|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Our cybersecurity risk program, managed by our Chief Information Security Officer and the information security team, is conducted under our enterprise risk management framework and operates on a risk-based approach in assessing risks from cybersecurity threats, as follows:
•Cybersecurity Threat Scenarios. Our cybersecurity risk assessment process consists of identifying and compiling a catalogue of top cybersecurity threat scenarios relevant to PMI, which facilitates risk assessments with our IT and business stakeholders.
•Cybersecurity Maturity Assessment. Our risk exposure from relevant cybersecurity threat scenarios is mitigated by evaluating existing cybersecurity capabilities and corresponding maturity to identify and address areas for improvement.
•Cybersecurity Threat Assessment. To establish PMI’s current and target cybersecurity risk exposure, residual risk exposure from the most relevant cybersecurity threat scenarios across IT platforms and regions is evaluated and measured based upon the cybersecurity maturity assessments.
•Cybersecurity Risk Program. PMI has a cybersecurity risk program to enhance its ability to identify, prevent, mitigate, respond and recover from disruptive cybersecurity threats and incidents and to reduce cybersecurity risk exposure. Improvements in our cybersecurity defense capabilities are prioritized based upon the results of cybersecurity threat assessments and cybersecurity maturity assessments. Identified issues from these assessments form the improvement initiatives under our cybersecurity risk program. As discussed in more detail below under “Governance,” the program’s key improvement initiatives, their implementation status, and the overall progression in our cybersecurity capability maturity are regularly presented to the applicable governing body within PMI. In addition, our cybersecurity risk program operates in coordination with the following:
Cyber Defense. Our dedicated cyber defense team provides services to identify, help prevent, detect and respond against cybersecurity threats and intrusions and collaborates with internal and external stakeholders to help protect PMI’s information, mitigate operational disruptions and maintain business continuity. The cyber defense team’s controls and procedures identify and enable escalation of cybersecurity incidents to the applicable governing body within PMI, as appropriate, to meet disclosure and reporting requirements for such incidents.
Third-Party Cyber Risk Management. Some of our information systems and networks are developed, supplied, or managed by third-party service providers. Our third-party cyber risk management process analyzes and seeks to control risks associated with outsourcing products or services, such as “supply chain” style cyberattacks, and identifies preventative and detective controls to mitigate third-party vendor and service provider cybersecurity risks that could adversely impact our business and operations.
Education and Awareness. PMI regularly and annually provides its in scope workforce with mandatory cybersecurity awareness education and training addressing information security related tasks in line with our evolving information security policies, standards, procedures, and practice as well as supplemental role-based training and awareness programs.
We engage external assessors, auditors and other third parties to independently evaluate our cybersecurity risk management process and related controls, including the relevance to PMI of identified cybersecurity scenarios and the results of cybersecurity maturity assessments. The outcome of such evaluations, audits or reviews are reported to the Corporate Risk Governance Committee and to the Audit & Risk Committee, and our cybersecurity policies, standards and processes are adjusted, as necessary.
PMI follows a risk evaluation process for issues identified through internal audits, security assessments, third-party cybersecurity risk assessments, or self-assessment disclosures, and resulting information technology risks are recorded for risk remediation, transfer, avoidance, or acceptance as appropriate. Some of our information systems are managed by specialist third-party service providers, and we work with internal specialists to protect systems and data from unauthorized access and other cybersecurity threats.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our cybersecurity risk program, managed by our Chief Information Security Officer and the information security team, is conducted under our enterprise risk management framework and operates on a risk-based approach in assessing risks from cybersecurity threats
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Audit and Risk Committee of our Board of Directors oversees our policies and practices with respect to risk assessment and risk management, including a review, in coordination with our management, of PMI’s management of cybersecurity.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Chief Information Security Officer presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Chief Information Security Officer presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans.
|Cybersecurity Risk Role of Management [Text Block]
|
The Corporate Risk Governance Committee receives quarterly reports on the Company’s overall cybersecurity risk exposure including the individual top cybersecurity threat scenario residual risk ratings and the plan and status of the cybersecurity risk program, to facilitate calibration with other enterprise risk domains and validation of the risk response plans. The Corporate Risk Governance Committee includes our Group CEO PMI; Chief Risk Assurance Officer; Chief Global R&D Officer; Chief Information Security Officer; Global Head Enterprise Risk Management; Group Chief Financial Officer; Group Controller; Vice President, Associate General Counsel & Corporate Secretary; Vice President, Associate General Counsel & Group Chief Compliance Officer, Group Chief Legal Officer; Chief Global Operations Officer; Chief Global Communications Officer; and our Chief Global Digital & Information Officer.Cybersecurity incidents that have been determined to meet established SEC reporting consideration thresholds are promptly communicated to the Disclosure Committee, which is responsible for evaluating the potential materiality of such incidents and ensuring the accuracy, timeliness and completeness of related disclosures under applicable reporting obligations, and other relevant communications or presentations. The Disclosure Committee’s membership includes the following executives: the Vice President, Associate General Counsel & Corporate Secretary; the Group Chief Legal Officer; the Group Chief Financial Officer; the Group Controller; the Chief Risk Assurance Officer; and the Vice President, Investor Relations & Financial Communication. In addition, the Chief Information Security Officer serves as an advisor to the Disclosure Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Chief Information Security Officer presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans.
