|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Ensuring adequate levels of protection and cybersecurity for its operations and business processes is a priority for LATAM group, as well as safeguarding the information of its customers, investors, employees and suppliers. To achieve its protection and cybersecurity objectives, the Company has a team that is thoroughly trained to provide comprehensive support in areas such as cybersecurity governance, risk and compliance, vulnerability management, awareness and training, data protection, cybersecurity architecture, offensive prevention, network team operations, identity and logical access management, cyber defense, and threat intelligence. These areas are interconnected and deeply involved in the risk management process, under the leadership of the Chief Information Security Officer (“CISO”), André Pires Magalhaes. Additionally, the company maintains a cybersecurity operating model based on the NIST Cybersecurity Framework (“CSF”).
In light of these priorities, LATAM group has designed a robust cybersecurity risk management process that is continuously being improved to adapt to the latest standards and trends. In 2024, the Cybersecurity Team has developed a comprehensive initiative to transition from a qualitative methodology to a quantitative approach (i) allowing for a more accurate and objective assessment of risks, (ii) facilitating informed decision-making with concrete data, (iii) ensuring effective resource allocation and (iv) strengthening compliance with regulatory requirements, which have been evolving due to the advent of emerging technologies.
By the end of 2024, the Company deployed a new Governance, Risk and Compliance (“GRC”) platform to support the quantification of cybersecurity risks, configuring it to address risks associated with the Flight Operations area. Currently, progress stands at 35%, with expectations of achieving 100% quantification of cybersecurity risks by the first half of 2025. Alongside the transition from qualitative to quantitative risk assessment and management, the process continues to be based on best practices from ISO/IEC 27000, ISO/IEC 31000 standards, and international guidelines such as those from the National Institute of Standards and Technology (“NIST”). This approach primarily focuses on the identification, contextualization, evaluation, treatment, monitoring, communication and awareness of cybersecurity risks, incorporating guidelines aligned with the new methodology.
Additionally, cyber risk management extends to monitoring and identifying threats associated with the use of outsourced service providers. For this reason, a third-party risk management program has been designed and is continuously implemented, based on a framework that includes international best practices such as ISO/IEC 27000 and 31000 to manage these risks in a timely manner, in addition to NIST SP 800-161 for assessing maturity levels. Through this program, LATAM group classifies suppliers according to their critical risk levels and implements appropriate strategies to verify their internal controls, which, in turn, strengthens our cybersecurity controls. The Company’s critical external service providers are continuously monitored using automated tools and are contractually obligated to report any incidents that affect their services, business and data to the group.
To strengthen third-party cybersecurity risk management, we are in the process of implementing a supplier portal as a Cybersecurity Management initiative. This portal will allow us to automate and self-manage the process of evaluating the cybersecurity risk of our third parties by creating a system that enables LATAM group suppliers to self-evaluate, present their action plans to mitigate and reduce identified risks, and facilitate monitoring. Currently, this initiative is in its final phase, with completion estimated in the first quarter of 2025.
In 2024, the Company’s offensive prevention capabilities were enhanced through the execution of ethical hacking and pen-testing activities in a continuous, coordinated, and scheduled manner on mission-critical systems by the Red Team. Supported by strategic suppliers, this team expanded prevention capabilities, increased the number of systems evaluated, planned for evaluation in the next period and implemented control panels available to the CISO and his immediate employees in terms of seniority, ensuring continuous monitoring of the status of cybersecurity offensive prevention operations.
During 2024, the technical vulnerability management program was refined and strengthened by incorporating vulnerabilities and threats detected by the Red Team for timely remediation. This interaction is complemented by an improvement in the traceability of the vulnerability dissemination and awareness program, optimizing the Company’s cybersecurity control environment. Additionally, new control panels were created, allowing for permanent monitoring of vulnerabilities and their respective status.
To improve technological vulnerability management processes, LATAM group is continuously evaluating new security tools. Tools that were previously used to detect vulnerabilities in the source code of systems were migrated to state-of-the-art alternatives, thereby increasing the scope of detection and identification of vulnerabilities in this technological layer.
LATAM group has also engaged in efforts to improve the security staff’s knowledge on cybersecurity and develop technological projects aimed at strengthening LATAM group’s protections against cybersecurity risks. Moreover, it has incorporated new technologies, such as the use of AI, aimed at optimizing both new and existing processes within the group.
As a key complement to adequate cyber risk management, in 2024 LATAM group worked on strengthening the Intelligence and Threat Hunting program, enhancing research and communication capabilities between areas responsible for prevention, protection, and detection, thereby increasing the Company’s preventive capabilities against emerging threats.
