|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Risk Management and Strategy
We uphold a thorough procedure for evaluating, recognizing, and addressing cybersecurity risks, encompassing threats such as business operations disruption, reporting system vulnerabilities, data breaches, and reputational concerns. The Department of Cybersecurity holds the mandate to implement a range of proactive and responsive measures that influence data processing and facilitate information protection. Moreover, it carries out risk analysis and assessment concerning cybersecurity threats that could affect the Company, working closely with the Cybersecurity Manager and other cybersecurity experts. The functions of our Department of Cybersecurity have been integrated into our general risk systems and processes.
Key responsibilities of the Department of Cybersecurity encompass:
The Cybersecurity Department’s procedures undergo annual reviews, testing, updates, and approval by the Approval Committee. Any necessary updates resulting from these reviews are implemented accordingly.
Incident Response Plan
We have a Cybersecurity Risk Assessment Procedure to identify, assess and manage risks in order to protect the confidentiality, integrity and availability of our networks, systems and associated information. This procedure is part of the Cybersecurity Risk Management Program, which requires periodic updates and its corresponding assessment.
We rely on and use recognized international frameworks, including the NIST SP 800-30, NIST SP 800-37, NIST CSF and MAGERIT frameworks for the identification, assessment, and management of cybersecurity risks relevant to our business.
Our Cybersecurity Risk Management Program includes the following key elements:
During 2024, a cyber incident management simulation exercise was conducted to test the processes of materiality assessment and cyber incident handling. The evaluation team, consisting of executives from the areas involved, convened and analyzed various scenarios of a hypothetical ransomware attack and its material impact on our organization.
Controlled service disruption tests were performed on essential components of the IT infrastructure to verify the performance of recovery mechanisms. The results of these tests were satisfactory in all cases, as contingency measures were successfully activated to maintain operational continuity.
Four independent security tests (Penetration Tests) were conducted on the internet-exposed infrastructure and the internal network to determine our degree of exposure to threats and cyber-attacks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|We have a Cybersecurity Risk Assessment Procedure to identify, assess and manage risks in order to protect the confidentiality, integrity and availability of our networks, systems and associated information. This procedure is part of the Cybersecurity Risk Management Program, which requires periodic updates and its corresponding assessment.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|As of the date of this annual report, the Company has not suffered any material cybersecurity incidents.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Governance
We and our Board of Directors consider that cybersecurity risks and their management are of vital importance; we are aware that cybersecurity requires the active participation of the Board of Directors and Senior Management to exercise corporate governance; therefore, we have adopted the Cybersecurity Governance Procedure with the goal of establishing a comprehensive cybersecurity governance and management framework adapted to our specific needs. We recognize the critical importance of ensuring operational continuity, information protection and preservation of trust in a vital sector such as energy generation.
Management
Our Cybersecurity Manager at Management leads and oversees our cybersecurity strategy to ensure the comprehensive protection of digital assets, effective cyber risk management, regulatory compliance, and the promotion of a robust security culture, in order to achieve the integrity, confidentiality and availability of our networks, systems and information. Our cybersecurity manager has obtained professional security certifications and advanced training in the field of cybersecurity, training and experience related to the position and cybersecurity.
In the event that the preliminary assessment by the Cybersecurity Manager suggests that the incident could be significant, our policy stipulates the formation of an Approval Committee consisting of the CEO, CFO, and Cybersecurity Manager. The role of the Approval Committee is to oversee the materiality determination made by the Cybersecurity team. If deemed necessary, the Approval Committee forwards pertinent information to the Audit Committee for review. Should the Audit Committee validate the incident’s materiality, it is then communicated to the Board of Directors, and subsequently, publicly disclosed in accordance with relevant laws and regulations.
The Cybersecurity Manager maintains regular meetings with both the Board of Directors and the Audit Committee to discuss cybersecurity processes, risks, initiatives, and mitigation efforts.
Board of Directors
Our Audit Committee has an agenda on cybersecurity issues; it is the body in charge of supervising our cybersecurity strategy, especially the identification, evaluation and management of cybersecurity risks. The Audit Committee reports to the Board of Directors annually and whenever necessary, in order to update and inform about the cybersecurity strategy, cybersecurity risks, their management for the treatment and effectiveness of cybersecurity controls and potential cyber incidents. In addition, it has set biannual meetings and whenever necessary, with the person responsible for cybersecurity in Management, through which it is informed, exercises oversight and decision making.
To fulfill this duty, the Audit Committee convenes regular meetings and ad-hoc sessions as necessary, during which the Cybersecurity Manager provides reports on cybersecurity events and updates on prevailing risks. Additionally, the Audit Committee engages with the Cybersecurity Manager if a material event arises.
The Cybersecurity Manager communicates significant activities related to cybersecurity incidents in accordance with the Cybersecurity Risk Assessment Procedure to both the Board of Directors and the Audit Committee.
Third-Party Service Provider
Our cybersecurity risk management protocols also encompass monitoring and identifying threats related to our utilization of third-party service providers, as per the terms outlined in our contracts with them. We stipulate in our contracts that third-party services must adhere to our security policies. The Department of Cybersecurity supervises this process, and if any risks are identified, they instruct the providers to comply with our cybersecurity policies.
Training
The Department of Cybersecurity organizes awareness campaigns and training sessions for employees, emphasizing various topics such as creating secure passwords, recognizing phishing attempts, understanding social engineering tactics, data leakage, ensuring security on WhatsApp and social networks, understanding data protection principles, and promoting secure development practices, among other relevant subjects.
Risks from Cybersecurity Threats
As of the date of this annual report, the Company has not suffered any material cybersecurity incidents.
For further details regarding our cybersecurity-related risks, please refer to "Item 3—Key Information—Risk Factors—A cyberattack could adversely affect our business, balance sheet, results of operations and cash flow."
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|We and our Board of Directors consider that cybersecurity risks and their management are of vital importance; we are aware that cybersecurity requires the active participation of the Board of Directors and Senior Management to exercise corporate governance; therefore, we have adopted the Cybersecurity Governance Procedure with the goal of establishing a comprehensive cybersecurity governance and management framework adapted to our specific needs. We recognize the critical importance of ensuring operational continuity, information protection and preservation of trust in a vital sector such as energy generation.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit Committee reports to the Board of Directors annually and whenever necessary, in order to update and inform about the cybersecurity strategy, cybersecurity risks, their management for the treatment and effectiveness of cybersecurity controls and potential cyber incidents. In addition, it has set biannual meetings and whenever necessary, with the person responsible for cybersecurity in Management, through which it is informed, exercises oversight and decision making.
|Cybersecurity Risk Role of Management [Text Block]
|Our Cybersecurity Manager at Management leads and oversees our cybersecurity strategy to ensure the comprehensive protection of digital assets, effective cyber risk management, regulatory compliance, and the promotion of a robust security culture, in order to achieve the integrity, confidentiality and availability of our networks, systems and information. Our cybersecurity manager has obtained professional security certifications and advanced training in the field of cybersecurity, training and experience related to the position and cybersecurity.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The Cybersecurity Manager maintains regular meetings with both the Board of Directors and the Audit Committee to discuss cybersecurity processes, risks, initiatives, and mitigation efforts.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Audit Committee has an agenda on cybersecurity issues; it is the body in charge of supervising our cybersecurity strategy, especially the identification, evaluation and management of cybersecurity risks.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true