|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management Strategy And Governance [Abstract]
|Cybersecurity Risk Management Processes For Assessing Identifying And Managing Threats [Text Block]
|
Our business processes and operations depend significantly on the implementation and maintenance of technology infrastructure and data systems, as well as telecommunication services, both for our corporate and operational segments. On the corporate side, we are heavily dependent on the enterprise resource planning system and other interconnected systems, as well as the network and cloud infrastructure. On the operational side, we are strongly dependent on our systems responsible for monitoring and operating our industrial environment, as well as the infrastructure of the operation centers and equipment that are part of the infrastructure for sending or receiving data to the ONS operating environments or to other agents’ operation centers.
We have adopted various measures to actively monitor our networks, systems, and technology assets to map cybersecurity-related risks, such as recurring penetration tests, an endpoint and network detection and response platform, security information and event management and threat intelligence. We also implemented measures to mitigate and prevent events that may compromise the availability, integrity and confidentiality of the information and systems, or that cause damage, loss of information, financial loss, service interruptions, undue dissemination of information or damage to our reputation. Each year, we engage an accounting firm to carry out an assessment and issue a report detailing the level of risk related to our information security-related activities.
These initiatives aim to mitigate risks and strengthen information security management, establishing internal guidelines, acquiring tools and services, improving procedures, carrying out awareness campaigns and training, reducing vulnerabilities and detecting incidents in a timely manner, more effective. We have secured insurance policies for cybersecurity for projects and commitments with third-party vendors, who must comply with our security requirements.
We assess third-party risk in all technology-related contracts, based on three Criteria: access to our network, physical connections, or receipt of important data. Suppliers undergo additional screening, being classified into risk levels (low, medium, high or critical). For high or critical risk suppliers, we implement specific action plans and testing of intrusion.
As of the date of this Annual Report, and in the past three years, we have not identified any cybersecurity incidents that would have materially affected us, our business strategy, results of operations or financial condition. We cannot guarantee that such incidents will not occur and adversely affect our operations in the future. Our business, results of operations and financial condition may be adversely affected if any past or current vulnerabilities, known or unknown to us, become the target of unauthorized access or intrusion or evolve into security breaches and other incidents, including as a result of third-party action, employee or contractor error, nation state malfeasance, malware, phishing, computer hackers, system error, software bugs or defects, process failure or otherwise.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We have adopted various measures to actively monitor our networks, systems, and technology assets to map cybersecurity-related risks, such as recurring penetration tests, an endpoint and network detection and response platform, security information and event management and threat intelligence. We also implemented measures to mitigate and prevent events that may compromise the availability, integrity and confidentiality of the information and systems, or that cause damage, loss of information, financial loss, service interruptions, undue dissemination of information or damage to our reputation. Each year, we engage an accounting firm to carry out an assessment and issue a report detailing the level of risk related to our information security-related activities.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight And Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected Or Reasonably Likely To Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Role Of Management [Text Block]
|
We have a cyber incident management process, which defines criteria and recommends techniques and tools to detect and monitor cyber threats. Our cyber crisis management guidelines establish procedures to be followed in the event of cyber incidents or crises, specifying the responsibilities of each team involved. These guidelines are part of our general information security policy, approved by our Executive Directors. We have a Chief Information Security Officer (CISO) who manages the implementation of our information security plan based on the National Institute of Standards and Technology across all subsidiaries, as well as several complementary regulations for our group. The CISO is responsible for all information security areas and reports to our Executive Directors, Board of Directors and Audit Committee.
In addition, we have also developed a personal data privacy program, phishing program, cyber incident response program, third-party risk monitoring and business continuity plan, as well as maintaining a security operations center to monitor vulnerabilities and handle any incidents. We also recently launched a project to improve cybersecurity in an operational technology environment, in line with the Operation Procedure Manual - Operational Routine (RO-CB.BR.01) of the ONS. Training and further qualifications on this subject are also routinely carried out at the Corporate University of our companies.
|Cybersecurity Risk Management Positions Or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions Or Committees Responsible [Text Block]
|We have a Chief Information Security Officer (CISO) who manages the implementation of our information security plan based on the National Institute of Standards and Technology across all subsidiaries, as well as several complementary regulations for our group.
|Cybersecurity Risk Process For Informing Management Or Committees Responsible [Text Block]
|The CISO is responsible for all information security areas and reports to our Executive Directors, Board of Directors and Audit Committee.
|Cybersecurity Risk Management Positions Or Committees Responsible Report To Board [Flag]
|true
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.
|X
- References
+ Details
No definition available.