Despite the exceptional circumstances we all went through in 2020 as a result of the COVID-19 pandemic, Madrileña Red de Gas continued innovating and working to ensure the company’s ongoing improvement in a range of areas and across the organisation, securing the involvement and commitment of all our various business units. Notable MRG initiatives include those relating to the new regulatory framework, the risk management policy, cybersecurity, telecommunications and personal data protection.
1.1 BOARD OF DIRECTORS
- Consilia Asesores, S. L. (Pedro Mielgo, legal representative), President
- Dennis van Alphen, Director
- Martijn Verwoest, Director
- Andrew Scott Wilkie, Director
- Qingtong Li, Director
- Dong Dong, Director
- Simon Davy, Director
- Romain Bruneau, Director
- Pierre Benoist d’Anthenay, Director
- María Martín, Secretary (non-Director)
1.2 EXECUTIVE COMMITTEE
- Alejandro Lafarga, General Director
- Rafael Fuentes, Legal Director
- Inés Zarauz, Financial Director
- David Ortiz Carreras, Expansion Director
- Glen Lancastle, Operations Director
- María Vázquez, Human Resources Director
- Félix Blasco, Network Operations Director
1.3 REGULATORY FRAMEWORK
The Spanish gas sector is regulated by Law 34/1998, of October 7, on the Hydrocarbon Sector, reformed by Law 12/2007, of July 2, Royal Decree-Law 13/2012 and Law 8/2015, of 21 May, as well as by Law 18/2014, of 15 October, and by its implementing provisions, particularly Royal Decree 1434/2002, of 27 December, Royal Decree 949/2001, of 3 August, and Royal Decree 984/2015, of 30 October, due to their importance.
The gas and electricity sector is regulated by the Ministry for Ecological Transition and the Demographic Challenge, whereas the National Commission on Financial Markets and Competition (CNMC) is the regulatory authority entrusted with the tasks of maintaining and ensuring effective competition and the transparent functioning of the Spanish energy sector. Until the publication of Law 3/2013, of 4 June, these functions were performed by the National Energy Commission (CNE), which has since been integrated into the CNMC. The Autonomous Communities also have powers to develop and implement regulations within the scope of their particular authority.
In early 2019, Royal Decree-Law 1/2019, of 11 January, was signed into law with urgent measures to adapt the authority of the CNMC to the requirements resulting from Community law related to Directives 2009/72/EC and 2009/73/EC of the European Parliament and the Council of the European Union, dated 13 July 2009, on common standards for the domestic electricity and gas markets. Said decree modified Law 3/2013, of 4 June, on the creation of the CNMC; Law 34/1998, of 7 October, on the hydrocarbon sector; Law 24/2013, of 26 December, on the electricity sector; and Law 18/2014, of 15 October, approving urgent measures for growth, competitiveness and efficiency. The main modifications in this regard are as follows:
- The regulatory body’s independence to approve its regulatory memoranda is guaranteed.
- In relation to the payment for gas and electricity transport and distribution activities and for liquefied natural gas (LNG) plants (except for underground natural gas storage), the CNMC will approve the methodology, the payment parameters, the regulatory basis of assets and the annual payment for the activity. The CNMC also approves the methodology for tariff rates, and their structure and specific values, whereas the Ministry for Ecological Transition and the Demographic Challenge approves the structure of tariffs, their methodology and their values, as well as the methodology and conditions of access and connection to the electricity and natural gas transport and distribution networks, regulation of the operating rules for organised markets, and payment to the electric system operator and the gas system technical manager.
In 2020, the memoranda and resolutions approved by the CNMC include:
- Memorandum 1/2020, of 9 January, establishing the methodology to pay the gas system technical manager.
- Memorandum 2/2020, of 9 November, establishing the natural gas balance regulations.
- Memorandum 4/2020, of 31 March, establishing the methodology to pay for natural gas distribution.
- Memorandum 6/2020, of 22 July, establishing the methodology to calculate tariff rates for transport, local networks and regasification of natural gas.
- Memorandum 8/2020, of 2 December, establishing reference unit values for investment and for operation and maintenance for the 2021-2026 regulatory period, as well as the minimum requirements for audits of investments and costs in natural gas transport facilities and LNG plants.
