|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Cybersecurity has been identified as one of the most significant risks in today’s business environment, and we have classified it as such within our risk management framework. Our Risk Management Policy provides an integrated vision of managing this risk. It includes strategies and performance monitoring, with regular reporting to the Audit Committee and the Board of Directors, the bodies tasked with overseeing our risk management efforts. Our risk management processes are independently audited for compliance with the Sarbanes-Oxley Act. These rules apply to our Group Divisions and our wholly owned and controlled subsidiaries, and are recommended for entities we jointly control, affiliates, and other investments.
Our comprehensive cybersecurity risk management program is designed to safeguard the integrity of our information and maintain the resilience of our cyber environment. It includes the following measures:
•Conforming our cyber practices to internationally established cybersecurity framework best practice standards set out by the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF).
•Utilizing material components in our cybersecurity framework, such as multifactor authentication, identity governance and administration, privileged access management, network firewalls, web application firewalls, antivirus, endpoint detection and response, vulnerability assessment/management, external offensive security testing and penetration testing, threat intelligence services, a security awareness training platform and a 24/7 Security Operations Center.
•Involving a comprehensive team responsible for day-to-day cybersecurity related matters including our Information Security team, Privacy, Legal, Compliance, Audit, Human Resources, and Corporate teams.
•Conducting annual cybersecurity awareness training for employees, interns, contractors and executive management team involved in our systems using a security awareness training platform that includes regular phishing testing with additional reinforcement training if necessary.
•Maintaining a robust incident response plan which includes definition of Copel’s communication team (Crisis Commission) with representatives from various areas such as IT, Legal, Compliance, Investor Relations, Marketing, Data Protection Officer and business areas. This team is responsible for internal communication, including reports to the boards of directors and deliberations regarding the progress of external communication to the various stakeholders involved.
•Regularly reviewing, testing, updating and approving cybersecurity processes by conducting penetration testing, external offensive security testing, vulnerability scanning and attack simulation.
•Involvement in broader industry initiatives and organizations relating to cybersecurity such as collaborating with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, and advance capabilities in these areas.
We also engage companies specialized in cybersecurity and information security consulting and auditing to evaluate the structure and test the effectiveness of our processes and to provide training. Our cybersecurity risk management processes extend to the oversight and identification of cybersecurity risks arising from our use of third-party service providers.
Our Information and Cybersecurity Policy outlines the key strategies we follow to safeguard our corporate information and other assets. It helps us manage risks effectively and ensure the ongoing operation of our business. Additionally, we have a Privacy and Data Protection Policy that governs how we collect, use, and share information obtained through our websites. This policy adheres to the requirements of the Brazilian General Personal Data Protection Law (“LGPD”).
In 2024, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents. We cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Third Party Engaged [Flag]
|false
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Board of Directors
The Cybersecurity and Information Security Committee (CSCI) is an auxiliary collegial body of the Board of Directors, created with the mission of ensuring the direction and strategic definitions for support, processes and compliance relating to cybersecurity and company information security, giving equal consideration to the areas of controls, business and information technology.
It also aims to contribute to ensuring that the Company is led by principles that are in line with Copel and Corporate Governance values, with guidelines that impact all interested parties.
The Committee is made up of members of the Governance, Risk and Compliance Board, the Vice-Presidency of Strategy, New Business and Digital Transformation, the Distribution Board, the Generation and Transmission Board and a member of the Board of Directors. The Committee may, by its own resolution, invite the Director of the area involved in the matter under discussion and the President of Copel Holding to assist in decision-making.
The board of directors and the Statutory Audit Committee are primarily responsible for the oversight of risks from cybersecurity threats. To fulfill this responsibility, the Statutory Audit Committee is responsible for ensuring the quality and efficiency of the internal control and risk management systems, including supervision of the information security strategy. This supervision is recorded annually in the Report of the Statutory Audit Committee (Relatório do Comitê de Auditoria Estatutário) and updated through Quarterly Reports in which management informs the board of strategic key indicators, ongoing initiatives, and significant incidents and their impact.
Management
The cybersecurity risk management processes described above are managed by Marcos Henrique Marçal Camillo, Chief Information Officer – CIO (Superintendent of Information Technology), who has five years of experience in the position. The Information Security department carries out the prevention, detection, mitigation, and remediation of cybersecurity incidents. The department informs the CIO through reports that detail each incident, the response, the measures taken, and cybersecurity performance indicators. The CIO monitors these indicators and reports, reviews security policies, and communicates regularly with the Information Security department. Reports are generally made weekly or monthly, or immediately in the case of serious incidents. Additionally, the CIO is responsible for monitoring the Cybersecurity Program and for its annual review.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Board of Directors
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The cybersecurity risk management processes described above are managed by Marcos Henrique Marçal Camillo, Chief Information Officer – CIO (Superintendent of Information Technology), who has five years of experience in the position.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The board of directors and Statutory Audit Committee are primarily responsible for the oversight of risks from cybersecurity threats.