ENTITY-SPECIFIC

Cybersecurity and data processing

CYBERSECURITY

SBM-1 – MARKET POSITION, STRATEGY, BUSINESS MODEL(S) AND VALUE CHAIN

Protected assets

Digital products and services (IT), industrial systems (OT), internet-connected assets (IoT) and information generated in business processes are crucial for the creation of value for our stakeholders.

  • 100% – Successfully managed security incidents
  • 188,488 – Phishing simulation emails received by employees annually
  • 8,341 – Unique users included in phishing simulations annually
  • 60,908 – Phishing mails blocked by our systems monthly
  • 6,901 – Blocked access to corporate resources with other malicious or untrusted origins monthly
  • 2.3 – Ransomware attacks detected and automatically blocked monthly*

* Note: Indicator data on ransomware attacks detected and automatically blocked is collected as of June 2024.

In general, the data expressed above are obtained from the technological platforms that support the security processes (MS Defender, Sentinel, KnowBe4, GlobalSuite). For this purpose, the source system is used as the reference, and the data are subsequently consolidated in Microsoft Office technologies. Evidence of data extraction is kept for those systems in which the retention period is shorter than the fiscal year for which the data are obtained. These values have not been validated by a third party, although due diligence has been exercised by their respective managers with respect to their evolution throughout the fiscal year, taking into account possible deviations from the defined thresholds. As far as possible, efforts have been made to standardize the data, providing them on a monthly or annual basis. Ferrovial monitors compliance with security objectives and provides feedback to the corresponding governing bodies.

Ferrovial’s Security Model allows it to adapt to the changing and challenging environment in terms of cyber threats, providing the necessary resources to (I) guarantee the confidentiality, integrity and availability of its digital assets, (II) ensure due regulatory, legal and contractual compliance in the performance of its business activity and (III) provide resilience to the Company’s value proposition.

GOVERNANCE

Ferrovial deploys and updates its Cybersecurity Governance Model, which is aligned with the business and with the achievement of its objectives. This model is based on an effective Risk Management program and a series of Cybersecurity Capabilities, based on international standards and best market practices, which are audited and reviewed regularly throughout the year.

Annually, a global cybersecurity risk assessment is performed across all Ferrovial’s business units and subsidiaries, analyzing the exposure of assets to cyber threats and their potential impact. In addition, compliance with cybersecurity capabilities is reviewed, and a roadmap is developed to ensure that the residual risk level remains within the risk thresholds in accordance with the risk appetite established by the Company.

The Company has a Global CISO and local CISOs for each business and subsidiary. Their roles and responsibilities in cybersecurity are clearly defined, as well as the relationship and reporting model across the business units.

Ferrovial’s governing bodies have an updated view of the state of cybersecurity. Thus, the Global CISO reports periodically to Ferrovial’s Management Committee and to the Management Committees of the divisions, generally reporting on the security strategy and program, as well as about the main security risks and threats.

In addition, the Global CISO, at the request of the Audit and Control Committee, provides information on the security strategy and program, the level of internal control, the main security risks and threats, and how they are being managed. The Global CISO also reports periodically to the Board of Directors, providing information about the strategy, the security program, the main security risks and threats, and how they are being managed.

Compliance is one of the fundamental practices within Cybersecurity Governance. As part of the Compliance Program, actions are being implemented to adapt the cybersecurity governance model to the SEC Rules on Cybersecurity published by the SEC in June 2023 and the NIS2 directive, in force in the European Union since January 2023.⁵

During 2024, initiatives were carried out to improve the Company’s exposure surface, to promote automation and the use of AI in threat detection and response processes, and to adopt market technologies to obtain a quantified view of risk and materiality in terms of cybersecurity. As part of the SOx adaptation process, the internal control model for financial information was strengthened and automated and integrated into Ferrovial’s Control Framework.

MODEL

Ferrovial has a Corporate Cybersecurity Policy. It was approved by the CEO in 2022 and applies to all divisions and subsidiaries and can be consulted at the Company’s website.¹ Its principles and objectives are aligned with the business strategy. Its implementation is carried out through a set of Security Policies that encompasses the organization, people, processes and technologies, formalized in a set of Security Principles based on best market practices, highlighting the NIST CSF and the ISO 27001 standard (in which Ferrovial has been certified since 2012).