- Memorandum of 17 December 2020, establishing the amount to pay the gas system technical manager for 2021 and the quota for its financing.
- Memorandum of 17 December 2020, establishing the tariff adjustment for the activity of distribution applicable to companies providing distribution in the 2021-2026 regulatory period. In the case of Madrileña Red de Gas, this adjustment amounts to €24,516,919.
- Proposed resolution of 29 December 2020 from the CNMC, establishing the payment for the “2021 gas year” (from 1 January to 30 September 2021) for companies carrying out regulated activities relating to LNG plants, and to natural gas transport and distribution (RAP/DE/008/20). This proposal, which is in the process of being heard, forecasts a provisional payment for Madrileña Red de Gas of €104,279,650.35 in 2021.
Information exchange between supplier and distributor (SCTD) and regulation
On 30 December 2019, Spain’s Official State Gazette published the entry into force of the new formats of files for exchanging information between distributors and suppliers, both for electric power and for natural gas, which had been approved by the CNMC on 18 December that year.
The new 2.0 version of formats standardises operations, includes new regulations and introduces operational improvements detected over the three years of experience with version 1.0, such as protecting consumers’ rights with regard to termination and guaranteed supply, real-time consultation of contract information and considerations regarding gas multi-contracts.
These new formats were implemented at MRG in two phases: the first on 6 July 2020, and the second on 4 January 2021. Both phases were successful thanks to the flexible working methods used during implementation, consisting of fortnightly sprints with continuous monitoring of any blockages and risks among all those involved, and to the working line established between business, systems and our technology partners Atos (which maintains the global SCTD communication system) and DxC Technology (which ensures the functionality of our SAP system).
Two fundamental aspects of the project’s success are the battery of integrated regression tests carried out between gas suppliers to guarantee that developments function as they should, and the coordination between all Madrileña Red de Gas business units, due to the cross-cutting nature of the project, ensuring the entire company was involved.
1.4 PREVENTION OF CRIMINAL OFFENCES
In accordance with Organic Law 1/2015, of 30 March, Madrileña Red de Gas ensures that its management model for the prevention of criminal offences is kept up to date, including its map of criminal risks and its prevention protocol.
MRG has a firm commitment to adopting any new measures to guarantee the prevention of criminal offences. In 2020, the established monitoring system was analysed using the corresponding risk management tools, analysing the degree of compliance and the level of effectiveness. This led to the approval of an action plan to ensure ongoing improvement of the monitoring process.
MRG has always maintained that it is essential for all members of staff to be informed on this matter. To help improve understanding and the management model’s reach with regards to preventing criminal offences, training courses were held on both general and specific topics, according to the needs detected by the annual monitoring process.
1.5 CYBERSECURITY
In a hyperconnected world, where most activities are managed online using electronic devices, ensuring the security of operations and information is essential for MRG. The notion of conducting business without information systems and the technology that supports them is simply unthinkable in today’s world. These systems and the technology behind them are targeted by cybercriminals, who use a range of techniques to access company networks, hold data for ransom, install malware and compromise company or user assets. Cybercrime threats change and evolve, and every day new risks emerge that attempt to harm a company’s processes, assets and information.
This new reality means that cybersecurity is our greatest challenge. To understand and manage all the risks involved in cyber attacks, we operate with a global, coordinated approach, supported by our corporate strategy.
By studying different factors inherent to the gas sector, along with our strategic objectives and the most stringent requirements of the market, we analysed what the company’s current level of cybersecurity was, and what it needed to be.
With the help of the consultants Deloitte, in the first half of 2020 we assessed the level of cybersecurity in our processes and networks, identifying the risks that currently affect or might in the future affect our business processes, and an ambitious action plan was drawn up for the 2021-2023 period that ensures we are in a leading position in terms of cybersecurity.
Additionally, by migrating our systems to Amazon Web Services (AWS), we were able to benefit from a network designed to protect data, identities, applications and devices. As a result, we have improved our capacity to meet core compliance and security requirements, such as those on data location, protection and confidentiality.
