The Cyber Resilience Compass 2025

Page 14 of 26 · WEF_The_Cyber_Resilience_Compass_2025.pdf

CASE STUDY 6
Repsol – Resilience in action: The power of training and simulations

As a leading global energy company, Repsol operates critical infrastructure in highly complex digital, cloud and industrial environments. With digitalization and innovation driving the company’s growth, ensuring protection against potential cyberthreats while preserving operational continuity is a core priority of Repsol’s operations.

Central to Repsol’s resilience strategy is continuous training and education for users, its business operations team and its technical team. This prepares the company to minimize the impact of cyberattacks by enhancing response speed and precision. Frequent crisis simulations with business continuity and technical tests are conducted to improve detection and response capabilities while strengthening the resilience of response teams under stress.

Repsol integrates both red-team simulated cyberattack exercises and tabletop decision-making scenarios, sometimes with no prior notice. Employees from all locations participate, and some exercises escalate to the board level. Lessons learned from these exercises lead to continuous improvements and to the refinement of strategies and responses. This comprehensive approach ensures Repsol’s cyber resilience is robust and adaptive, safeguarding its infrastructure and supporting ongoing digital growth by enabling quick and effective responses to cyber incidents.

3.4 Business processes

Business processes describe an organization’s approach to prioritizing, designing, implementing and adapting functions. This involves:

– Prioritizing and tiering business services
– Preparing for worst-case scenarios
– Building adaptability and resilience into business operations
– Reviewing business processes regularly to meet changing priorities

Examples of front-line practices that organizations are applying:

– Top leadership identifies the most critical business services and tiers them regularly to (re-)prioritize their importance under shifting circumstances. Clarity and prioritization allow enhanced decision-making and effective allocation of resources during a crisis.
– Local leadership anticipates failures and builds key business processes to continue operations despite worst-case disruptions. Business processes embed resilience from the outset with redundancy and acceptance of risk built into process design. Similarly, data protection officers (DPOs), CISOs and local leadership establish information governance policies that mitigate the potential impact of significant data breaches by reducing the volume of data at risk.
– Teams periodically review and refine business processes to meet changing priorities and incorporate lessons from past incidents. Business processes are able to adjust to internal and external factors, such as regulatory and legislative changes, an evolving risk landscape and business priorities, emerging supply-chain dependencies and shifts in digital infrastructure.

Many experts shared examples of collaborating with colleagues within an organization to develop fallback processes, typically as part of business continuity planning. A key challenge is to ensure that these plans consistently include a broad range of relevant cyber risk scenarios.

Sectors such as critical national infrastructure and the military often construct business processes to be resilient by design. Examples include eliminating single points of failure, and using the concept of separation of duties, where business process architects assume that an incident will occur and try to minimize its impact. While embedding high levels of inherent resilience into business processes is beneficial, it comes with costs in terms of financial investment and process efficiency.

Recent regulations to strengthen operational resilience were cited as a major driver for organizations to focus more on the inherent resilience of their business processes.

The Cyber Resilience Compass: Journeys Towards Resilience 14