|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Our cybersecurity risk management strategy is designed to detect, prevent, monitor and respond to security incidents, minimize unavailability, protect integrity of data and prevent data leakage. We have adopted various processes for the assessment, identification and management of risks arising from cybersecurity threats, which are documented in our Cybersecurity Incident Response Procedure, Directives for Cyber Protection in Embraer Group Companies and Procedures to Monitoring and Responding to Information Security Incidents.
We apply cybersecurity solutions and procedures to ensure the most appropriate and applicable handling, collection, and availability of data and information used by our corporate systems, business processes and products. These procedures and mechanisms are based on best market practices (such as the NIST CSF and ISO27001/2 frameworks) and undergo periodic reviews to ensure their ability to spot, control, and respond to potential global cyber threats.
We have a cybersecurity incident response cycle procedure, which is a four-stage response procedure to be used in case of a cybersecurity incident. The procedure comprises the following stages: (i) the training and preparation of our teams to act promptly in response to cybersecurity incidents by implementing controls based on risk assessments; (ii) incident detection and analysis; (iii) actions for containment, eradication and recovery from the incident; (iv) post-incident activities, which comprise the activities to avoid, prevent and improve actions in case of new incidents. Training of our employees occurs monthly.
As part of our risk management strategy, we contract cybersecurity companies, such as Tempest, AWS, Google and others and independent auditors to assess our cybersecurity controls and procedures annually. We continuously assess and oversee material risks from cybersecurity threats associated with our third-party service providers. Before engaging in business relationships with service providers, the cybersecurity committee evaluates whether they meet our minimum standards relating to cybersecurity procedures, governance and risk management. Our cybersecurity committee is responsible for overseeing and identifying cybersecurity risks. See “—Cybersecurity Governance.” We have a multidisciplinary team that manages data privacy issues under the supervision of the data protection officer, or DPO.
Our Data Protection Office operates under a hybrid model, consisting of representatives from various business departments to support compliance with applicable laws, monitor risks, and demonstrate the organization’s privacy and data protection compliance level in a sustainable and continuous manner.
The Data Protection Officer, or DPO, is part of the Data Protection Office and serves as the primary point of contact between Embraer, national data protection authorities, and data subjects. The DPO is responsible for clarifying doubts and assisting employees in executing activities involving personal data processing operations. Additionally, the DPO proposes topics to the Data Protection Office to address gaps and enhance Embraer’s privacy and data protection governance program, including raising company-wide awareness.
When the DPO identifies a data privacy incident, they must coordinate with the affected departments to: (i) determine the exact moment of its identification; (ii) assess the type of data involved in the incident; (iii) analyze its cause, scope, and consequences; (iv) identify how and where it was detected; and (v) assist in proposing measures to address or prevent the incident, including, if applicable, actions to mitigate potential negative effects, both within the Company and, if necessary, for the affected data subjects.
Cybersecurity Incidents
On November 24, 2020, we suffered a cybersecurity incident in our IT systems, which was later identified as a ransomware attack. The attack resulted in the encryption of an environment of virtual servers hosted in Brazil, prevented access to certain files and resulted in the inadvertent disclosure of data, some of which were made available on the dark web. We have reported the incident to law enforcement authorities.
Immediately after the incident, we employed significant IT resources, took measures to protect and strengthen the security of our systems, isolated the affected environment and repaired our network. As part of our reaction, we hired Tempest Security Intelligence, a leading cybersecurity firm, to investigate the incident and supplement our remediation efforts. Embraer adopted additional measures to strengthen the security of its systems, as well as reporting the incident to competent authorities, in Brazil and abroad. The incident had no significant impact over our revenues, cash flows or any material incremental expenses for the 2020 fiscal year and we have not had any similar incident in the three years ended December 31, 2024. There is also no indication that the accuracy and completeness of any financial information had been affected as a result of the incident.
This type of cybersecurity incident has become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors with significant means. We expect that sophistication of cyber threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies. In the year ended December 31, 2024, we had no complaints pertaining to breach of privacy by collaborators and customers, as well as no leaks, thefts, or losses of customer data, nor cybersecurity incidents. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.
For additional information on our cybersecurity exposure, see “Item 3. Key Information—D. Risk Factors—Cybersecurity—Failure to adequately protect against risks relating to cybersecurity could materially and adversely affect us.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity risk management strategy is designed to detect, prevent, monitor and respond to security incidents, minimize unavailability, protect integrity of data and prevent data leakage. We have adopted various processes for the assessment, identification and management of risks arising from cybersecurity threats, which are documented in our Cybersecurity Incident Response Procedure, Directives for Cyber Protection in Embraer Group Companies and Procedures to Monitoring and Responding to Information Security Incidents.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
On November 24, 2020, we suffered a cybersecurity incident in our IT systems, which was later identified as a ransomware attack. The attack resulted in the encryption of an environment of virtual servers hosted in Brazil, prevented access to certain files and resulted in the inadvertent disclosure of data, some of which were made available on the dark web. We have reported the incident to law enforcement authorities.
Immediately after the incident, we employed significant IT resources, took measures to protect and strengthen the security of our systems, isolated the affected environment and repaired our network. As part of our reaction, we hired Tempest Security Intelligence, a leading cybersecurity firm, to investigate the incident and supplement our remediation efforts. Embraer adopted additional measures to strengthen the security of its systems, as well as reporting the incident to competent authorities, in Brazil and abroad. The incident had no significant impact over our revenues, cash flows or any material incremental expenses for the 2020 fiscal year and we have not had any similar incident in the three years ended December 31, 2024. There is also no indication that the accuracy and completeness of any financial information had been affected as a result of the incident.
This type of cybersecurity incident has become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors with significant means. We expect that sophistication of cyber threats will continue to evolve as threat actors increase their use of AI and machine-learning technologies. In the year ended December 31, 2024, we had no complaints pertaining to breach of privacy by collaborators and customers, as well as no leaks, thefts, or losses of customer data, nor cybersecurity incidents. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
Our board of directors oversees our cybersecurity committee, which is responsible to make strategic decisions on cybersecurity, approve cybersecurity policies and has full and unrestricted authority to implement projects and mitigation actions, as applicable. The cybersecurity committee meets on a monthly basis, or anytime the chief information security officer (CISO) deems necessary, to periodically monitor, at a high level, our projects related to cybersecurity and advises on measures and improvements to enhance our management of cybersecurity issues. The cybersecurity committee is composed of:
Additionally, cybersecurity is constantly on the agenda at meetings of our Audit, Risk and Ethics Committee and our board of directors.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The cybersecurity committee is composed of:
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The cybersecurity committee meets on a monthly basis, or anytime the chief information security officer (CISO) deems necessary, to periodically monitor, at a high level, our projects related to cybersecurity and advises on measures and improvements to enhance our management of cybersecurity issues.
|Cybersecurity Risk Role of Management [Text Block]
|The cybersecurity committee meets on a monthly basis, or anytime the chief information security officer (CISO) deems necessary, to periodically monitor, at a high level, our projects related to cybersecurity and advises on measures and improvements to enhance our management of cybersecurity issues.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our board of directors oversees our cybersecurity committee, which is responsible to make strategic decisions on cybersecurity, approve cybersecurity policies and has full and unrestricted authority to implement projects and mitigation actions, as applicable.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|Our board of directors oversees our cybersecurity committee, which is responsible to make strategic decisions on cybersecurity, approve cybersecurity policies and has full and unrestricted authority to implement projects and mitigation actions, as applicable.