WithSecure
Material Topics
ESRS 2 – General Disclosures
GOV-1 The role of the administrative, management and supervisory bodies (Reported)
WithSecure's administrative body is the Board of Directors ("the board"). The Board of Directors has seven members, of which six are non-executive. The one executive member is a member elected from WithSecure's personnel.
The Board of Directors' Audit Committee is the supervisory body of WithSecure. The Audit Committee is neither a decision-making nor an executive body. The Board of Directors appoints from among itself the members and the Chair of the committee. The Audit Committee has four members, of which three are non-executive. The independence of the members is determined based on their independence of the company, not independence of major shareholders.
In terms of the Board of Directors' roles and responsibilities, WithSecure's Board of Directors is the highest administrative body in charge of sustainability matters in the company. As sustainability is incorporated into WithSecure's business strategy in the form of the sustainability program, sustainability matters are a scheduled agenda item in Board of Directors' meetings annually. The Board of Directors approves the high-level priorities and objectives regarding sustainability. The Sustainability report is approved by the Board of Directors, as part of the approval of the Board of Directors report.
The Board of Directors is also involved in approving the identified sustainability-related impacts, risks and opportunities and determining that their mitigation and management has been adequately integrated into the company's sustainability program. The Global Leadership Team (GLT) members set and accept the sustainability-related targets on an operational basis. The progress in targets is presented to the Board of Directors annually. The Board has the final authority to approve these targets when they review and approve the full annual report.
Board Composition and Diversity:
- Board of Directors' gender diversity ratio (percentage of women): 29%
- Board of Directors' independent board members ratio: 86%
- Audit Committee's gender diversity ratio (percentage of women): 50%
- Audit Committee's independent board members ratio: 75%
GOV-2 Information provided to and sustainability matters addressed by the undertaking's administrative, management and supervisory bodies (Reported)
The Audit Committee oversees this progress by reviewing and monitoring the status of the company's strategic sustainability-related targets. As the Audit Committee members are also members of the Board of Directors, they are also involved in setting the sustainability-related targets. In addition to overseeing these targets and sustainability reporting, the Audit Committee also reviews policies and makes recommendations to the Board of Directors, who have the authority to approve these policies.
Material Impacts, Risks and Opportunities Addressed:
| Topic | Sub-topic | Type | Description |
|---|---|---|---|
| E1 Climate change | Climate change mitigation | Financial opportunity | Customers moving to cloud environments in search of modern, cost-effective, secure and sustainable solutions continues to present a major business opportunity for WithSecure. |
| S1 Own workforce | Working conditions | Financial opportunity | Improved employee retention can impact business positively through better sales and lower costs. |
| S1 Own workforce | Working conditions | Financial risk | Shortcomings in working conditions or employee wellbeing can increase costs through leaves of absence for physical or mental reasons. In the worst case, such shortcomings can lead to security risks that could cause reputational damage. |
| S1 Own workforce | Equal treatment and working opportunities for all | Financial opportunity | Promoting diversity, equity and inclusion (DEI) will increase WithSecure's ability to attract talent. In the long run there will also be cost savings for retaining talent at WithSecure. |
| S1 Own workforce | Equal treatment and working opportunities for all | Financial risk | Shortcomings in training and skills management can lead to losing out on business opportunities. Additional financial risks associated with this are related to attrition, brain leakage and disengagement of employees. |
| S4 Consumers and end-users | Information related impacts for consumers and end-users | Positive impact | WithSecure's largest impact on sustainability comes from the work on building and supporting digital society, through its customers and end-users. WithSecure's value chain enables a well-working digital society, and therefore creates widespread positive impacts. |
| S4 Consumers and end-users | Information related impacts for consumers and end-users | Financial opportunity | WithSecure's core business revolves around cyber security. An opportunity for us is that we are able to meet the many needs of our end-users. |
