|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Risk Management and Strategy
Our Cyber Risk Management and Strategy processes are based on the NIST (National Institute of Standards and Technology at the U.S. Department of Commerce) Cybersecurity Framework, which outlines best practices on cyber security protection. This international policy framework is structured around five areas: identify, protect, detect, respond, and recover, which we have also adopted and integrated into our risk management routines.
Our process for assessing, identifying, and managing material risks from cybersecurity focuses on identifying and neutralizing cybersecurity threats before a potential attack occurs and potentially compromises our platform’s confidentiality, integrity and availability. As part of our cybersecurity resiliency strategy and in an effort to mitigate potential cybersecurity risks, we employ various measures, including employee training, systems monitoring, and testing and maintenance of protective systems and contingency plans.
We deploy security tools to help bolster our defense detection capabilities, such as a web application firewall, endpoint detection and response systems, and security information and event management tools.
All projects and engagements with third-party suppliers that involve the implementation of solutions in our environment must comply with our information security requirements, including information security checklists.
We regularly evaluate ourselves for appropriate business continuity and disaster recovery planning, with test scenarios that include simulations and penetration tests. Our software teams include professionals dedicated to the development, security, and operations (DevSecOps) of our systems. Our team of IT specialists conducts periodic vulnerability scans to identify vulnerabilities and risks and propose action plans. Our team of IT specialists meets weekly to assess material risks from cybersecurity threats. The correction of any vulnerabilities is made taking into account key performance indicators (“KPIs”), which we believe to be an efficient tool for risk management.
All of our business units, from digital to industrial automation, are expected to follow pre-determined procedures, active monitoring routines and respond promptly after the occurrence of a security incident.
We have an Information Security Master Plan in place, with the aim of improving our information security environment through the creation of new processes and implementation of new market solutions. The Information Security Master Plan helps guide our information security strategy.
We also have a Cyber Incident Response Plan (CIRP) in place to address and resolve any incidents or cybersecurity issues. In the event of cybersecurity incidents or imminent threats, our IT team first carries out an incident evaluation and investigation. To the extent needed, the IT team may set up a crisis room and escalate the situation to our senior management, while the team works on addressing and resolving the issue and, if needed, reestablishing our systems environment.
We work closely with an IT specialized company, which is currently responsible for maintaining and supporting Braskem’s IT environment. A contract with a third-party company specialized in computer forensic analysis is also in place, covering the potential assistance upon the occurrence of any incidents or threats requiring evidence collecting.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|This international policy framework is structured around five areas: identify, protect, detect, respond, and recover, which we have also adopted and integrated into our risk management routines.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|As of the date of this annual report, and in the past three years, we have not identified any cybersecurity incidents that would have materially affected us, our business strategy, results of operations or financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Governance
Our Board of Directors has delegated oversight over cybersecurity matters to our Statutory Compliance and Audit Committee. Our Statutory Compliance and Audit Committee works with our management to implement processes to monitor cybersecurity matters, receive regular updates on cybersecurity tests, incident response plan and our cybersecurity policies and procedures; ensure that management is conducting regular risk assessments; receive periodic reports related to designated cybersecurity incidents from management; establish with management an agreed upon approach for communication during a cybersecurity incident; monitor material cybersecurity developments through update calls with management and provide guidance on key decisions; review and debrief with management on post-incident remediation; monitor the content and timing of required cybersecurity disclosures; and ensure that we are in compliance with the regulations and rules related to cybersecurity, including but not limited to SEC rules.
We have an Information Security Committee, which was established by our management to manage the cybersecurity risk processes described above. The Information Security Committee is responsible for discussing relevant and critical information security issues and ensuring the engagement and alignment of the main internal parties impacted by our Information Security Program. Decisions regarding cybersecurity risk management and strategy are also made by the Information Security Committee. Its main responsibilities are: to promote adequate knowledge about information security for all Braskem’s employees, to periodically review the information security initiatives adopted by us, to evaluate projects involving information security whose risks have been identified by us as relevant, among other responsibilities.
The Information Security Committee is comprised of leaders from the areas of Information Technology, Compliance, Communication, Legal, Industrial Automation, and our offices in Europe, the United States, and Mexico, as well as the Chief Information Security Officer (“CISO”) and the Chief Information Officer (“CIO”). Our CISO and CIO are responsible for coordinating the activities of the Information Security Committee.