The Cybersecurity Model adheres to the principle of continuous improvement established by the ISO 27001 standard (Plan, Do, Check, Act). The strategy is executed through a program with initiatives to develop new capabilities or strengthen current ones. The Model is periodically and systematically measured and reviewed through internal or third-party auditing processes, automated tools and by capturing and evaluating KGIs, KPIs and KRIs. The results of these reviews are supervised by the Cybersecurity team and are part of the elements that are regularly reported to Ferrovial’s Governing Bodies.

Ferrovial has a Cybersecurity Risk Assessment and Management Program, based on best market practices such as ISO 31000 and FAIR (Factor Analysis of Information Risk), which provides both a qualitative and a quantitative view of this risk. Ferrovial is currently working to automate this process and enhance its quantification capabilities, using a market CRQ (Cyber Risk Quantification) tool. This tool incorporates GRC (Governance, Risk & Compliance) capabilities that complement other such tools already deployed.

The cybersecurity strategy to be deployed throughout 2025 will focus on (I) evolving cybersecurity capabilities to strengthen the automation and orchestration of detection and response processes, (II) leveraging AI to support security processes, (III) protecting digital identity, (IV) increasing necessary control of the supply chain, (V) strengthening OT capabilities and (VI) ensuring due diligence and good governance regarding cybersecurity.

¹ European Directive 2022/2555 of the European Parliament and of the Council (NIS 2): Cybersecurity legislation adopted for the entire European Union. Date of entry into force: 01/03/2023. Expected date for national transposition: 10/17/2024 (still pending in several member states). Date of reporting to the Commission of the list of essential and important entities: 04/17/2025.

Policy: Cybersecurity Policy

Description: This policy defines the principles and guidelines for safeguarding Ferrovial’s information, systems, and operations against cyber threats, ensuring confidentiality, integrity, and availability of digital assets. It supports the organization’s commitment to business continuity and secure data management.

Target: The policy aims to:

  • Ensure a digital and technological environment with the necessary level of security.
  • Guarantee legal, regulatory, and contractual compliance.
  • Ensure operational resilience against cyberattacks.
  • Foster a culture of cybersecurity awareness and responsibility among employees, suppliers, and partners.

Associated material impacts, risks and opportunities:

  • Impacts: Potential economic losses, reputational damage, legal, regulatory and contractual non-compliance, and disruptions due to cyber incidents.
  • Risks: Suffering sophisticated cyberattacks that affect the Company’s operations, productivity, information, intellectual property or image/reputation, as well as the integrity of people. Severe fines and penalties for non-compliance with regulations and enforcement control frameworks.
  • Opportunities: Building stakeholder trust through robust cybersecurity practices, leveraging innovation for competitive advantage, and complying with global regulatory standards to strengthen market positioning.

Follow-up and remediation process: Ferrovial ensures implementation of and compliance with its Cybersecurity Policy through regular reviews of risks and controls encompassing all business units and participated assets. This information is reported periodically to the Company’s governing bodies that oversee the status of cybersecurity.

Scope of the policy:

  • Stakeholders impacted: All Ferrovial employees, suppliers, and customers with access to company systems or data.
  • Geographic areas: Global.
  • Value chain application: The policy extends across the entire value chain, including upstream suppliers and downstream customers, ensuring secure practices in all business interactions. Cybersecurity is a practice supporting digital assets that ultimately support business activities.
  • Exclusions from application: There are currently no exclusions; the policy applies to all areas of activity, geographies, and stakeholders.

Policy approval flow: Chief Executive Officer / Board of Directors – responsible for approving the policy.

Other issues to report (if applicable):

  • Consistency with third-party instruments or standards: The policy aligns with:
    – International standards, including ISO 27001
    – European regulations such as the GDPR
    – The Spanish National Security Framework (ENS)
    – Ferrovial’s Corporate Responsibility and Sustainability Policies
  • Attention to stakeholders: The policy incorporates feedback from key stakeholders to address cybersecurity concerns effectively and ensure secure collaboration across the organization.
  • How it is made available: This policy is available on the Ferrovial website (ferrovial.com) and on its intranet.
  • Significant policy changes: N/A – no changes were made.

“Associated material impacts, risks and opportunities”: this concept is related to ESRS and double materiality. It is NOT related to the materiality of cyber incidents as considered by the SEC.

SBM-2 INTEREST AND VIEWS OF STAKEHOLDERS

CULTURE

During 2024, Ferrovial continued with its strategy of promoting a cybersecurity culture with a user-centric approach. Phishing drills were conducted, at least every two weeks, along with Smishing, QRishing and Vishing exercises. User response improved, both in threat detection and reporting suspicious messages. An increase in the notification of suspicious emails from phishing exercises was observed compared to the previous year.

[Chart: Phish-prone percentage]

The improvement in user behavior is evidenced by the downward trend in 2024, both in the level of personal risk and in the predisposition of users to succumb to this type of threat.

Users have visibility of their own risk level, which is based on their profile, their daily actions, and their behavior in phishing drills and training. This feedback helps individuals understand their current performance, encouraging the detection and management of these threats and motivating them to undertake voluntary training actions to improve their personal rating. After the drills, the level of risk of falling victim to such attacks is measured, and subsequent cycles of training, awareness and coaching are adapted to the specific needs identified.

Among the training activities promoted this year, the series “The Inside Man” merits mention, with chapters distributed weekly to all employees. Each episode in the series offers tips on protecting against cybersecurity threats such as social engineering, phishing and cyberattacks.

Ferrovial also develops specific training for different groups with specially selected content. This includes training in Secure Application Development for developers and architects of digital products, and the course on Safety in Industrial Control Systems for personnel involved with Operation Technologies (OT).

In 2024, the biannual Congratulations/Rewards campaigns continued, congratulating the employees who best respond to the awareness activities promoted from the Cybersecurity Directorate, and supporting the most vulnerable users with additional educational resources.

LEGAL, REGULATORY AND CONTRACTUAL COMPLIANCE

Within the Cybersecurity Directorate is the Cybersecurity Compliance area, responsible for identifying the applicable legislation on this topic, as well as the requirements necessary to ensure compliance. In performing its activity, it is regularly supported by Ferrovial’s Legal Counsel and Compliance teams.

Compliance is implemented through the Security Model, by verifying the degree of compliance with the applicable requirements. Whenever a new law or regulation is identified, or an update to a previously applicable one is published, the degree of coverage of the new requirements is analyzed and, where any of them are not fully or partially covered, the model is enhanced accordingly.

The most relevant regulations covered by the Security Model include, but are not limited to: (I) Data Protection (EU GDPR and LOPDGDD), (II) Sarbanes-Oxley Act (SOx), (III) SEC Rules on Cybersecurity, (IV) Internal Control System for Financial Information (SCIIF), (V) SWIFT regulations (Society for Worldwide Interbank Financial Telecommunication), (VI) NIS2 directive, (VII) PCI DSS regulations, (VIII) Crime Prevention Model as stipulated in the Penal Code, (IX) National Security Scheme (Spanish “ENS”), (X) ISO 27001 standard and various local regulations in the geographies where Ferrovial operates relating to the protection of Essential Services and Critical Infrastructures, and Privacy.

There are ongoing programs for adapting to some of the aforementioned regulations: (I) SOx, (II) SEC Rules on Cybersecurity, (III) NIS2, (IV) TX-RAMP.

Likewise, the Cybersecurity Directorate ensures compliance with the security requirements defined in the specifications, tenders and contracts across various business units. This is because it is a member of the teams that analyze and prepare the specifications and decide when they will be integrated into Ferrovial’s Cybersecurity Model.

SBM-3 – MATERIAL IMPACTS, RISKS AND OPPORTUNITIES AND THEIR INTERACTION WITH STRATEGY AND BUSINESS MODEL

THREAT DETECTION, CORRELATION AND CYBERINTELLIGENCE

The Company has SOC (Security Operations Center) capabilities to protect its data centers, perimeters, endpoints and cloud environments. This service responds to alerts generated by SIEM (Security Information and Event Management) tools and detects use cases defined by Ferrovial’s Cybersecurity Directorate, that require activation.

