and between “current” and “anticipated” risks. Actual impacts are those that occurred at least once during the business year; potential impacts did not occur. The effects of current risks could materialize during the current reporting period, whereas anticipated effects would not materialize until later periods.

Policies related to cybersecurity

Our cybersecurity management activities protect the information of the Group, our business partners and our employees, as well as company IT systems, from unauthorized access, manipulation and data misuse. Personal data is used ethically and responsibly, and the fundamental rights and freedoms of individuals are respected. Artificial intelligence (AI) opens up a wide range of possibilities, but its growing use by cybercriminals also raises the risk to the Group. In addition, the compliant use of generative AI is a general compliance topic. In this regard we take continuous action to minimize risk, such as holding regular training courses for our employees, monitoring all of our networks and IT systems globally via our Cyber Defense Center, and running regular information security incident simulations.

The Group Chief Information Security Officer (Group CISO) reports directly to the CEO. The IT Board determines the cybersecurity strategy and defines and manages Group-wide actions for cybersecurity, the protection of systems and data, and digitalization processes.

The Group CISO organization (Chief Information Security Office) protects the Group from cyber threats and supports cybersecurity activities. Its focus is on both the strategic and the tactical aspects of security that are relevant to the entire Group. Its actions include Group-wide frameworks covering cybersecurity, incident and risk management processes, sensitivity training and other training programs, as well as solutions intended to ensure and improve the security and resilience of our operating processes. Cybersecurity management also ensures uninterrupted availability and the ability to take action with confidence. Our internal guidelines and processes are based on ISO 27002, and our data centers are certified in accordance with ISO 27001.

We limit access to our systems and data such that employees can only access the data they need to perform their duties. All systems and data are backed up on a regular basis, and critical data is replicated across data centers. In addition, we fix potential security vulnerabilities and protect system functionality by updating our software on a regular basis.

A variety of communication actions and training sessions help our employees become more aware of possible cybersecurity risks. All employees and executives with a corporate email address are regularly sensitized via phishing simulations. We also draw the management’s attention to current risks by means of IT crisis simulations. Participation in “Information Security Awareness” training is mandatory for all employees with a corporate email address. Employees who have already completed the training must update their certification every two years.

Handling personal data

Data protection is a fundamental component of our product and service quality. At the same time, efficient data protection management helps us to avoid the risk of statutory penalties and loss of reputation. Our Group Data Privacy Policy and our data protection management system set the standard for Group-internal global transfers of data and for handling personal data in line with data protection laws. Many countries around the world have already set out the requirements for processing personal information in data protection legislation. We hold mandatory online training for those of our employees with a workplace system to familiarize them with how to conduct themselves in a manner compliant with data protection laws. The global review processes of the Group’s data protection function and those in place within the individual divisions are aimed at ensuring adherence to data protection laws all over the world.

Targets related to managing material impacts, risks and opportunities

We also subject ourselves to an independent assessment from an external rating agency (BitSight); the resulting performance indicator (rating) is steering- and remuneration-relevant.

The rating is based on a technical analysis of vulnerabilities, carried out daily by an automated service, which alerts the rated company to potential security risks. Unlike self-assessments, an external cybersecurity rating offers greater transparency and, thanks to standardization, enables comparison with other companies. We compare our performance with DAX 40 companies as well as with key accounts and logistics companies that are not included in the DAX 40. The target value is determined by our aspiration to be within the upper quartile of our peer group. The result accounts for 10% of the annual bonus calculated for the Board of Management.

As of year-end, we have achieved 750 of a possible 820 points in BitSight’s cybersecurity rating (2023: 750). The target of 690 points for the year under review was thus exceeded. For 2025, the aim is for the BitSight cybersecurity rating to be within the upper quartile of the peer group and thus to amount to at least 710 points. Should BitSight change its rating scale, we will adjust this figure in line with the change.
