Wärtsilä strives to meet or exceed industry sector cyber security best practice and applies appropriate and continuously reviewed controls to protect our assets and our customers.
Wärtsilä operates a formal cyber security programme that leverages both the National Institute of Standards and Technology (NIST) cyber security framework and industry-leading technologies. The NIST framework aligns with our wider company culture, striving for efficiency through a programme of continuous improvement. Wärtsilä Cyber Security manages global cyber security processes for Wärtsilä and its subsidiaries, steering its operations independently of other operational departments, including acting as an independent and objective assurance function. The Wärtsilä Cyber Security function is led by the Chief Information Security Officer, who oversees the development and management of the cyber security strategy, working with counterparts across the entire Wärtsilä Group to optimise procedures and deliver a high degree of consistency of implementation.
Risk governance and management are a clearly defined function of Wärtsilä’s culture. The Enterprise Risk Management Programme fully incorporates the consideration of cyber security risks and directly shapes programmes of activity.
Wärtsilä information security policies, procedures and standards document our approach to compliance with applicable regulations and best practices. Where appropriate, Wärtsilä voluntarily achieves alignment or certification to the most relevant cyber security standard, regulatory framework or class notation. For Wärtsilä’s own corporate infrastructure, systems and networks, Wärtsilä has implemented an Information Security Management System which is certified against ISO/IEC 27001:2022.
Data Protection and Data Privacy controls have been implemented to safeguard both Wärtsilä and third-party information in line with the provisions of the General Data Protection Regulation (GDPR). Physical security provides a first line of defence: all staff are issued with identification, and access to company premises is controlled. CCTV monitoring of sensitive sites provides full traceability in the event of an incident.
The Wärtsilä Security Operations Centre (SOC) operates 24/7, enabling the effective detection and management of security threats and incidents that have any potential to impact the confidentiality, integrity, or availability of the Wärtsilä information environment. The SOC is supported by a proactive cyber threat intelligence programme augmented by external feeds of contemporary threat information.
Response planning includes the management of communications to stakeholders and notifications where required by applicable laws and regulations. A centrally coordinated global Crisis Management Programme supports dispersed capabilities and functions in our national entities.
Wärtsilä places a strong emphasis on prevention, with annual cyber awareness training being a mandatory requirement for everybody in the company, from the CEO down. Contemporary threat information actively shapes a continuous awareness programme, ensuring employee awareness is aligned with and focused on the current risk profile we face.
Advanced technical solutions and holistic programmes of activity are employed to build cyber resilience and reduce risk throughout the value chain. Wärtsilä operates a principle-based programme to give control and oversight of potential cyber security risks within our global supply chain. Information security risk management is a constituent part of the vendor management process, covering vendor selection, onboarding, monitoring and risk management.
The Cyber Governance, Risk & Assurance function provides second line of defence assurance and independent oversight of group and business functions’ adherence to policy and procedures. The Wärtsilä Internal Audit function independently provides the third line of defence, evaluating the control environment of constituent businesses and functions, and reports findings directly to the board. In addition, external certification and auditing by independent third parties are sought where appropriate or required by law or regulation.