Currently there is a SOAR (Security Orchestration Automation and Response) platform that enables the coordinated integration and operation of various prevention and protection tools, facilitating automated detection and response, as well as orchestration within the structured incident management playbooks and change management process.

The organization also integrated advanced cybersecurity platforms and processes to protect against and detect information-related compromises, addressing use cases such as unauthorized access, anomalous transmission of large volumes of data, and exfiltration, whether to physical storage or via cloud services.

Cyber intelligence capabilities are a key factor in protecting organizations and enabling early detection and rapid response to security threats and incidents. For this reason, new tools were deployed for the advanced detection of corporate identity compromises and the distribution of associated information in commonly used illegal channels. This capability extends to the corporate level as well as to the business units and subsidiaries of the Group.

Although the Company has been working on cybersecurity for years with advanced machine learning, pattern analysis and automation tools, the evolution of artificial intelligence has enabled greater integration and the availability of new AI-related capabilities. These include retroactive investigation of potential incidents, real-time vulnerability detection, information protection for use in collaborative tools, and detection of and response to identity attacks.

Finally, the Company exchanges threat information and manages incidents in coordination with national and international cybersecurity agencies.

CYBERATTACK RESPONSE

The Company has a CSIRT (Computer Security Incident Response Team) that responds to events detected by the SOC (Security Operations Center) that may become security incidents. This team has DFIR (Digital Forensics and Incident Response) capabilities to analyze, contain, mitigate and prevent such events. The periodic identification of IoCs (Indicators of Compromise) and TTPs (Tactics, Techniques and Procedures) is essential for enhancing protection and detection mechanisms and the SOC’s response, both manual and automated.

Ferrovial also has cybersecurity posture tools that enable real-time assessment of compliance with certain security parameters and controls, of the managed IT infrastructure (in data centers and cloud environments) and of endpoints. This enables the generation of a comprehensive risk and control overview related to the security recommendations issued by manufacturers, market security standards and frameworks, as well as the development of action plans to improve the posture.

Ferrovial has an incident response protocol based on best market practices (INCIBE-CERT Guide, ISO/IEC 27035 and NIST). In addition, a global procedure was deployed for the identification and reporting of material cyber incidents to regulatory bodies (SEC, National and International Cybersecurity Agencies, AEPD, among others). Communication with regulators, authorities, clients and other stakeholders, through mechanisms within the specific deadlines established, is one of the key elements for Ferrovial to ensure transparency and due diligence.

Detection and response capabilities are systematically evaluated through Breach & Attack simulations using commercially available technologies.

It is important to note that, during 2024, there were no material cybersecurity breaches to Ferrovial’s information systems.

RESILIENCE AND CYBER RESILIENCE

The Company established Contingency Plans and Recovery Plans to respond to and recover from disruptive events. The Crisis Management Protocol involves different Ferrovial departments and divisions, according to the protocols established for each of them. Response and recovery plans for incidents and disruptive events are tested at least once a year.

Similarly, as part of the Vendor Risk Management (VRM) process, critical suppliers must provide evidence of regular testing of their recovery plans to ensure availability and the required recovery parameters.

Throughout 2024, Ferrovial has carried out various tabletop simulations, testing different crisis scenarios for the organizational structure, procedures and capabilities required in the coordination of detection, response and recovery actions in the event of cyberincidents.

The Company also has a cyber insurance policy that provides various types of coverage for disruptive events and cyber incidents that may occur within the context of the work performed by Ferrovial, business units and subsidiaries; these include financial, incident response and legal coverage. It is worth noting that it has not been necessary to activate this policy, as no material cyberincidents have occurred.

THIRD PARTY RISK MANAGEMENT

Ferrovial has a Vendor Risk Management (VRM) process that establishes the security requirements that third parties must comply with based on the service they provide to the Company or their access level to the Company’s information and assets. The process establishes evaluations of third parties based on the criticality of their products and services.

