|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cyber Risks Management:
Gerdau employs a risk-based information security process that aligns with both the National Institute of Standards and Technology (NIST) and the ISO 31000 framework. This approach is applied to conduct risk assessments for technologies, third-party suppliers, and its IT and OT networks.
The relevant results of these assessments are reported and presented to the corporate risk management team and the Board of Directors on a regular basis.
We have identified and mapped the main cyber risks faced by the Company, with the most relevant ones being threats of hacker attacks such as ransomware on corporate systems, cyberattacks targeting infrastructure and industrial systems, and unauthorized access to sensitive data. Our proactive approach involves continuous assessment and monitoring of these risks within the cybersecurity risk management process.
Risk Mitigation Strategies:
We have implemented various strategies to mitigate these risks, emphasizing investments in security technologies such as firewalls, disk encryption, detection and response (EDR) systems, Data Loss Prevention systems and intrusion detection systems.
We have a security awareness program in place to train our employees against cyber fraud and social engineering attacks.
There is an OT cybersecurity framework currently in the implementation phase to address vulnerabilities in the industrial control systems and operational technology environments.
We also operate a Global Security Operations Center, which monitors and manages security tools 24/7, 365 days a year, including Security Information and Event Management (SIEM) technology. This enables us to promptly identify and respond to threats and incidents.
Additionally, we maintain an internal team specialized in cybersecurity management and incident response. Continuous employee training and partnerships with security experts for assessments and audits further strengthen our cybersecurity measures.
Despite the cybersecurity measures Gerdau is implementing to mitigate these risks, there is no guarantee that these measures will be sufficient to protect Gerdau’s systems and other assets from significant harm. Furthermore, future cybersecurity incidents may have a material adverse effect on the Company, impacting its results of operations, financial condition, or causing reputational harm and other adverse consequences.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Cybersecurity Disclosure:
Cybersecurity is a significant concern due to the importance of information technology to the successful conduct of our business operations. For that reason, Gerdau maintains a cybersecurity program to safeguard information assets and operations from both external and internal cyber threats.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|We also have an internal team with qualified specialists and analysts to conduct and evaluate the adequacy of the security and data protection controls and the corporate information security program, providing regular reports to executives and the Board of Directors.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|CISO, dedicated to leading the Information Security and Data Protection effort
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The CISO presents the Security Roadmap and the cybersecurity matters to the Board of Directors at least annually
|Cybersecurity Risk Role of Management [Text Block]
|
Information Security Governance:
Gerdau maintains a dedicated structure for Information Security Governance and we have an executive, known as CISO, dedicated to leading the Information Security and Data Protection effort.
The CISO of Gerdau is an experienced and qualified professional in information security and related areas. With extensive international experience in leading critical projects and global teams, he has over 27 years of executive experience in corporate IT, with more than 22 years specifically focused on information security executive roles.
Before joining Gerdau, he worked at companies such as Hewlett-Packard (HP), Electronic Data Systems (EDS), and Netshoes (retail e-commerce), and has experience in the industrial sector with EMS – Pharmaceuticals industry.
He holds a bachelor’s degree in information technology, a postgraduate degree in Business Administration, an MBA in Cybersecurity, and a specialization in Cyber Risk Management. Additionally, he has numerous international certifications in Information Security and Data Privacy, including EXIN Information Security, EXIN Certified Data Protection Officer, Cyber Risk Management from Fundação Getulio Vargas (FGV), and Modulo Certified Security Officer from Modulo Security Solutions.
We also have an internal team with qualified specialists and analysts to conduct and evaluate the adequacy of the security and data protection controls and the corporate information security program, providing regular reports to executives and the Board of Directors.
This team is responsible for:
Additionally, Gerdau has contracts with globally recognized information security service providers to offer advisory and operational support in the areas of information security and data protection.
The CISO presents the Security Roadmap and the cybersecurity matters to the Board of Directors at least annually.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|CISO
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The CISO of Gerdau is an experienced and qualified professional in information security and related areas. With extensive international experience in leading critical projects and global teams, he has over 27 years of executive experience in corporate IT, with more than 22 years specifically focused on information security executive roles.
Before joining Gerdau, he worked at companies such as Hewlett-Packard (HP), Electronic Data Systems (EDS), and Netshoes (retail e-commerce), and has experience in the industrial sector with EMS – Pharmaceuticals industry.
He holds a bachelor’s degree in information technology, a postgraduate degree in Business Administration, an MBA in Cybersecurity, and a specialization in Cyber Risk Management. Additionally, he has numerous international certifications in Information Security and Data Privacy, including EXIN Information Security, EXIN Certified Data Protection Officer, Cyber Risk Management from Fundação Getulio Vargas (FGV), and Modulo Certified Security Officer from Modulo Security Solutions.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
We also have an internal team with qualified specialists and analysts to conduct and evaluate the adequacy of the security and data protection controls and the corporate information security program, providing regular reports to executives and the Board of Directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true