Governance and ethics

231 Organisation Model

Italian Legislative Decree 231/01, entitled ‘Regulations on the administrative liability of legal persons, companies and associations, including those without legal personality’, introduced the liability of Entities for administrative offences committed by natural persons in the interest or to the advantage of the Entities themselves. Thus, an Entity’s autonomous liability for offences arising within its sphere has been provided for, in addition to the specific liability of the material author of the offence.

 

Namirial has adopted its own model of organisation, management and control (“231 Organisation Model”) for the prevention of offences committed in the interest or to the advantage of the company and has appointed a Supervisory Body (“Organismo di Vigilanza”) with autonomous powers of initiative and control, in compliance with the law.

Purpose

Through its 231 Model, Namirial intends to:

– meet the requirements expressed by the regulations on the administrative liability of entities, analysing the potential risks of unlawful conduct relevant under Legislative Decree 231/2001 and enhancing the control structures designed to prevent such conduct from taking place;

– promote and encourage a corporate culture oriented towards ethicality, correctness and transparency of activities;

– make all those who work on behalf of the Company within the scope of the so-called sensitive activities aware that, in the event of violation of the provisions herein, they may incur disciplinary and/or contractual consequences as well as criminal and administrative sanctions;

– reiterate that unlawful conduct is strongly condemned, since it is contrary not only to the provisions of the law, but also to the ethical principles of the Company;

– enable the Company, through continuous monitoring, to intervene promptly to prevent and/or oppose unlawful conduct contrary to the law and company rules.

Structure

The structure of the 231 Model consists of:

– Code of Ethics, described below;

– General Section, which describes the contents of Legislative Decree 231/2001, the purposes of the 231 Model and the specific governance rules of the model itself, the Supervisory Body and the system of sanctions;

– Special Sections, which describe, for each process/corporate area at risk pursuant to Italian Legislative Decree 231/2001, the relevant offences, the behavioural principles to be complied with, and the control measures to be put in place to prevent risks.

Code of Ethics

Purpose

The main objective of Namirial’s Code of Ethics is to clearly define fundamental ethical values. It contains the general principles that must inspire the conduct of the Company’s corporate bodies and their members, employees, collaborators and consultants in order to promote, through self-discipline and corporate governance techniques, the creation and maximisation of value for shareholders, for those who work in the company, and for the customers the Company serves. It establishes respect for the laws and regulations in force as an indispensable principle of the Company’s work and lays down the principles of conduct to be followed by all recipients in the daily performance of their work activities and assignments.

Recipients

The Code of Ethics applies to all those who are employed by or collaborate with the Company.

Download Code of Ethics

 

 

Anticorruption Policy

Purpose

The Anticorruption Policy outlines the general principles and rules of conduct to be followed in the performance of activities, the prohibited behaviours and the safeguards identified by the Company to mitigate the risk of corruption.

Recipients

The policy applies to Namirial, its subsidiaries/affiliates and all Namirial’s partners, insofar as compatible, and is also shared with the other investee companies in order to promote principles and conduct consistent with those expressed by the Company.

In general, the policy applies to all those who collaborate professionally with Namirial, as well as to any other person, wherever located, who acts, in any capacity, in the name and/or on behalf of the Company, within the limits of their duties and responsibilities.

Download Anticorruption Policy

Whistleblowing

Purpose

Namirial has adopted a Whistleblowing Policy with the aim of strengthening control over the effective application of and compliance with the Code of Ethics, the provisions and principles of internal policies and procedures, laws and regulations, as well as to guarantee the integrity of the company and to effectively address potential issues at an early stage, reducing the risk of possible significant damage to the company’s business and reputation.

In particular, this policy regulates the process of sending, receiving, analysing and processing reports from anyone, including in confidential or anonymous form, concerning violations or suspected violations:

  • of the Code of Ethics;
  • of the rules of conduct, prohibitions and control principles set out in the 231 Model, as well as the commission of unlawful conduct relevant under Legislative Decree 231/2001;
  • of applicable laws, acts having the force of law or regulations;
  • of internal procedures adopted by the Company.

Recipients

The policy applies to directors, managers, employees as well as anyone who is, has been, or is about to enter into a working relationship / interest with the Company, as more fully detailed in the Whistleblowing Policy.

Communication channels

The above-mentioned reports may be forwarded, for the attention of the Committee, by means of:

  • “Whistleblowing” digital platform available at the following link https://namirial.segnalazioni.net/, which allows the Whistleblower to send reports in written and/or oral form (via voice messaging) either by recording his/her data or anonymously;
  • mail (e.g., letter, registered mail with return receipt), to the attention of the Committee of NAMIRIAL S.p.A. at Via Caduti sul Lavoro 4, 60019, Senigallia (AN), either by providing his/her data or anonymously;
  • in-person meeting with the Committee to be requested via e-mail or face-to-face.

The Committee can be contacted through the following addresses:

  • e-mail: whistleblowing@ethics.namirial.com, or
  • mail: to the attention of the Committee of NAMIRIAL S.p.A. at Via Caduti sul Lavoro 4, 60019, Senigallia (AN).

 

Download Whistleblowing Policy

Information Security

Cyber Security Statement

Namirial Group (the “Group”) is the organizational entity identified by the company Namirial S.p.A and its owned or controlled subsidiaries. Controlled subsidiary (the “Subsidiary”) means any subsidiary of Namirial S.p.A, 50% or more of the outstanding equity interests of which are owned by Namirial S.p.A and its direct or indirect subsidiaries and of which the company possesses, directly or indirectly, the power to direct or cause the direction of the management or policies, whether through the ownership of voting equity interests, by agreement or otherwise.

For us, “Information Security” means ensuring that all information and information systems on which the Group depends, including those related to customer, employee and business partner data, are adequately protected, guaranteeing the security of the company’s services and the continuity of our business activities. The current context, characterized by the ongoing evolution of cyber threats and the more stringent regulations imposed by the authorities, presents several major challenges to businesses.

Security Systems

We are committed to guaranteeing that the Group is constantly equipped with appropriate security systems, thus becoming increasingly reliable for our stakeholders.

More specifically, we pledge to:

  • protect the company’s services and strengthen its security standards
  • define internal security regulations and monitor their implementation
  • define a solid management process for IT risks
  • ensure the implementation of security measures for the management of cyber threats
  • raise awareness and understanding around the issue among all employees

We have therefore developed a strategy to continuously improve the Group’s security level, in four key areas.

4 Key Areas to Improve Security

Business Enablement

Be prepared for the new cyber threats affecting new digital businesses and support the development of business

New Cyber Threats

Be resilient to cyber attacks with proper prevention, detection and response capabilities

Governance

Be efficient in managing the information security process, addressing cyber risk management and ensuring regulatory compliance

People, Skills & Education

Be aware of cyber risks and acquire proper competences to face the new cyber challenges

Cyber Security Transformation Program

The Group has developed a long-term cyber security program to address the cyber security issues analyzed. This includes suitable countermeasures for specific situations. All projects defined and included in the program are regularly reviewed according to a schedule while the long-term strategy is reviewed annually.

The cyber security program has been agreed upon by the Executive Management of the Group.

To strengthen the security and the IT risk management, the Board of Directors has set up a steering committee specifically dedicated to defining and developing the security strategy of the Group as well as governing and monitoring the corporate IT risks. This committee, operating at group level, is named Corporate Security & IT Risk Steering Committee and its effective members are the CEO, CFO, CHRO, CTO and the CISO.

We believe that the human factor is crucial to protecting our information. For this reason, we have developed a cyber security awareness program for all our employees in the form of periodic simulated phishing attacks and a miniseries of instructional videos. All the material is available on internal portals dedicated to employees. The episodes relate to specific information security areas, for example smartphone and tablet security and social engineering.

Namirial S.p.A, the company of the Group that provides the qualified trust services and other services regulated by the Italian supervisory body AgID, also provides the IT services and infrastructures to the main Group companies and is certified according to the following standards:

  • ISO/IEC 27001:2013
  • ISO/IEC 27017:2015
  • ISO/IEC 27018:2015
  • Regulation (EU) 910/2014 eIDAS as Qualified Trust Service Provider
  • ETSI EN 319 401 for Electronic Identification Trust Service
  • Regulation (EU) 910/2014 eIDAS item 24 for the supplying of Trust Services of IT Documents Storage
  • AgID regulations for document Long Time Preserving
  • AgID regulations for SPID (Italian public system for digital identity)

The ISO/IEC 27k series certifications are tailored to implement the sectoral standards related to Namirial services with no exclusions in the Statement of Applicability; security controls reflect those required by the ETSI 319 401 and by AgID directives.

We have been undergoing annual audits for ISO/IEC certifications and all the previous standards by Bureau Veritas and by the national supervisory body AgID since 2010, as well as being regularly audited for the financial report.

Compliance with such regulations is ensured by the Corporate Legal & Compliance Risk Steering Committee formed by the CFO, legal and compliance officers, and the lead auditor.

To avoid conflicts with standards and regulations for which the company is audited, and by virtue of the certifications held, Namirial will not implement on its services specific security policies issued and provided by its Customers.

Moreover, due to the criticality of the services provided, Namirial does not share documents or information relating to its security systems and controls in response to requests for additions and clarifications regarding information security made by third parties, be they Customers, Suppliers and/or Partners.

For this purpose, Namirial has international and technical certifications that can be verified on public sites with legal and contractual value. In fact, the protection of the confidentiality, integrity and availability of information, object of the Namirial activities, could be compromised if certain information were made available outside the Namirial context and/or were in some way subject to any form of unauthorized publication. Furthermore, some systems and protections are partially or totally integrated in services subject to technical, regulatory, contractual and legal security constraints and therefore will not be disclosed to third parties.

Namirial is continually adapting to the changing cybersecurity landscape to stay ahead of threats to our systems and applications. However, keeping our customer and employee information safe is not achieved by technology alone; it takes alert employees, customers and partners who know how to recognize and report issues. For this reason, we allow our customers and partners to submit vulnerabilities and/or security events they may discover on any public-facing website or application owned, operated or controlled by Namirial through a Responsible Disclosure Program.