|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Risk management and strategy
We rely on our technology infrastructure and information systems to support our operations, including sales, production, distribution, and support functions, among others. Also, in our technology infrastructure we keep confidential information and business knowledge. Our internally developed systems and processes may be susceptible to damage or interruption from cybersecurity threats that include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information. Potential cybersecurity threats include terrorist or hacker attacks, the introduction of malicious computer viruses, ransomware, falsification of banking and other information, insider risk, and other security breaches. Such attacks have become more and more sophisticated over time, especially as threat actors have become increasingly well-funded by, or themselves include, governmental actors with significant means. We expect that sophistication of cyber-threats will continue to evolve as threat actors increase their use of artificial intelligence (AI) and machine-learning technologies. Nonetheless, the digital transformation of our business has generated more dependency from data networks and information systems, which generates more vulnerability to cyber-attacks and information security breaches. Our Board of Directors has direct oversight of our management of cybersecurity risks.
The Strategic Risk Management process of CCU, conducts risk assessment that identifies and prioritizes the most relevant risks for the Company. From these assessments the Company has identified that there are potential risks associated with cyber-attacks and information security. (See ITEM 3: Key information – Risk Factors – C. Risks related to technology and innovation).
To the best of our knowledge, and according to the definition of a Cybersecurity incident or threat for this section, the Company has not suffered any cybersecurity incidents or threats that have materially affected its financial position, results, or that has triggered a change in its business strategy.
To face and mitigate the above, CCU has developed and is currently implementing its 2023 - 2025 Cybersecurity master plan with the following objectives: (i) generate cybersecurity literacy, awareness and governance; (ii) manage risks and prepare the organization for cyber-attack crises to ensure operation continuity, (iii) incorporate a cybersecurity model in operational technology (OT), (iv) implement similar cybersecurity capabilities across the countries where we operate, (v) define and incorporate a cloud cybersecurity model, (vi) define and implement a secure and agile “in-house” software development model (DEVSECOPS), (vii) incorporate a data privacy model and, (viii) incorporate an identity and access management model (IAM).
In order to implement the necessary initiatives to reach the objectives mentioned above, CCU created a cybersecurity governance, described in more detail below, to define roles and create decision-making instances. In addition, the Company outsources and hires services from third parties to have a professional and unbiased external view of the current status of the Company in cybersecurity issues and, if needed, to implement the necessary capabilities to develop the Cybersecurity master plan.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our internally developed systems and processes may be susceptible to damage or interruption from cybersecurity threats that include any unauthorized access to our information systems that may result in adverse effects on the confidentiality, integrity, or availability of such systems or the related information.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|To the best of our knowledge, and according to the definition of a Cybersecurity incident or threat for this section, the Company has not suffered any cybersecurity incidents or threats that have materially affected its financial position, results, or that has triggered a change in its business strategy.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Cybersecurity Governance
The Chief Information Security Officer (CISO) has the principal responsibility of supervising and managing cybersecurity issues and risks with a regional scope and participates in preparing updates for the Board of Directors. This includes being in charge of creating, managing, and carrying out the Company's Cybersecurity master plan, including among others tasks: (i) develop the strategy to increase cybersecurity knowledge and awareness within the Company, (ii) comply with the Company's administrative policies on cybersecurity matters, (iii) develop the cybersecurity architecture, including IT and OT aspects, (iv) identify risks and manage crises arising from cyber-attacks or other information security threats, and (v) identify new technologies and innovative developments to reduce cybersecurity risks within the Company. The CISO reports to the Chief Information Officer (CIO), who reports to the CFO.
CCU’s CIO is Mr. Matías Rojas. Mr. Rojas holds an Engineering degree from Pontificia Universidad Católica de Chile and a Master of Science in Business Analytics from New York University. He has served as Chief Information Officer since June 2023 and previously as Chief Data and Analytics Officer from September 2017 until May 2023. Additionally, Mr. Rojas is a member of the board of directors of La Barra S.A. and serves as an Adjunct Professor at Universidad de los Andes.
CCU’s CISO is Mr. Patricio Bustos. Mr. Bustos holds a degree in Computer Engineering from Universidad Central de Chile. He has served as CISO since January 2025 and previously as Head of IT Continuity from February 2018.
In response to the increasing threats presented by cyber incidents, in 2021 we created the Cybersecurity Committee, which meets regularly to discuss cybersecurity and information security topics. This committee is headed by the CIO and the CISO acts as secretary, and attended by senior management. Among the senior management members of the Committee are the CFO, the General Controller, the General Counsel and the Corporate Industrial Processes Manager. The Cybersecurity Committee, whose scope extends to all our subsidiaries, oversees activities related to ensuring progress in the objectives of the Cybersecurity master plan, determines actions in the event that threats of this nature materialize, defines the cybersecurity budget and its allocation, and evaluates all third companies which provide cybersecurity services to CCU. The Cybersecurity Committee meets quarterly, and once a year the CIO presents to the board of directors the progress of the objectives defined by the Cybersecurity master plan and the status of cybersecurity events of the Company.
At the board level, CCU has five board members with expertise in cybersecurity and digital transformation, this is, knowledge and/or experience in management and supervision of the management of risk mitigation techniques and systems that threaten digital security.
We have adopted the US National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises throughout the organization. We use automated tools that monitor, detect, and prevent cybersecurity risks and have a security operations center that operates 24 hours a day to alert us about any potential cybersecurity threats. Our strategic SaaS (Software as a Service) contracts include contractual cybersecurity obligations and certifications.
The Company has incorporated cybersecurity awareness throughout all its operation, ensuring that employees are informed and trained on cybersecurity concepts to help them identify threats to information security and cybersecurity. We regularly conduct cyber-attack crisis drills in preparation for malignant events. Finally, CCU has increased its investments to maintain cybersecurity in its digital transformation, including the incorporation of technological controls that allow us to identify, monitor, protect, detect and respond in real time to possible threat vectors, in addition to including Security Orchestration Automation and Response (SOAR) in our Security Operating Center (SOC) and improvement in our industrial network monitoring.
If we experience a cybersecurity incident, we count with defined protocols to rapidly respond to ensure business continuity.
We engage external subject matter experts to assist us in preparing and improving our response to any cybersecurity incident. The Cybersecurity Committee oversees and establishes the parameters of our engagement with these experts to ensure we obtain the supplement assistance needed in this area, if any.
Though we take steps to ensure our products and/or software are secure, it is possible that a cyber-attack could result in the loss or compromise of such critical data. If a client alleges that a cyber-attack causes or contributes to a loss or compromise of critical data, whether or not caused by us, we could face harm to our reputation and financial condition and regulatory repercussions. (See ITEM 3: Key information – Risk Factors - C. Risks related to technology and innovation).
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Chief Information Security Officer (CISO) has the principal responsibility of supervising and managing cybersecurity issues and risks with a regional scope and participates in preparing updates for the Board of Directors. This includes being in charge of creating, managing, and carrying out the Company's Cybersecurity master plan, including among others tasks: (i) develop the strategy to increase cybersecurity knowledge and awareness within the Company, (ii) comply with the Company's administrative policies on cybersecurity matters, (iii) develop the cybersecurity architecture, including IT and OT aspects, (iv) identify risks and manage crises arising from cyber-attacks or other information security threats, and (v) identify new technologies and innovative developments to reduce cybersecurity risks within the Company. The CISO reports to the Chief Information Officer (CIO), who reports to the CFO.
|Cybersecurity Risk Role of Management [Text Block]
|We have adopted the US National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to continually evaluate and enhance our cybersecurity procedures. Activities include online training for all employees, technical security controls, enhanced data protection, the maintenance of backup and protective systems, policy review and implementation, assessments of third-party service providers to assess cyber preparedness of key vendors, and running simulated cybersecurity drills, including vulnerability scanning, penetration testing and disaster recovery exercises throughout the organization.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|In response to the increasing threats presented by cyber incidents, in 2021 we created the Cybersecurity Committee, which meets regularly to discuss cybersecurity and information security topics. This committee is headed by the CIO and the CISO acts as secretary, and attended by senior management. Among the senior management members of the Committee are the CFO, the General Controller, the General Counsel and the Corporate Industrial Processes Manager.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Cybersecurity Committee meets quarterly, and once a year the CIO presents to the board of directors the progress of the objectives defined by the Cybersecurity master plan and the status of cybersecurity events of the Company.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|At the board level, CCU has five board members with expertise in cybersecurity and digital transformation, this is, knowledge and/or experience in management and supervision of the management of risk mitigation techniques and systems that threaten digital security.
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef