|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Jun. 30, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
For the fiscal year ended June 30, 2025, we completed the implementation of our cybersecurity risk management program across our operating subsidiaries: Lavoro Agro Holding S.A. (“Lavoro Agro”), Crop Care Holding S.A. (“Crop Care”) and Lavoro Colombia S.A.S. (“Lavoro Colombia”), and its subsidiaries. The program establishes common policies, control standards, and incident-response procedures across the group. Program management and the control and monitoring activities remain decentralized and are carried out by each entity in accordance with these standards.
Lavoro entities maintain a robust information and cybersecurity structure, managed by our information technology department. The internal teams include a cybersecurity specialist and/or an analyst, and collaborate with two partner companies. One partner manages the Security Operations Center (“SOC”), while the other performs continuous vulnerability assessments. These partners use SIEM (Security Information and Event Management) and IDR (Incident Detection and Response) tools to identify, assess, and mitigate vulnerabilities. In the event of cybersecurity incidents, they work with our team to resolve them. Vulnerabilities are classified and addressed for correction by the IT Infrastructure. The SOC and Lavoro’s cybersecurity team respond to incidents, and the partner company provides monthly reports on vulnerabilities and incidents.
Risk Management and Strategy
The Cybersecurity teams assess vulnerabilities identified by our partners based on MITRE ATT&CK standards, determining the likelihood of exploitation and the potential for cyber-attacks. This process aligns with the Cyber Vulnerability Management Policy and adheres to the guidelines of ISO 27001, MITRE ATT&CK, and NIST CSF.
Lavoro Cybersecurity Structure
Our cybersecurity structures, aligned with the NIST CSF framework, cover the phases of identification, protection, detection, response, and recovery from cyber incidents, applicable to emails, workstations, cloud servers, and third-party systems. Related policies include:
Cyber Incident Management Policy: Covers the phases of the NIST CSF.
Cyber Incident Response Policy: Specifies the application of the NIST CSF.
Cyber Incident Communication Policy: Defines communication procedures and severity levels.
Incident Response
Incident response is managed by cybersecurity teams and the SOC, following the NIST CSF framework. Data Privacy incidents are handled by the Data Privacy team and managed by the Data Protection Officer (DPO). We maintain a Disaster Recovery Plan (DRP) and conduct annual penetration tests with specialized firms.
Employee Training
All new employees receive initial cybersecurity training. For the fiscal year ended June 30, 2025, we implemented an annual mandatory cybersecurity training requirement for all employees. We also conduct regular phishing simulations to monitor employees’ ability to identify and handle suspicious emails. Results are reported to the CEO of each entity and used to reinforce cybersecurity policies.
Regular Reviews
We seek to proactively address information security and data privacy risks through a structured and comprehensive approach. We regularly conduct an independent maturity review of our cybersecurity and privacy programs, utilizing the U.S. National Institute of Standards and Technology (NIST) frameworks, specifically the Cybersecurity Framework (CSF) for cybersecurity and the NIST Privacy Framework for privacy management.
Our last review yielded the following scores:
Cybersecurity (CSF): 3.65 for policy and 3.32 for practice; and
Privacy: 3.21 for policy and 3.02 for practice.
These scores indicate that our current practices and policies exceed the recommended target score of 3.0 (Defined), which is considered the benchmark where processes have become formal, standardized, and defined. Achieving these levels signifies that we have robust, consistent policies and practices across the organization, which helps mitigate risks associated with cyber threats and privacy concerns.
