|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Our risk management framework includes regular assessments and updates to our cybersecurity policies, aligning them closely with industry best practices and emerging threats. We emphasize a proactive approach, integrating cybersecurity considerations into our strategic planning and operational processes. This ensures that potential risks are identified and mitigated before they can impact our operations. Additionally, our strategy is structured according to the categories of the NIST Cybersecurity Framework, providing a solid and standardized foundation for our cybersecurity practices.
• Cybersecurity processes are overseen by our Cybersecurity team, which reports to the Innovation and Technology Manager, who in turn reports to the CTO. The leader of our Cybersecurity team has over 12 years of experience in the field across various industries.
• The Cybersecurity team provides quarterly reports to the Cybersecurity Internal Committee, which oversees and sponsors the cybersecurity strategy. This committee has received fundamental cybersecurity training from a top-tier third-party consultant. Our CTO, who chairs the committee, provides quarterly updates to the Corporate Practices Committee of the Board of Directors.
• As part of our management process, the committee receives quarterly reports on the following key performance indicators:
    • Number of critical incidents that occurred during the period;
    • Distribution of cybersecurity monitoring alerts within the period;
    • Number of critical risk scenarios identified with a level 1 post-mitigation rating (highest impact and probability of occurrence);
    • Percentage of employees who completed mandatory cybersecurity training; and
    • Average results of controlled phishing exercises.
• The Company’s cybersecurity and information security strategy is based on comprehensive risk assessment, mitigation, and resilience readiness. This is achieved through a threat intelligence-driven approach, application controls, and reinforced ransomware defense mechanisms. The framework follows several international standards, including NIST Special Publication 800-53 for general IT controls, ISA/IEC standards for industrial automation, the NIST Cybersecurity Framework for evaluating overall readiness, and SOX for assessing internal controls.
• We have implemented a Cybersecurity Policy and Standards, which serve as a comprehensive framework for our cybersecurity rules, technical standards, and procedures. This document is aligned with our corporate operating management system and establishes guidelines for developing, implementing, and enhancing procedures to protect information from unauthorized access and misuse, ensure the availability of critical systems, and maintain data protection and integrity. This policy is the cornerstone of our information security management system and an integral part of our cybersecurity governance framework.
• We maintain a comprehensive process for assessing, identifying, and managing material risks from cybersecurity threats, including risks related to business operations disruption, financial reporting systems, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, litigation and legal risks, and reputational risks.
• Risk assessments are conducted on an ongoing basis. The likelihood and impact of each risk are determined using a qualitative risk assessment methodology. Risks are identified from various sources, including vulnerability scans and penetration tests. We monitor our infrastructure and applications to detect evolving cyber threats and possible intrusions. The assessment results are reported quarterly to Company management through our cybersecurity risk matrix in accordance with the established cybersecurity governance model.
• Third-party risk management is integral to our approach, involving rigorous due diligence and continuous monitoring of our vendors and partners to ensure alignment with our cybersecurity standards.
• This function is built on advanced security technologies and is managed by a team of experts with significant experience in cybersecurity best practices.
• The Company employs comprehensive policies, software, training programs, and hardware solutions to safeguard and monitor its environment. These measures include multifactor authentication for all critical systems, firewalls, intrusion detection and prevention systems, and vulnerability and identity management systems.
• Our platform incorporates a suite of technologies, including encryption, antivirus, multi-factor authentication, firewalls, and patch management. These technologies are designed to protect and maintain the integrity of systems and computers across our organization.
• Our Cybersecurity team regularly tests security controls through penetration testing, vulnerability scanning, and attack simulation activities.
• The Cybersecurity team conducts annual information security awareness training for all employees, performs internal phishing tests, provides targeted training for employees who click on phishing attempts, mandates security training for new hires, and publishes cybersecurity newsletters to address emerging or urgent security threats.
• We have a Cybersecurity Incident Response Plan that outlines the procedures for handling cybersecurity incidents based on their severity and ensures cross-functional coordination. Additionally, we have established a Cybersecurity Detection and Response team to provide real-time enterprise visibility into cyber incidents.
• Our business strategy, operational results, and financial condition have not been significantly impacted by cybersecurity threats or past incidents. However, we cannot guarantee that they will remain unaffected by such risks or future significant incidents. Over the past four fiscal years, we have not experienced any significant information security breaches, and expenses incurred from minor breaches have been insignificant. This includes penalties and settlements, of which there have been none.
