For secunet, effective corporate governance is one of the main prerequisites for achieving corporate objectives and increasing corporate value.

Corporate governance spans a company’s entire system for management and monitoring including its organisation, business policy principles and guidelines as well as internal and external control and monitoring mechanisms. Outstanding and transparent corporate governance ensures responsible management and control of a company in alignment with the creation of value. It promotes trust in secunet on the part of investors, financial markets, business partners and staff as well as the general public.

Reporting on Corporate Governance

An effective and transparent organisation, as well as responsible and reliable Corporate Governance, are very important at secunet Security Networks AG. The Company’s Management Board and Supervisory Board firmly believe that good Corporate Governance is key to the continued success of the Company on the market.

The term Corporate Governance describes the regulatory framework for the management and supervision of companies. In a general sense, this framework must be designed in such a way that the Management Board and Supervisory Board work to ensure that the company continues to exist and creates value sustainably. Recommendations and proposals for how this requirement can be implemented in the control and management of companies are summarised in the German Corporate Governance Code. The Code serves the purpose of increasing trust in companies listed on the German stock exchange.

The Management Board and Supervisory Board of secunet Security Networks AG therefore regularly check the implementation of the German Corporate Governance Code at secunet Security Networks AG. In the financial year 2017, the Management Board and Supervisory Board of secunet Security Networks AG once again carefully deliberated on the recommendations and proposals of the German Corporate Governance Code, in the respective versions as amended on 5 May 2015 and 7 February 2017. The Declaration of Conformity set out below regarding the German Corporate Governance Code (Deutscher Corporate Governance Kodex, DCGK) was agreed on the basis of these deliberations. This declaration is permanently available on our website and constantly updated to reflect any amendments.

In accordance with Item 3.10 of the German Corporate Governance Code and Article 289a of the German Commercial Code (Handelsgesetzbuch, HGB), the Management Board and Supervisory Board give the following report:

 

Management and supervisory structure

secunet Security Networks AG is subject to German stock corporation law. As a German public limited company, it has a dual management and supervisory structure consisting of a Management Board and a Supervisory Board. The Management Board consisted of two members in the 2017 financial year, but was expanded to include an additional member from 1 January 2018. The Supervisory Board is made up of six members. The Management Board and Supervisory Board work together closely and on the basis of mutual trust in their management and supervision of the Company.

Supervisory Board

The Supervisory Board performs the tasks assigned to it by law and by the Company’s Articles of Association. It supervises and advises the Management Board with regard to the management of the Company. At regular intervals, the Supervisory Board discusses business performance and planning, as well as the strategy and its implementation. It discusses the 6-month financial reports and quarterly updates with the Management Board before their publication, and approves the Annual Financial Statements of secunet Security Networks AG and the Group, taking into consideration the audit reports prepared by the auditors and its own examination. The Supervisory Board monitors the accounting process, the effectiveness of the internal control system, risk management and internal audit, as well as the auditing of the financial statements. Its tasks and responsibilities also include appointing members to the Management Board. Management Board decisions of fundamental importance, such as major acquisitions, disposals and financial measures, require the consent of the Supervisory Board. An extraordinary meeting of the Supervisory Board is convened as and when necessary should significant events arise. The Supervisory Board has drawn up rules of procedure for its work. Its Chairman coordinates the work carried out within the Supervisory Board, chairs its meetings and represents its interests externally.

In accordance with the Articles of Association, the Supervisory Board of secunet Security Networks AG comprises six members. The current terms of the members of the Supervisory Board end with the Annual General Meeting 2019, in which the next Supervisory Board elections are due to take place. The knowledge, skills and professional experience required to fulfil the remit are taken into account when drawing up the nominations for election to the Supervisory Board. In addition, the Supervisory Board has defined specific targets for its composition in accordance with Item 5.4.1 of the German Corporate Governance Code, and has drawn up a skills profile for the panel as a whole. The purpose of the skills profile is to ensure that the members of the Supervisory Board possess all the knowledge and experience considered essential in light of the activities of the secunet Group.

Taking into account the Company’s specific situation, at the next election of its members, the Supervisory Board will strive to achieve diversity among candidates with the requisite professional and personal qualities. Among suitable candidates, the Supervisory Board will look for international experience, independence and an appropriate proportion of female members. At least one Supervisory Board position in the elections due to take place in 2019 is reserved for a female member in accordance with the recommendation in Item 5.4.1 of the German Corporate Governance Code.

One or more Supervisory Board members should also have many years of special experience abroad, acquired as a result of working abroad or due to a foreign country of origin. In addition, the Supervisory Board should have at least two independent members in the sense of Item 5.4.2 of the German Corporate Governance Code.

The Supervisory Board will take the above-mentioned objectives into account in its suggestions for appointments, which it will publish to the Annual General Meeting 2019 for Supervisory Board elections, and will also strive to fulfil the skills profile for the overall panel.

In any event, in the opinion of the Supervisory Board, two members of the Supervisory Board at present are independent in the meaning of Item 5.4.2 of the German Corporate Governance Code. They are Dr Elmar Legge and Wolf-Rüdiger Moritz. At least one member of the Supervisory Board possesses many years of international experience.

The current composition of the Supervisory Board also complies with the specifications of the skills profile. The members of the Supervisory Board possess the professional and personal qualifications deemed necessary. They are all familiar with the sector in which the company is active and have the essential knowledge, skills and experience for the company.

The Supervisory Board has no committees. In the opinion of the Supervisory Board, this is not necessary, as the Supervisory Board comprises only six members. In a panel of this size, efficient operation of the Supervisory Board can be guaranteed without the formation of committees.

 

Management Board

The Management Board, as the body responsible for managing the Company, conducts the Company’s business under its own responsibility and in the Company’s interests. Its aim is to increase its value on a sustainable basis. In particular, it determines the principles of the Company’s policy and is also responsible for developing the Company’s strategy, for planning and setting the Company’s budget, for allocating resources, and for controlling and managing the Company’s business divisions and divisions. Specific measures described in the Management Board’s rules of procedure require the approval of the Supervisory Board. The Management Board is responsible for preparing the Company’s quarterly updates, the Annual Financial Statements of secunet Security Networks AG, and the Consolidated Financial Statements.

The Management Board works closely with the Supervisory Board. It informs the Supervisory Board regularly, comprehensively and without delay – by means of written and verbal reports – of all issues important to the Company as a whole with regard to strategy and strategy implementation, planning, business performance, the financial and earnings situation, and entrepreneurial risks. The Supervisory Board is included without delay in all decisions fundamental to the company.

 

Targets for the appointment of women

In addition, the Supervisory Board has also implemented the requirements of the legislation that came into force on 1 May 2015, regarding the equal participation of women and men in management positions. A target of 0% was set for the proportion of women on the Management Board and the Supervisory Board, and at management level directly under the Management Board, for the implementation period up to 30 June 2017. A target of 9% was applied for the second level of management under the Management Board. Further details on this topic can be found in the Corporate Governance Report for the 2015 financial year. The determined targets were met.

In its meeting on 4 May 2017, the Supervisory Board established a target of 17% for the Supervisory Board, relating to the implementation period from 1 July 2017 to 30 June 2022, with the goal of electing at least one woman to the Supervisory Board in the next rotational Supervisory Board Elections at the Annual General Meeting 2019. In the same meeting, the Supervisory Board also maintained the previously determined target of 0% for the Management Board relating to the implementation period up to 31 May 2019, because no expansion of the Management Board was intended at the time of the decision.

With regard to the two management levels below the Management Board, the Management Board set the following targets for the period from 1 July 2017 to 30 June 2022: 0% for the first level and 11% for the second level. In view of the small size of the Company, the limited number of management positions and the associated low level of fluctuation, the Management Board is of the opinion that more ambitious targets would not currently be realistic. The Management Board would, however, like to reiterate its intention to move towards a higher proportion of management positions being held by women (as far as possible).

