Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Cybersecurity
Framework and Risk Management
In today’s technologically advanced world, data has become increasingly valuable, making information security crucial to the success of any organization. Moreover, with the rise in global attacks on industrial systems, particularly critical infrastructure, it has become imperative to prevent damage to business, operations, reputation, and human lives. Over the years, we have developed a comprehensive set of processes, policies and controls to mitigate information and cybersecurity risks, drawing on global frameworks and best practices that provide broad protection for our business.
Cybersecurity Strategy and Risk Management
Our layered defense approach integrates policies, processes, training, and cybersecurity technology to protect and monitor our environment.
Our cybersecurity measures are primarily based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We use NIST best practices to assess our security maturity.
Cyber Defense
Our incident response plan encompasses preparation, detection, response, and recovery from cybersecurity incidents, ensuring legal compliance and minimizing reputational damage.
A 24/7 Computer Security Incident Response Team (CSIRT) manages and coordinates responses to cybersecurity events. Significant incidents that could affect investors’ decisions will be promptly reported to the market as required by the SEC.
We are members of FIRST (Forum of Incident Response and Security Teams), a prominent global forum for cybersecurity teams across various sectors and countries, focusing on prevention and improving global information security.
We collaborate with global cybersecurity teams, sharing threat intelligence and best practices, and engage in workshops, conferences, and partnerships to enhance security, privacy, and technological capabilities.
To reinforce our security measures, we:
We have been enhancing our operational cybersecurity maturity by implementing a robust strategy to safeguard industrial automation and control systems. This includes adopting advanced monitoring tools, strengthening defense-in-depth measures, conducting regular vulnerability assessments, simulating industrial cybersecurity incidents and monitoring key performance indicators. These efforts aim to strengthen the resilience of critical operations by mitigating cyber risks in an increasingly connected industrial environment.
Risk Management and Digital Controls
We regularly assess and manage risks related to cybersecurity in both corporate and industrial automation and control system environments.
These risks are incorporated into our corporate risk matrix and monitored by senior management.
Our risk management process involves:
We extend our cybersecurity risk management to third-party service providers by:
Currently, we do not maintain cybersecurity incident insurance due to market conditions, but we regularly evaluate available options.
Our business strategy, operations, and financial condition have not been materially affected by cybersecurity threats or previous incidents, but we cannot provide assurance that we will not be materially affected in the future by such risks and any future material incidents.
In the past three fiscal years:
Digital Continuity Program
To ensure our ability to withstand a cyberattack scenario, we have established a comprehensive Digital Continuity Plan. This plan aims to guarantee the uninterrupted functioning of critical processes in the event of a crisis or digital disaster. We have implemented contingency measures for critical digital assets, documented recovery procedures for these assets, and regularly test the effectiveness of our plans.
In managing serious incidents, we follow the Incident Command System, a corporate crisis handling methodology. This methodology is also applied in our cybersecurity practices, ensuring a structured and coordinated response to any significant incident. To further enhance our preparedness, we conduct cybersecurity tabletop exercises, onboarding sessions, and Tone at the Top training for new Board of Directors members and Executive Officers. These training sessions cover corporate information security rules, policies, best practices, and expected user behavior.
Training & Awareness
Our Information Security Awareness Plan includes, but is not limited to, the following activities:
|Cybersecurity Risk Management Processes Integrated [Flag]
|false
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our layered defense approach integrates policies, processes, training, and cybersecurity technology to protect and monitor our environment.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Our business strategy, operations, and financial condition have not been materially affected by cybersecurity threats or previous incidents, but we cannot provide assurance that we will not be materially affected in the future by such risks and any future material incidents.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Governance
Management Structure
We have a dedicated Information Security executive management structure (SI), which operates independently from the Information Technology (IT) department. This structure is responsible for overseeing information security initiatives, establishing strategies and guidelines aligned with business objectives, recommending investments to mitigate cyber risks, and providing adequate digital protection for critical assets. Both the SI and IT report to the Chief Corporate Affairs Officer.
The Chief Information Security Officer, Samara Braz, leads the information security efforts and holds multiple qualifications in IT and Information Security, including the following:
Additionally, we have an Information Security Committee (CSI) composed of members appointed by our executive board. The CSI advises on information security matters, aligning them with the National Information Security Policy and our business objectives, with strategic issues discussed quarterly.
The Security Information Management team holds regular meetings to address operational and strategic concerns, in addition to routine interactions. Monthly discussions are held to monitor key security indicators, management processes and project management.
Role of the Board of Directors, Executive Board and Committees
Our senior management receives periodic reports on risks from Petrobras’ corporate risk matrix based on their assessed severity. These reports include strategic risks and risks of very high and high severity – including those related to cybersecurity and information security. They follow a standardized model with an annual timeline for specific risk management actions, detailing managed risks and main response actions. Senior management also monitors the evolution of the risk matrix and the deadlines for response plans.
Strategic risks are those business risks that, due to their relevance to meeting our strategic objectives, are monitored by the Executive Board and Board of Directors, which schedule quarterly presentations. Recently, cybersecurity risks have been classified as strategic due to their relevance, interconnectedness and impact on the business.
The Board of Directors approves the company’s risk profile and oversees the company’s risk management with advice from the Audit Committee.
The CSI evaluates and monitors the Information Security Management System, cybersecurity and information security risks, and the execution of risk treatment plans and guidelines.
The CISO manages information security initiatives, establishes strategies aligned with business objectives and regulation, and recommends investments to mitigate risks and protect critical assets.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We have a dedicated Information Security executive management structure (SI), which operates independently from the Information Technology (IT) department.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|This structure is responsible for overseeing information security initiatives, establishing strategies and guidelines aligned with business objectives, recommending investments to mitigate cyber risks, and providing adequate digital protection for critical assets.
|Cybersecurity Risk Role of Management [Text Block]
|Role of the Board of Directors, Executive Board and Committees
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Strategic risks are those business risks that, due to their relevance to meeting our strategic objectives, are monitored by the Executive Board and Board of Directors, which schedule quarterly presentations.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Board of Directors approves the company’s risk profile and oversees the company’s risk management with advice from the Audit Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true