Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk, as part of our overall risk management system and processes.
Our cybersecurity risk management processes include the following:

- Aligning our cyber practices with internationally established cybersecurity frameworks is a key focus. In addition to being ISO 27001 certified, we have adhered to market best practices and frameworks, including CIS Controls, NIST SCF, and MITRE ATT&CK. We prioritize the use of monitoring solutions for security, implementing systems to identify anomalous traffic on the local network or in the cloud, along with antimalware measures for endpoint security. Cloud monitoring is supported by a dedicated solution, and logs from critical assets are sent to our central Security Information and Event Management (“SIEM”) system. The SIEM is operated 24/7 by outsourced professionals, who promptly notify our security team of critical alerts for appropriate intervention.

- Maintaining a strict cybersecurity protocol to protect sensitive data and ensure system integrity. Our security measures include multifactor authentication, robust firewalls, and a regularly updated eXtended Detection and Response (“XDR”) system serving as antivirus. Proactive vulnerability management is conducted to identify and address potential vulnerabilities promptly. As part of our ongoing cybersecurity efforts, we undergo penetration testing twice a year by an accredited external firm to assess our security posture and further enhance our defenses against digital threats.

- Involving a comprehensive team responsible for day-to-day cybersecurity-related matters. Our legal department provides guidance on regulatory and legal matters, ensuring compliance with cybersecurity laws and regulations. Internal audit conducts independent assessments of the effectiveness of our security controls, identifying areas for improvement. Our human resources department plays a crucial role in ensuring that every new hire is trained on safe computing practices and data protection. Our compliance function ensures that our policies are aligned with applicable regulatory standards. Our IT team works closely with SecOps experts to implement and maintain robust defense systems. Additionally, our corporate security team plays a complementary role in protecting physical assets that can impact digital security.

- Carrying insurance against potential losses resulting from cybersecurity incidents and regularly reviewing our policy and coverage levels based on relevant risks. Although CI&T Brazil does not have cyber liability insurance coverage, the policy held by CI&T US provides financial protection in the event of data breaches, cyberattacks, or other security incidents, helping to mitigate the financial impact on our organization. By regularly assessing our policies and coverage levels, we aim to ensure that our insurance is adequately aligned with the constantly evolving threat landscape and potential vulnerabilities in our systems.

- Conducting annual cybersecurity awareness training sessions, mandatory for all company employees. These sessions are designed to educate employees about the latest cybersecurity threats, best practices for protecting sensitive information, and the importance of maintaining vigilance in their digital activities. Additionally, weekly posts are made on our corporate social network, along with simulated phishing exercises and real-world case studies. These training sessions are intended to equip employees with the knowledge and skills necessary to identify and effectively respond to potential security risks.

- Maintaining a robust incident response plan that defines the procedures and protocols to be followed in the event of any cyber incident, from initial detection to full resolution. Our incident response plan establishes the roles and responsibilities of the various teams involved, to ensure a prompt and coordinated response. Additionally, the plan includes steps for impact mitigation and recovery of affected systems and data. In the event of an incident, the plan also provides for an internal escalation process, pursuant to which incidents are initially addressed by the cybersecurity team and, if necessary, escalated to higher levels of leadership, aiming at swift and effective responses. We regularly review and update our incident response plan in order to ensure its effectiveness in light of the constantly evolving cyber threat landscape.

- Involvement in broader industry initiatives and organizations relating to cybersecurity, such as collaborating with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, and advance capabilities in these areas. We are actively involved in initiatives and organizations related to cybersecurity as members of an external group composed of several companies that discuss information security topics. Participating in this group provides us with access to valuable insights and best practices in cybersecurity, allowing us to keep our security posture updated and aligned with the latest industry trends.
We also engage trusted partners to ensure the effectiveness of our security practices. One of these partners played a key role in the successful implementation of the ISO 27001 standard, providing expertise and specialized guidance throughout the process. This implementation process was validated by a third-party market audit firm, responsible for certifying our compliance with ISO 27001. Additionally, we evaluate the structure and test the effectiveness of our processes, and provide training. Our cybersecurity risk management processes extend to the oversight and identification of cybersecurity risks arising from our use of third-party service providers. Our risk management program includes supplier management as a component of our cybersecurity strategy. We evaluate our vendors to ensure that they meet our security standards and requirements, including by assessing their cybersecurity practices, data protection measures, and compliance with relevant regulations. We prioritize partnerships with vendors who demonstrate a strong commitment to security and provide transparency regarding their security posture. Additionally, our contracts provide an outline of our expectations and define responsibilities in connection with cybersecurity.
As of the date of this report, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats. We cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents.
Cybersecurity Risk Management Processes Integrated [Flag]
true
Cybersecurity Risk Management Processes Integrated [Text Block]

Our cybersecurity risk management processes include the following:

- Aligning our cyber practices with internationally established cybersecurity frameworks is a key focus. In addition to being ISO 27001 certified, we have adhered to market best practices and frameworks, including CIS Controls, NIST SCF, and MITRE ATT&CK. We prioritize the use of monitoring solutions for security, implementing systems to identify anomalous traffic on the local network or in the cloud, along with antimalware measures for endpoint security. Cloud monitoring is supported by a dedicated solution, and logs from critical assets are sent to our central Security Information and Event Management (“SIEM”) system. The SIEM is operated 24/7 by outsourced professionals, who promptly notify our security team of critical alerts for appropriate intervention.

- Maintaining a strict cybersecurity protocol to protect sensitive data and ensure system integrity. Our security measures include multifactor authentication, robust firewalls, and a regularly updated eXtended Detection and Response (“XDR”) system serving as antivirus. Proactive vulnerability management is conducted to identify and address potential vulnerabilities promptly. As part of our ongoing cybersecurity efforts, we undergo penetration testing twice a year by an accredited external firm to assess our security posture and further enhance our defenses against digital threats.

- Involving a comprehensive team responsible for day-to-day cybersecurity-related matters. Our legal department provides guidance on regulatory and legal matters, ensuring compliance with cybersecurity laws and regulations. Internal audit conducts independent assessments of the effectiveness of our security controls, identifying areas for improvement. Our human resources department plays a crucial role in ensuring that every new hire is trained on safe computing practices and data protection. Our compliance function ensures that our policies are aligned with applicable regulatory standards. Our IT team works closely with SecOps experts to implement and maintain robust defense systems. Additionally, our corporate security team plays a complementary role in protecting physical assets that can impact digital security.

- Carrying insurance against potential losses resulting from cybersecurity incidents and regularly reviewing our policy and coverage levels based on relevant risks. Although CI&T Brazil does not have cyber liability insurance coverage, the policy held by CI&T US provides financial protection in the event of data breaches, cyberattacks, or other security incidents, helping to mitigate the financial impact on our organization. By regularly assessing our policies and coverage levels, we aim to ensure that our insurance is adequately aligned with the constantly evolving threat landscape and potential vulnerabilities in our systems.

- Conducting annual cybersecurity awareness training sessions, mandatory for all company employees. These sessions are designed to educate employees about the latest cybersecurity threats, best practices for protecting sensitive information, and the importance of maintaining vigilance in their digital activities. Additionally, weekly posts are made on our corporate social network, along with simulated phishing exercises and real-world case studies. These training sessions are intended to equip employees with the knowledge and skills necessary to identify and effectively respond to potential security risks.

- Maintaining a robust incident response plan that defines the procedures and protocols to be followed in the event of any cyber incident, from initial detection to full resolution. Our incident response plan establishes the roles and responsibilities of the various teams involved, to ensure a prompt and coordinated response. Additionally, the plan includes steps for impact mitigation and recovery of affected systems and data. In the event of an incident, the plan also provides for an internal escalation process, pursuant to which incidents are initially addressed by the cybersecurity team and, if necessary, escalated to higher levels of leadership, aiming at swift and effective responses. We regularly review and update our incident response plan in order to ensure its effectiveness in light of the constantly evolving cyber threat landscape.

- Involvement in broader industry initiatives and organizations relating to cybersecurity, such as collaborating with organizations across different industries to share best practices, fight cybercrime, enhance privacy, discuss new technologies, and advance capabilities in these areas. We are actively involved in initiatives and organizations related to cybersecurity as members of an external group composed of several companies that discuss information security topics. Participating in this group provides us with access to valuable insights and best practices in cybersecurity, allowing us to keep our security posture updated and aligned with the latest industry trends.
Cybersecurity Risk Management Third Party Engaged [Flag]
true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
As of the date of this report, our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats. We cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents.
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance
Board of Directors
Our board of directors and our audit committee are primarily responsible for overseeing risks related to information security. As noted below, such risks are managed by our security team, an independent division led by a senior manager, an executive manager, and a director. This team regularly participates in meetings with our audit committee, where information security and security risk management agendas are discussed. Additionally, topics discussed at these meetings, including significant incidents and potential impacts, are presented and discussed at meetings of the board of directors.
Management
The cyber risk management processes described above are overseen by the information security team and audited annually by internal and external audit teams as part of the ISO 27001 certification review. As part of this management, we are attentive to the risks in our supply chain, and have established a policy to annually assess the security maturity level of the most critical third parties.
Our security team follows market-recognized best practices and frameworks such as MITRE, CIS and NIST, among others. Furthermore, we hold ISO 27001 certification and subject our Information Security Management System (ISMS) to internal and external audits annually to validate ISO 27001 controls, ensuring certification renewal.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our board of directors and our audit committee are primarily responsible for overseeing risks related to information security. As noted below, such risks are managed by our security team, an independent division led by a senior manager, an executive manager, and a director.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our board of directors and our audit committee are primarily responsible for overseeing risks related to information security. As noted below, such risks are managed by our security team, an independent division led by a senior manager, an executive manager, and a director. This team regularly participates in meetings with our audit committee, where information security and security risk management agendas are discussed. Additionally, topics discussed at these meetings, including significant incidents and potential impacts, are presented and discussed at meetings of the board of directors.
Cybersecurity Risk Role of Management [Text Block]

Management
The cyber risk management processes described above are overseen by the information security team and audited annually by internal and external audit teams as part of the ISO 27001 certification review. As part of this management, we are attentive to the risks in our supply chain, and have established a policy to annually assess the security maturity level of the most critical third parties.
Cybersecurity Risk Management Positions or Committees Responsible [Flag]
true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
The cyber risk management processes described above are overseen by the information security team and audited annually by internal and external audit teams as part of the ISO 27001 certification review.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Maintaining a robust incident response plan that defines the procedures and protocols to be followed in the event of any cyber incident, from initial detection to full resolution. Our incident response plan establishes the roles and responsibilities of the various teams involved, to ensure a prompt and coordinated response. Additionally, the plan includes steps for impact mitigation and recovery of affected systems and data. In the event of an incident, the plan also provides for an internal escalation process, pursuant to which incidents are initially addressed by the cybersecurity team and, if necessary, escalated to higher levels of leadership, aiming at swift and effective responses. We regularly review and update our incident response plan in order to ensure its effectiveness in light of the constantly evolving cyber threat landscape.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
true