In the 2017 financial year, the proportion of women at the second management level below the Management Board increased to 10.5%, thereby exceeding the target.

 

Responsible risk management

Good Corporate Governance also means that the Company must take a responsible approach to risk. Systematic risk management as part of our value-oriented Group management ensures that risks are identified and evaluated at an early stage, and that risk positions are optimised. The Management Board reports regularly to the Supervisory Board on the current development of key risks. Details of risk management at secunet Security Networks AG can be found in the Management Report. It also contains the report on the key characteristics of the internal control and risk management system relating to accounting.

Transparent Corporate Governance

Transparency in Corporate Governance is very important to the Management Board and Supervisory Board of secunet Security Networks AG. Shareholders, all participants in the capital market, financial analysts, shareholder associations and the media are provided with comprehensive, regular and up-to-date information regarding the Company’s position and regarding key changes to the Company’s business.

secunet Security Networks AG reports to its shareholders four times a year on business performance and on the financial and earnings situation, and makes all reports and information permanently available to shareholders on the Company’s website at www.secunet.com. The dates for the regular financial reporting are listed in the financial calendar. If any circumstances arise at secunet Security Networks AG that might significantly influence the stock market price of secunet Security Networks AG, this will be disclosed via ad hoc notifications. The financial calendar and ad-hoc announcements are available to view on the website of secunet Security Networks AG under >> Company >> Investor Relations >> News and Publications.

 

Shareholders and the Annual General Meeting

The shareholders of secunet Security Networks AG may exercise their rights, including voting rights, at the Annual General Meeting. Shareholders can exercise their voting right at the Annual General Meeting themselves or choose an agent or company proxy bound by their instructions to exercise the voting right. The Annual General Meeting takes place in the first eight months of the financial year. The Chairman of the Supervisory Board normally chairs the Annual General Meeting. Ahead of the Annual General Meeting, shareholders receive comprehensive information about the past financial year and about the individual items on the agenda of the upcoming Meeting by way of the Annual Report and invitation to the Meeting. All relevant documents and information on the Annual General Meeting, together with the Annual Report, are also available on our website.

In accordance with the provisions of law, the auditors are appointed by the Annual General Meeting. At the Annual General Meeting on 4 May 2017, the Essen branch of the auditing firm KPMG AG was appointed as auditors for secunet Security Networks AG and Group auditors for the secunet Group for the 2017 financial year, and was therefore selected to perform an auditor’s review of the Condensed Financial Statement and the Interim Management Report of secunet Security Networks AG and the secunet Group by 30 June 2017.

Shareholders are notified about important dates by means of a financial calendar published in the Annual Report, in the quarterly updates and on the Company’s website.

Further detailed information about secunet Security Networks AG is available on our website at www.secunet.com.

 

Corporate Governance Guidelines

The Articles of Association of secunet Security Networks AG form the basis of our Company. The Company’s Articles of Association, the current Declaration of Conformity, the Declarations of Conformity for previous years and further Corporate Governance documents can be found online at www.secunet.com under >> The Company >> Investor Relations >> Compliance and Corporate Governance.

The Management Board has introduced a Code of Conduct for the Company and its employees, summarising the business principles of secunet Security Networks AG. These principles are a crucial part of how secunet Security Networks AG sees itself, and of the expectations that it strives to meet. The Code of Conduct is a set of standards of conduct for dealing with all the economic, legal and moral challenges that we face in our day-to-day business activities, and is intended to serve as a benchmark and guide when working with customers, suppliers and other business partners, as well as for our conduct towards our competitors. It also governs our conduct in financial matters and trading in secunet shares, their derivatives and other financial instruments. The Company has set up a compliance unit to handle questions arising in connection with the Code of Conduct.

In accordance with the provisions of Item 4.1.3 Clause 3 of the German Corporate Governance Code, the company has provided its employees with an opportunity to report, under protection, legal violations within the company by means of an electronic whistleblower system. This option is also available to third parties. 

 

Management Board and Supervisory Board remuneration

secunet Security Networks AG complies with statutory regulations and the recommendations of the German Corporate Governance Code and discloses the remuneration of each individual member of the Management Board. In this Annual Report (more specifically, in the remuneration report, which forms part of the Management Report), we detail the remuneration of the members of the Management Board and of the Supervisory Board.

 

Information on stock option programmes and similar securities-based incentive systems

No stock option programmes or similar securities-based incentive systems exist for members of Company bodies or members of the Company.

 

Notification of transactions under Article 19 of the EU Market Abuse Regulation (Directors’ Dealings)

Article 19 of the European Market Abuse Directive (EU) No. 596 / 2014 requires members of Company bodies (Supervisory / Management Boards) and certain executives, as well as closely related parties, to disclose transactions in secunet shares or related financial instruments where the sum total of such transactions reaches 5,000 euros within a single calendar year. Directors’ Dealings disclosures are also published on our website under Investor Relations. No Directors’ Dealings were reported in the financial year 2017.

 

Accounting and auditing of the financial statements

secunet Security Networks AG prepares its Consolidated Financial Statements and Consolidated Interim Financial Statements in accordance with the International Financial Reporting Standards (IFRS). The Annual Financial Statements of secunet Security Networks AG are prepared in accordance with German commercial law (HGB). The Annual and Consolidated Financial Statements are compiled by the Management Board and audited by the auditors and the Supervisory Board. Quarterly updates and the 6-month report are discussed by the Management Board and Supervisory Board prior to their publication.

secunet Security Networks AG’s Consolidated and Annual Financial Statements have been audited by KPMG AG Wirtschaftsprüfungsgesellschaft, Essen branch, the auditors appointed by the 2017 Annual General Meeting. The audits were performed in accordance with Article 317 HGB and with due consideration for the generally accepted standards for the audit of financial statements in Germany promulgated by the Institut der Wirtschaftsprüfer (IDW). The undersigned auditors for the Annual Financial Statements and Consolidated Financial Statements of secunet Security Networks AG are Mr Martin C. Bornhofen and Dr Dominic Sommerhoff.

It was also contractually agreed with the auditors that they inform the Supervisory Board without delay of any potential grounds for exclusion or bias and of any findings or occurrences of significance to the Supervisory Board’s remit that came to light during the auditing of the financial statements.

The Condensed Consolidated Interim Financial Statements and the Interim Group Management Report as at 30 June 2017 were subjected to an auditor’s review by KPMG AG Wirtschaftsprüfungsgesellschaft.

 

Declaration of conformity under Article 161 of the German Stock Corporation Act

The management and supervisory boards of companies listed on the German stock exchange are legally obliged, in accordance with Article 161 of the German Stock Corporation Law (Aktiengesetz, AktG), to annually declare whether the official recommendations of the “Government Commission on the German Corporate Governance Code” applicable at the time of making the declaration have been fulfilled and will be fulfilled. The Company is furthermore required to disclose which recommendations of the Code have not been applied or will not be applied and to explain the reasons for this. This Declaration of Conformity is printed in full below, with explanations. The Declaration of Conformity can also be found on secunet Security Networks AG’s website under >> The Company >> Investor Relations >> Compliance and Corporate Governance. Declarations of Conformity issued in the last five years are permanently available on the website.

secunet Security Networks AG complies with, and will continue to comply with, the recommendations of the Government Commission on the German Corporate Governance Code, as amended in the respective versions in force on 5 May 2015 and 7 February 2017 and published by the German Ministry of Justice in the official part of the Federal Gazette, with the following exceptions:

3.8 Para. 3 An excess should be agreed in D & O insurance for the Supervisory Board.
Explanation: The secunet Supervisory Board conducts its business with the utmost sense of responsibility. An excess would not give rise to any additional improvement or incentive.

5.1.2 Para. 2 Clause 3 An age limit should be set for Management Board members.
Explanation: secunet Security Networks AG does not stipulate an age limit for Management Board members, as the age of the particular Management Board member is not a blanket criterion for suitability to hold a position on the Management Board. An age limit would therefore generally limit the selection of suitable candidates to an unreasonable degree.

5.3.1 Depending on the specifics of the company and the number of its members, the Supervisory Board shall form professionally qualified committees.
Explanation: The Supervisory Board of secunet Security Networks AG has no committees. In the opinion of the Supervisory Board, this is not in fact necessary, as the Supervisory Board comprises only six members. In a panel of this size, efficient operation of the Supervisory Board can be guaranteed without the formation of committees.

5.3.2 The Supervisory Board should set up an Audit Committee.
Explanation: The Supervisory Board consists of six members. Due to the number of Supervisory Board members and the composition of the Supervisory Board, setting up a separate Audit Committee would not increase the efficiency of the work performed by the Supervisory Board in relation to accounting, risk management, compliance and the auditing of the financial statements.

5.3.3 The Supervisory Board should form a Nomination Committee.
Explanation: The Supervisory Board of secunet Security Networks AG consists of only six members. All members are elected by the shareholders. An additional Nomination Committee has therefore not been set up.

5.4.1 Section 2 Clause 1 The Supervisory Board should stipulate specific targets with regard to its composition and draw up a skills profile for the overall panel. With regard to its composition, taking into account the Company’s specific situation, it should adequately take into consideration its international operations, potential conflicts of interest, the number of independent Supervisory Board members as defined in Number 5.4.2, an age limit to be determined for Supervisory Board members and a regular limit to be determined for the length of membership in the Supervisory Board as well as diversity.
Explanation: The Supervisory Board of secunet Security Networks AG has not determined a regular limit for the length of membership in the Supervisory Board. In the view of the Supervisory Board such a restriction is not necessary with regard to efficient operation of the panel, especially since the panel’s work can benefit from the experience of long-standing members.

5.4.6 Para. 1 Clause 2 When setting the remuneration of Supervisory Board members, chairmanship and committee memberships are to be taken into account.
Explanation: Since the Supervisory Board has no committees, there is currently no question of a special chairmanship and committee membership remuneration.

 

secunet Security Networks AG

Essen, 22 March 2018

- The Management Board -          - The Supervisory Board -

Declaration of conformity under section 161 AktG

The Management Board and Supervisory Board of secunet Security Networks AG hereby issue the following Declaration of Conformity regarding the recommendations of the Government Commission on the German Corporate Governance Code according to Article 161 of the German Stock Corporation Act (Aktiengesetz, AktG).

secunet Security Networks AG complies with the recommendations of the Government Commission on the German Corporate Governance Code, as amended in the version of 7 February 2017 and published by the German Ministry of Justice in the official part of the Federal Gazette on 24 April 2017, with the exceptions stated below. Furthermore, secunet Security Networks AG has complied with the recommendations subject to the exceptions below since it issued its last Declaration of Conformity in November 2016 and will continue to comply with the recommendations subject to these exceptions in future:

3.8 Para. 3 An excess should be agreed in D&O insurance for the Supervisory Board.
Explanation: The secunet Supervisory Board conducts its business with the utmost sense of responsibility. An excess would not give rise to any additional improvement or incentive.

5.1.2 Para. 2 Clause 3 An age limit should be set for Management Board members.
Explanation: secunet Security Networks AG does not stipulate an age limit for Management Board members, as the age of the particular Management Board member is not a blanket criterion for suitability to hold a position on the Management Board. An age limit would therefore generally limit the selection of suitable candidates to an unreasonable degree.

5.3.1 Depending on the specifics of the company and the number of its members, the Supervisory Board shall form professionally qualified committees.
Explanation: The Supervisory Board doesn’t have any committees. In the opinion of the Supervisory Board, this is not in fact necessary, as the Supervisory Board comprises only six members. In a panel of this size, efficient operation of the Supervisory Board is also guaranteed without the formation of committees.

5.3.2 The Supervisory Board should set up an Audit Committee.
Explanation: The Supervisory Board consists of six members. Due to the number of Supervisory Board members and the composition of the Supervisory Board, setting up a separate Audit Committee would not increase the efficiency of the work performed by the Supervisory Board in relation to accounting, risk management, compliance and the auditing of the financial statement.

5.3.3 The Supervisory Board should form a Nomination Committee.
Explanation: The Supervisory Board of secunet Security Networks AG consists of only six members. All members are elected by the shareholders. An additional Nomination Committee has therefore not been set up.

5.4.1 Para. 2 Clause 1 The Supervisory Board shall determine concrete objectives regarding its composition, and shall prepare a profile of skills and expertise for the entire Board. Within the company-specific situation the composition of the Supervisory Board shall reflect appropriately the international activities of the company, potential conflicts of interest, the number of independent Supervisory Board members within the meaning of number 5.4.2, an age limit and a regular limit to Supervisory Board members’ term of office, both to be specified, as well as diversity.
Explanation: The Supervisory Board of secunet Security Networks AG has not determined a regular limit for the length of membership in the Supervisory Board. In the view of the Supervisory Board such a restriction is not necessary with regard to efficient operation of the panel, especially since the panel's work can benefit from the experience of long-standing members.

5.4.6 Para. 1 Clause 2 When setting the remuneration of Supervisory Board members, committee chairmanship and committee memberships are to be taken into account.
Explanation: The Supervisory Board doesn't have any committees; there is therefore currently no question of a special committee chairmanship and committee membership remuneration.

 

secunet Security Networks AG

Essen, 16 November 2017

- The Management Board -          - The Supervisory Board -

 



German corporate governance code:

    Remuneration of the Management Board and Supervisory Board

     

    The remuneration report summarises the principles used to determine the remuneration of the Management Board of secunet Security Networks AG and sets out the amount and structure of the income received by its members. It sets out the principles behind, and amount of, the remuneration received by the Supervisory Board, and also provides information on the shareholdings of Management Board and Supervisory Board members.

    Remuneration of the Management Board

    The Supervisory Board of secunet Security Networks AG is responsible for determining the remuneration of the Management Board.

    In the 2017 financial year, the remuneration package for the members of the Management Board who were active in the 2017 financial year was made up of five components: a fixed annual salary, a variable bonus, a special bonus, ancillary non-cash benefits and a contribution to the retirement pension. During the 2017 financial year, the Supervisory Board decided to conclude ancillary agreements to the contracts of employment for the acting members of the Management Board in 2017 with regard to the payment of a special bonus. Hereinafter, the Supervisory Board may, at its discretion, decide to pay a special bonus in the amount of up to 100 thousand euros per financial year in recognition of special developments or burdens, or if the members of the Management Board have made exceptional contributions.

    The Management Board remuneration package is broken down as follows:

    • The fixed component is paid monthly in the form of a salary.

    • The variable component is based on the Company’s results. It consists of one short-term component and one long-term component. The short-term component is measured on the basis of sales revenue and EBIT for the current financial year (2017 in this case), while the long-term component is measured based on the average EBIT of the past three financial years (2015 – 2017 in this case).

    • At its discretion, the Supervisory Board has awarded each of the members of the Management Board a special bonus in the amount of 100 thousand euros for their extraordinary contributions in the 2017 financial year.

    • Non-cash and other benefits essentially comprise the taxable values of company car usage.

    • The retirement pension contributions paid to members of the Management Board are set out in their individual contracts of employment. These pension commitments provide for a life annuity with provision for dependants.

    Management Board contracts do not expressly provide for any severance payment in the event that the employment relationship is prematurely terminated. In addition, Management Board contracts do not include any specific regulations to govern the event that a “change of control” occurs – that is when one or several shareholders acting jointly obtain the majority voting rights of secunet Security Networks AG and exert a dominating influence, causing secunet Security Networks AG to become a dependent company by means of the conclusion of an intercompany agreement within the meaning of Article 291 of the German Stock Corporation Law (Aktiengesetz, AktG), or in the event of the merger of secunet Security Networks AG with other companies.

    The Management Board members do not receive any additional remuneration for the performance of their duties in the subsidiaries.

    Following the recommendations of the German Corporate Governance Code (Deutscher Corporate Governance Kodex, DCGK), the remuneration of the secunet Security Networks AG Management Board is constituted as follows:

    Total remuneration of the members of the Management Board in financial year 2017 was 1,159 thousand euros (previous year: 958 thousand euros).

    The pension entitlements of the Management Board members were as follows as at 31 December 2017:

    Owing to the right, in accordance with Article 67 Para. 1 and 2 of the Introductory Act to the German Commercial Code (Einführungsgesetz zum Handelsgesetzbuch, EGHGB), to choose to annually add 1 / 15 to the difference resulting from the change in valuation under the German Accounting Law Modernisation Act (Bilanzrechtsmodernisierungsgesetz, BilMoG), there is a shortfall between the scope of HGB obligation and provision set aside, amounting to a total of 84 thousand euros.

    At 31 December 2017, as on the same day of the previous year, no Management Board members held any secunet shares.

    The members of the Management Board of the company were not granted any loans during the reporting period.

    Furthermore, in the previous financial year no member of the Management Board was promised or granted any benefits by a third party in respect of his activity as a member of the Management Board.

    Remuneration of the Supervisory Board

    The remuneration of the Supervisory Board is laid down in Section 17 of the Articles of Association of secunet Security Networks AG. It is based on the tasks and responsibilities of the members of the Supervisory Board.

    The remuneration of the Supervisory Board is regulated as follows: The members of the Supervisory Board receive a fixed payment amounting to 8 thousand euros. The Chairman of the Supervisory Board receives a payment amounting to 16 thousand euros, and the Deputy Chairman of the Supervisory Board receives 12 thousand euros. If changes are made within the Supervisory Board during the year, remuneration is granted on a pro-rata basis. Travel expenses associated with Supervisory Board activities are refunded separately after being invoiced.

    For the 2017 financial year, Supervisory Board salaries totalled 60.0 thousand euros (previous year: 60.0 thousand euros).

    For the individual members of the Supervisory Board, the demands can be presented as follows:

    The members of the Supervisory Board do not receive any loans from the Company. As at 31 December 2017, as on the same day of the previous year, no Supervisory Board members held any secunet shares. In the year under review, members of the Supervisory Board did not receive any other remuneration or benefits for services provided personally, in particular consulting and agency services.

    As at 22 March 2018

    Forecast, Opportunities and Risk Report

    1. Risk report

    1.1 Risk management objectives and methods

    Risk management within the secunet Group is conducted by a risk committee. This is composed of the Management Board, the COO (Chief Operating Officer) and the CTO (Chief Technical Officer), the head of the corporate strategy department, the commercial manager and the head of service and process management. It meets regularly, once every quarter. Any developments that could jeopardise the fulfilment of objectives, or which may even threaten the survival of the Company, are subjected to intense analysis, scrutiny and assessment by the risk committee. The aim of doing this is to ensure that information about risks, and the associated financial implications, is detected as early as possible in order to implement suitable measures. The existing opportunities and associated potential for results can also be detected and leveraged within the planning and controlling process.

    As part of the preparation for meetings of the risk committee, a comprehensive risk inventory takes place in each area of the Company. Following a bottom-up approach, the risks are identified and aggregated, then assessed according to their damage extent and probability of occurrence.

    The Company-specific risks surveyed in this manner are then discussed, implementing a top-down approach, as part of the risk committee meetings. The effects of risks and opportunities are not netted. A net presentation is shown when evaluating the effects of risks, i.e. the effects of any risk minimisation measures already taken are considered as part of the evaluation. Depending on the probability-weighted damage value of the risks (risk value), the further treatment of the risks is then determined. This ranges from pure documentation where the value is not critical (the probability-weighted damage value in the 2017 financial year was up to 0.5 million euros in EBIT losses) and further observation (monitoring – for a risk value of up to 1.2 million euros in the 2017 financial year) to the need to take immediate action (warning limit – at a probability-weighted damage value of over 1.2 million euros in the 2017 financial year). The value limits defined above are re-determined annually based on the planned annual result. Insofar as the identified risks are quantifiable, the corresponding risk values (relating to the reporting date) are adopted in the reporting system.

    Proposals for countermeasures are then drawn up, if required. The Management Board examines these measures and implements them promptly. During the course of the 2017 financial year, several instances of risk were identified and necessitated measures. For the main part, these related to the areas of distribution and production. Operation damage management implemented in each of these cases was able to contribute to reducing the relevant risk value to significantly below the warning threshold in all cases.
    The early risk detection and risk management system of secunet Security Networks AG is being continuously developed and improved.

     

    1.2 Individual risks

    The risks for secunet Group, and therefore also for secunet Security Networks AG as the Group parent company, are divided into the following main categories according to their effects on value creation levels.

    • Risks to the company infrastructure: these are risks arising from the framework conditions of the company’s development, such as strategy and organisation, as well as supporting functions, e.g. finance and controlling, legal and HR.

    • Product management risks: these are risks from the divisions responsible for planning and coordinating the market-readiness of products and solutions from secunet Group.

    • Distribution risks: these are risks in all areas connected with distribution.

    • Risks in production: these are risks which arise in connection with the provision of products and solutions, as part of consultancy and development projects and in the supply of hardware, for example.

    As in previous years, risks in the 2017 financial year were primarily focused on the areas of distribution (acquisition of orders) and production (project processing).

    1.2.1 Competitive environment (distribution risk)

    secunet Group generates a large part of its sales revenues with the SINA product family. These products bring competitive advantages to secunet in several ways: firstly by representing an area of technological leadership, and also because of the wide range of approvals and certifications awarded to individual products. Risks that endanger this competitive advantage are regularly assessed, but not currently apparent.

    The risk committee keeps itself up-to-date on any risks that could endanger secunet’s technological superiority in the market. To this end, the status of technological development of secunet’s products is checked and the opinion of expert employees sought on whether, and to what extent, the Company’s technological advantage is threatened by competitors’ product developments. If necessary, risk reduction measures are triggered. These may take the form of accelerated development cycles, for example, or the inclusion of new application scenarios for secunet solutions.

    The competitive national environment also means there is a risk that rival businesses will attempt to challenge secunet’s privileged market position in terms of business with German government agencies. If this were to happen, secunet would be exposed to much greater competitive pressure in this target customer segment. This risk is also regularly assessed and evaluated by the risk committee and the Management Board.

    In the recent past in particular, the competitive environment that secunet operates in has been consolidated through increased concentration. New competitors have also emerged. A market that was once split into many providers, including smaller providers, has developed a structure with larger market participants. These trends are closely monitored and their potential consequences evaluated as part of ongoing risk management and secunet’s strategic management.

    Overall, the stated risks arising from the competitive environment at the time of creating this report are deemed to be manageable and therefore not critical.

    As a result of increasing attention on the topic of IT security, an increasing demand for products and solutions in the field of IT security is expected. As a result, the market for IT security is also becoming more attractive for suppliers who have not previously been active in it. These potential new suppliers are increasing competitive intensity and could endanger the market position of secunet – particularly in the Business Sector. This is of particular concern to certified consultants, IT companies and the consulting areas of auditing companies. The assessment that the risk of increased competitive intensity is in balance with the opportunity for market growth due to increasing awareness in the public realm is still valid.

    1.2.2 Customer structure (distribution risk)

    Customer structure risk exists to the extent that secunet conducts the majority of its business with public sector authorities and organisations. The loss of segments of demand from this customer group can have very negative effects on sales revenue and results. This risk has been discussed in depth by the risk committee. Investments in IT, and notably in IT security, are seen as particularly important for the smooth delivery of projects for the public sector, particularly in a world where information technologies play an increasingly important role. The risk of a downturn in demand from public sector customers is therefore constantly monitored, although it is currently considered to be relatively low. At the same time, a temporary shift in expected orders is a possibility, for example during “provisional” budget management, during which federal authorities are only able to use limited expenditure. This can cause a significant shift in sales revenue for an individual year; service revenues can even be completely missing because these cannot be repeated if capacities are fully utilised. Another risky area regarding the foreseeability of sales revenues relates to the often long-term decision-making processes for major projects. Measures for risk limitation in this case include the use of key account managers in distribution as well as regular coordination in partnership with major customers.

    The fact that a significant proportion of procurements from public customers take place on the basis of framework agreements can present itself as a risk in the event that these framework agreements are re-tendered. The associated distribution risk is taken into account by secunet’s operational units and is reduced to an acceptable level through risk-reducing measures.

    In order to be better placed in the medium term to react to the potential risk of a decline in demand from public sector customers, and in order to reduce and compensate for any resulting decline in sales revenue and results, secunet will continue to devote intensive efforts to the development of its activities for the private sector target group.

    A further risk can be seen in the fact that a large part of the sales revenue is concentrated on a few public consumers and companies. If one of these major customers is absent for even a short period of time, and the corresponding expected orders are shifted, secunet’s attainment of annual objectives may be endangered at the very least. In this case too, the use of key account managers in distribution can help towards risk reduction. Thanks to their close contact with the customer, they can ensure a timely reaction to changes in demand.

    In addition, it is seen as a risk area for the further growth of secunet that the business results are still heavily influenced by the demand from the national environment. As a result, the expansion of high-performance international distribution, tapping of new markets and the acquisition of additional customers abroad will remain a focus of efforts for the future development of the Company. One strategic measure is the pooling of international distribution activities in the company founded for this purpose.

    1.2.3 Product development risks (production risk)
    Various ongoing projects are being carried out to ensure the technological enhancement of the SINA product family, and a number of them have significant volume. The development project for the secunet Konnektor also has a substantial scope. To this extent, it is justifiable to consider the risks for secunet arising from such development projects.

    As part of the development of new products, the following risks are discussed and evaluated regularly:

    • Risk of a possible decline in demand: the product fails to prove itself on the market.

    • Risk of undesirable technical developments: the product contains defects that lead to warranty claims.

    • Risk of failure to complete the product in time: the development project takes considerably more time than estimated.

    To date, the risks associated with developing new products that subsequently prove unsuccessful on the market have not been of primary significance for secunet. Its high-security IT solutions are tailored precisely to customers’ requirements; secunet products are generally not designed without a specific need in mind. Most of the products developed by secunet are made to order and are accordingly financed by the customer. This largely relates to the SINA product family in the High Security business division. Even when it comes to biometrics and sovereign documents, product innovations such as the secunet biomiddle biometric middleware, or the Golden Reader Tool platinum edition were developed as a result of issues raised during consulting activities. Therefore, no development risks exist in terms of potentially waning demand.

    Potential warranty claims are taken into account by creating appropriate risk provisions.

    The greatest risk for development projects is underestimation of the time required before new solutions are ready for acceptance. This can lead to expenditure of time and personnel, which limits the profitability of these projects. In order to keep these risks as low as possible, secunet uses extensive project planning and control mechanisms in different locations, paired with a dedicated reporting line. This part of the risk analysis and risk management is identical to the activities that apply for major projects. In the area of development projects, the risk at the time of creating this report is classified as low.

    1.2.4 Major projects: Distribution and project management (distribution and production risk)

    secunet is primarily active in the project business. Many projects relate to infrastructures and solutions that have been designed on an individual basis. In addition, IT security infrastructures are often associated with high investment volumes. There are two main risks for such major projects: the distribution risk and the project management risk. In addition, there are specific risks for very long-term major projects.

    Distribution risk is a result of the costly, and often protracted, tendering and decision-making procedures to meet customer requirements. This places great limitations on the ability to plan for sales revenues, leading to a potential associated volatility in secunet’s business. This distribution risk is continuously monitored as part of risk management and in the ongoing Management Board meetings and, if necessary, it is countered with suitable measures. These measures for reducing the distribution risk also often consist of establishing close contact, and thus ongoing cooperation with the customer, through the use of dedicated key account managers, for example.

    The project management risk arises after the commissioning of major projects: these projects are characterised by multiple uncertainties in their implementation due to the sheer fact of their size.

    The risk may then consist of a failure to maintain schedules and project budgets. secunet takes these risks into account by way of a comprehensive project management system which is used to regularly create management reports for project managers, division heads and the Management Board. The risks arising from major projects are continuously monitored – in the same way as development risks – with comprehensive project planning and control mechanisms, in conjunction with a risk-oriented reporting system. In the event of deviation from the set targets, measures to reduce the risk are resolved and implemented immediately. These can consist of making additional capacity available for processing the project or discussing deviations with the customer in order to bring expectations into line with the altered framework conditions.

    In very long-term projects that extend over periods of more than five years, there may be additional risks, for example because the solutions implemented reach the end of their technological service life (update problems, problems with outdated technology). Furthermore, a replacement risk may be posed by suppliers who disappear from the market over the course of such projects.

    As part of the risk inventory in the fourth quarter of 2017, risks arising from major projects were valued at 1.0 million euros. secunet counters these risks with strict risk monitoring by project managers and the timely implementation of measures. Examples of these measures could include the securing of rights to solutions considered to be critical, or accounting precautions for provisions.

    1.2.5 Product technical safety risk (product management and production risk)

    The secunet Security Networks AG product portfolio is concentrated on solutions in the area of cyber security. In the case of the SINA product family in particular, these solutions are protected and approved at a high level in cryptographic terms.

    One risk that is evaluated on an ongoing basis in connection with the technical properties of these products is the effect of any possible – as-yet-undetected – security weaknesses in these solutions. In this context, the focus is on the question of whether and to what extent the security promise made to its customers by secunet in connection with the solution as a whole might be compromised as a result of security holes in individual components.

    A comprehensive process of ongoing risk identification and assessment takes place in this area for the purposes of risk minimisation. As part of this process, secunet collects and evaluates findings about potential security risks from a wide range of sources. If even one vulnerability of the systems seems possible as a result of this evaluation, customers are informed immediately and supported in closing the potential security hole.

    This process of monitoring and solving potential technical security risks is implemented in close collaboration with the company’s development and approval partner, the German Federal Office for Information Security (BSI).

    In view of the risk minimisation measures in use, the economic risk connected with technical product security is believed to be low.

    1.2.6 Warehousing risk (distribution risk)

    Warehousing risks are also increasing alongside the growth in product business for secunet Security Networks AG. On the one hand, this is due to the risk associated with the ability to deliver at short notice, which can be countered by suitably networked material planning. At the same time, hardware components in particular are becoming obsolete because of accelerating technical progress. Where applicable, inventories lose their value because of this technical ageing process. As part of the risk inventory in the fourth quarter of 2017, the warehousing risk is valued at 0.9 million euros. secunet stays abreast of these risks through professional inventory optimisation.

     

    2. Opportunities

    The driving factors outlined below continue to have a positive effect on the future growth of secunet:

    2.1 Growth via increasing awareness

    Increasing sensitivity to IT security issues in recent years has received strong support as a result of reporting on cyber security threats (such as interception cases, attempted and successful hacking of the networks of authorities and companies, attacks on critical infrastructures) over the same time period. Investigations into the medium- to long-term assessment of risk among companies and decision-makers reveal that much greater importance will be placed on cyber security going forward. The topic of cyber security is the focus for a wide range of investigations and seminars, as well as publications. Cyber incidents are increasingly at the centre of risk assessments – no longer just those conducted on behalf of authorities, but also by private companies. For example, cyber risks have consistently been included in the top three risks on the Allianz Risk Barometer for the top business risks in Germany. A positive trend in the demand for high-quality, trustworthy solutions “made in Germany” can be derived from this. This applies both to authorities, which are adding IT system and infrastructure security to their existing efforts, and to companies, which counter the now-specific risks of economic / industrial espionage with appropriate safeguards. An additional group is made up of providers of critical infrastructures for which IT security is becoming ever more important (see also “Growth via increasing regulation”). With the relevant distribution activities aimed at authorities and companies, secunet intends to participate in this positive development of demand.

    The increasing interest in IT security, driven also by media attention, and the subsequent growth in demand are also resulting in increasing competition. This must be taken into account when evaluating opportunities.

    2.2 Growth via increasing regulation

    The German federal government wants to increase the protection of critical infrastructures such as energy and telecommunications networks as well as that of IT systems. To this end, ITSiG was passed in July 2015. This results in growth opportunities at many different levels:

    • The legislation will particularly affect operators of critical infrastructures – i.e. facilities that are of central importance to the community – such as energy supply, for example. In the future they will need to meet specific IT security requirements. This will result in potential demand for implementation concepts to meet these requirements.

    • Furthermore, the draft legislation further extends the role of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and takes its growing significance as the focal point for IT security into account. Among other things, the BSI should be empowered to inspect and evaluate IT products and systems on the market with regard to their IT security, and to publish the results if necessary. This could give rise to positive stimulus in the product business.

    2.3 Growth through new markets

    IT security solutions “made in Germany” enjoy a good reputation across the world due to their quality and trustworthiness. There is rising international demand for solutions offered at the level of quality provided by secunet. Under the pressure of interception cases and cyber attacks coming to light, demand is likely to stimulate even greater differentiation between producer countries, from which secunet also benefits. In addition, many secunet products are approved for use in an international context, for example by the EU and NATO.

    The expansion of foreign activities via secunet’s own distribution and via local multipliers will contribute to raising these potentials.

    2.4 Growth through acquisitions

    In addition to organic growth on domestic and foreign markets, secunet has for years pursued the objective of triggering additional growth through M & A activities. Growth in the product area through acquisition of the relevant solution providers is promising. The market for companies with high-quality, reliable IT security solutions for processing classified information – in which secunet is an active player – is split into many small to medium-sized providers. In addition, the M & A business is currently characterised by very high price expectations on the part of sellers. The process of identifying promising targets at acceptable prices is time-consuming as a result, but is nonetheless being pursued on an ongoing basis.

     

    3. Overview of risks and opportunities

    An overview of opportunities and risks which could impact on the further development of the secunet Group shows a promising evaluation overall.

    The assessment revealed that the risks at the time of creating the report can generally be kept at bay and controlled, and the identified risks, both individually and as a whole, do not threaten the continued existence of the Company in terms of illiquidity or excessive debts in the reporting period of at least one year. In the operative management of the Group, measures were continuously taken to prevent a worsening of the risk situation. At the same time, the use of the opportunities described above is being driven forward by a number of activities. No key risks are present as at the balance sheet date.

    The presentation and evaluation of risks and opportunities also apply in the same way for secunet Security Networks AG.

     

    4. Forecast

    The framework conditions for the 2018 financial year give reason for optimism.

    • The macroeconomic prospects for growth are positive: The German Federal Government expects growth of 2.4% in the price-adjusted gross domestic product for the current year.

    • For the domestic market, we are still expecting growing demand. This affects both the Public Sector, i.e. business with public customers, and the Business Sector, which serves companies in the private sector.

    • The foreign market holds significant growth potentials; secunet is generally well-positioned to realise these. The secunet International GmbH & Co. KG employees in international distribution have many years of experience in the Group and in dealing with international customers.

    • During the course of the year, the secunet Group again increased its number of productive employees and can therefore convert increasing demand and high capacity utilisation into good business results.

    • secunet’s products and solutions have an excellent reputation and enjoy growing demand both in Germany and abroad.

    Nevertheless, risks might also be encountered in the coming year.

    • secunet is still largely dependent on the procurement activities of the German federal authorities. At the present time, the effects of changing domestic policy cannot yet be assessed. Negative implications for secunet could include the postponement or cancellation of planned projects.

    • The provisional budget management measures – taken by the Federal Authorities as a result of the protracted process to form a government that followed the parliamentary elections in September 2017 – continue to be seen as a particular risk in 2018. Although this budgetary risk had not yet had any effect at the end of the 2017 financial year, the possible effects on business results in the first few months of the 2018 financial year are difficult to predict. The Management Board expects development to be rather muted.

    • Project business also holds both opportunities and risks: The scope of investment decisions for major projects, especially if these are part of a political process, can significantly delay the start of expected procurements. In addition, ongoing major projects always face the potential risk of incalculable delays or budget overruns.

    • Commissions in the consultancy business of secunet Security Networks AG were largely the result of long-term, comprehensive framework agreements. Therefore, there is a degree of uncertainty in respect of future capacity utilisation in the case of new tendering processes arising from such framework agreements.

    • The attention focusing on IT security as a topic is driving the expectation of increasing demand. However, driven by the same attention, increasing competition is also apparent, with consequences that cannot yet be foreseen.


    At the time of issuing this report, the Company and the Group are in a good position in the opinion of the Management Board:

    • The Company’s economic and financial situation is good; previous growth was achieved without declines in profitability, there are no loans and liquid funds are high.

    • secunet has high-performing, motivated and highly qualified employees – providing an excellent basis of expertise.

    • The Company’s existing product and service portfolio has done well in terms of standing up to competition, and is continuing to expand in close cooperation with customers and their needs.

    • The Company is well-known as a provider of high-quality and trustworthy IT security to meet the highest demands, and therefore has a stable and reliable (existing) customer structure.

    • The market for IT security is growing; dynamic technological development in IT continually creates new applications and demands, which opens up great opportunities, especially in the area of IT security. secunet will be able to meet this demand well in future, with optimised and new services, products and solutions.

    At the time this report was prepared, secunet Group was in a good position. During the past financial year, sales revenue and the EBIT increased sharply once again, and 2017 consequently ended with excellent results. The company’s Management Board is generally optimistic about business development for the coming year 2018. The aforementioned provisional budget management measures – arising as a consequence of protracted government formation processes in Germany – are considered the most significant uncertainty at the time of creating this report. Taking into account this potentially detrimental factor, and in view of the very good business results already achieved in 2017, the Management Board expects that sales revenue for the coming 2018 financial year will be slightly lower than that of the previous year. Because the effects of the provisional budget management measures are limited to the Public Sector, the Business Sector division is expected to make a slightly higher contribution to total Group sales revenue.

    In line with expected sales revenue development, the Management Board is expecting the Group EBIT for 2018 to be slightly lower than in the previous year. Due to expenditure relating to the continued development of the secunet health Konnektor, the Business Sector division is not expected to make a significantly higher contribution to the overall sales revenue in 2018.

    The following assumptions apply to the forecast for secunet Security Networks AG following the commencement of operations by new companies secunet International GmbH & Co. KG and secunet Service GmbH: secunet Security Networks AG will represent around 90% of sales revenue and around 75% of the EBIT of the secunet Group. Because no significant change is to be expected in the weighting of both companies for the time being, and therefore no substantial alterations are to be expected in these ratios, the forecast for secunet Security Networks AG with regard to these ratios is computationally derived from the Group forecast. There is no need to consider our foreign subsidiaries secunet SwissIT AG in Switzerland and secunet s.r.o. in the Czech Republic separately, since both companies have ceased operations and are in liquidation. Accordingly, the Management Board is expecting a slight decline in sales revenue and a moderate decrease in EBIT for secunet Security Networks AG - adjusted for the effect of the spin-offs.

    As at 22 March 2018

    Directors' Dealings

    Article 19 of the European Market Abuse Directive (EU) No. 596/2014 requires members of Company bodies (Supervisory / Management Boards) and certain executives, as well as closely related parties, to disclose transactions in secunet shares or related financial instruments where the sum total of such transactions reaches 5,000 euros within a single calendar year. Directors’ Dealings disclosures are also published on our website under Investor Relations. No Directors’ Dealings were reported in the financial year 2017.

