The cyber risk management process is an essential process within the information security management system (“ISMS”) of Evotec. The ISMS is a framework of policies and controls that manage information security and risk systematically and across the Company and is aligned with the baselines of ISO 27001, an international framework for information security. Information security risk management is incorporated into Evotec’s enterprise risk management system alongside other Company risks, all of which are overseen by the Company’s Supervisory Board. Cybersecurity risks are identified and evaluated by the Infosec team, reviewed, and approved by the management board and reported on to the Supervisory Board as part of the annual management review of company risks.

As previously disclosed, on April 6, 2023, Evotec was the victim of a ransomware incident that impacted our operations. The incident resulted in loss of sales and increased operating expenses related to response and recovery. The incident materially affected the Company, including our business strategy, results of operations, and financial condition. We have incurred costs resulting from the incident as we set up a new IT environment, and have incurred other recovery costs, and expect, due to the scope of the recovery and improvement activities, to continue incurring such costs. There is no guarantee that the risks from that incident or any future cybersecurity incident will not materially adversely affect Evotec in the future. For additional information about Evotec’s cybersecurity risks and the incident experienced in 2023, see Item 3 and Item 5 of this report. The Company has implemented the first iteration of a new and more secure IT environment, utilizing the guidance of expert third parties to consult on recommended security solutions and IT components. The migration of all IT-supported business processes into this new environment, as well as the continuous maintenance and improvement of the new environment remain constant priorities for the Company. The cyber incident has ultimately led to cybersecurity being given an even higher strategic and operational importance and greater financial resources.

In addition to implementing a new and secure IT environment, Evotec has processes in place to identify, analyze, and evaluate risks from cybersecurity threats.

Risk assessments are performed at least annually, focusing on the probability and potential impact of cybersecurity risks. Interim risk assessments are performed on a continual basis as needed, including but not limited to:

The Company has established a cybersecurity incident response process for responding to cybersecurity incidents with defined roles and responsibilities that facilitate coordination between the Chief Information Security Officer (“CISO”) and the IT, compliance, and business departments. The incident response process describes how to prepare for, detect, respond to, and recover from cybersecurity incidents, including processes to identify, assess the severity of, mitigate, and remediate the incident, as well as to comply with applicable legal and reporting obligations.

External consultants are often engaged to assist with IT projects, conduct risk analyses on behalf of the Company, or otherwise support the information security team. The Company also engages third parties to audit Evotec’s risk assessment process, in addition to the internal audits that we conduct.

We outsource elements of our information technology including infrastructure, platform, and software services, and as a result, several third-party vendors may or could have access to confidential information. Risks arising from cooperation with service providers are considered an integral part of the supplier assessment process. If the third party is determined to be of high risk, the Company will decline engagement.

The cyber risk management process is an essential process within the information security management system (“ISMS”) of Evotec. The ISMS is a framework of policies and controls that manage information security and risk systematically and across the Company and is aligned with the baselines of ISO 27001, an international framework for information security. Information security risk management is incorporated into Evotec’s enterprise risk management system alongside other Company risks, all of which are overseen by the Company’s Supervisory Board. Cybersecurity risks are identified and evaluated by the Infosec team, reviewed, and approved by the management board and reported on to the Supervisory Board as part of the annual management review of company risks.

As previously disclosed, on April 6, 2023, Evotec was the victim of a ransomware incident that impacted our operations. The incident resulted in loss of sales and increased operating expenses related to response and recovery. The incident materially affected the Company, including our business strategy, results of operations, and financial condition. We have incurred costs resulting from the incident as we set up a new IT environment, and have incurred other recovery costs, and expect, due to the scope of the recovery and improvement activities, to continue incurring such costs. There is no guarantee that the risks from that incident or any future cybersecurity incident will not materially adversely affect Evotec in the future. For additional information about Evotec’s cybersecurity risks and the incident experienced in 2023, see Item 3 and Item 5 of this report. The Company has implemented the first iteration of a new and more secure IT environment, utilizing the guidance of expert third parties to consult on recommended security solutions and IT components. The migration of all IT-supported business processes into this new environment, as well as the continuous maintenance and improvement of the new environment remain constant priorities for the Company. The cyber incident has ultimately led to cybersecurity being given an even higher strategic and operational importance and greater financial resources.

The Company currently employs a CISO with more than 10 years of professional experience in cyber and information security, including information risk management, who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board.

The Company currently employs a CISO with more than 10 years of professional experience in cyber and information security, including information risk management, who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board.

The Company currently employs a CISO with more than 10 years of professional experience in cyber and information security, including information risk management, who runs the ISMS, and coordinates with internal and external stakeholders regarding the Company’s information security. The CISO informs the members of the Management Board about cyber risks and current developments. Depending on the severity of a particular incident, it is the responsibility of the CISO to notify members of senior management. This includes status information about implementation of measures for prevention, detection, mitigation, and remediation of cyber security incidents. The Management Board reports on cybersecurity risks to the Supervisory Board on an annual basis or as necessary. Material matters, including material cybersecurity incidents, are communicated to the Supervisory Board by the Management Board.