|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. These risks include, among other things: operational risks, intellectual property theft, fraud, extortion, harm to employees or customers and violation of data privacy or security laws.
The identification and assessment of cybersecurity risk is integrated into our overall risk management systems and processes, which are based on best practices provided by international standards such as the National Institute of Standards and Technology (“NIST”), European Union Agency for Cybersecurity (“ENISA”), Cloud Security Alliance (“CSA”), ISO/IEC 27001 and ISO/IEC 27701, and comply with applicable local data privacy legislation and the Sarbanes-Oxley Act. Cybersecurity risks related to our business, technical operations, privacy and compliance issues are identified and addressed through a multi-faceted approach including third-party assessments, internal IT audit, IT security, governance, risk and compliance reviews. To defend against, detect and respond to cybersecurity incidents, we, among other things: (i) conduct proactive privacy and cybersecurity reviews of systems and applications, (ii) audit applicable data policies, (iii) perform penetration testing using external third-party tools and techniques to test security controls, continuously and automatically testing and validating cybersecurity defenses against threats in real time, helping to reduce exposure and prioritize remediation efforts, (iv) conduct employee training, (v) monitor emerging laws and regulations related to data protection and information security (including our consumer products) and (vi) implement appropriate changes. We also rely on the support of PwC (a multinational auditing and business consulting firm) for internal auditing for SOC, 24x7 monitoring and IT assets.
We have implemented incident response and breach management processes which have the following stages: (i) preparation, (ii) identification and reporting, (iii) initial analysis, registration and appointment of the incident response team, (iv) prioritization of the incident, (v) containment, remediation and recovery and (vi) post-incident activities. Such incident responses are overseen by the Incident Management Team. Security events and data incidents are evaluated, ranked by severity and prioritized for response and remediation. Incidents are evaluated to determine materiality as well as operational and business impact, and reviewed for privacy impact. Incidents that may have severe impacts on the company will be addressed in accordance with the Cyber Crisis Response Plan.
We also conduct exercises to simulate responses to cybersecurity incidents. Our team of cybersecurity professionals then collaborates with technical and business stakeholders across our business units to further analyze the risk to the company and to form detection, mitigation and remediation strategies. As part of the above processes, we regularly engage external auditors and consultants to assess our internal cybersecurity programs and compliance with applicable practices and standards.
Our risk management program includes thorough third-party risk assessments, now conducted using our internal methodology. To maintain consistent evaluation accuracy and completeness, our overarching cybersecurity maturity assessments continue to leverage the AON framework and align with NIST CSF 2.0 and ISO/IEC 27001. This approach ensures robust evaluation of cybersecurity risks associated with third-party service providers, potential fourth-party risks, and the handling of sensitive data.
We describe whether and how risks from identified cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition, under the heading “We depend significantly on automated systems and any cyberattacks, breakdown, hacking or changes in these systems may adversely affect us” included as part of our risk factor disclosures at Item 3D of this annual report.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|To defend against, detect and respond to cybersecurity incidents, we, among other things: (i) conduct proactive privacy and cybersecurity reviews of systems and applications, (ii) audit applicable data policies, (iii) perform penetration testing using external third-party tools and techniques to test security controls, continuously and automatically testing and validating cybersecurity defenses against threats in real time, helping to reduce exposure and prioritize remediation efforts, (iv) conduct employee training, (v) monitor emerging laws and regulations related to data protection and information security (including our consumer products) and (vi) implement appropriate changes. We also rely on the support of PwC (a multinational auditing and business consulting firm) for internal auditing for SOC, 24x7 monitoring and IT assets.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of focus for our board of directors and management.
Board Oversight
The Information Security Management System (ISMS) is established to safeguard the critical information assets of our company. The ISMS operates under the oversight of the Corporate Risks and Compliance Department, represented by the Director Robson Braga da Costa.
The ISMS is designed with a comprehensive approach to information security, encompassing four key teams:
• Governance, Risk Management, and Compliance (GRC): This team establishes the overarching security framework, including policies, procedures, and standards. They conduct risk assessments, ensuring compliance with relevant regulations and industry best practices.
• Cybersecurity (CIS): This team takes a proactive approach to defending our systems and data from cyber threats. They deploy firewalls, intrusion detection/prevention systems, and vulnerability management programs. Additionally, they conduct security awareness training for employees.
• Data Protection & Privacy (DPP): This team ensures the airline meets all data protection and privacy regulations. They manage data classification, implement data loss prevention (DLP) solutions, and oversee incident response procedures in case of data breaches.
Reporting and Oversight
The Information Security team reports directly to the Corporate Risks and Compliance Director, providing regular updates on security posture, identified risks, and implemented controls. Our board of directors receives periodic reports on ISMS effectiveness, ensuring alignment with the organization's overall strategy and risk management framework.
The structured approach to Information Security scope
Comprehensive Security: Addresses information security from all angles, including governance, risk, compliance, identity, access control, cyber threats, and data protection.
Centralized Management: Provides a single point of accountability for information security within the Corporate Risks and Compliance Department.
Risk-Based Approach: Focuses resources on the most critical risks to the airline's information assets.
Alignment with Regulations: Ensures compliance with relevant data protection and privacy regulations.
Improved Security Culture: Fosters a culture of security awareness across the organization.
We believe that the ISMS structure we have implemented provides a robust framework for protecting our airline's sensitive information. The dedicated teams and clear reporting structure ensure a proactive approach to information security, minimizing risks and safeguarding valuable data assets.
Azul reinforces that it has not experienced any material cybersecurity incident recently and that it continues to monitor and continually seeks to improve its security measures.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|board of directors
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
The Information Security team reports directly to the Corporate Risks and Compliance Director, providing regular updates on security posture, identified risks, and implemented controls. Our board of directors receives periodic reports on ISMS effectiveness, ensuring alignment with the organization's overall strategy and risk management framework.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true