Suppliers complete security requirement assessment questionnaires for each product or service with an IT component that they provide to Ferrovial, including evidence of compliance. The questionnaires are analyzed by the Cybersecurity VRM team to establish the risk level of the supplier-service combination. If a higher risk level is identified, safeguards are required both in the contracts and in the suppliers’ own capabilities.

Assessments may be based on reports issued by third parties, certifications, ratings or other audit and review techniques that provide the necessary information to determine the degree of compliance with cybersecurity hygiene measures by third parties.

EXTERNAL VERIFICATION AND VULNERABILITY ANALYSIS

The Company conducts an ongoing review of its Cybersecurity Model to identify potential improvements and address vulnerabilities. Each year, security audits and reviews are conducted, including:

  • Internal and third-party audits associated with the renewal of ISO 27001 certification.
  • Security audits within the framework of the EEFF audit (ITGC and ITCC).
  • External audit by SWIFT (Society for Worldwide Interbank Financial Telecommunication).
  • Audits performed by Internal Audit (third line of defense).
  • SOx IT ToD & ToE.
  • Cybersecurity questionnaires required by clients.
  • Dow Jones Sustainability Index (DJSI).
  • ESG Sustainability Report (dual materiality).
  • Ad-hoc security reviews according to annual planning.
  • Regular breach & attack exercises, combined with threat hunting.
  • Vulnerability reviews in data centers, endpoints, perimeters and cloud environments, as well as in industrial environments.
  • Vulnerability reviews in the source code.
  • Review of Ferrovial’s cybersecurity rating.
  • Vendor Risk Management (VRM).
  • Crisis simulations (tabletop exercises).

Cybersecurity Management consolidates, assigns, plans and monitors the implementation of the different action plans arising from the assessments, reviews and audits performed.

The management review process is formally performed every year, and one of its purposes is to review the achievement of planned cybersecurity actions. It is overseen by the Global CISO, considering inputs such as KGIs and KPIs, the results of audit and review processes, and the follow-up of risk treatment plans. Improvement actions are taken accordingly where needed.

IRO MANAGEMENT

Ferrovial adopts a comprehensive and structured approach to managing the material Impacts, Risks, and Opportunities (IROs) related to cybersecurity, ensuring alignment with best practices, regulatory requirements, and business priorities. This approach is based on robust governance, proactive risk management, and continuous improvement of cybersecurity capabilities.

The management of material IROs in cybersecurity includes:

  1. Governance and Organizational Framework: Ferrovial’s cybersecurity governance model is led by the Global Chief Information Security Officer (CISO), supported by local CISOs across business units. Regular reporting to the Management Committee and Board of Directors ensures oversight of strategy, key risks, and mitigation measures. The governance model also ensures compliance with standards such as ISO 27001, the NIS2 Directive, and SEC cybersecurity rules.
  2. Risk Management and Threat Assessment: Annual global cybersecurity risk assessments quantify risks using advanced tools such as Cyber Risk Quantification (CRQ) and GRC platforms, identifying the exposure of critical assets and maintaining risk thresholds within acceptable limits.
  3. Threat Prevention, Detection and Response: Advanced technologies like SOAR and cyber intelligence tools, along with organizational measures such as the SOC (Security Operations Center), detect and respond to threats. Artificial intelligence enhances retroactive incident analysis, real-time vulnerability detection, and identity protection.
  4. Incident Management and Resilience: Incident response protocols based on best practices such as ISO/IEC 27035 ensure effective mitigation. The CSIRT team uses advanced digital forensics to investigate incidents, supported by regular breach simulations and comprehensive cyber insurance policies.
  5. Third-Party Risk Management: The Vendor Risk Management (VRM) process requires suppliers to meet stringent cybersecurity criteria. Regular assessments and contractual safeguards are in place for high-risk suppliers.
  6. Cultural Transformation and Awareness: Training programs and phishing simulations promote a “security-first” mindset among employees, with recognition campaigns rewarding those who excel in cybersecurity practices.
  7. Continuous Improvement and External Verification: Regular audits, breach simulations, and vulnerability assessments ensure the cybersecurity framework remains effective and up-to-date.