| S4 Consumers and end-users | Information related impacts for consumers and end-users | Financial risk | WithSecure faces risks from a security and privacy perspective, as the company can be an attractive target for malicious activities. |
| G1 Business conduct | Corporate culture | Financial risk | Corporate culture is important because the related privacy risk is heightened compared to other industries, as its potential impact on reputation is significant. |
| G1 Business conduct | Protection of whistleblowers | Positive impact | WithSecure has established a confidential and secure whistleblowing channel, enabling anonymous reporting of any concerns of misconduct. |
| G1 Business conduct | Management of relationships with suppliers including payment practices | Positive impact | WithSecure wants to conduct its business to a high ethical standard. The aim is to maintain a positive impact on its supply chain through emphasis on ethical business practices. |
| G1 Business conduct | Management of relationships with suppliers including payment practices | Financial risk | Maintaining strong supplier management processes and best practices requires investments, incurring possible additional costs. |
GOV-3 Integration of sustainability-related performance in incentive schemes (Reported)
Sustainability-related performance – including climate-related considerations – has not been integrated into WithSecure's incentive schemes. The incentivising metrics and methods need to be adequately functioning and serve WithSecure's business model and operational industry. WithSecure explores potentially suitable metrics and inclusion methods of sustainability-related matters into incentive schemes.
GOV-4 Statement on due diligence (Reported)
WithSecure's Board of Directors and the President and CEO are responsible for the company's governance. WithSecure's corporate governance practices are based on applicable Finnish laws, the rules of Helsinki Stock Exchange (NASDAQ Helsinki Oy) and the regulations and guidelines of Finnish Financial Supervisory Authority as well as the company's Articles of Association.
WithSecure's sustainability due diligence process ensures that the company identifies, prevents, mitigates and accounts for how WithSecure addresses the actual and potential negative impacts the company might have both in its own operations as well as within the value chain.
Due diligence has been embedded in the governance, strategy and business model of WithSecure. This is showcased through the level of information provided to and the sustainability matters addressed by the company's administrative, management and supervisory bodies.
Core Elements of Due Diligence:
| Core Element | Reference |
|---|---|
| Embedding due diligence in governance, strategy and business model | Section "GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies" |
| Engaging with affected stakeholders in all key steps of the due diligence | Section "SBM-2 Interests and views of stakeholders" |
| Identifying and assessing adverse impacts | Section "SBM-3 Material sustainability-related impacts, risks and opportunities" |
| Taking actions to address those adverse impacts | Topic-specific action descriptions |
| Tracking the effectiveness of these efforts and communicating | Topic-specific target descriptions and related performance statuses |
Affected stakeholders are engaged with in all key steps of the due diligence process. Their views were integrated in the double materiality analysis to identify WithSecure's material impacts, risks and opportunities, ensuring that they have had the possibility to influence and guide the company's conduct.
WithSecure's due diligence is an ongoing process that responds to changes both in the company's operations as well as the surrounding environment and society. The company is planning on updating its double materiality analysis during the year 2025 to ensure that the most current information and stakeholder views are taken into account.
GOV-5 Risk management and internal controls over sustainability reporting (Reported)
Risk Management
Risk management and internal control processes at WithSecure seek to ensure that risks related to the business operations of the company are properly identified, evaluated, monitored and reported in compliance with the applicable regulations.
WithSecure's Board of Directors defines the principles of risk management and internal controls which are followed within the company. The Audit Committee assists the Board of Directors in the supervision of WithSecure's risk management function. The CEO is accountable for ensuring that the risk management principles are implemented and applied constantly and consistently across the organization.
The primary goal of WithSecure's risk management principles is to empower the organization to identify and manage risks more effectively. The potential negative impact and probability of different situations arising from WithSecure's business operations on the company, its customers, or its partners are monitored as part of the risk management process.
WithSecure promotes continuous risk evaluation by the company's personnel. The relevant operational risks identified through the risk management process are regularly reviewed by the CEO and Global Leadership Team. Risk Management is an integrated part of WithSecure's governance and management, and the risk management process is aligned with the ISO 31000 standard. The Audit Committee regularly conducts a review of top operational risks and evaluates the effectiveness of the risk management system.
Internal Control
Internal Control, supported by Risk Management, is an important element of WithSecure's management system. The Board of Directors is responsible for ensuring that the operating principles for internal control have been defined, and that the company monitors the functioning of internal control.
WithSecure has defined its objectives for internal control based on the globally applied principles. Internal control consists of e.g. policies, processes, procedures as well as control and monitoring activities. Internal Control is designed to provide a high level of assurance regarding the achievement of WithSecure's objectives in the following categories:
- Effectiveness, efficiency and transparency of operations on all levels in accordance with the WithSecure strategy
- Reporting, including financial and non-financial, external and internal, to the Board, management, shareholders and stakeholders being complete, reliable, relevant and timely
- Compliance with applicable laws, regulations and WithSecure policies and instructions
Sustainability Reporting
In WithSecure's sustainability reporting, the role of internal control is important to ensure transparency and accountability. The internal control catalogue and Internal Control Operating Principles include dedicated sections to ensure that WithSecure's sustainability reporting is conducted timely and accurately, following the relevant regulations. Sustainability-related matters are regularly addressed by the administrative, management and supervisory bodies.
SBM-1 Strategy, business model and value chain (Reported)
As part of WithSecure's strategy, WithSecure has implemented a sustainability program, to ensure that sustainability issues are addressed in the company's strategy. The leading guideline of WithSecure's sustainability program is Maximizing Net Impact – on the planet, people and society. The objective of the program is to ensure that sustainability is embedded in all the company's decisions. WithSecure also wants to ensure transparency of the company's activities to the users of its reporting.
WithSecure offers cyber security products and services for business customers globally. The company's role of protecting the digital society and preventing damages and losses caused by cybercrime is its most important contribution to a more sustainable world. With this role, WithSecure's activities will always generate a positive impact on society. By preventing cyberattacks, WithSecure helps businesses to avoid financial losses and data breaches, which supports economic stability and trust in digital society. A well-functioning digital society is a major enabler of sustainability. Through its efforts, WithSecure helps create a secure digital society, reducing the need for materials and transportation. This supports a more sustainable world.
Business Model and Value Chain
WithSecure's business model is based on providing cyber security software and services to its customers. The company's clientele consists of other companies, mainly sales partners and their customers who then make up the end-user base of WithSecure's services.
Defining WithSecure's value chain ensured that the materiality assessment considered sustainability topics, sub-topics and sub-sub-topics broadly and throughout the value chain. All the ESRS Standard topics have been screened throughout WithSecure's value chain.
Value Chain Overview:
- Upstream: Equipment and materials manufacturing, where for example hardware and data transmission networks for WithSecure's suppliers are processed. The value chain continues to WithSecure's suppliers who provide WithSecure with software and cloud services, equipment and third-party services, such as marketing.
- WithSecure Operations: Digital product design and cyber security solutions
- Downstream: WithSecure's sales partners, and lastly WithSecure's customer companies and end users, including WithSecure's customer companies and their employees.
People are also at the heart of WithSecure's sustainability endeavours. WithSecure employs highly skilled experts around the world and wants to support their wellbeing and growth opportunities. The company's aim is to reach the sustainability goals with the support of the 961 employees divided between the 15 offices globally. The major office locations are Helsinki (Finland), London (UK), Kuala Lumpur (Malaysia) and Poznan (Poland). The rest of the global offices are scattered across Europe, North America, Japan, and Asia Pacific.
WithSecure does not operate in the fossil fuel sector or with chemical production, controversial weapons, and cultivation and production of tobacco. WithSecure's internal operations must always follow high ethical standards. None of WithSecure's products and services are banned in certain markets. For corporate responsibility reasons, WithSecure has however chosen to not conduct business with any Russian or Belarusian parties, even in cases where it would be permitted by the export control regulations.
