This document contains the Information Security Policy of the companies comprising the GVC Gaesco Group (GVC Gaesco Holding, GVC Gaesco Valores, GVC Gaesco Gestión, GVC Gaesco Pensiones and GVC Gaesco Correduría), hereinafter GVC GAESCO, which sets out the basic principles of action and management of the organisation in terms of Information Security.
Security is understood as an integral process comprising all technical, human, material and organisational elements related to the information systems, rather than any kind of one-off action or temporary measure.
The rest of the documents related to Information Security of the GVC GAESCO Group shall be aligned with the guidelines contained in this Information Security Policy.
The continuing digital transformation of our society, its impact on strategic sectors such as the financial sector, the new cybersecurity scenario and the advance of application technologies are producing significant changes at an international level.
It has also become clear that information systems are increasingly exposed to threats from cyberspace, with cyberattacks increasing in volume, frequency and sophistication, carried out by agents and actors with greater technical and operational skills.
These threats arise in a context of high dependence on information and communication technologies in our society and of great interconnection between information systems.
The aim of this Information Security Policy is to establish a common regulatory framework for the GVC GAESCO Group to identify, develop and implement the technical and organisational measures required to ensure the security and protection of information, including the privacy of individuals, as well as of the information systems that support the activity of the GVC GAESCO Group.
This document will be published on the GVC GAESCO Group's intranet and communicated to all relevant parties, especially to internal staff handling the GVC GAESCO Group's information assets.
This document will also be published on the GVC GAESCO Group's website to share it with the relevant parties from outside the organisation.
Information, in particular the personal data of employees, customers and suppliers, as well as the systems that support it, represents a strategic asset for GVC GAESCO, which intends to protect it against threats such as errors, sabotage, terrorism, extortion, industrial espionage, privacy violations, service interruptions and natural disasters, in order to ensure the efficient and effective achievement of the defined business objectives.
GVC Gaesco Top Management is committed to leading and promoting security at all levels, in accordance with the Security Policy and the objectives defined therein.
a) Scope
The GVC GAESCO Group protects the resources involved in the management of information related to the normal performance of its functions, in compliance with current legislation, preserving the confidentiality and privacy of information and ensuring its availability, integrity and maintenance. These objectives also cover the information systems used in the course of its activity.
The GVC GAESCO Group is determined to establish conditions of trust in the use of electronic media and in the continuous provision of its services, by adopting the measures required to protect the organisation's information systems from the threats to which they are exposed, to ensure the security of information systems and to minimise risks, thus consolidating the basis for preventing, detecting, reacting to and recovering from any incidents that may arise.
This Information Security Policy applies to the entire scope of action of the GVC GAESCO Group, that is, to all resources, services and business processes that make up the GVC GAESCO Group.
b) Information Security Objectives
The objectives to be achieved are to:
• Guarantee, ensure and implement the appropriate and necessary security measures on all resources, processes, functions, and services directly and indirectly related to internal and external users, and to customers, suppliers, partners and other third parties, for the purposes of ensuring the availability, confidentiality, and integrity of information, according to the applicable legislation.
• Guarantee the continuity, security and quality of the services offered.
• Implement and maintain continuous improvement processes to enhance the efficiency and effectiveness of the information security measures.
• Minimise potential security incidents and their impact should they occur.
• Have the means to ensure that the different users of the services and processes of the GVC GAESCO Group make proper use of the information, information systems and resources used in the performance of their functions, obligations and responsibilities, in a way that does not compromise the security of the GVC GAESCO Group's information.
• Align with the international best practices and standards in the information security and/or cybersecurity field in force at any given time.
• Implement appropriate security measures on the information and personal data, processed in hard copy or electronically, that the GVC GAESCO Group manages within the scope of its competences.
• This information shall be governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as by Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD).
In accordance with the abovementioned objectives, this Information Security Policy seeks to adopt the following security principles, ensuring:
Availability: the information and the information systems can be used at the required time and form.
Confidentiality: data and information systems shall only be accessed by duly authorised persons.
Integrity: the accuracy of information and information systems is protected against alteration, loss or destruction, whether accidental or fraudulent.
Legality: information is processed in accordance with the regulatory framework.
Training: in accordance with the principle of comprehensive security, ensure an adequate level of information security awareness and training for all staff of the organisation.
Incident management: risk analysis and management are an essential part of the organisation's security process, keeping the environment under control and minimising risks through prevention, detection, reaction and recovery measures, and establishing protocols for the exchange of incident-related information.
c) Regulatory Compliance
This Information Security Policy and the other associated documentation are aligned with the laws, rules and regulations currently applicable to the GVC GAESCO Group, in any material or territorial scope.