We continuously monitor and refine these processes to align with evolving regulatory requirements and industry standards, ensuring that our practices in both cybersecurity and data privacy remain resilient and capable of addressing potential risks.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|The Cybersecurity teams assess vulnerabilities identified by our partners based on MITRE ATT&CK standards, determining the likelihood of exploitation and the potential for cyber-attacks. This process aligns with the Cyber Vulnerability Management Policy and adheres to the guidelines of ISO 27001, MITRE ATT&CK, and NIST CSF.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|For the fiscal year ended June 30, 2025, we did not identify any cybersecurity threats that materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
The boards of directors of Lavoro Agro and Crop Care oversee the cybersecurity risk-management program for their respective entities. Direct oversight is delegated to the Information Security and Data Privacy Committee, consisting of seven members: the CEO, the General Manager of Information Technology, the Cybersecurity Specialist, the Internal Controls Coordinator, the Data Protection Officer (DPO), a representative from the Legal department, and a representative from HR.
The Committee is responsible for:
Approving the annual review of the Corporate Information Security and Cybersecurity Policy (PCSIC).
Recommending improvements to access control processes and incident response.
Developing and reviewing the Cyber Incident Communication Plan.
Ensuring compliance with the General Data Protection Law (LGPD) and overseeing audits and corrective actions.
The Committee provides reports on material risks and critical incidents to the Board, with quarterly updates based on indicators provided by the SOC. Management is responsible for the continuous identification and assessment of cybersecurity risks, implementation of mitigation measures, and maintenance of security programs. The General Manager of Information Technology oversees the operation of cybersecurity programs, receiving monthly reports from the SOC and coordinating incident response.
The cybersecurity team, consisting of the General Manager and a Specialist with over 20 years of experience in frameworks such as ISO 27k, NIST CSF, MITRE ATT&CK, and CIS V8, leads the implementation of policies, creation of procedures, monitoring of incidents, and remediation of vulnerabilities. Cybersecurity reports are provided quarterly to the CEO, covering third-party assessments, developments, and updates to security strategies.
In Colombia, cybersecurity oversight follows a distinct governance model: the Chief Executive Officer of Lavoro Colombia exercises direct oversight of the program for that entity, with management responsibilities carried out locally by the Information Technology Infrastructure area in alignment with the group’s policies and minimum control standards.
For the fiscal year ended June 30, 2025, we did not identify any cybersecurity threats that materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.
Despite our efforts, we cannot guarantee the complete elimination of risks or ensure that no undetected incidents will occur. We maintain a robust cybersecurity structure, including an internal specialist and an outsourced firm responsible for the SOC, monitoring cybersecurity events 24/7.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Direct oversight is delegated to the Information Security and Data Privacy Committee, consisting of seven members: the CEO, the General Manager of Information Technology, the Cybersecurity Specialist, the Internal Controls Coordinator, the Data Protection Officer (DPO), a representative from the Legal department, and a representative from HR.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Committee is responsible for:
Approving the annual review of the Corporate Information Security and Cybersecurity Policy (PCSIC).
Recommending improvements to access control processes and incident response.
Developing and reviewing the Cyber Incident Communication Plan.
Ensuring compliance with the General Data Protection Law (LGPD) and overseeing audits and corrective actions.
|Cybersecurity Risk Role of Management [Text Block]
|Management is responsible for the continuous identification and assessment of cybersecurity risks, implementation of mitigation measures, and maintenance of security programs. The General Manager of Information Technology oversees the operation of cybersecurity programs, receiving monthly reports from the SOC and coordinating incident response.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Management is responsible for the continuous identification and assessment of cybersecurity risks, implementation of mitigation measures, and maintenance of security programs. The General Manager of Information Technology oversees the operation of cybersecurity programs, receiving monthly reports from the SOC and coordinating incident response.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The cybersecurity team, consisting of the General Manager and a Specialist with over 20 years of experience in frameworks such as ISO 27k, NIST CSF, MITRE ATT&CK, and CIS V8, leads the implementation of policies, creation of procedures, monitoring of incidents, and remediation of vulnerabilities.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|
Despite our efforts, we cannot guarantee the complete elimination of risks or ensure that no undetected incidents will occur. We maintain a robust cybersecurity structure, including an internal specialist and an outsourced firm responsible for the SOC, monitoring cybersecurity events 24/7.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true