|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk management and strategy
Our risk management framework includes those related to cybersecurity. The processes range from the identification of potential risks, their analysis, monitoring, as well as the recording of incidents that allow a more robust risk assessment both internally and for third parties.
The management framework also contemplates the treatment and escalation of risks at different levels of the company and according to their level of exposure. In addition, internal and external audits assess the adequacy of the established framework.
Our Cyber Incident Management Policy defines guidelines for the efficient management of these events, in order to minimize impacts and contain their propagation.
Given the current integration of the technological infrastructure, effective cyber incident management and mitigation of associated risks are critically important. Vulnerability to technical failures and the possibility of significant impacts on the confidentiality, integrity, and availability of information require a proactive and structured response. In reference to the above, we maintain a proactive and structured approach to cyber incident management and information security, with the aim of protecting our assets and ensuring the continuity of our services.
As mentioned above, we are committed to protecting information assets with the aim of securing service delivery and containing the impact of security events. The activities contemplated in the cyber incident management policy are aligned with:
We have established metrics and tools that include: indicators, control reports, evaluation of the tasks developed and identification of opportunities for improvement, which allow us to control deviations from the defined standards and establish corrective action plans for efficient response to incidents. This information is regularly presented to the Technology and Information Security Governance Committee at each of its meetings.
The formalized regulatory framework includes procedures for optimizing cyber incident management, minimizing impacts, containing the spread, collecting lessons learned, and defining tasks for incident identification, response, and resolution. The results along with the metrics feed into training plans and continuous improvement activities along with a permanent update of vulnerability management. The policy states that relevant Cyber Incidents must be recorded in a Cyber Incident repository with all actions from the moment the incident was detected to its final resolution, allowing integrated analysis for the improvement of processes and systems. Duly formalized processes have been implemented for the forensic investigation of incidents, with audit trails of the systems and technological devices that make up the services provided by the Bank.
The policy states that significant cyber incidents must be recorded in a cyber incident repository detailing all actions from detection to final resolution, allowing integrated analysis for the improvement of processes and systems.
Duly formalized processes have been implemented for the forensic investigation of incidents, with audit records of the systems and technological devices that make up the services provided by the Bank.
The response to a cyber incident must be immediate and preventive. In addition, it must include root cause analysis and the necessary forensic analysis, as well as a long-term solution that prevents the incident from recurring and a documented record of the problem.
Upon the occurrence of a cyber incident involving the violation of customers’ personal data, which is considered significant, it is reported to the Compliance area of the Integral Risk Management Department, in compliance with the regulations in force (Law No. 25,326—Personal Data Protection).
We have a Cyber Incident Response Test Plan that allows us to evaluate the technical capabilities, coordination and timely communication between areas. We have procedures in place to manage, control and document cyber incident management activities. These activities are reflected in three specific action plans:
These plans are coordinated in order to respond comprehensively to cyber incidents. The objective of these plans is based on the following points:
During 2024 and to date, there have been no cybersecurity incidents materially affecting us. Considering the nature of the business and the changing technological environment in which we operate, we are exposed to risks related to cybersecurity which have been described in the risk factors section below.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Given the current integration of the technological infrastructure, effective cyber incident management and mitigation of associated risks are critically important. Vulnerability to technical failures and the possibility of significant impacts on the confidentiality, integrity, and availability of information require a proactive and structured response. In reference to the above, we maintain a proactive and structured approach to cyber incident management and information security, with the aim of protecting our assets and ensuring the continuity of our services.
As mentioned above, we are committed to protecting information assets with the aim of securing service delivery and containing the impact of security events. The activities contemplated in the cyber incident management policy are aligned with:
We have established metrics and tools that include: indicators, control reports, evaluation of the tasks developed and identification of opportunities for improvement, which allow us to control deviations from the defined standards and establish corrective action plans for efficient response to incidents. This information is regularly presented to the Technology and Information Security Governance Committee at each of its meetings.
