|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Risk Management and Strategy
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats as part of our overall enterprise risk management system and processes. Our enterprise risk management program considers cybersecurity risks alongside other company risks, and our enterprise risk professionals consult with company subject matter experts to gather information necessary to identify cybersecurity risks, and evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk. Our cybersecurity risk management practices include development, implementation, and improvement of policies and procedures to safeguard information and ensure availability of critical data and systems.
We understand the importance of preserving trust and protecting personal information. To assist us, we have a cybersecurity governance framework in place, which is designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The program is built upon a foundation of advanced security technology and overseen by an experienced and trained team of experts with substantial knowledge of cybersecurity best practices. Our cybersecurity program consists of controls designed to identify, protect against, detect, respond to and recover from information and cybersecurity incidents. Our framework leverages International Organization for Standardization (ISO) 27001 standards for general information technology controls. Key components of our cybersecurity risk management processes include the following:
We maintain an in-house IT service management system, and we conduct technical security review during the design stage of our system development. We utilize policies, software, training programs and hardware solutions to protect and monitor our environment, including multi-factor authentication on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing and identity management systems. Our platform includes a host of encryption, antivirus, multi-factor authentication, firewall and patch-management technologies designed to protect and maintain the systems and computers across our business.
Our cybersecurity team regularly tests our controls through penetration testing, vulnerability scanning and attack simulation. We conduct risk assessments periodically to identify threats and vulnerabilities, and then determine the likelihood and impact for each risk using a qualitative risk assessment methodology. Risks are identified from various sources, including vulnerability scans, penetration tests, vendor risk assessments, product and services audits, internal compliance assessments and threat-hunting operations. We monitor our infrastructure and applications to identify evolving cyber threats, scan for vulnerabilities and mitigate risks. We also operate an integrated security control room through a third-party company, through which we detect and defend against hacking attacks from outside in real time.
We also maintain a robust cybersecurity incident response plan, which provides a framework for handling cybersecurity incidents based on the severity of the incident and facilitates cross-functional coordination across the company. Our incident response plan coordinates the activities we take to prepare for, detect, respond to and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
We value collaboration with external evaluators, consultants, auditors and other third parties to strengthen and continually improve our cybersecurity risk management processes. In connection with our cybersecurity risk management processes, we engage:
Our cybersecurity risk management processes extend to the oversight and identification of threats associated with our use of third-party service providers. We have a third-party risk management program that assesses risks from service providers.
Our cybersecurity risk management program includes due diligence of service providers’ information security programs. We review our service providers’ cybersecurity practices before we enter into business transactions with them, and we seek to contractually obligate them to operate their environments in accordance with strict cybersecurity standards. We also develop contingency plans for business continuity in case our service providers are subject to a cyberattack that impacts our use of their systems.
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. See “Item 3.D. Risk Factors — Significant breaches of information security could lead to legal and financial exposure, damage to our reputation and a loss of confidence by our customers” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition.
Governance
Management
The cybersecurity risk management processes described above are managed by the Head of Technology, who is the Chief Technology Officer of the POSCO Group and reports to our Chief Executive Officer. The Head of Technology works with our Chief Information Security Officer and chairs the Information Security Committee, which discusses the latest trends in cybersecurity, changes in expectations of our stakeholders, risks identified, security measures implemented, and effectiveness of security protocols.
The Information Security Committee annually reviews and approves our cybersecurity risk management processes, including updates to our internal regulations and guidelines. Our Chief Information Security Officer is supported by the company at the highest levels and regularly engages with cross-functional teams, including Communications, Digital Technology, Human Resources and Strategic Technology.
Board of Directors
Our board of directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the board of directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to the ESG Committee of the board of directors. This committee-level focus on data privacy and cybersecurity allows the board to further enhance its understanding of these issues. The ESG Committee assists the board of directors in its oversight of our data privacy and cybersecurity needs by staying apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks, and overseeing responses to security and data incidents.
Our board of directors and the ESG Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks.
The Head of Technology, as the chair of the Information Security Committee, provides updates to the ESG Committee on an annual basis and, as necessary, to the board of directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Head of Technology also promptly informs and updates the ESG Committee about any information security incidents that may pose significant risk to the POSCO Group. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats as part of our overall enterprise risk management system and processes. Our enterprise risk management program considers cybersecurity risks alongside other company risks, and our enterprise risk professionals consult with company subject matter experts to gather information necessary to identify cybersecurity risks, and evaluate their nature and severity, as well as identify mitigations and assess the impact of those mitigations on residual risk. Our cybersecurity risk management practices include development, implementation, and improvement of policies and procedures to safeguard information and ensure availability of critical data and systems.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. See “Item 3.D. Risk Factors — Significant breaches of information security could lead to legal and financial exposure, damage to our reputation and a loss of confidence by our customers” for more information on risks from cybersecurity threats that are reasonably likely to materially affect our business strategy, results of operations and financial condition.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Governance
Management
The cybersecurity risk management processes described above are managed by the Head of Technology, who is the Chief Technology Officer of the POSCO Group and reports to our Chief Executive Officer. The Head of Technology works with our Chief Information Security Officer and chairs the Information Security Committee, which discusses the latest trends in cybersecurity, changes in expectations of our stakeholders, risks identified, security measures implemented, and effectiveness of security protocols.
The Information Security Committee annually reviews and approves our cybersecurity risk management processes, including updates to our internal regulations and guidelines. Our Chief Information Security Officer is supported by the company at the highest levels and regularly engages with cross-functional teams, including Communications, Digital Technology, Human Resources and Strategic Technology.
Board of Directors
Our board of directors is committed to mitigating data privacy and cybersecurity risks and recognizes the importance of these issues as part of our risk management framework. While the board of directors maintains ultimate responsibility for the oversight of our data privacy and cybersecurity program and risks, it has delegated certain responsibilities to the ESG Committee of the board of directors. This committee-level focus on data privacy and cybersecurity allows the board to further enhance its understanding of these issues. The ESG Committee assists the board of directors in its oversight of our data privacy and cybersecurity needs by staying apprised of our data privacy and information security programs, strategy, policies, standards, architecture, processes and material risks, and overseeing responses to security and data incidents.
Our board of directors and the ESG Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks.
The Head of Technology, as the chair of the Information Security Committee, provides updates to the ESG Committee on an annual basis and, as necessary, to the board of directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Head of Technology also promptly informs and updates the ESG Committee about any information security incidents that may pose significant risk to the POSCO Group. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our board of directors and the ESG Committee’s principal role is one of oversight, recognizing that management is responsible for the design, implementation and maintenance of an effective program for protecting against and mitigating data privacy and cybersecurity risks.
The Head of Technology, as the chair of the Information Security Committee, provides updates to the ESG Committee on an annual basis and, as necessary, to the board of directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Head of Technology also promptly informs and updates the ESG Committee about any information security incidents that may pose significant risk to the POSCO Group. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Head of Technology, as the chair of the Information Security Committee, provides updates to the ESG Committee on an annual basis and, as necessary, to the board of directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The Head of Technology also promptly informs and updates the ESG Committee about any information security incidents that may pose significant risk to the POSCO Group. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
The cybersecurity risk management processes described above are managed by the Head of Technology, who is the Chief Technology Officer of the POSCO Group and reports to our Chief Executive Officer. The Head of Technology works with our Chief Information Security Officer and chairs the Information Security Committee, which discusses the latest trends in cybersecurity, changes in expectations of our stakeholders, risks identified, security measures implemented, and effectiveness of security protocols.
The Information Security Committee annually reviews and approves our cybersecurity risk management processes, including updates to our internal regulations and guidelines. Our Chief Information Security Officer is supported by the company at the highest levels and regularly engages with cross-functional teams, including Communications, Digital Technology, Human Resources and Strategic Technology.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The Head of Technology, as the chair of the Information Security Committee, provides updates to the ESG Committee on an annual basis and, as necessary, to the board of directors. These regular reports include detailed updates on our performance preparing for, preventing, detecting, responding to and recovering from cyber incidents.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
We understand the importance of preserving trust and protecting personal information. To assist us, we have a cybersecurity governance framework in place, which is designed to protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. The program is built upon a foundation of advanced security technology and overseen by an experienced and trained team of experts with substantial knowledge of cybersecurity best practices. Our cybersecurity program consists of controls designed to identify, protect against, detect, respond to and recover from information and cybersecurity incidents. Our framework leverages International Organization for Standardization (ISO) 27001 standards for general information technology controls. Key components of our cybersecurity risk management processes include the following:
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Head of Technology also promptly informs and updates the ESG Committee about any information security incidents that may pose significant risk to the POSCO Group. Members of the board of directors stay apprised of the rapidly evolving cyber threat landscape and provide guidance to management as appropriate in order to address the effectiveness of our overall data privacy and cybersecurity program.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true