|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Abstract]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
| Risk Management and Strategy
As a global mining company, we face various cyber threats, including ransomware attacks, theft of restricted information and digital frauds. These threats can lead to financial losses, damage to our reputation, and harm to our employees and third parties. We manage these cyber risks as part of our overall risk management process.
Our overall enterprise risk management (ERM) process integrates assessing, identifying, and managing cybersecurity-related risks. If the ERM process identifies a heightened cybersecurity-related risk, we assign risk owners to develop and track risk mitigation plans. We use several tools to monitor risks, including key risk indicators (KRIs) and independent assessments of critical controls by specialized teams.
In case of a cyber incident, we follow our cyber incident response playbook, which outlines the steps for detection, mitigation, recovery, and notification, including procedures for informing relevant internal groups and the Board of Directors as needed.
Our Cybersecurity Risk Management practice is founded on internationally recognized cybersecurity frameworks like the NIST CSF (National Institute of Standards and Technology – Cybersecurity Framework), ISO 27001 and ISA62443. The practice includes the processes described below.
Identification of what we have, what we do and what is important:
Protecting technology assets (both Information Technology and Operations Technology) to prevent or limit cyber incidents by:
Early detection of cyber incidents through:
Responding effectively to cyber incidents to significantly contain their impact by:
Recovering and restoring affected systems and their capabilities back in operation.
We also engage specialized third-party cybersecurity companies to evaluate the structure of the cyber program, test the effectiveness of our processes and provide targeted training to our workforce. Our cybersecurity risk management processes extend to the oversight and identification of cybersecurity risks from our association with third-party service providers. Our risk management program includes risk assessments of third parties that want to provide services to us through contractual commitment to comply with our baseline of security controls as well as their cyber rating performed with an independent security rating platform.
We also share and receive cyber and threat intelligence insights with our industrial base peers and are a member of the Metals and Mining Information Sharing and Analysis Center (ISAC).
Our plans aim to enhance our cybersecurity program by constantly staying abreast of emerging threats and adapting to evolving technologies.
Over the past three years, our business strategy, results of operations and financial position have not been materially impacted by risks from current and past cybersecurity threats. However, we cannot assure that they will not be materially affected by future cybersecurity threats or incidents.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our overall enterprise risk management (ERM) process integrates assessing, identifying, and managing cybersecurity-related risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Over the past three years, our business strategy, results of operations and financial position have not been materially impacted by risks from current and past cybersecurity threats. However, we cannot assure that they will not be materially affected by future cybersecurity threats or incidents.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
| Governance
Board of Directors
Our Board of Directors primarily oversees the management of cybersecurity threat risks. To fulfill this responsibility, the Board relies on the support of the Audit and Risks Committee. The Audit and Risks Committee is responsible for advising the Board of Directors regarding the risk management strategy, including the analysis of corporate policies on this topic and risk appetite guidelines, as well as Vale’s integrated risk map. The Audit and Risks Committee also assesses the effectiveness and adequacy of controls and risk management systems, and regularly receives reports on cyber risks from our Corporate Risk Department.
Management
Our Executive Committee is supported by five advisory committees, including the Executive Risk Committee which focuses on strategy, finance, and cyber risks. The main responsibilities of these advisory committees are to support our Executive Committee in monitoring risks, make preventive recommendations regarding potential risks presented at the committees’ meetings, and submit them for the approval of the Executive Committee.
Our Chief Information Security Officer leads our cybersecurity function, responsible for our overall information security strategy, policy, threat detection and response. In addition to providing a comprehensive cyber risk update to our Audit and Risks Committee and our Executive Risks Committee, this update covers an independent assessment of our cybersecurity program based on the NIST Cybersecurity Framework, as well as our cyber posture, as evaluated by an independent cybersecurity rating platform. The committees are briefed on cyber incidents considered to have a moderate or greater business impact, even if they are not material to us.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Board of Directors primarily oversees the management of cybersecurity threat risks.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Audit and Risks Committee is responsible for advising the Board of Directors regarding the risk management strategy, including the analysis of corporate policies on this topic and risk appetite guidelines, as well as Vale’s integrated risk map.
|Cybersecurity Risk Role of Management [Text Block]
|Our Executive Committee is supported by five advisory committees, including the Executive Risk Committee which focuses on strategy, finance, and cyber risks. The main responsibilities of these advisory committees are to support our Executive Committee in monitoring risks, make preventive recommendations regarding potential risks presented at the committees’ meetings, and submit them for the approval of the Executive Committee.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Chief Information Security Officer leads our cybersecurity function, responsible for our overall information security strategy, policy, threat detection and response.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The Audit and Risks Committee also assesses the effectiveness and adequacy of controls and risk management systems, and regularly receives reports on cyber risks from our Corporate Risk Department.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true