The Corporate Risk Governance Committee receives quarterly reports on the Company’s overall cybersecurity risk exposure including the individual top cybersecurity threat scenario residual risk ratings and the plan and status of the cybersecurity risk program, to facilitate calibration with other enterprise risk domains and validation of the risk response plans. The Corporate Risk Governance Committee includes our Group CEO PMI; Chief Risk Assurance Officer; Chief Global R&D Officer; Chief Information Security Officer; Global Head Enterprise Risk Management; Group Chief Financial Officer; Group Controller; Vice President, Associate General Counsel & Corporate Secretary; Vice President, Associate General Counsel & Group Chief Compliance Officer, Group Chief Legal Officer; Chief Global Operations Officer; Chief Global Communications Officer; and our Chief Global Digital & Information Officer.Cybersecurity incidents that have been determined to meet established SEC reporting consideration thresholds are promptly communicated to the Disclosure Committee, which is responsible for evaluating the potential materiality of such incidents and ensuring the accuracy, timeliness and completeness of related disclosures under applicable reporting obligations, and other relevant communications or presentations. The Disclosure Committee’s membership includes the following executives: the Vice President, Associate General Counsel & Corporate Secretary; the Group Chief Legal Officer; the Group Chief Financial Officer; the Group Controller; the Chief Risk Assurance Officer; and the Vice President, Investor Relations & Financial Communication. In addition, the Chief Information Security Officer serves as an advisor to the Disclosure Committee.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Chief Information Security Officer has served in various roles in information technology and information security for over 25 years, including in the telecommunications and management consultancy sectors and serving as the Chief Information Security Officer of two large public companies. The Chief Global Digital & Information Officer holds an engineering degree and has served in various senior positions in information technology for over 20 years, including serving as Senior Vice President, IT Sales, and Global Chief Information Officer at a public company. The Group CEO PMI has served in various positions in finance and general management at PMI for over 30 years, including as Chief Financial Officer and Chief Operating Officer, and holds a master’s degree in economics. The Group Chief Financial Officer has over 15 years of experience in finance and management, having held several executive positions in charge of finance, legal affairs information systems and industry administration at various companies. The Group Chief Legal Officer has served at PMI for 20 years in several positions within the Legal & Compliance department, including as Vice President and Associate General Counsel of various regions, and holds two master’s degrees having studied law, management and finance.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Chief Information Security Officer presents reports to the Audit and Risk Committee or to the full Board of Directors at least quarterly, which reports include cybersecurity risk status along with key performance indicators and key risk response strategies and plans.
The Corporate Risk Governance Committee receives quarterly reports on the Company’s overall cybersecurity risk exposure including the individual top cybersecurity threat scenario residual risk ratings and the plan and status of the cybersecurity risk program, to facilitate calibration with other enterprise risk domains and validation of the risk response plans. The Corporate Risk Governance Committee includes our Group CEO PMI; Chief Risk Assurance Officer; Chief Global R&D Officer; Chief Information Security Officer; Global Head Enterprise Risk Management; Group Chief Financial Officer; Group Controller; Vice President, Associate General Counsel & Corporate Secretary; Vice President, Associate General Counsel & Group Chief Compliance Officer, Group Chief Legal Officer; Chief Global Operations Officer; Chief Global Communications Officer; and our Chief Global Digital & Information Officer.Cybersecurity incidents that have been determined to meet established SEC reporting consideration thresholds are promptly communicated to the Disclosure Committee, which is responsible for evaluating the potential materiality of such incidents and ensuring the accuracy, timeliness and completeness of related disclosures under applicable reporting obligations, and other relevant communications or presentations. The Disclosure Committee’s membership includes the following executives: the Vice President, Associate General Counsel & Corporate Secretary; the Group Chief Legal Officer; the Group Chief Financial Officer; the Group Controller; the Chief Risk Assurance Officer; and the Vice President, Investor Relations & Financial Communication. In addition, the Chief Information Security Officer serves as an advisor to the Disclosure Committee.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef