|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Cybersecurity Risk Management and Strategy
Our processes for assessing, identifying and managing material risks from cybersecurity threats are integrated into our risk management system. We use a variety of tools and processes to collect relevant data and identify, monitor, assess and manage material cybersecurity risks. We invest in cybersecurity defense solutions, including (but not limited to) prevention, detection and response tools and processes. We also have a dedicated local security operations center team, including specially trained personnel (the “Security Operations Team”) led by our Technology Operations Director, which is responsible for front-line cybersecurity risk detection and management with the assistance of our critical infrastructure management team. Our local Security Operations Team is supported by a global security operations team, which operates 24 hours a day, seven days a week covering 100% of our footprint via automated tools, alerts, relevant security log review across tools, using analytics to correlate logs across all different tools, and it engages in ongoing monitoring and testing of our systems and defenses with respect to cybersecurity threats.
We engage independent third parties on an as-needed basis to assess our cybersecurity capabilities. The results of these assessments are shared with the Board of Directors, including the Fiscal Council. We also perform periodic penetration testing and drills at least annually.
We provide cybersecurity awareness trainings to our employees which are designed to provide guidance for identifying and reporting cybersecurity risks and promote familiarity with our cybersecurity policies, and we require employees in certain roles to complete additional role-based, specialized cybersecurity trainings. We also leverage internal communications to promote awareness and conduct phishing exercises and provide training to employees.
We have adopted and implemented an incident response plan, which provides a structured approach for managing, escalating and remediating cybersecurity incidents, as further described below under “Cybersecurity Governance.” We also have a business continuity plan in place that covers critical infrastructure. We also have in place a local information security policy and supporting policies and standards covering key risk domains such as asset management, asset control, network security, incident management, third-party risk management and internet and technology use. We review these plans annually and updates them as needed.
Cybersecurity is also an important part of our Third-Party Risk Management Program. Through this program, we seek to identify, assess and manage risks, including cybersecurity risks, associated with our external service providers. We take a risk-based approach to conducting due diligence in the vendor onboarding process, and we seek to leverage the use of contractual terms to further mitigate risk. We also assess aspects of our vendors’ cybersecurity posture in certain circumstances.
To date, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. See “Risk Factors- Information technology failures, including failures to implement upgrades and new technologies effectively or those that affect the privacy and security of customer and business information, could disrupt our operations.”
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our processes for assessing, identifying and managing material risks from cybersecurity threats are integrated into our risk management system. We use a variety of tools and processes to collect relevant data and identify, monitor, assess and manage material cybersecurity risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|To date, we have not identified any risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect us or our business strategy, results of operations or financial condition. See “Risk Factors- Information technology failures, including failures to implement upgrades and new technologies effectively or those that affect the privacy and security of customer and business information, could disrupt our operations.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Cybersecurity Governance
Our management plays an active role in assessing and managing material risks from cybersecurity threats. Our Technology Operations Director and our Information Technology Vice-President Officer lead efforts to identify, analyze and manage cybersecurity threats and incidents, leveraging their experience and qualifications. Our Technology Operations Director has over 13 years’ experience in cybersecurity. Before joining Ambev, he worked as Head of Cybersecurity for one of the biggest health care companies in the world. He holds a bachelor’s degree in information security, Master of Business Administration degrees in cybersecurity and business management, CISSP, CCISO and CISM certifications and completed an extension course in Information Security at the Massachusetts Institute of Technology. Our Information Technology Vice-President Officer has almost 20 years’ experience in cybersecurity in private sector. Before joining Ambev, he served as Technology, Solutions Architecture and Customer Solutions Director at a Global Tech Company s and was also part of the Enterprise Architecture department at an automobile company in Belgium. He also holds a degree in computer science from Universidade de Campinas – UNICAMP and a degree in Innovation and Entrepreneurship from the Vlerick Leuven-Gent Management School. For further information on our Information Technology Vice-President Officer, see “Item 6. Directors, Senior Management and Employees—A. Directors and Senior Management—Officers.”
The Technology Operations Director and the Information Technology Vice-President Officer are supported by a team of professionals, including both legal experts and technical professionals who are well-versed in the detection, assessment and mitigation of cybersecurity incidents and events and whose job function is dedicated, in whole or in part, to cybersecurity risk management.
We have also established a cross-functional Privacy and Cybersecurity Committee, led by our Legal & Compliance Vice-President Officer, to coordinate and align effective cybersecurity governance, assessment and reporting. The Privacy and Cybersecurity Committee is composed of the Vice Presidents of Legal and Compliance, and Technology, as well as the Directors of Technology, Cybersecurity, Compliance and Digital Ethics, and Internal Controls, and other internal technical and legal experts. This committee is responsible for making strategic decisions to ensure the alignment of privacy, data protection, cybersecurity, and AI governance programs with the Company's objectives. Its duties include setting goals, approving key performance indicators, prioritizing actions, allocating resources, supporting the Data Protection Officer (DPO), evaluating high-risk decisions, and approving related policies. Additionally, the Committee reviews cybersecurity incidents to assess materiality and disclosure obligations.
Our Board of Directors, together with the Fiscal Council, oversees the Company’s internal control and overall risk management system. Without prejudice to the responsibilities of the board as a whole and as part of its oversight of the Company’s risk management system, the Fiscal Council and the Governance Committee oversee cybersecurity risk management, review the process by which management assesses, manages and mitigates the company’s exposure to cybersecurity risks. The Technology Operations Director and the Information Technology Vice-President Officer report periodically to members of the Fiscal Council and the Governance Committee. The Privacy and Cybersecurity Committee also provides briefings and updates on its work to the Governance Committee. In addition, the Governance Committee report annually to the Board of Directors on cybersecurity.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Without prejudice to the responsibilities of the board as a whole and as part of its oversight of the Company’s risk management system
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|the Fiscal Council and the Governance Committee oversee cybersecurity risk management, review the process by which management assesses, manages and mitigates the company’s exposure to cybersecurity risks.
|Cybersecurity Risk Role of Management [Text Block]
|Our management plays an active role in assessing and managing material risks from cybersecurity threats. Our Technology Operations Director and our Information Technology Vice-President Officer lead efforts to identify, analyze and manage cybersecurity threats and incidents, leveraging their experience and qualifications.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Board of Directors, together with the Fiscal Council, oversees the Company’s internal control and overall risk management system.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|We have also established a cross-functional Privacy and Cybersecurity Committee, led by our Legal & Compliance Vice-President Officer, to coordinate and align effective cybersecurity governance, assessment and reporting. The Privacy and Cybersecurity Committee is composed of the Vice Presidents of Legal and Compliance, and Technology, as well as the Directors of Technology, Cybersecurity, Compliance and Digital Ethics, and Internal Controls, and other internal technical and legal experts. This committee is responsible for making strategic decisions to ensure the alignment of privacy, data protection, cybersecurity, and AI governance programs with the Company's objectives. Its duties include setting goals, approving key performance indicators, prioritizing actions, allocating resources, supporting the Data Protection Officer (DPO), evaluating high-risk decisions, and approving related policies. Additionally, the Committee reviews cybersecurity incidents to assess materiality and disclosure obligations.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Technology Operations Director and the Information Technology Vice-President Officer report periodically to members of the Fiscal Council and the Governance Committee. The Privacy and Cybersecurity Committee also provides briefings and updates on its work to the Governance Committee.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef