|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Risk
Management and strategy
We have a risk management model (the “Risk Management Model”) in place, which is an integral part of our organization’s culture and activities and is present at all levels in the Company’s processes and projects. It is integrated with our internal control and management systems to achieve organizational efficiency and effectiveness and rational decision-making. It is aligned with the best practices in the field (ISO 31000:2018, COSO 2013 and COSO-ERM 2017).
Our current Risk Management Model has 2 levels:
• Level 1 - Strategic: risks that could arise from business decisions, the implementation of decisions or the ability to respond to industry/market changes. Regarded as high-level risks and the Senior Management’s responsibility, their impact often affects the Company in general.
• Level 2 - Operational: risks that may cause an impact as a result of human performance, the design and effectiveness of internal processes and/or systems and as a consequence of external events. Their impact is often limited to specific activities as they relate to specific and defined processes and projects.
At both levels, but with different scope, cybersecurity risks are considered, inasmuch as any vulnerability in information systems could have severe implications, including disruptions in the supply of electricity, loss of sensitive information, damages to the infrastructure and risks to public safety.
The identified risks are analyzed and valued according to likelihood and impact in order to determine risk severity/criticality. Additionally, control activities in place are identified and supplementary mitigating actions as well as those responsible for them are determined.
The Risk Management Model is based on an iterative approach. Therefore, we constantly monitor the internal and external contexts with the aim of verifying that the assessment of the identified risks and the established mitigating actions remain applicable. In turn, we monitor if new events that could turn into emerging risks have emerged.
Through the Information Security Department, we implement and apply the processes for mitigating cybersecurity risks following the best practices in the field (ISO 27001:2022, CIS Controls and NIST).
Fostering a proactive attitude towards cybersecurity, we implement robust security controls, such as firewalls, intrusion monitoring and detection systems, multi-factor authentication and data encryption, to protect the networks and systems against unauthorized access. We have also implemented incident response plans to take fast and effective action in the event of a cyberattack, thereby minimizing downtime and potential damages.
In order to carry out some of our activities, the Information Security Department engages the services of advisors and consultants who are experts in the field. Some of the contracted services are:
• The operation of the Security Operation Center (SOC).
• The carrying out of regular pen tests, both on the infrastructure and the applications.
• The permanent monitoring of vulnerabilities to identify security gaps.
• The improvement of the internal security processes maturity, based on industry standards.
• The strengthening of the Disaster Recovery Plan (DRP).
• The annual reviews of IT general controls (ITGC) defined for the Information Security process.
In 2024, the following milestones were achieved:
• Implementation of a new solution to enhance threat detection and response capabilities (XDR) to improve security.
• Implementation of a Security Orchestration, Automation, and Response (SOAR) system to coordinate, execute, and automate tasks for cyberattack prevention and response.
• In cloud service management, the Zero Trust security posture was strengthened, based on the premise that organizations should not automatically trust anything, even if it comes from internal sources.
• Strengthening of Operational Technology (OT) network security by defining new and more secure architectures for Smart Meter connectivity, increasing network security and segregation.
• Continued work and improvements (expanding the scope) in the Vulnerability Management process, allowing for the identification, assessment, and remediation of security vulnerabilities in systems and the software running on them.
• Update of the Disaster Recovery Plan (DRP), establishing a new regulatory framework, procedures, and technical guidelines for recovery. Additionally, a risk matrix was developed to assess new scenarios
Finally, staff training and awareness are fundamental aspects. Therefore, awareness raising programs on cybersecurity and information safeguarding are provided, through phishing drills, newsletters and interactive modules.
We have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, operations results, or financial condition. However, we cannot eliminate all cybersecurity risks or provide assurances that we have not experienced an undetected cybersecurity incident in the past or that we will not experience such an incident in the future. Any significant disruption to our service or access to our systems could result in revenue loss, legal actions, regulatory penalties, reputational harm, among other consequences. Additional information on cybersecurity risks we face can be found in “Item 3. Key Information - Risk Factors”.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have a risk management model (the “Risk Management Model”) in place, which is an integral part of our organization’s culture and activities and is present at all levels in the Company’s processes and projects. It is integrated with our internal control and management systems to achieve organizational efficiency and effectiveness and rational decision-making.
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|We have not identified any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, operations results, or financial condition.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Governance
Although the Company’s Risk Management Model is implemented by Senior Management, with the assistance of the Risk Management Department, it is important to point out that risk management is the responsibility of the Board of Directors, Senior Management and of each employee, regardless of the duties of their positions.
We have a Risk Committee that is comprised of the Chief Executive Officer, the Operational Directors and the Compliance Officer. The Risk Committee’s main responsibilities include: promoting a risk management culture, ensuring the development, implementation and appropriate functioning of the Risk Management Model, and participating actively in each of the stages of the process. In turn, the Risk Committee actively participates in the critical event response process with the aim of assessing the event’s impact and materiality.
The Information Security Department has defined the KPIs for the cybersecurity process, which make it possible to measure the Company’s posture as well as the efficiency of protection measures. In turn, the Department immediately informs the Risk Committee about critical incidents.
The Risk Management Department presents, at least on a quarterly basis, its management reports to the Risk Committee, and, in such meetings, severity/criticality levels are updated or new risks to be dealt with, if appropriate, are identified. Additionally, the Department presents, at least on an annual basis, a report to the Audit Committee, which is responsible for overseeing the application of the Company’s information policies on risk management. The Audit Committee is comprised of experienced and qualified members to audit and assess the risksfaced by the Company, the internal controls and the corporate governance processes to competently direct the Company towards its objectives.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Although the Company’s Risk Management Model is implemented by Senior Management, with the assistance of the Risk Management Department, it is important to point out that risk management is the responsibility of the Board of Directors, Senior Management and of each employee, regardless of the duties of their positions.
|Cybersecurity Risk Role of Management [Text Block]
|We have a Risk Committee that is comprised of the Chief Executive Officer, the Operational Directors and the Compliance Officer. The Risk Committee’s main responsibilities include: promoting a risk management culture, ensuring the development, implementation and appropriate functioning of the Risk Management Model, and participating actively in each of the stages of the process. In turn, the Risk Committee actively participates in the critical event response process with the aim of assessing the event’s impact and materiality.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Risk Management Department presents, at least on a quarterly basis, its management reports to the Risk Committee, and, in such meetings, severity/criticality levels are updated or new risks to be dealt with, if appropriate, are identified.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Information Security Department has defined the KPIs for the cybersecurity process, which make it possible to measure the Company’s posture as well as the efficiency of protection measures. In turn, the Department immediately informs the Risk Committee about critical incidents.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef