|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk management and strategy
On November 15, 2023, the Board approved the Information Security Incident Management Policy (the “Cybersecurity Policy”), which establishes guidelines to identify, assess, manage and communicate material risks from cybersecurity incidents. The Cybersecurity Policy applies to the information systems and supporting infrastructure of the Company and its subsidiaries in all locations. It also covers the processes used to oversee and identify risks from cybersecurity threats associated with the use of third-party service providers, which is an important part of the Company’s global risk management strategy. In addition to the Cybersecurity Policy, the Company has adopted a cybersecurity risk matrix (the “Cybersecurity Risk Matrix”) to identify cybersecurity risks and to align projects that address them. Our actions, plans and projects are therefore aligned with the risks identified in the Cybersecurity Risk Matrix, which is reviewed annually by the information security officers and authorized by the corporate information security manager.
All strategic information security projects are set out in a global strategic plan based on the analysis of the risks identified and classified in accordance with the Cybersecurity Risk Matrix. Critical risks are addressed by a combination of security services and technology. A global security operations center and an incident response and threat intelligence service are also in place. A combination of information security applications and monitoring controls is used to detect threats to, and protect, the information assets on a layered-protection (defense-in-depth) basis. Global penetration testing and security reviews are performed regularly in our subsidiaries.
The Cybersecurity Policy also created the Information Security Incident Response Committee (the “ISIRC”), a non-permanent body mainly responsible for coordinating and authorizing the strategy and tasks to contain a Cybersecurity Incident and restore normal operation. The members of the ISIRC are:
Under the Cybersecurity Policy, Cybersecurity Incidents must be classified by the local security manager, from a technical perspective, as critical, high, medium, low or very low based on the Incident Impact Calculation Matrix. The ISIRC then reviews that classification from a qualitative and quantitative perspective, taking into account factors that a purely mathematical calculation does not capture, in order to determine the severity of the incident.
The Cybersecurity Policy establishes an incident management process, a plan for managing Cybersecurity Incidents that ensures the Company takes immediate action in case of any incident. The process consists of the following phases: (i) detection; (ii) analysis and early communication; (iii) containment; (iv) eradication; (v) recovery; (vi) documentation and improvement proposals; and (vii) disclosure.
The “detection” phase involves (i) data gathering and analysis; (ii) identification of indicators of an attack on, or compromise of, the network; and (iii) correlating events and applying threat intelligence to identify early signs of an attack. Examples of detectable events include data breaches, an unusual number of locked accounts and encrypted files, among others. Upon detection of a Cybersecurity Incident, the incident is immediately reported to the Local Cybersecurity Manager/Responsible, who convenes an ISIRC meeting. Under the Cybersecurity Policy, once a Cybersecurity Incident is identified, the Local Cybersecurity Manager/Responsible shall classify it from a technical perspective based on the Incident Impact Calculation Matrix, prepare the corresponding Cybersecurity Incident Report and create a record of the information and documentation related to the incident. All information related to the Cybersecurity Incident is then submitted to the ISIRC, which reviews the classification provided by the Local Cybersecurity Manager/Responsible and determines the severity of the incident.
Cybersecurity Incidents that, individually or in the aggregate, are classified by the ISIRC as critical or high must be reported by the ISIRC to our Executive Committee, which analyzes whether the incident must be disclosed. The Cybersecurity Policy also establishes that any detected Cybersecurity Incident shall be immediately reported to the cybersecurity officer (local or corporate), who will call an ISIRC meeting. In the case of a critical or high incident, the Executive Committee must in turn report it to the Board of Directors of the Company.
With respect to the “containment” strategy, the Cybersecurity Policy establishes that it depends on the type of attack and its potential impact on the organization. In any case, after the Cybersecurity Incident has been successfully contained, any element or change produced as a result of the Cybersecurity Incident must be repaired (the “eradication” phase). This may include rebuilding affected servers, removing malware, or closing breached accounts and resetting their passwords.
In the “recovery” phase, every affected system is restored in order to reinstate regular operations.