• The Company conducts cybersecurity tabletop and crisis management exercises facilitated by an independent third party to simulate breach and other information security scenarios. The facilitator poses questions to participants and provides insights into typical responses from other companies in similar situations. These exercises help assess and enhance response strategies, improving practices, procedures, and technologies.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our risk management framework includes regular assessments and updates to our cybersecurity policies, aligning them closely with industry best practices and emerging threats. We emphasize a proactive approach, integrating cybersecurity considerations into our strategic planning and operational processes. This ensures that potential risks are identified and mitigated before they can impact our operations. Additionally, our strategy is structured according to the categories of the NIST Cybersecurity Framework, providing a solid and standardized foundation for our cybersecurity practices.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Cybersecurity processes are overseen by our Cybersecurity team, which reports to the Innovation and Technology Manager, who in turn reports to the CTO.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Cybersecurity team provides quarterly reports to the Cybersecurity Internal Committee, which oversees and sponsors the cybersecurity strategy. This committee has received fundamental cybersecurity training from a top-tier third-party consultant.
|Cybersecurity Risk Role of Management [Text Block]
|
• Cybersecurity processes are overseen by our Cybersecurity team, which reports to the Innovation and Technology Manager, who in turn reports to the CTO. The leader of our Cybersecurity team has over 12 years of experience in the field across various industries.
• The Cybersecurity team provides quarterly reports to the Cybersecurity Internal Committee, which oversees and sponsors the cybersecurity strategy. This committee has received fundamental cybersecurity training from a top-tier third-party consultant. Our CTO, who chairs the committee, provides quarterly updates to the Corporate Practices Committee of the Board of Directors.
• As part of our management process, the committee receives quarterly reports on the following key performance indicators:
    • Number of critical incidents that occurred during the period;
    • Distribution of cybersecurity monitoring alerts within the period;
    • Number of critical risk scenarios identified with a level 1 post-mitigation rating (highest impact and probability of occurrence);
    • Percentage of employees who completed mandatory cybersecurity training; and
    • Average results of controlled phishing exercises.
• The Company’s cybersecurity and information security strategy is based on comprehensive risk assessment, mitigation, and resilience readiness. This is achieved through a threat intelligence-driven approach, application controls, and reinforced ransomware defense mechanisms. The framework follows several international standards, including NIST Special Publication 800-53 for general IT controls, ISA/IEC standards for industrial automation, the NIST Cybersecurity Framework for evaluating overall readiness, and SOX for assessing internal controls.
• We have implemented a Cybersecurity Policy and Standards, which serve as a comprehensive framework for our cybersecurity rules, technical standards, and procedures. This document is aligned with our corporate operating management system and establishes guidelines for developing, implementing, and enhancing procedures to protect information from unauthorized access and misuse, ensure the availability of critical systems, and maintain data protection and integrity. This policy is the cornerstone of our information security management system and an integral part of our cybersecurity governance framework.
• We maintain a comprehensive process for assessing, identifying, and managing material risks from cybersecurity threats, including risks related to business operations disruption, financial reporting systems, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, litigation and legal risks, and reputational risks.
• Risk assessments are conducted on an ongoing basis. The likelihood and impact of each risk are determined using a qualitative risk assessment methodology. Risks are identified from various sources, including vulnerability scans and penetration tests. We monitor our infrastructure and applications to detect evolving cyber threats and possible intrusions. The assessment results are reported quarterly to Company management through our cybersecurity risk matrix in accordance with the established cybersecurity governance model.
• Third-party risk management is integral to our approach, involving rigorous due diligence and continuous monitoring of our vendors and partners to ensure alignment with our cybersecurity standards.
• This function is built on advanced security technologies and is managed by a team of experts with significant experience in cybersecurity best practices.
• The Company employs comprehensive policies, software, training programs, and hardware solutions to safeguard and monitor its environment. These measures include multifactor authentication for all critical systems, firewalls, intrusion detection and prevention systems, and vulnerability and identity management systems.
• Our platform incorporates a suite of technologies, including encryption, antivirus, multi-factor authentication, firewalls, and patch management. These technologies are designed to protect and maintain the integrity of systems and computers across our organization.
• Our Cybersecurity team regularly tests security controls through penetration testing, vulnerability scanning, and attack simulation activities.
• The Cybersecurity team conducts annual information security awareness training for all employees, performs internal phishing tests, provides targeted training for employees who click on phishing attempts, mandates security training for new hires, and publishes cybersecurity newsletters to address emerging or urgent security threats.
• We have a Cybersecurity Incident Response Plan that outlines the procedures for handling cybersecurity incidents based on their severity and ensures cross-functional coordination. Additionally, we have established a Cybersecurity Detection and Response team to provide real-time enterprise visibility into cyber incidents.
• Our business strategy, operational results, and financial condition have not been significantly impacted by cybersecurity threats or past incidents. However, we cannot guarantee that they will remain unaffected by such risks or future significant incidents. Over the past four fiscal years, we have not experienced any significant information security breaches, and expenses incurred from minor breaches have been insignificant. This includes penalties and settlements, of which there have been none.
• The Company conducts cybersecurity tabletop and crisis management exercises facilitated by an independent third party to simulate breach and other information security scenarios. The facilitator poses questions to participants and provides insights into typical responses from other companies in similar situations. These exercises help assess and enhance response strategies, improving practices, procedures, and technologies.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our CTO, who chairs the committee, provides quarterly updates to the Corporate Practices Committee of the Board of Directors.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The leader of our Cybersecurity team has over 12 years of experience in the field across various industries.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true