|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
Due to the proliferation and sophistication of cyber-attacks worldwide, especially in retail and other industries, cybersecurity is a priority issue for Grupo Éxito: we could be vulnerable to cyber-attacks, which would have the potential to compromise key digital assets and thus affect the continuity of operations and/or information security.
In this sense, we periodically analyze the environment and the panorama of cyber threats and carry out permanent monitoring of the behavior and level of risk exposure, to define treatment measures to mitigate the probability of occurrence and negative impact for the company and stakeholders, and to make significant investments to strengthen our cybersecurity strategy.
Process for assessing, identifying, and managing cybersecurity risk.
The company has designed and implemented governance and a set of key cybersecurity policies, manuals, procedures, and controls to mitigate the occurrence and negative impacts arising from cyber threats.
These action mechanisms are established in the company to anticipate, prepare for, respond to and recover from a given event that affects corporate IT security, and are extended to employees and suppliers.
To strengthen our information security and technology strategy, the organization adopted ISO 27001, NIST and PCI as international reference standards and best practices in the field of information security. We have also instituted and implemented technical and operational controls to identify and manage security risks within our current environment. We recognize the importance of identifying and controlling vulnerabilities in information components and systems; these elements are an integral part of our incident prevention efforts and form a fundamental aspect of our implemented security plan.
Grupo Éxito has a process to identify, evaluate and manage cyber threats depending on their nature and the level of risk they may represent for the company.
This process begins with the collection and analysis of early warnings, that is, signals that indicate the possible materialization of risks, whether the company's own or emerging, with or without the potential to generate a crisis. This allows Éxito to anticipate the possible impacts indicated by these signals. The identification and monitoring of these signals are the responsibility of all areas, processes, and personnel of the Company.
Once the warning signs have been identified, the appropriate level or team should notify the following teams or committees:
The matters discussed at the crisis roundtable are reported to the Board of Directors and/or the Audit and Risk Committee of Grupo Éxito.
The crisis will only be considered closed when all actions, including post-crisis actions, have been implemented and the results achieved are deemed satisfactory by our crisis roundtable.
In 2024, no cybersecurity incidents that represent materiality for the company were identified at Grupo Éxito, nor were there any incidents associated with the leakage or exposure of data, including personally identifiable data.
In 2024, the company invested approximately 8.7% of its total technology budget, which was over US$36 million, in cybersecurity. This investment focused on improving processes, capabilities and controls and strengthening the cybersecurity strategy, enabling it to reach an optimized maturity level.
Grupo Éxito manages cybersecurity risks associated with the provision of third-party services through the following actions:
(i) Contractual agreements that incorporate responsibility clauses and information security and privacy requirements for those services and/or products that involve the processing of information under the company's responsibility or access to its technological infrastructure.
(ii) Identification and analysis of exposed websites of suppliers that are highly critical to the organization.
(iii) For highly critical suppliers, requests for supporting documentation that evidences due diligence and experience in the management of information security within their organization.
(iv) The Company’s Security team takes an active part in projects that involve technological components and information processing, to ensure that security aspects and the regulatory compliance of the third parties involved, when applicable, are considered from the project's definition.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Crisis roundtable: led by the vice president of human resources and its members are the vice president of corporate affairs, the vice president of services, the external communications directorate, the head of integrated risk management, and the team that makes up the IT Situational Committee.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
In 2024, no cybersecurity incidents that represent materiality for the company were identified at Grupo Éxito, nor were there any incidents associated with the leakage or exposure of data, including personally identifiable data.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Oversight of the Board of Directors and/or its support committee on cyber risk.
The Board of Directors of Grupo Éxito, directly and/or through its Audit and Risk Committee, oversees cybersecurity risk and its management strategy. The Board of Directors and the Audit and Risk Committee receive periodic reports during the year from the IT security director (CISO) and the company’s risk management team on the cyber landscape, the identification of potential cyber threats, and the evaluation and results of the implementation of controls and the management strategy to mitigate cyber risk.
Additionally, training and cybersecurity risk monitoring sessions are held with the members of the Board of Directors, to which external expert consultants are invited.
Composition, Roles and Responsibilities of the Audit and Risk Committee of the Board of Directors.
The Board of Directors has an Audit and Risk Committee that exercises oversight over cybersecurity risk. This Committee is composed of three independent members of the Board of Directors, trained in cybersecurity.
The Committee evaluates and monitors the level of cybersecurity risk exposure and management strategies, is informed of cybersecurity incidents and reviews cybersecurity policies.
Senior management assessment and oversight of cybersecurity risk.
Senior management is responsible for assessing and monitoring cybersecurity risks on a regular basis, ensuring that measures are taken to strengthen the control environment, allocating resources to implement the cybersecurity strategy, and promoting the organizational culture with respect to information security.
The company also has an IT security director, who is the CISO of Grupo Éxito and who reports to the Vice President of Services (as of 2024 he reports to the Digital Vice President, due to a change in the name of the vice presidency).
The Company’s CISO has the necessary authority and resources to define the cybersecurity strategy, define and implement actions to mitigate cybersecurity risks to which the company is exposed, define governance, policies, and procedures around cybersecurity, to support and enable the Company’s strategy.
The CISO and his teams are well-trained and experienced professionals in information systems security.
The cybersecurity strategy, its progress and the projects involved are periodically presented to senior management at the Chairman’s Committee.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors of Grupo Éxito, directly and/or through its Audit and Risk Committee, oversees cybersecurity risk and its management strategy.
|Cybersecurity Risk Role of Management [Text Block]
|
The Board of Directors has an Audit and Risk Committee that exercises oversight over cybersecurity risk. This Committee is composed of three independent members of the Board of Directors, trained in cybersecurity.
The Committee evaluates and monitors the level of cybersecurity risk exposure and management strategies, is informed of cybersecurity incidents and reviews cybersecurity policies.