CSIRT - Cyber Security Incident Response Team

Intesa Sanpaolo established the CSIRT, Cyber Security Incident Response Team, with the objective to intercept and analyze cyber threats and incidents that may cause potential impacts on the Group, assess cyber security events and give timely recommendations and indications to its Constituency.

Our objective

The objective of Intesa Sanpaolo’s CSIRT consists of:

  • Identifying the threat that may cause potential impacts on Intesa Sanpaolo Group through constant Threat Intelligence activities;
  • Identifying the incidents that occurred and caused impacts on Intesa Sanpaolo Group through constant Threat Intelligence activities;
  • Assessing the threats landscape and coordinate responses to prevent potential impacts on the Group;
  • Keeping the Group Constituency informed on potential threats and on attackers’ tactics, techniques and procedures (TTPs), possibly earlier than these are actively exploited;
  • Operating at close contact with internal functions and stakeholders, by grating the assessment of impacts, as well as the definition and the correct addressing of response actions and remediation plan, in case of incident;
  • Actively developing and promoting an information sharing network with the Group’s Constituency and with external national and international stakeholders.
Environment of Expertise

ISP-CSIRT grants support to manage the potentially critical threats and incidents occurring at Intesa Sanpaolo Group. The support level provided by ISP-CSIRT varies based on incident type and severity, related impacts, perimeter and involved/interested targets.

ISP-CSIRT is also committed in maintaining informed its Constituency on potential threats and attackers’ tactics, techniques and procedures (TTPs) through information sharing on the CISP platform, possibly earlier than these are actively exploited.


Intesa Sanpaolo CSIRT’s constituency is composed by all Intesa Sanpaolo Group’s entities, including the Holding Company and the affiliated entities.

Constituency’s members are mainly engaged in the following countries: Italy, Russia, Albania, Czech Republic, Slovenia, Slovakia, Croatia, Romania, Egypt, Serbia, Bosnia Herzegovina, Hungary and any other country in which Intesa Sanpaolo Group is present.


The ISP-CSIRT’s Services portfolio is organized on the basis of three kind of services: reaction services, pro-active services and management services.

Here follow the specific services’ scopes:

  • Cyber Threat Surveillance
  • Cyber incident Response
  • Alerts & Warning
  • Information Sharing

ISP-CSIRT supports and coordinates cyber incident response activities within its Constituency, granting that these are managed effectively and efficiently. In case of an incident, ISP-CSIRT supplies support on the following aspects of incident management:

  • Threat/Incident triage
    • Gathering, correlation and analysis of information supplied by threat intelligence sources;
    • Incident classification with the goal to determine the event severity, based on related impacts and with the support of business functions and involved Group entities.
  • Incident/Threat management coordination
    • Coordination of stakeholders and internal communication as well as escalation process;
    • Identification of the appropriate countermeasures and coordination of involved stakeholders’ response actions;
    • Constant monitoring of incident evolution and the implementation state of assigned tasks.
  • Incident Resolution/Threat countermeasures activation
    • Support to involved entities to identify and implement the appropriate countermeasures;
    • Support the recovery of possibly impacted services to their initial state.
How to contact CSIRT

The main method to contact ISP-CSIRT is through an e-mail sent to the address: csirt@intesasanpaolo.com.

The mailbox is constantly monitored in business hours: Monday-Friday 8.30 a.m. 5.00 p.m., CET (GMT+0100 and GMT+0200 from last Sunday of March to last Sunday of October), except holydays in Italy.

In case an incident had to be reported outside ISP-CSIRT Constituency, please include the following information, preferably using encrypted e-mails:

  • Advisor’s reference (name, e-mail address, telephone number);
  • Date and time of the occurrence of the event, if known;
  • Type of incident;
  • Description  of the incident;
  • IP address/addresses, FQDN(s) and any other relevant technical information with the appropriate observations;
  • Any relevant artifact or registry related to the event;

ISP-CSIRT supports the TLP Protocol (Traffic Light Protocol) related to the Information Sharing; the information acquired with the tags WHITE, GREEN, AMBER or RED will be managed according to the provided methodologies.

ISP-CERT - Critical Event Readiness Team

Intesa Sanpaolo has established the Critical Event Readiness Team (CERT) which, in the management of cybersecurity events and operational continuity, is responsible for the classification of events and the reporting of incidents to the relevant Authorities. In addition, the CERT ensures the coordination of external communications, that should be necessary to face critical/emergency events. Moreover, it coordinates the activities of identification of the appropriate countermeasures to be activated in order to mitigate potential impacts and ensure the continuity of service to Customers.

Our Mission

The mission of Intesa Sanpaolo CERT consists of:

  • Analyze the economic, regulatory and reputational potential  impacts of a cybersecurity and business continuity incident in order to determine the severity of an event (event classification);
  • Based on the outcome of the classification, the CERT enables the appropriate internal escalation and decision-making process to define appropriate event response strategies;
  • Manage critical/emergency reporting activity to the relevant national and international Authorities, in accordance with the regulatory requirements in force (Incident Reporting);
  • Coordinate activities to identify appropriate predefined countermeasures to be triggered to mitigate the impacts of an event and ensure continuity of customer service;
  • Ensure the coordination of external communications to the different stakeholders in relation to the specificity of the incident managed and the countermeasures activated, ensuring the uniformity and consistency of all communications.
Contacting CERT

Intesa Sanpaolo CERT can be contacted through the following e-mail address: cert@intesasanpaolo.com.

Hours of operations:  Monday to Friday, 8.30am to 5pm, Central European time zone, except Italy public holidays.