Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Technology is a fundamental element in our Company’s permanent engagement with innovation and continuous improvement in the area of risk management and cybersecurity management strategy. As cybersecurity threats are becoming increasingly sophisticated and rapidly evolving, we have implemented processes for overseeing and identifying material risks from potential cybersecurity threats. Cyber risk management is a core component of our Company’s governance structure, and our cybersecurity processes are integrated into the Company’s overall risk management system and processes. Our primary focus is information security.

Our Information Technology governance framework is composed of policies, procedures, standards, and methodologies to identify and manage risks among other aspects, which are governed by reference frameworks and best practices.

SCC’s information security strategy is led by the Technology and Information Security Director (“TISD”), with review and support from the Chief Information Security Officer (“CISO”) of Grupo Mexico. The main purpose of SCC’s information security strategy is to identify and manage technological risks that could affect the Company's objectives and to strengthen our Company’s resilience. As part of management’s oversight of cybersecurity, the information security strategy is presented on an annual basis to SCC’s Audit Committee of the Board of Directors, which reports to the full Board of Directors, with additional review and oversight by AMC’s Risks Committee. In addition, we conduct a quarterly follow-up of our cybersecurity strategy’s execution progress and any significant cybersecurity incidents are rigorously monitored.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

We utilize the Cybersecurity Framework of the NIST to outline the activities and authorize personnel to handle information security and cybersecurity incident responses within the Company. This procedure outlines the phases of the incident response process, including detection and analysis; containment and intelligence development; eradication and remediation; recovery; and post-incident activities. Assessments include the qualitative and quantitative factors that are essential for determining materiality on information security and cybersecurity incidents.

In instances where a cybersecurity incident is classified and declared as material, our process is designed to meticulously document, in a comprehensive report, all critical details, such as the date and time of identification of the incident, a concise description of the incident's nature and scope, the impact of the incident on the Company's operations, and its current status (remediated or undergoing remediation), so that the incident can be clearly communicated by the Company.

Information security and cybersecurity incidents undergo thorough review and assessment by the Information Security Subdirector, in collaboration with cybersecurity specialists and experts. Those incidents classified as material are reported to the Technology and Information Security Director, relevant Business Directors, and the Board’s Audit Committee, with additional review by AMC's Productivity and Risk Committees. Simultaneously, these processes allow cybersecurity incidents classified as “material” to be promptly disclosed to the SEC in a Form 8-K report within 4 business days of the Company’s determination that such incident is in fact a “material” incident.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Risk Committee and Productivity Committee

The Company’s holding company, AMC, has the following committees, which convene several times a year:

AMC Productivity Committee
AMC Risks Committee

These committees provide support to the Company's Board of Directors with respect to information security and cybersecurity matters. In particular, the Risk Committee provides oversight of the Company’s risk management, cybersecurity, and operational compliance activities, as well as a means of bringing risk issues to the attention of management.

Disclosure of the Board’s Roles and Responsibilities

The Board of Directors is responsible for global oversight of our strategic and operational risks. The Audit Committee assists the Board of Directors with this responsibility by reviewing and discussing our risk assessment and risk management practices, including cybersecurity risks, with members of management. The Audit Committee, in turn, periodically reports its findings to the Board of Directors.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] In particular, the Risk Committee provides oversight of the Company’s risk management, cybersecurity, and operational compliance activities, as well as a means of bringing risk issues to the attention of management.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors is responsible for global oversight of our strategic and operational risks. The Audit Committee assists the Board of Directors with this responsibility by reviewing and discussing our risk assessment and risk management practices, including cybersecurity risks, with members of management.
Cybersecurity Risk Role of Management [Text Block] Our management possesses significant expertise in the assessment and management of cybersecurity risks.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Audit Committee is responsible for overseeing the Company’s overall risk management strategies, including cybersecurity risks and disclosures.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The TISD and the Information Security Subdirector (“ISD”) have extensive experience in the areas of information technology, information security risk management, and cybersecurity. Specific to cybersecurity, the TISD and the ISD have the expertise to provide insights into the nature of cyber threats, the Company’s readiness, and actions that should be taken to mitigate such risks.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] To keep the Audit Committee informed, our information security strategy is periodically presented to the Audit Committee, which reports to the full Board of Directors.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true