Our CISO holds a master’s degree in computer science with specialization in risk management, and has more than 24 years of experience in the IT sector. He has experience in creating and leading a strategic information security team and has served as CIO and led large multidisciplinary teams in large companies. He has certifications in CCNA, CCNP, CCIE, CQS, MCSE and VCP. The CISO leads our information security team and, in particular, identifies risks and implements countermeasures in the field of cybersecurity, considering both our internal operations and external scenarios. As part of his duties, the CISO provides relevant information to the officer responsible for Enterprise Risk Management in their regular discussions. The CISO also manages our Information Security Management System (“ISMS”) program. Guided by the principles of several industry-leading standards, such as the NIST Cybersecurity Framework and ISO 27001, the goal of the ISMS program is to continue to strengthen our cyber resilience.
Our CIO holds a systems analysis degree with an MBA in Finance, and has over 20 years of experience in the fields of information technology, innovation, implementation of shared services center, corporate projects with background in the financial and controllership areas. He has experience in, among other areas: (i) integration and unification of the IT area, data center, implementation of processes and systems, consolidation of service areas for several companies and countries (United States, Latin America, Europe and Africa); and (ii) organizational restructuring, acting in crisis management and management changes, with strong influence on the conduct of critical issues with shareholders, investors and key stakeholders.
The Information Security Committee meets on a bi-monthly basis and reviews any cybersecurity-related issues, including the identification and monitoring of any threats and assessment of any KPIs established by our IT team.
A report of the Information Security Committee’s activities is periodically submitted to our executive officers, our Board of Directors, and our Statutory Compliance and Audit Committee for information, which is generally responsible for oversight and strategic guidance with respect to cybersecurity matters. The report includes an overview of the state of our cybersecurity policies and procedures, an update on the most important cybersecurity risks that we face, an update on notable cybersecurity incidents and recent threats, and a summary of the results of our IT team’s recent independent cybersecurity assessments, among other relevant matters.
As of the date of this annual report, and in the past three years, we have not identified any cybersecurity incidents that would have materially affected us, our business strategy, results of operations or financial condition. We cannot guarantee that such incidents will not occur and adversely affect our operations in the future. Our business, results of operations and financial condition may be adversely affected if any past or current vulnerabilities, known or unknown to us, become the target of unauthorized access or intrusion or evolve into security breaches and other incidents, including as a result of third-party action, employee or contractor error, nation state malfeasance, malware, phishing, computer hackers, system error, software bugs or defects, process failure or otherwise.
We and our third-party service providers and business partners may be unable to anticipate or prevent techniques used in the future to obtain unauthorized access or to sabotage systems and cannot guarantee that applicable recovery systems, security protocols, network protection mechanisms and other procedures are or will be adequate to prevent network and service interruption, system failure or data loss. Since techniques used to obtain unauthorized access change frequently and the sophistication and size of cybersecurity attacks are increasing, we may be unable to implement adequate preventative measures or stop the attacks while they are occurring. Any actual or perceived security breach or incident could delay or interrupt our operations, could result in loss, compromise, corruption or disclosure of confidential information, intellectual property and sensitive and personal data or data we rely on to operate, expose us to a risk of incurring significant liability and be subject to regulatory scrutiny, investigations, proceedings and penalties, and require us to expend significant capital and other resources to neutralize any incident and implement additional security measures.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors has delegated oversight over cybersecurity matters to our Statutory Compliance and Audit Committee.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Statutory Compliance and Audit Committee works with our management to implement processes to monitor cybersecurity matters, receive regular updates on cybersecurity tests, incident response plan and our cybersecurity policies and procedures; ensure that management is conducting regular risk assessments; receive periodic reports related to designated
|Cybersecurity Risk Role of Management [Text Block]
|We have an Information Security Committee, which was established by our management to manage the cybersecurity risk processes described above. The Information Security Committee is responsible for discussing relevant and critical information security issues and ensuring the engagement and alignment of the main internal parties impacted by our Information Security Program. Decisions regarding cybersecurity risk management and strategy are also made by the Information Security Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Information Security Committee is comprised of leaders from the areas of Information Technology, Compliance, Communication, Legal, Industrial Automation, and our offices in Europe, the United States, and Mexico, as well as the Chief Information Security Officer (“CISO”) and the Chief Information Officer (“CIO”). Our CISO and CIO are responsible for coordinating the activities of the Information Security Committee.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our CISO holds a master’s degree in computer science with specialization in risk management, and has more than 24 years of experience in the IT sector. He has experience in creating and leading a strategic information security team and has served as CIO and led large multidisciplinary teams in large companies. He has certifications in CCNA, CCNP, CCIE, CQS, MCSE and VCP.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|A report of the Information Security Committee’s activities is periodically submitted to our executive officers, our Board of Directors, and our Statutory Compliance and Audit Committee for information, which is generally responsible for oversight and strategic guidance with respect to cybersecurity matters.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true