The formalized regulatory framework includes procedures for optimizing cyber incident management, minimizing impacts, containing the spread, collecting lessons learned, and defining tasks for incident identification, response, and resolution. The results along with the metrics feed into training plans and continuous improvement activities along with a permanent update of vulnerability management. The policy states that relevant Cyber Incidents must be recorded in a Cyber Incident repository with all actions from the moment the incident was detected to its final resolution, allowing integrated analysis for the improvement of processes and systems. Duly formalized processes have been implemented for the forensic investigation of incidents, with audit trails of the systems and technological devices that make up the services provided by the Bank.
The policy states that significant cyber incidents must be recorded in a cyber incident repository detailing all actions from detection to final resolution, allowing integrated analysis for the improvement of processes and systems.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|During 2024 and to date, there have been no cybersecurity incidents materially affecting us. Considering the nature of the business and the changing technological environment in which we operate, we are exposed to risks related to cybersecurity which have been described in the risk factors section below.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Information Technology Governance is a shared responsibility between Senior Management and the Bank’s Board of Directors, in order to ensure that the decisions adopted are aligned with the defined strategies.
Our Board of Directors is responsible for promoting a culture of technology and information security risk management throughout the organization, as well as for promoting the implementation of an effective information security management framework.
The Information Technology and Security Governance Committee should monitor and evaluate the performance of the information technology management framework and contribute to its optimization. This Committee is responsible for overseeing the comprehensive management of cyber-incidents and related reports, keeping the Board of Directors duly informed of the issues discussed and the decisions adopted. This Committee is comprised of three directors, the Chief Executive Officer, the Systems Manager, and members of the Senior Management (including the Systems Manager, and Government and Management Control Manager), all of whom are officers with experience and expertise in the field.
Senior Management is responsible for implementing strategies, plans and policies for the management of technology and information security, including the level of exposure to risks, ensuring that our Board of Directors is updated on the aforementioned activities. To this end, he/she must know and understand the risks related to technology and information security, guaranteeing their inclusion in the established management programs and defining plans for the mitigation of the risks detected.
For effective control and operation, the Information Technology and Security Governance Committee areas are correctly defined, with clear and non-overlapping responsibilities, respecting the principles of controls by opposition and functional segregation.
Those responsible for the areas of Information Technology and Security coordinate, monitor and report on the execution of activities in accordance with the guidelines defined by Senior Management.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Board of Directors is responsible for promoting a culture of technology and information security risk management throughout the organization, as well as for promoting the implementation of an effective information security management framework.
The Information Technology and Security Governance Committee should monitor and evaluate the performance of the information technology management framework and contribute to its optimization. This Committee is responsible for overseeing the comprehensive management of cyber-incidents and related reports, keeping the Board of Directors duly informed of the issues discussed and the decisions adopted. This Committee is comprised of three directors, the Chief Executive Officer, the Systems Manager, and members of the Senior Management (including the Systems Manager, and Government and Management Control Manager), all of whom are officers with experience and expertise in the field.
Senior Management is responsible for implementing strategies, plans and policies for the management of technology and information security, including the level of exposure to risks, ensuring that our Board of Directors is updated on the aforementioned activities. To this end, he/she must know and understand the risks related to technology and information security, guaranteeing their inclusion in the established management programs and defining plans for the mitigation of the risks detected.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Information Technology and Security Governance Committee should monitor and evaluate the performance of the information technology management framework and contribute to its optimization. This Committee is responsible for overseeing the comprehensive management of cyber-incidents and related reports, keeping the Board of Directors duly informed of the issues discussed and the decisions adopted. This Committee is comprised of three directors, the Chief Executive Officer, the Systems Manager, and members of the Senior Management (including the Systems Manager, and Government and Management Control Manager), all of whom are officers with experience and expertise in the field.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|This Committee is comprised of three directors, the Chief Executive Officer, the Systems Manager, and members of the Senior Management (including the Systems Manager, and Government and Management Control Manager), all of whom are officers with experience and expertise in the field.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Information Technology and Security Governance Committee should monitor and evaluate the performance of the information technology management framework and contribute to its optimization. This Committee is responsible for overseeing the comprehensive management of cyber-incidents and related reports, keeping the Board of Directors duly informed of the issues discussed and the decisions adopted. This Committee is comprised of three directors, the Chief Executive Officer, the Systems Manager, and members of the Senior Management (including the Systems Manager, and Government and Management Control Manager), all of whom are officers with experience and expertise in the field.