    Constitution of secunet Security Networks AG

    I. General Provisions

    Section 1 Company, registered office and fiscal year

    (1) The corporation manages the company secunet Security Networks Aktiengesellschaft.

    (2) Its registered office is in Essen.

    (3) The fiscal year is the calendar year.

    Section 2 Purpose of the company

    (1) The purpose of the company is to provide security services in telecommunication and information technology, in particular consultancy and system solutions for information security, as well as the production and sale of security products and systems, and associated activities.

    (2) The company is authorised to serve the purpose of the company in all transactions and measures that seem appropriate. It may also found, acquire and invest in other companies with the same or a related purpose, as well as managing such companies or limiting itself to stake management. It may outsource some or all its operations to affiliated companies or cede some or all of its operations to affiliated companies.

    Section 3 Notification and informing

    (1) The corporation's notifications are provided in the Federal Gazette.

    (2) Information can also be transferred to owners of listed securities in the corporation by means of data transfer.

     

    II. Capital stock and shares

    Section 4 Capital stock

    (1) The corporation's capital stock is €6,500,000 (in words: six million five hundred thousand euros).

    (2) The capital stock is apportioned into 6,500,000 no-par value shares, which are bearer shares. €1,278,229.70 of the capital stock consists of capital stock in Secunet Networks GmbH, which was converted by means of a change of form pursuant to Sections 190 et seqq, Reorganisation of Companies Act (Umwandlungsgesetz, UmwG).

    Section 5 Shares

    (1) The shares are bearer shares. If, in the event of a capital increase, the resolution on the increase of capital does not determine whether the new no-par value shares are bearer or registered shares, they shall be bearer shares.

    (2) Uniform certificates can be issued in relation to several shares. The shareholders shall have no right to securitise their shares.

    (3) A duplicated signature from the Management Board shall suffice for execution. In other respects, the form and content of the share certificates as well as the profit share and renewal coupons are determined by the Management Board with the approval of the Supervisory Board. The same applies for bonds and interest coupons.

    (4) In other respects, a resolution on the increase of capital may stipulate the profit participation of new no-par value shares, by way of derogation from Section 60, Para. 2, Clause 3, Stock Corporation Act (Aktiengesetz, AktG).

     

    III. Management Board

    Section 6 Composition of the Management Board

    (1) The Management Board consists of one or several members. Deputy members of the Management Board may be appointed.

    (2) The Supervisory Board is responsible for determining the number and appointment of members of the Management Board and of deputy members of the Management Board, and revoking their appointment; the Supervisory Board is also responsible for nominating a member of the Management Board as the Chair of the Management Board, as well as additional Management Board members as deputy Management Board members.

    Section 7 Representation

    (1) If only one member of the Management Board has been appointed, this individual shall represent the corporation alone. If several members of the Management Board have been appointed, the corporation shall be represented by two members of the Management Board or by one member of the Management Board in combination with an authorised officer.

    (2) Deputy members of the Management Board shall have the same rights as ordinary members of the Management Board with respect to representing the corporation externally.

    (3) The Supervisory Board may grant all or some of the members of the Management Board power of sole representation, and release them from the restrictions of Section 181 German Civil Code, (Bürgerliches Gesetzbuch, BGB) in the event of multiple representation. This does not affect Section 112 AktG.

    (4) The Management Board manages the corporation's transactions in accordance with the provision of the law, of the Articles of Association, and of the rules of procedure issued by the Supervisory Board.

    (5) The Management Board manages the corporation under its own responsibility, and makes decisions about all matters of fundamental importance. Notwithstanding this overall responsibility, each member of the Management Board independently manages the business area allocated to him/her by the schedule of responsibilities.

    (6) The Management Board must undertake appropriate measures, in particular setting up a monitoring system, in order that the existence of developments that put the corporation at risk are detected at an early stage.

    Section 8 Rules of procedure, and passing of resolutions by the Management Board; transactions requiring approval

    (1) The Supervisory Board issues the rules of procedure for the Management Board.

    (2) Resolutions of the Management Board are passed with a simple majority vote. Alternative majority requirements and additional regulations regarding the passing of resolutions by the Management Board may be put in place in the rules of procedure.

    (3) The Supervisory Board defines certain types of transactions that the Management Board is only permitted to undertake with advance approval from the Supervisory Board. The approval of the Supervisory Board may be issued in advance in the form of a general authorisation for a certain set of designated transactions.

     

    IV. Supervisory Board

    Section 9 Composition and term of office for the Supervisory Board

    (1) The Supervisory Board consists of six members.

    (2) Members of the Supervisory Board are selected by the Annual General Meeting, unless otherwise stipulated by the Articles of Association or statutory provisions.

    (3) Unless the Annual General Meeting expressly specifies a shorter period of time, members of the Supervisory Board are appointed for a period up to the conclusion of the Annual General Meeting that passes a resolution on discharge for the fourth fiscal year after the start of the term of office. The fiscal year in which the term of office begins is not included in this. A successor to any member of the Supervisory Board who leaves before the expiry of his/her term of office is appointed for the remainder of the term of office of the member who left prematurely.

    (4) Members of the Supervisory Board may vacate their position by means of a written declaration addressed to the Chair of the Supervisory Board or to the Management Board, without stating reasons and subject to a notice period of four weeks; alternatively, if they state good cause, no notice period shall apply.

    Section 10 Responsibilities and powers of the Supervisory Board

    (1) The rights and obligations of the Supervisory Board are determined in accordance with statutory provisions, regulations of Articles of Association, and rules of procedure issued in accordance with Section 13.

    (2) Members of the Supervisory Board have equal rights and obligations. They are not bound to orders and instructions. In practising the office, they must apply the care of a reputable and diligent inspector of managers.

    (3) They must maintain confidentiality with respect to the company's confidential information and secrets, namely business or trade secrets, which have become known to them through their activity on the Supervisory Board. In particular, they are required to maintain confidentiality with respect to any confidential reports and confidential advice that they receive. If a member of the Supervisory Board wishes to pass to third parties information which may in any way be confidential or may in any way relate to company secrets, the member is required to inform the Chair of the Supervisory Board of this in advance, and provide him/her with the opportunity to provide a response.

    (4) Members of the Supervisory Board who breach their obligations are required to compensate the corporation for the damage caused by the breach, as joint and several debtors.

    (5) The Supervisory Board is authorised to put in place changes and supplements to the Articles of Association by means of a majority vote, provided that these changes and supplements only affect the wording.

    Section 11 Declarations of intention on the part of the Supervisory Board

    Declarations of intention on the part of the Supervisory Board are issued in the name of the Supervisory Board by the Chair; if the Chair is not present, they are issued by his/her deputy.

    Section 12 Chair of the Supervisory Board and his/her deputy

    The Supervisory Board selects from its members a Chair and a deputy for the term of office determined in Section 9 Para. 3 of these Articles of Association. The vote is taken directly after the Annual General Meeting, in which the members of the Supervisory Board for the shareholders to be selected by the Annual General Meeting are appointed, at a meeting that is not convened separately.
    If the Chair or his/her representative leaves his/her office before the expiry of the term of office, the Supervisory Board must make a new selection for the remaining term of office of the individual who has left.

    Section 13 Rules of procedure and committees of the Supervisory Board

    (1) The Supervisory Board provides the rules of procedure.

    (2) The Supervisory Board may form committees and, in as far as is legally permissible, also transfer decision-making authorities to them.

    Section 14 Convening the Supervisory Board

    (1) The Supervisory Board must hold at least two meetings in each half of the calendar year.

    (2) It must be convened immediately if necessary for business reasons, or if a member of the Supervisory Board or if the Management Board demands that the meeting is convened, stating the purpose and reasons for this. The meeting of the Supervisory Board must take place within two weeks of being convened in these cases.