With AWS we were also able to automate security tasks that were previously performed manually, thus reducing human configuration errors and raising the levels of security. These actions carried out on the infrastructure deployed in AWS are focused on:
EBS volume encryption
In order to comply with various security policies, all the EBS volumes attached to virtual EC2 servers needed to be encrypted. This encryption enables MRG to protect information by turning it into unreadable ciphertext that cannot easily be decrypted by anyone not authorised to access it. Encryption software is used to encrypt each bit of information in a disk volume, preventing unauthorised access to any stored information.
Antimalware software installation
By installing an antimalware agent, MRG can prevent, detect and remedy any malicious software found on individual computer devices. Cloud-based antimalware software was the option we chose, as with antimalware technology of this kind files can be analysed in the cloud rather than on the server, thus freeing up computing resources and ensuring a speedier response.
In compliance with security policies, the ESET operative installed the ERA Agent antivirus software on all EC2 virtual servers deployed in the Madrileña Red de Gas AWS account. As a result we detected 37 servers that did not have the agent installed, leading to a bulk installation using Ansible playbooks.
Once all the agents had been installed on the different virtual servers, each one was verified to be working, to ensure the project was successful.
Various other initiatives were also carried out in 2020 with the aim of raising awareness among our users, who are the primary way that cyber threats find their way in, and of strengthening the security of our networks and infrastructures. These included:
- Cybersecurity auditing of remote meter reading devices.
- Programme to raise awareness among users.
- Implementing a password manager.
- Configuring and organising a SIEM-SOC.
- Encrypting infrastructure volumes.
- Installing antimalware software in the infrastructure.
- Disk encryption.
- Network segmentation.
Finally, we performed more than two thousand checks on our processes. All peripheral SCADA, HMI, PLC and RTU systems were checked, as were all IT systems, and we conducted ten awareness-raising campaigns and training initiatives among our users, as well as identifying as many as 28 new projects for the 2021-2023 action plan.
1.6 TELECOMMUNICATIONS
Telecommunications and remote working tools have become key elements of the new business world. Although they have a recurring cost, which in the past would have been of little added value, today it is more necessary than ever to ensure they are secure, capable and optimised.
In order to guarantee the availability of remote work tools, while also optimising costs and seeking added value in telecommunications for the business, MRG has conducted an audit of all our telecommunications assets, both externally and internally, aimed at reviewing:
- Agreements with telecommunications providers.
- Conditions such as tariffs, continuities and services.
- Average monthly spend on mobile and fixed telephony and connections.
- Number of devices.
- Needs of each business unit for communications and data.
As a result of this audit, we were able to reduce the overall budget by 25% by restructuring all telecommunications services: updating contracts to actual needs, securing better tariffs, removing unnecessary services, extending basic services, such as the data tariff for employees (from 1GB to 5GB), and making technological improvements to the data network and the switchboard.
Back in 2010, MRG was the first distributor to implement Gmail as a company email tool. In 2020 we updated the company email and workspace suite with the G Suite Business edition of Google Workspace, adding unlimited space to our Gmail and Google Drive accounts, and increasing communication security. Adjustments were also made to active accounts, which have since been reduced by as much as 30%.

1.7 CORPORATE RISK MANAGEMENT
According to the internal rules of procedure at Madrileña Red de Gas, the Risks and Auditing Committee reports directly to the Board of Directors and operates in accordance with said rules, which define the committee’s objectives, functions and composition. This committee is made up of representatives from the Board of Directors, the Executive Committee and the risk management department.
The contents of its agenda are discussed in regular committee meetings, which are held prior to each Board of Directors’ meeting. The schedule is agreed on at the beginning of each financial year. Recurring topics include monitoring the map of corporate risks, the most relevant risks and the established or proposed checks and mitigation plans, accounts audits, and policy on preventing crime and cybersecurity risks.
Recommendations can then be issued, intended for the risk management department and/or for the Board of Directors. As a result of COVID-19, a map of specific risks was defined. It sets out risks of a financial nature, such as the potential impacts on operating margins, liquidity and credit risk, and risks relating to difficulties in conducting operations in the homes of users affected by the pandemic, the availability of resources for the continuity of operations and/or failures in the supply chain, monitoring the functionality of the business continuity plan and checks to monitor the prevention of risks in the workplace.
The company’s risk management policy involves progressively conducting cross-cutting analyses of the risks relating to the business and corporate units that are most closely linked to the processes involved. Likewise, risk management forms part of the agenda at the regular meetings of the Executive Committee, and information on how the risks map is evolving is included in the monthly reports sent out to our shareholders.
Currently, the MRG risks map sets out the ten most common risks, which are evaluated by applying a criterion based on:
- The probability of a risk occurring, on a scale of one to ten.
- The combined effect on net present value and reputational impact, both on a scale of one to ten. The effect on net present value considers both the direct economic impact for the next 20 years and any possible sanctions.
The MRG risks map covers emerging risks through regular updates of its content. It also adds new high-level checks to those already in place. A series of action plans have been implemented to help mitigate the consequences of these risks.
The most recent changes recorded on the risks map relate to sector-based regulatory changes that come into force in 2021, and the collection of associated risks. These have been properly defined and assessed as more detailed information has emerged about the potential consequences these changes could have if they materialise. A strategy has also been developed to prevent and mitigate any potential impacts of these risks.
1.8 CORPORATE SOCIAL RESPONSIBILITY
For the fifth year in a row, Madrileña Red de Gas took part in the GRESB Infrastructure initiative, providing information on corporate social responsibility as requested. The results provide an overall view of how the company has evolved with respect to previous financial years and our degree of maturity in this regard in comparison with other companies in the sector. Following in-depth analysis of the results, improvements were identified for implementation as part of the company’s environmental, social and corporate governance (ESG) model. These improvements will help ensure progress over the course of 2021.
The ESG Report includes specific chapters on environmental, social and corporate governance, drawn up according to the Global Reporting Initiative (GRI) standard. The references have been identified for the content of this standard, making it easier for the information to be located. The report was also checked externally by the testing, inspection and certification company BVQi.
1.9 DATA PROTECTION
The Madrileña Red de Gas data protection model is based on how ISO management systems are structured, so it can take full advantage of existing synergies with other systems in place. Based on the company’s information security and personal data protection policy, the MRG data protection officer has an active role on the Executive Committee, the Risks and Auditing Committee and the Cybersecurity Committee. We also have a management manual that has been developed in accordance with more than ten particular personal data protection procedures, which are regularly revised to ensure their content is always up to date. By implementing the risk and impact assessment model in the different data protection treatments, data protection management is now organised around the identified priorities and opportunities. Improvements continue to be developed to help identify stakeholders in this regard.
This management model also includes interacting with stakeholders by making the personal data protection policy and information on how personal data is processed available on the company’s website to ensure stakeholders are kept up to date. We also use the various ways that we communicate with users to inform them that this information is available. The model also covers active management of the data protection officer’s mailbox.
The following lines of action are all fully integrated into our management model:
- Actions to coordinate business activities with data processor managers on matters relating to data protection, through meetings, unifying criteria and best practice agreements.
- Monitoring the data protection performance of our chain of suppliers, through the information provided by the Repro-Achilles website on the maturity of their privacy policies, as well as through the auditing reports issued by the Repro-Achilles community.
- Interaction with the Spanish Data Protection Agency (AEPD) with regard to various processes involved in protecting individuals’ rights.
- Record of data protection incidents, which are investigated to help introduce improvements to how information is managed.
Finally, the most relevant activities regarding personal data protection in 2020 were chiefly focused on managing the rights of data subjects, managing incidents and resolving queries. Many of these have been in relation to how current legislation is interpreted and to individuals exercising their personal data protection rights.
There has also been an ongoing review of personal data protection clauses in contracts, incorporating our specific contractual clauses where needed with the aim of covering all the particularities of the wide range of services that are contracted.
New developments with regard to previous years include a significant increase in the use of the data protection officer’s mailbox, which went from receiving 300 requests in 2019 to 800 in 2020. Also notable was the notification received from the AEPD of a data protection security breach. When investigated, it became clear that there was a need for improved automated information management mechanisms. Finally, the first sanction proposed by the AEPD on data protection matters is pending a definitive ruling from the courts.
Furthermore, and with the aim of promoting internal data protection culture, the MRG internal regulation library released information on revisions and updates made over the course of the year, ensuring that the documentation it contains is kept up to date.