Please refer to the following document for further information: Cumplimiento requisitos legales
d) Implementation of resources
Top Management of the GVC GAESCO Group declares its commitment to guarantee, within the scope of its functions and responsibilities, the provision of the resources necessary to implement and maintain the processes related to the information security of the GVC GAESCO Group and their continuous improvement. The aim is to achieve the strategic objectives, the dissemination, consolidation and compliance with this Information Security Policy, as well as to implement appropriate distribution and publication mechanisms so that it is known by the relevant users.
e) Roles and responsibilities
Any user affected by this Policy shall be required to:
• Always comply with the organisation's Information Security Policy, Information Security rules, procedures, and instructions.
• Take an active role in the cybersecurity of any assets that are subject to protection within the scope of this Policy.
• Maintain professional secrecy and confidentiality about the Organisation's information.
• Report, in accordance with the corresponding regulations, suspicious or anomalous situations, security incidents, and nonconformities or breaches of the security of the organisation's information systems and/or assets.
Responsibility for Information Security falls on the person assigned the duties of the Information Security Management System (ISMS) manager.
In the event of a breach of the Information Security Policy of the GVC GAESCO Group, or of the other information security documents, by anyone to whom they apply that jeopardises the security of information in any of its dimensions, the Top Management of the GVC GAESCO Group reserves the right to initiate the corresponding actions in accordance with the internal codes and rules of conduct and the legal framework in force.
f) Compliance monitoring
The degree of implementation of the policy hereof will be periodically measured (at least annually) through self-assessments coordinated by the ISMS manager and through internal or external audits (at least annually), and whenever substantial changes occur in the GVC GAESCO Group's information systems. The approval of this policy is carried out in the Top Management Review, as indicated in the ISMS.
g) Information Security Regulations
This Information Security Policy will be supported and complemented by a set of specific documents. These documents are the so-called Information Security Regulations and will be based on the best market practices and aligned with the specific requirements of the GVC GAESCO Group.
h) Classification of Information
All information shall be classified according to its importance to the organisation and shall be treated according to that classification, in accordance with the Classification of Information document.
i) Audit
Information systems shall be periodically subjected to internal or external audits to verify the correct functioning of the security implemented in them, determining degrees of compliance and recommending corrective measures.
j) Suppliers and Third Parties
All relevant purchases of goods or services, or those which have an impact on the services or systems of the GVC GAESCO Group, will be subject to a risk analysis process.
Information security requirements for mitigating the risks associated with a supplier should be agreed with the supplier and documented, and should follow the established security regulations that complement this policy.
k) Liabilities for non-compliance
A breach of this Policy and of the Regulations derived from it shall be considered a serious offence and shall lead to the application of the Disciplinary Regime regulations, without prejudice to any other liabilities that may arise.
Similarly, any collaborating member, subcontractor or consultant who fails to comply with this Policy will be subject to removal from GVC GAESCO Group premises and termination of the relationship with the Organisation.
l) Exception handling
Any exception to this Information Security Policy must be registered and reported to the head of the ISMS of the GVC GAESCO Group. These exceptions will be analysed to assess the risk they might pose to the company. Depending on the categorisation of these risks, they must be assumed by the requestor of the exception together with the business managers responsible.
m) Climate change
The GVC Gaesco Group has carried out an analysis of the services provided by the organisation and of the normal operations required to provide them. As a result of this analysis, no aspects that might impact climate change have been found beyond those generated by the air conditioning services and the emissions of vehicles that provide services to the organisation, which in any case comply with the regulatory requirements.
Having analysed the requirements of the interested parties, none of them has been found to relate specifically to climate change.
Based on both analyses, it is concluded that there is no need to implement measures beyond the applicable legal standards and requirements.
n) Approval and review
The Information Security Policy is formally approved by the Management Bodies of the companies composing the GVC GAESCO Group; this shall be recorded in the corresponding minutes and the Policy shall remain in force until it is replaced by a new version. Likewise, this Policy shall be reviewed annually and whenever significant changes occur that require it to be adapted to new technical and/or organisational circumstances, thus preventing it from becoming out of date.
For these purposes, its adequacy, timeliness and accuracy shall be regularly reviewed. Any resulting modifications shall be proposed by the ISMS manager for validation.
o) Effective date
The Information Security Policy will come into force on the date of its publication on the company's Intranet and distribution to all elements affected by it.
Signed by GVC GAESCO Top Management.
Approved by the Board of Directors on March 23, 2024.