    (3) The Chair of the Supervisory Board is responsible for drafting and determining the agenda, as well as the format of the meeting. Suggested resolutions must also be transferred together with the invitation.

    (4) The meeting is convened in writing, by fax, or by email, stating the agenda as well as the format of the meeting, with a notice period of two weeks. In urgent cases, the Chair may shorten the notice period and convene the meeting verbally by telephone.

    Section 15 Passing of resolutions by the Supervisory Board

    (1) The Supervisory Board is quorate if all members have been invited and at least half of members participate in passing the resolution. A member also takes part in the resolution if he/she abstains from voting.

    (2) The type of vote is determined by the Chair of the Supervisory Board, unless the rules of procedure issued by the Supervisory Board contain specific regulations in this respect.

    (3) Unless otherwise stipulated by law or the Articles of Association, resolutions are passed with a simple majority of votes cast. The same also applies for elections.

    (4) If there is a tied vote, a new debate shall only take place if the majority of the Supervisory Board resolves upon this. Otherwise, a new vote must be conducted immediately. In the event of a new vote regarding the same subject, the Chair of the Supervisory Board shall have two votes, including if this produces a tied vote.

    (5) If a member of the Supervisory Board is not present, this individual may have a written vote submitted through another member of the Supervisory Board. This also applies for issuing a vote in the event of a new voting process regarding the same subject. The submission of a written vote is only effective if the resolution passed does not deviate in content from the announced content of the resolution.

    (6) Resolutions passed about subjects the treatment of which has not been notified at least one week before the meeting, as well as votes outside meetings, are only permitted if not objected to immediately by any member of the Supervisory Board.

    (7) A member of the Supervisory Board may not participate in a vote regarding a subject on the agenda if the resolution concerns the undertaking of a legal transaction with him/her, or the initiation of a legal dispute between him/her and the company.

    Section 16 Supervisory Board minutes

    Minutes must be produced both of meetings of the Supervisory Board and of votes that take place outside meetings; these minutes must be signed by the Chair of the Supervisory Board.

    Section 17 Supervisory Board remuneration

    (1) Each member of the Supervisory Board receives remuneration of €8,000 for his/her activity after the conclusion of the fiscal year. The Chair of the Supervisory Board receives double the amount given to an ordinary member of the Supervisory Board, i.e. an amount of €16,000; his/her deputy shall receive 1.5 times the amount given to an ordinary member of the Supervisory Board, i.e. €12,000.

    (2) Members of the Supervisory Board who are only part of the Supervisory Board during a portion of the fiscal year receive pro rata remuneration in accordance with Para. (1) based on the proportion of the whole fiscal year for which they are part of the Supervisory Board.

    (3) Members of the Supervisory Board also receive compensation for the expenses they incur whilst exercising their office. Any VAT to be paid on their receipts is reimbursed to members of the Supervisory Board by the corporation.

    (4) Members of the Supervisory Board may also receive further remuneration in addition to the remuneration defined in Para. (1), provided that this additional amount is resolved upon by the Annual General Meeting with the required majority.

     

    V. Annual General Meeting

    Section 18 Convening the Annual General Meeting

    (1) The Annual General Meeting takes place at the corporation's registered office or in a major German city with more than 200,000 inhabitants. The Annual General Meeting is convened by the Management Board or, in legally stipulated cases, by the Supervisory Board. The statutory specifications apply for the convocation period.

    (2) The ordinary Annual General Meeting is held within the first eight months of each fiscal year. Extraordinary Annual General Meetings may be convened as often as seems required in the interests of the corporation.

    Section 19 Participation in and process for the Annual General Meeting

    (1) Only shareholders who register for the Annual General Meeting and verify their authorisation are authorised to participate in the Annual General Meeting, and to exercise their voting right. The registration and verification of authorisation must be received by the corporation at the address notified in the convocation at least six days before the Annual General Meeting, whereby the day of receipt is not included in the six days.

    (2) A certificate regarding share ownership, issued by the custodian institute in written format (Section 126b BGB) in German or English, is sufficient for authorisation in accordance with Para. 1. The certificate of share ownership must relate to the start of the 21st day before the Annual General Meeting.

    (3) The chair of the meeting is authorised to permit the complete or partial transfer of image and sound of the Annual General Meeting using a method that he/she may determine in further detail. This transfer may also take a form that provides unrestricted access for the public.

    Section 20 Voting right in the Annual General Meeting

    (1) Each share grants one vote in the Annual General Meeting.

    (2) The voting right may be exercised by an authorised agent. Beyond the scope of Section 135 AktG, authorisation is issued and revoked and empowerment is verified to the corporation in written format (Section 126b BGB). The corporation offers an electronic method for the transfer of the certificate of empowerment, within the invitation to the Annual General Assembly. If the shareholder empowers more than one person, the corporation may refuse one or several of these individuals.

    Section 21 Chairmanship in the Annual General Meeting

    (1) The Chair of the Supervisory Board acts as chair in the Annual General Meeting (AGM); if the Chair of the Supervisory Board is unable to chair the AGM, his/her deputy will do so; if the deputy is also unable to chair the AGM, a member of the Supervisory Board to be determined by the Supervisory Board shall chair the AGM. If the Chair is not taken by any member of the Supervisory Board, the leader of the meeting is elected by the Annual General Meeting.

    (2) The Chair leads negotiations and determines the sequence of dealing with items on the agenda, the type and sequence of votes, and the sequence of verbal contributions. The Chair may appropriately limit the time for which each shareholder is entitled to ask questions and speak.

    Section 22 Passing of resolutions by the Annual General Meeting

    Resolutions of the Annual General Meeting are passed with a simple majority of votes cast unless the Articles of Association or mandatory legal provisions provide otherwise.

     

    VI. Annual financial statement, management report, appropriation of balance sheet profit

    Section 23 Annual financial statement and management report; discharge of the Management Board and Supervisory Board

    (1) The Management Board must issue and submit to the auditor the management report and annual financial statement for the previous fiscal year in the first three months of each fiscal year.

    (2) After receipt of the audit report, the annual financial statement and the management report together with the audit report and the suggestion for the resolution of the Annual General Meeting regarding the appropriation of balance sheet profit must be submitted to the Supervisory Board.

    (3) The Supervisory Board must state a position on these submissions within one month of receipt.

    (4) The annual financial statement, management report, report from the Supervisory Board and the suggestion from the Management Board regarding the appropriation of balance sheet profit must be made accessible to each shareholder from the time of the convocation of the ordinary Annual General Meeting onward, in accordance with statutory specifications.

    (5) The Annual General Meeting shall, in the first eight months of each fiscal year, pass a resolution after receiving the report to be provided by the Supervisory Board pursuant to Section 171 Para. 2 AktG, regarding the discharge of the Management Board and of the Supervisory Board, regarding the appropriation of balance sheet profit, regarding the choice of auditor, and – in the cases specified by law – regarding the assessment of the annual financial statement.

    (6) If the corporation is required to create a consolidated financial statement and a group management report, paragraphs 1-5 shall apply mutatis mutandis for the consolidated financial statement and the group management report.

     

    VII. Other conditions

    Section 24 Partial nullity

    If any provision in the Articles of Association is invalid, this shall not impact the validity of the other provisions in the Articles of Association.

    Section 25 Costs

    The corporation shall bear the costs of founding, which comprise 20,000 Deutschmark.

    Annual auditors

    On 9 May 2018 the annual general meeting of secunet Security Networks elected KPMG AG Wirtschaftsprüfungsgesellschaft, branch office Essen, to serve as the annual auditor and consolidated annual auditor for the financial year 2017.

    The general annual meeting of secunet Security Networks AG also elected KPMG AG Wirtschaftsprüfungsgesellschaft, branch office Essen, to serve as the annual auditor and consolidated annual auditor for the financial year 2017 and as the auditor for the review of the condensed financial statements and of the interim management report as at 30 June 2018.