WithSecure's sustainability related goals are followed on group level, which aligns with the financial reporting being followed based on one segment. Due to the nature of the business, revenue is reviewed at group level. There are no separate sustainability goals per individual product or service group, customer category, geographical area or stakeholder relationship.
SBM-2 Interests and views of stakeholders (Reported)
WithSecure has identified six different groups of stakeholders. Three stakeholder groups – namely the employees, the partners, and the investors and financial analysts – have participated in the company's double materiality analysis directly. This ensures that their views have been integrated in WithSecure's material impacts, risks and opportunities related to the scope of the standard topics ESRS S1 "Own workforce" and ESRS S4 "Consumers and end-users".
Other stakeholders' views were gathered through different means, such as surveys and interviews. As a part of the information gathering, the stakeholder groups' expectations for WithSecure were determined, the engagement and their possibilities of communicating with WithSecure were evaluated, and the expected outcomes as well as activities were also identified.
Stakeholder Engagement Overview:
| Stakeholder Group | Expectations for WithSecure | Engagement Methods | Examples of Expected Outcomes and Activities |
|---|---|---|---|
| Employees | Fair compensation, Secure working environment, Equity, diversity of workplace, Professional development, Work/life balance support | Townhalls, other regular and ad hoc communications, Continuous development – training opportunities, Personal Development Plan maintenance, Employee surveys, Employee rep Board member | Increasing awareness on WIDE topics and Code of conduct, Sharing knowledge of sustainability, Enhancing PDP process and follow-up, Equal pay (or similar) assessments |
| Partners / Direct customers | Reliable products, easy interface, Fair compensation model, Seamless collaboration and business support, Up-to-date knowledge of cyber security world | Partner Advisory Board, Partner programs, Regular engagement via sales teams, Support in technical matters, training, Assistance in ESG queries, answering 3rd party platform questions (EcoVadis, CDP) | Up to date sustainability website, Ability to provide CO2 footprint/eur to customers, Increasing energy efficiency of products |
| End-customers | Reliable products, Support in case of emergencies | Feedback received and improvements to products | Sharing knowledge on cyber security, Up to date Incident Response services for smaller customers |
| Investors and financial analysts | Consistent growth, Predictability of results, Transparency of communication, Good governance | Regular meetings, attending group meetings and presentations, Capital Market Days, ESG ratings of 3rd parties | Up to date sustainability website, Improvement of ESG ratings |
| Suppliers | Fair compensation for products/services, Favourable terms & conditions, Good business ethics | Supplier onboarding and verifications if necessary, Cyber security scanning of IT related vendors | Develop a lean way of managing supply chain sustainability |
| Regulators | Compliance with regulations, Transparent sustainability reporting | Participation in key legislation preparations regarding cyber security as an advisory body, Following up regulation to ensure compliance | Alignment of activities on sustainability with regulation |
WithSecure's stakeholder inclusion in the double materiality analysis process highlights the company's commitment to actively listen to and engage with its stakeholders. To enable the understanding of the stakeholders' expectations and concerns, an ongoing engagement is maintained. The continuous dialogue facilitates the communication of WithSecure's sustainability efforts and processes.
The administrative, management and supervisory bodies of WithSecure are informed about the views and interests of affected stakeholders regarding WithSecure's sustainability-related impacts. Most recently, the views and interests of affected stakeholders were thoroughly determined as part of the double materiality analysis.
SBM-3 Material impacts, risks and opportunities and their interaction with strategy and business model (Reported)
As a step towards preparing for the CSRD reporting and to identify WithSecure's material sustainability-related impacts, risks and opportunities, the company conducted a double materiality assessment (DMA) during the year 2023. The assessment was conducted against the EFRAG ESRS (European Sustainability Reporting Standards). This assessment and the related DMA assumptions have been updated during the year 2024 to reflect new insights, stakeholder feedback, and changes in the regulatory environment.
The DMA includes topics where WithSecure could have a material impact (inside-out approach) and those posing financial risks or opportunities (outside-in approach). Following CSRD requirements, only material topics are included in the sustainability report. Both internal and external stakeholders participated in the assessment to identify material sustainability topics across the value chain.
Summary of Material Impacts, Risks and Opportunities:
| ESRS Standard | Main Impacts, Risks and Opportunities | Financial Impact | Likelihood | Impact Materiality | Impacts on |
|---|---|---|---|---|---|
| E1 Climate change | Climate change mitigation presents financial opportunities as customers move to cloud environments. The company's products have a material impact on protecting digital society and enabling sustainable activities of end-customers. | Medium-term | 75-100% | Concentrated to widespread, Minimal to low scale, Difficult remediability | Own operations, upstream and downstream value chains |
| S1 Own workforce | Employees are key to company success. Maintaining a diverse, equal, competent and adaptable workforce is very significant. | Short-, medium- and long-term | 50-100% | Limited to concentrated scope, Minimal to high scale, Remediable | Own operations |
| S4 Consumers and end-users | Large impacts on protecting digital society and enabling sustainable activities of end-customers. Data privacy and security are very significant matters for a cyber security company. | Short-, medium- and long-term | 75-100% | Very widespread scope, Absolute scale, Very difficult remediability | Downstream value chain |
| G1 Business conduct | Good governance and business ethics are fundamentally important for a company operating in "trust business". | Short- and medium-term | 75-100% | Concentrated to widespread scope, Low to high scale, Difficult to very difficult remediability | Own operations, upstream and downstream value chains |
Material Sub-topics Identified:
- Climate change mitigation (E1)
- Working conditions (S1)
- Equal treatment and working opportunities for all (S1)
- Information-related impacts for consumers and/or end-users (S4)
- Corporate culture (G1)
- Protection of whistleblowers (G1)
- Management of relationships with suppliers including payment practices (G1)
Non-material Environmental Topics: WithSecure has assessed various environmental impacts and determined that E2 Pollution, E3 Water and Marine Resources, E4 Biodiversity and Ecosystems, and E5 Circular Economy are not material topics. These impacts are considered to be of low significance, narrow in scope, and have a low likelihood of occurrence for WithSecure's operations due to the nature of the business as a software and services company.
WithSecure believes that the DMA presented fairly reflects the impacts, risks and opportunities WithSecure faces. Through the DMA, WithSecure identified its material sustainability-related impacts, risks, and opportunities. Stakeholder views and interests were integrated into this assessment and the outcomes.
IRO-1 Description of the processes to identify and assess material impacts, risks and opportunities (Reported)
Background
The Double Materiality Assessment has been carried out as an iterative process with the support of third-party advisors. The initial materiality assessment was conducted in 2022. It was expanded into a double materiality analysis in 2023, which was in turn complemented in 2024 to align with the updates of the regulation.
The Double Materiality Assessment topics were selected on the basis of European Sustainability Reporting Standards (ESRS), valid drafts and published standards at the time of each assessment round.
Parameters Used and Scope of Analysis
The same assessment methodology and assumptions were used for assessing all the ESRS topics, possible impacts, risks, and opportunities as well as their materiality. First the value chain perspective was considered. The time horizons were defined and WithSecure's upstream and downstream value chains were assessed. Stakeholders – including silent stakeholders – were engaged in this value chain assessment.
After scoping the value chain, the ESRS topics were evaluated holistically to assess possible material themes based on the scope of the value chain and own operations assessments. Additionally, the relevant legal and regulatory landscape was considered.
Financial Materiality Assessment
The process of assessing the materiality of the risks and opportunities is multifaceted:
- Time horizon: Defines the timeframe in which the identified risk or opportunity will occur
- Likelihood: Assessed on a scale from 25% (more likely not to happen) to 100% (actual risk/opportunity)
- Magnitude: Based on the potential impact on related revenue, related costs and group EBITDA
Impact Materiality Assessment
For impact materiality, the assessment uses 3 dimensions in addition to time horizon and likelihood:
- Scale: How significant the positive or negative impact of WithSecure is on the topic
- Scope: How widespread the company's impact is (limited to widespread)
- Irremediability: To what extent negative impacts can be remedied and restored relatively easily
Climate-related Hazards Assessment
The process for identifying climate-related hazards at WithSecure considers one general high-emission scenario across its own operations, upstream, and downstream value chain. This assessment covers short-term and medium-term horizons. WithSecure has also assessed the extent to which its assets and business operations are exposed and sensitive to transition events. No material climate-related hazards or risks were identified.
Environmental Impact Screening
Due to the nature of WithSecure's business as a cybersecurity company, the industry it operates in and the locations of its offices, its business activities have been assessed to have a limited impact on pollution, water and marine resources, biodiversity and ecosystems, and circular economy. WithSecure has conducted a screening of its locations, which are all rented offices in established big cities, and found they are not near biodiversity-sensitive areas.
Outcome
WithSecure's double materiality assessment consists of impact materiality and financial materiality. The material impacts, risks and opportunities for WithSecure fall under four ESRS topics: E1 Climate change, S1 Own workforce, S4 Consumers and end-users and G1 Business conduct. Seven different ESRS sub-topics were identified:
- Climate change mitigation (E1)
- Working conditions (S1)
- Equal treatment and working opportunities for all (S1)
- Information-related impacts for consumers and/or end-users (S4)
- Corporate culture (G1)
- Protection of whistleblowers (G1)
- Management of relationships with suppliers including payment practices (G1)
IRO-2 Disclosure requirements in ESRS covered by the undertaking's sustainability statement (Reported)
The tables below describe all the ESRS disclosure requirements in ESRS 2 and the identified material topics E1, S1, S4 and G1 that have set the framework for the preparation of the sustainability report.
Cross-cutting standards – ESRS 2 "General disclosures"
| Standard section | Disclosure requirement | Section/report | Additional information |
|---|---|---|---|
| BP-1 | General basis for preparation of the sustainability report | BP-1 General basis for preparation of sustainability report | |
| BP-2 | Disclosures in relation to specific circumstances | BP-2 Disclosures in relation to specific circumstances | |
| GOV-1 | The role of the administrative, management and supervisory bodies | GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies | |
| GOV-2 | Information provided to and sustainability matters addressed by the undertaking's administrative, management and supervisory bodies | GOV-1, GOV-2 The role of, information provided to and sustainability matters addressed by the administrative, management and supervisory bodies | |
| GOV-3 | Integration of sustainability-related performance in incentive schemes | GOV-3 Integration of sustainability-related performance in incentive schemes | |
| GOV-4 | Statement on sustainability due diligence | GOV-4 Statement on due diligence | |
| GOV-5 | Risk management and internal controls over sustainability reporting | GOV-5 Risk management and internal controls over sustainability reporting | |
| SBM-1 | Strategy, business model and value chain | SBM-1 Strategy, business model and value chain | See also Business model and value chain |
| SBM-2 | Interests and views of stakeholders | SBM-2 Interests and views of stakeholders | |
| SBM-3 | Material impacts, risks and opportunities and their interaction with strategy and business model | SBM-3 Material sustainability-related impacts, risks and opportunities | Also detailed per each ESRS topic in respective sections |
| IRO-1 | Description of the process to identify and assess material impacts, risks and opportunities | IRO-1 Description of the process to identify and assess material impacts, risks and opportunities | |
| IRO-2 | Disclosure requirements in ESRS covered by the undertaking's sustainability statement | IRO-2 Disclosure requirements in ESRS covered by the undertaking's sustainability report | Detailed per each ESRS topic |