|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats as part of our overall risk management system and processes.
We understand the importance of preserving trust and protecting personal and other confidential and sensitive information. Cybersecurity is a critical component of our overall risk management system and we have established an information security and cybersecurity framework to help safeguard the confidentiality, integrity and access of our information assets, and to ensure regulatory, contractual and operational compliance. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including multifactor authentication, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, and identity management systems.
Our information security and cybersecurity framework and infrastructure comply with and incorporate the Information Security Management System (“ISMS”) and Personal Information and Information Security Management System
(“ISMS-P”)standards, which significantly overlap with International Organization for Standardizations (“ISO”) standards. Our certifications under such standards are valid for three years, and we are subject to an annual audit to maintain such certifications.
Our Chief Information Security Officer (“CISO”), under the supervision of our board of directors and the ESG Committee, oversees our approach to managing cybersecurity and digital risk and regularly engages with cross-functional teams including legal, human resources, facilities and corporate risk. We also carry insurance that provides protection against potential losses arising from cybersecurity incidents and annually review our policy and levels of coverage based on current risks.
We conduct annual information security awareness training for all directors, officers and employees and enhanced training for specialized personnel, such as personal information handlers, location information handlers and information security managers, and publish periodic cybersecurity newsletters to highlight any emerging or urgent security threats. We also conduct cyber awareness training and run tabletop exercises to simulate responses to cybersecurity incidents, and use the findings to improve our practices, procedures and technologies.
We also engage with a range of external experts, including cybersecurity assessors and consultants, to assess and report on the effectiveness of our cybersecurity and data privacy controls, and our internal incident response preparedness, as well as to help identify areas for continued focus and improvement. In addition, we engage outside legal counsel regarding cybersecurity issues such as regulatory compliance, materiality determinations, disclosure obligations and best practices for oversight, as needed. Since 2006, we have been a member of CONCERT, a Government-sponsored organization which allows members to share best practices, fight cybercrime, enhance privacy, discuss new technologies and better understand the evolving regulatory environment and advance capabilities in these areas.
Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. We review our vendors’ cybersecurity practices before we enter into business transactions with them, and we seek to contractually obligate vendors to operate their environments in accordance with strict cybersecurity standards. We also develop contingency plans for business continuity if our vendors are subject to a cyberattack that impacts our use of their systems. Furthermore, we assess the risks faced by our partners, including branch offices and stores in our extensive distribution network, at least once a year in order to assess risks and identify threats and vulnerabilities, and implement corrective measures. Since 2015, we have been engaging third-party assessors to conduct annual audits of our distribution network and have been conducting remote diagnoses of all personal information-processing personal computers on a weekly basis.
Our internal audit department conducts annual audits to review and evaluate the effectiveness of our internal controls relating to information security and disclosure obligations.
On April 19, 2025, we became aware of a malware attack against our information technology infrastructure, which we believe resulted in the leakage of certain USIM information of our 5G and LTE network subscribers. Upon becoming aware of such incident, we promptly deleted the malware and segregated the targeted equipment, and we have yet to find any instance of actual or attempted misuse of such information. We have also alerted the Government authorities and our customers of such attack. In addition, we have also been taking further measures to mitigate the potential impact of such attack, including by engaging in a comprehensive audit of our entire network system, strengthening our monitoring efforts against USIM swap frauds and unauthorized authentication attempts, immediately suspending the use of our wireless services upon identifying suspicious account activities involving the affected subscriber information and offering free USIM protection services and free replacement of USIM cards to our subscribers to block any unauthorized misuse of their USIM information. While we are currently investigating, including in cooperation with the Government authorities, such incident and striving to continue to further strengthen our cybersecurity measures, we are unable to predict the results of any future investigations or regulatory actions by the Government, including any imposition of regulatory or other sanctions, or the full extent of harm that may be caused by such incident at this time. Actual or perceived breaches of our cybersecurity of a material nature or material harm to the market perception of the effectiveness of our cybersecurity measures may require us to incur significant legal and financial exposure, including legal claims and regulatory fines and penalties, monetary compensation to our customers, damage to our reputation and a loss of confidence of our customers, which could have a material adverse effect on our business, financial condition and results of operations.
Other than as describe above, our business, financial condition and results of operations
have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents.
Governance
Management
The cybersecurity risk management processes described above are primarily managed by our CISO, who also serves as our Chief Privacy Officer and has been acting in such role since 2019. Our CISO has more than 20 years of experience in the area of information technology and more than six years of experience in the area of information protection. Our CISO maintains the following internationally recognized certificates: ISO27001, ISO27017 and ISO27018.
In order to streamline our information protection and privacy governance regime, we operate an integrated control center led by our CISO to prevent common malicious and abusive Internet activities, such as spam, hacking of personal information, distributed
attacks and dissemination of viruses, worms and other destructive or disruptive software, and to respond in real time when a situation arises. We also hold an Information Protection Committee meeting every week under the leadership of our CISO. Furthermore, key executive officers such as our Chief Operating Officer and Chief Serious-accident Prevention Officer manage company-wide information security risks under the leadership of our Chief Executive Officer.
denial-of-service
Board of Directors
Our board of directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the board of directors, with assistance from the ESG Committee, maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks due to the complexities of the risks involved or the importance of cybersecurity-related risks to stakeholders, it has delegated certain responsibilities to our CISO who heads an execution organization composed of executive officers with relevant experience. In addition, our board of directors receives annual review reports covering the status of the company’s management and protection of personal credit information from our CISO. For information security issues that have a company-wide impact, our board of directors convenes a crisis response situation room to directly engage with and advise our CISO, and the CISO reports to the board of directors the results of work performed based on such advice.
Our board of directors’ principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats as part of our overall risk management system and processes.
We understand the importance of preserving trust and protecting personal and other confidential and sensitive information. Cybersecurity is a critical component of our overall risk management system and we have established an information security and cybersecurity framework to help safeguard the confidentiality, integrity and access of our information assets, and to ensure regulatory, contractual and operational compliance. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including multifactor authentication, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, and identity management systems.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
Our board of directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the board of directors, with assistance from the ESG Committee, maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks due to the complexities of the risks involved or the importance of cybersecurity-related risks to stakeholders, it has delegated certain responsibilities to our CISO who heads an execution organization composed of executive officers with relevant experience. In addition, our board of directors receives annual review reports covering the status of the company’s management and protection of personal credit information from our CISO. For information security issues that have a company-wide impact, our board of directors convenes a crisis response situation room to directly engage with and advise our CISO, and the CISO reports to the board of directors the results of work performed based on such advice.
Our board of directors’ principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our board of directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the board of directors, with assistance from the ESG Committee, maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks due to the complexities of the risks involved or the importance of cybersecurity-related risks to stakeholders, it has delegated certain responsibilities to our CISO who heads an execution organization composed of executive officers with relevant experience. In addition, our board of directors receives annual review reports covering the status of the company’s management and protection of personal credit information from our CISO. For information security issues that have a company-wide impact, our board of directors convenes a crisis response situation room to directly engage with and advise our CISO, and the CISO reports to the board of directors the results of work performed based on such advice.
|Cybersecurity Risk Role of Management [Text Block]
|Our board of directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the board of directors, with assistance from the ESG Committee, maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks due to the complexities of the risks involved or the importance of cybersecurity-related risks to stakeholders, it has delegated certain responsibilities to our CISO who heads an execution organization composed of executive officers with relevant experience.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Chief Information Security Officer (“CISO”), under the supervision of our board of directors and the ESG Committee, oversees our approach to managing cybersecurity and digital risk and regularly engages with cross-functional teams including legal, human resources, facilities and corporate risk. We also carry insurance that provides protection against potential losses arising from cybersecurity incidents and annually review our policy and levels of coverage based on current risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our board of directors’ principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef