The number of noteworthy cybersecurity incidents refers to incidents defined by given legal conditions (from the Network and Information Systems Directive), which OMV, as a critical infrastructure provider, is obliged to report. The measurement of this metric is validated by an external body during the yearly ISO/IEC 27001:2022 audit assessments to evaluate the effectiveness of the implemented ISMS operations.
The number of confirmed breaches of customer privacy data is calculated by counting verified incident reports submitted by processors legally obligated to notify OMV of such breaches. The measurement of this metric is not validated by an external body other than the assurance provider.