After receiving information from the ISIRC, the Executive Committee must determine whether a Cybersecurity Incident is material, or whether a series of related Cybersecurity Incidents taken together is material, in which case it must decide on the necessity and extent of any ongoing and annual disclosures. To determine the materiality of a Cybersecurity Incident, or of a series of related Cybersecurity Incidents taken together, our Executive Committee must evaluate the impact of the incident from a quantitative and a qualitative perspective, and consider whether there is a substantial likelihood that a reasonable investor would have considered it important in making an investment decision or whether it significantly alters the total mix of available information. As part of the materiality analysis, our Executive Committee may consider both the immediate fallout and any longer-term effects, including on our operations, finances, brand, reputation and customer relationships. If the Executive Committee deems it necessary, it may refer the Cybersecurity Incident to our Board of Directors so that the Board is involved in the materiality determination.
The Head of Legal and Compliance leads the disclosure process if the Cybersecurity Incident is material. Under the terms and conditions of our third-party agreements, our providers are obliged to inform us immediately upon detecting a Cybersecurity Incident that could involve the Company in any manner, in which case the local cybersecurity manager must convene the ISIRC, which determines whether the matter should be reported to the Executive Committee for a materiality determination.
Finally, although our business strategy, results of operations and financial condition have not been materially affected by Cybersecurity Incidents to date, we recognize that cybersecurity risks are increasing, especially as intrusion techniques continue to grow more sophisticated. While we have implemented several measures and procedures to mitigate these risks, such as the Cybersecurity Policy, we must remain vigilant and keep our systems and procedures current with evolving threats.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Same text as “Risk management and strategy” above.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|The Board of Directors has also decided to include cybersecurity as a permanent item on the agenda of its meetings and to receive, on a quarterly basis, a report summarizing any cybersecurity event, including non-material ones. Additionally, as required by internal policies, the Board of Directors must be informed of any critical or high impact security incident detected at any time.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Executive Committee
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Cybersecurity Incidents that, individually or in the aggregate, are classified by the ISIRC as critical or high must be reported by the ISIRC to our Executive Committee, which analyzes whether the incident must be disclosed. The Cybersecurity Policy also establishes that any detected Cybersecurity Incident shall be immediately reported to the cybersecurity officer (local or corporate), who will call an ISIRC meeting. In the case of a critical or high incident, the Executive Committee must in turn report it to the Board of Directors of the Company.
|Cybersecurity Risk Role of Management [Text Block]
|
The Information Security Department of the Company (the “Information Security Department”) is responsible for implementing and maintaining an organization-wide information security framework, both from the perspective of normative governance (policies, standards and procedures) and from that of the technological capabilities needed to achieve the security standards that minimize the Company’s risk from cyberattacks.
The Information Security Department reports to the Executive Committee through the Head of Legal and Compliance. The Head of Legal and Compliance is technically and strategically assisted by the Information Security Corporate Manager, who in turn is supported by a specialized group of information technology and security engineers and by highly specialized worldwide leaders and researchers. See “Item 6. Directors, Senior Management and Employees—A. Directors and Senior Management—Background of Our Officers and Directors.”
The Information Security Corporate Manager has more than twenty years of progressive experience in all aspects of technology risk management and a deep understanding of the strategic and tactical aspects of information technology security, internal control over information technology, and operational processes over critical assets and infrastructure. The Information Security Corporate Manager is experienced in areas such as comprehensive access management strategy, cybersecurity monitoring and governance, awareness programs, business continuity strategy and information technology general controls under the Sarbanes-Oxley Act, among others.
The information security plan, budget and strategic projects are presented and explained to the Board of Directors at least once per year.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Information Security Incident Response Committee
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
The Information Security Corporate Manager has more than twenty years of progressive experience in all aspects of technology risk management and a deep understanding of the strategic and tactical aspects of information technology security, internal control over information technology, and operational processes over critical assets and infrastructure. The Information Security Corporate Manager is experienced in areas such as comprehensive access management strategy, cybersecurity monitoring and governance, awareness programs, business continuity strategy and information technology general controls under the Sarbanes-Oxley Act, among others.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Cybersecurity Incidents that, individually or in the aggregate, are classified by the ISIRC as critical or high must be reported by the ISIRC to our Executive Committee, which analyzes whether the incident must be disclosed. The Cybersecurity Policy also establishes that any detected Cybersecurity Incident shall be immediately reported to the cybersecurity officer (local or corporate), who will call an ISIRC meeting.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true