Moreover, during 2024, as emerging cybersecurity enhanced and the use of cutting-edge technologies like AI in process automation and optimization gained relevance, the Cybersecurity Team maintained strategies aimed at raising awareness and strengthening the Company’s cybersecurity culture. This included reinforcing tactical and operational actions to raise awareness among stakeholders about cybersecurity standards and best practices, executing continuous training and awareness plans that included updates to electronic learning programs based on international best practices in information security and cybersecurity (for all positions within the Company), and conducting continuous campaigns simulating social engineering attacks.
Cybersecurity risk management requires implementing an extended strategy that ensures protection, detection and swift response to attacks and threats to the Company’s operations. During 2024, the Company promoted strengthening defensive cybersecurity strategies, which enabled the expansion of response and recovery capabilities in the event of any cybersecurity incidents, including the strengthening of an outsourced service for the management of the Security Operations Center (“SOC”), responsible for detecting cyber incidents through the System Information and Event Management (“SIEM”) tool, which includes designing and implementing improvements in both internal and external communication flows regarding possible cyber incidents. Moreover, the Company’s Emergency Response Plan and the Cyber Emergencies Committee (“CEC”) were strengthened during 2024, serving as valuable precedents of LATAM’s Emergency Response Committee, which is in turn composed of IT leaders with the purpose of giving a quick and effective response in case of a technological crisis of high global impact within the Company.
During the first semester of 2024, in order to ensure the protection of its clients’ transactional data, LATAM strengthened and adapted controls. These improvements in its data protection strategy allowed the Company to obtain certifications by the Payment Card Industry Data Security Standard (“PCI”) in 23 markets in which it operates, representing its sixth consecutive PCI certification and reaffirming its commitment to offer secure services to its clients, aligned with the latest technological trends while complying with applicable regulatory requirements. Additionally, during 2024, LATAM group improved its compliance levels with applicable local data protection and privacy legislation, mainly through the deployment of new strategies to verify and ensure compliance more rigorously, alongside the enactment of Chilean National Law No. 21,719, which regulates the protection and processing of personal data, establishing the National Data Protection Agency as a supervisory entity. These new requirements are currently in the implementation phase and will become effective on December 1, 2026.
In line with the regulatory requirements applicable to LATAM, the Cybersecurity Team has strengthened its strategy to continuously monitor compliance with general technology controls, including cybersecurity controls to ensure that they maintain the appropriate level of compliance.
During 2024, the Red Team conducted a test plan of simulated automated attacks in order to improve both administrative and technical mechanisms and controls that comprise the Company’s cybersecurity control responses. Additionally, a cyber-crisis program was implemented to strengthen LATAM’s capacity to prevent and address potential cybersecurity incidents. The program features transversal governance by a multidisciplinary team composed of multiple departments, including cybersecurity, technology, legal, corporate risk, communications, human resources, among others, who participate in simulations of high-impact cybersecurity incidents to address their treatment and management, aiming to strengthen the Company’s security tools and ensure the continuous development of internal controls to effectively face cybersecurity threats.
Periodic self-assessments were also conducted through the deployment of a technical assurance program, based on the continuous evaluation of the effectiveness of cybersecurity processes, mechanisms, and/or controls, contributing to the timely management of cybersecurity risks, positioning cybersecurity as a necessary business component of the Company.
Moreover, during 2024 MANDIANT and GM Sectec conducted periodic independent evaluations of its cybersecurity program, with the objective of independently verifying the effectiveness and efficiency of the Company’s control mechanisms while helping LATAM to remain vigilant to potential threats and attacks that could compromise the availability of business services or threaten the privacy and integrity of information held by the Company.
Additionally, during 2024 LATAM group conducted a collaborative effort with the Technology Department in order to create a technological resilience program, consisting of five aspects to be applied to all of the Company’s technologies: (i) back-up availability; (ii) high availability capacity; (iii) disaster recovery plan; (iv) alert management and monitoring; and (v) the implementation of the concept of creating infrastructure as code (“IaC”), which allows the Company’s technological infrastructure to be managed in an automated manner, through the use of a template instead of a manual process, facilitating and streamlining the availability of technological infrastructure that supports new services.
Over the last four fiscal years, the Company’s business strategy, operational results, and financial condition have not been materially affected by cybersecurity threats due to the above-mentioned efforts conducted by LATAM in the cybersecurity area. Although there can be no assurance that the Company will not be materially affected in the future by such risks, LATAM is focused on continuously developing strategies that adapt to new trends, while maintaining traditional strategies that sustain the Company’s cybersecurity management.
IT disruption of Microsoft and CrowdStrike
In July 2024, a major global technology disruption affecting multiple industries was triggered by a flaw in a software update to the CrowdStrike Falcon platform. The disruption triggered outages in Microsoft’s systems, affecting millions of Windows operated devices, which resulted in airlines, banks and media outlets experiencing significant problems in their operations.
Although the disruption was not a cybersecurity incident, LATAM group’s technical and business teams quickly implemented the protocols established to safeguard the technological environment, successfully avoiding any operational interruptions in flights and critical systems. Consequently, no flights were cancelled during the technological disruption.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Ensuring adequate levels of protection and cybersecurity for its operations and business processes is a priority for LATAM group, as well as safeguarding the information of its customers, investors, employees and suppliers. To achieve its protection and cybersecurity objectives, the Company has a team that is thoroughly trained to provide comprehensive support in areas such as cybersecurity governance, risk and compliance, vulnerability management, awareness and training, data protection, cybersecurity architecture, offensive prevention, network team operations, identity and logical access management, cyber defense, and threat intelligence.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
With regard to cybersecurity governance, LATAM has defined an organizational structure with specialized and dedicated personnel, as well as formal high-level hierarchical bodies, equipped with the powers and competencies required to manage information security and cybersecurity. As part of this organizational structure, the CISO plays a crucial role in risk management and is responsible for designing and maintaining an effective system to identify, monitor, control, and mitigate data protection and cybersecurity risks. The CISO reports to the Vice President of IT (“CIO”), Juliana Ríos, who in turn reports to the CEO of the Company, Roberto Alvo. For further information, see “Item 6. Directors, Senior Management and Employees.”
Throughout 2024, the CISO role was held by André Pires Magalhaes, who has academic training in Electronic Engineering at the University of Sao Paulo (Brazil, 2000) and an MBA in Corporate Management at the Getulio Vargas Foundation (Rio de Janeiro, Brazil, 2004). André also holds international certifications in Information Security and Governance, including ITIL Foundation V3 (2012), CRISC (2010), ISO/IEC 27001 Audit Leader (2010), CGEIT (2009), CISM (2008), and CISA (2007). He has a professional career spanning 21 years in Risk Management and Information Security, focusing on management, strategy, and project management activities. André has successfully led cybersecurity and information security teams in various economic sectors across South America, including companies such as FALABELLA Corporated, Banco Santander Chile, PRODUBAN Chile (ISBAN), General Motors (Chile, Peru, and Brazil), CPM Brazis Technology (Brazil), Natura Cosmetics (Brazil), and Alcoa Aluminio S.A (Brazil).
LATAM group also has an Executive Committee for Technological Risks, composed of the CISO and the CTOs from the IT & Digital Vice Presidency, which supervises compliance with strategic information security planning, ensures the implementation of necessary measures to mitigate identified risks and promotes a risk management strategy at all levels of the organization.
At the executive level, LATAM group upholds its commitment to cybersecurity and effective risk management through periodic sessions held by its Executive Committee, which assesses the Company’s tolerance to cybersecurity risks and ensures the allocation of resources, personnel, infrastructure, and necessary tools for proper risk management. The CISO provides monthly reports to the Executive Committee on the outcomes of strategies aimed at adequate risk management, including periodic evaluations by independent experts on the Company’s cybersecurity management program, such as MANDIANT and GM Sectec.
The primary role of the Board of Directors and the Executive Committee is to oversee the Company’s security management program, acknowledging that management is responsible for designing, implementing, and maintaining an effective program to protect and mitigate data privacy and cybersecurity risks. Frederico Curado has experience in risk management, including cybersecurity risks, particularly while acting as Executive Vice President of Planning and Development in 1995 at Embraer where he led important innovations in the aeronautical industry and promoted the development of new technologies in aircraft manufacturing. Additionally, Sonia Villalobos is certified in Cybersecurity Oversight by the Software Engineering Institute at Carnegie Mellon University, a credential that reinforces her knowledge of the cybersecurity threat landscape, the respective responsibilities of the board and management in cyber-risk oversight and crisis preparedness strategies.
The Board receives annual information security and privacy training provided by the CISO. During quarterly meetings, the CIO presents the status of cyber threats and the effectiveness of mitigation measures to the Board. Independent third-party providers also report on cybersecurity issues through their periodic internal control reports.
The Audit Committee of LATAM is responsible for independently supervising the Company’s risk management, including data privacy and cybersecurity risks, which are managed by the Internal Audit department. This includes incorporating strategic metrics, reviewing the status of ongoing initiatives, significant incidents and their impact, emerging threats in the sector, as well as the results of internal audits.
Finally, the Cybersecurity Team annually reviews and updates its governance documents, including the Information Security Policy, which serves as the main document outlining the general guidelines to secure the Company’s information and technological assets, and the Information Security Program Plan. This plan is published on the group’s website and corporate intranet for information and consultation by clients, employees, suppliers, shareholders and potential investors. Compliance with the information security and cybersecurity documentary framework is also reviewed annually by the Internal Audit team and independent third parties who conduct compliance reviews associated with regulatory standards and laws such as PCI DSS, SOx, and IOSA.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The primary role of the Board of Directors and the Executive Committee is to oversee the Company’s security management program, acknowledging that management is responsible for designing, implementing, and maintaining an effective program to protect and mitigate data privacy and cybersecurity risks. Frederico Curado has experience in risk management, including cybersecurity risks, particularly while acting as Executive Vice President of Planning and Development in 1995 at Embraer where he led important innovations in the aeronautical industry and promoted the development of new technologies in aircraft manufacturing. Additionally, Sonia Villalobos is certified in Cybersecurity Oversight by the Software Engineering Institute at Carnegie Mellon University, a credential that reinforces her knowledge of the cybersecurity threat landscape, the respective responsibilities of the board and management in cyber-risk oversight and crisis preparedness strategies.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Board receives annual information security and privacy training provided by the CISO. During quarterly meetings, the CIO presents the status of cyber threats and the effectiveness of mitigation measures to the Board. Independent third-party providers also report on cybersecurity issues through their periodic internal control reports.
|Cybersecurity Risk Role of Management [Text Block]
|
At the executive level, LATAM group upholds its commitment to cybersecurity and effective risk management through periodic sessions held by its Executive Committee, which assesses the Company’s tolerance to cybersecurity risks and ensures the allocation of resources, personnel, infrastructure, and necessary tools for proper risk management. The CISO provides monthly reports to the Executive Committee on the outcomes of strategies aimed at adequate risk management, including periodic evaluations by independent experts on the Company’s cybersecurity management program, such as MANDIANT and GM Sectec.
The primary role of the Board of Directors and the Executive Committee is to oversee the Company’s security management program, acknowledging that management is responsible for designing, implementing, and maintaining an effective program to protect and mitigate data privacy and cybersecurity risks. Frederico Curado has experience in risk management, including cybersecurity risks, particularly while acting as Executive Vice President of Planning and Development in 1995 at Embraer where he led important innovations in the aeronautical industry and promoted the development of new technologies in aircraft manufacturing. Additionally, Sonia Villalobos is certified in Cybersecurity Oversight by the Software Engineering Institute at Carnegie Mellon University, a credential that reinforces her knowledge of the cybersecurity threat landscape, the respective responsibilities of the board and management in cyber-risk oversight and crisis preparedness strategies.
The Board receives annual information security and privacy training provided by the CISO. During quarterly meetings, the CIO presents the status of cyber threats and the effectiveness of mitigation measures to the Board. Independent third-party providers also report on cybersecurity issues through their periodic internal control reports.
The Audit Committee of LATAM is responsible for independently supervising the Company’s risk management, including data privacy and cybersecurity risks, which are managed by the Internal Audit department. This includes incorporating strategic metrics, reviewing the status of ongoing initiatives, significant incidents and their impact, emerging threats in the sector, as well as the results of internal audits.
Finally, the Cybersecurity Team annually reviews and updates its governance documents, including the Information Security Policy, which serves as the main document outlining the general guidelines to secure the Company’s information and technological assets, and the Information Security Program Plan. This plan is published on the group’s website and corporate intranet for information and consultation by clients, employees, suppliers, shareholders and potential
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|As part of this organizational structure, the CISO plays a crucial role in risk management and is responsible for designing and maintaining an effective system to identify, monitor, control, and mitigate data protection and cybersecurity risks.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Throughout 2024, the CISO role was held by André Pires Magalhaes, who has academic training in Electronic Engineering at the University of Sao Paulo (Brazil, 2000) and an MBA in Corporate Management at the Getulio Vargas Foundation (Rio de Janeiro, Brazil, 2004). André also holds international certifications in Information Security and Governance, including ITIL Foundation V3 (2012), CRISC (2010), ISO/IEC 27001 Audit Leader (2010), CGEIT (2009), CISM (2008), and CISA (2007). He has a professional career spanning 21 years in Risk Management and Information Security, focusing on management, strategy, and project management activities. André has successfully led cybersecurity and information security teams in various economic sectors across South America, including companies such as FALABELLA Corporated, Banco Santander Chile, PRODUBAN Chile (ISBAN), General Motors (Chile, Peru, and Brazil), CPM Brazis Technology (Brazil), Natura Cosmetics (Brazil), and Alcoa Aluminio S.A (Brazil).
LATAM group also has an Executive Committee for Technological Risks, composed of the CISO and the CTOs from the IT & Digital Vice Presidency, which supervises compliance with strategic information security planning, ensures the implementation of necessary measures to mitigate identified risks and promotes a risk management strategy at all levels of the organization.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The CISO reports to the Vice President of IT (“CIO”), Juliana Ríos, who in turn reports to the CEO of the Company, Roberto Alvo. For further information, see “Item 6. Directors, Senior Management and Employees.”
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true