Corporate, Information and Cybersecurity
Protecting our company from criminal attacks and unauthorized activities is crucial for our continued existence, our business activities and our reputation.
Strategy and governance
As a scientific, technology-intensive company, BASF is confronted with crime, terrorism, sabotage, espionage and other security risks in a rapidly changing business environment. We consider the protection of our employees, sites, plants, information and communication systems and our intellectual property against interference by third parties to be vitally important. We systematically record physical and transitory risks from corporate, information and cybersecurity as part of our general opportunity and risk management.
A global team is responsible for our corporate security. To ensure rapid and effective implementation of security measures, we have defined appropriate structures and processes and laid them down in binding Group-wide requirements. Our sites and Group companies are responsible for implementing and complying with these internal requirements and the legal specifications. The Environmental Protection, Health, Safety and Quality (EHSQ) unit in the Corporate Center conducts regular audits to monitor this.
Responsibility for information and cybersecurity lies with the Chief Financial Officer, who is also the Chief Digital Officer. The Chief Information Security Officer is responsible for the strategic direction. A global cybersecurity team is tasked with protecting BASF’s IT (information technology) and OT (operational technology) systems against hacker attacks and ensuring information security. In order to initiate and monitor suitable security measures, the organization is structured according to a global best practice framework (Identify, Protect, Detect, Respond and Recover). Our IT security management system, which is certified in accordance with DIN EN ISO/IEC 27001:2017, is the main tool for managing information and cybersecurity in the BASF Group. It is crucial to ensure the confidentiality, integrity and availability of our data and IT infrastructure while demonstrating compliance with applicable laws and regulations. We want to use the system to meet regulatory compliance requirements for our critical infrastructure. The Environmental Protection, Health, Safety and Quality unit in the Corporate Center conducts regular audits to monitor this.
Corporate security
One cornerstone of corporate security is site security. The tasks performed by our security teams range from access controls at our sites to defense against industrial espionage. Aspects of human rights relevant to site security are a component of the global code of conduct and qualification requirements for our internal and external security personnel.
For investment projects and strategic plans, we analyze the potential safety and security risks, and define appropriate safety and security concepts. Our guiding principle is to identify risks for the company at an early stage, assess them and derive appropriate safeguards.
We inform business travelers and transferees about appropriate protection measures prior to and during travel in countries with elevated security risks. We continuously adjust our travel recommendations. With a globally standardized travel search system, we are able to locate and contact employees in affected areas following serious incidents.
Information and cybersecurity
Information security and cybersecurity are becoming increasingly important for our company. In addition to protecting data and IT infrastructure, they form the basis for successful digitalization and the implementation of new business models. BASF applies the “security by design” principle to critically review and optimize IT applications from a cybersecurity perspective as early as the design phase. We are continually improving our ability to prevent, detect and react to security incidents with various measures and training offers.
Around the world, we work to sensitize our employees to the protection of information and know-how. In 2023, we continued to raise employees’ risk awareness with regular mandatory online training for all employees and complementary offerings such as seminars, case studies and interactive training. Our global network of information protection officers comprises around 600 employees. They support the implementation of our uniform requirements and hold events and seminars on secure behaviors. Around 70,000 employees were trained on the basics of cybersecurity and information protection in 2023.