|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We have developed and implemented processes for assessing, identifying and managing material risks from cybersecurity threats. Our cybersecurity processes leverage international best practices and standards issued by the U.S. National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the International Society of Automation (ISA), the International Electrotechnical Commission (IEC), the American Institute of CPAs (AICPA), the Cloud Security Alliance (CSA) and the Center for Internet Security (CIS), among others. Key elements of our cybersecurity risk management framework include:
• risk assessments designed to identify, evaluate and prioritize cybersecurity risks to our critical infrastructure and our broader enterprise IT environment;
• implementation of strategy on identity management, authentication and digital access controls;
• preparation of technical analyses and policies regarding cybersecurity;
• a security team principally responsible for designing, managing, monitoring and improving our cybersecurity risk assessment processes, architecture, security controls and responses to cybersecurity incidents;
• cybersecurity training for our employees, incident response personnel and senior management; and
• our Centro de Respuesta a Incidentes de Ciberseguridad (Cybersecurity Incident Response Center), which is responsible for cybersecurity incident prevention, monitoring, identification, containment, eradication and recovery and improvement efforts, including prevention and reporting of cyber fraud and extortion.
Our cybersecurity processes are integrated into our overall risk management system. We utilize our comprehensive Marco de Administración de Riesgos Empresariales (Enterprise Risk Management Framework, or “MARE”) for assessing, identifying and managing material risks, including risks relating to cybersecurity threats or breaches, business disruption, financial reporting, industrial systems, intellectual property theft, fraud, extortion, employee or customer harm, system hacking, malware, cyberterrorism, misuse of information technology assets, internal control failures, information leakage, litigation, and legal risk and reputational risks.
We engage third parties in connection with our cybersecurity processes. This includes working with external experts to validate and test our security architecture, identify vulnerabilities, train our personnel and address emerging threats. Our Cybersecurity Incident Response Center also collaborates with other specialized cybersecurity centers in Mexico, such as the Centro de Respuesta a Incidentes Cibernéticos managed by the National Guard, and receives information from reliable international sources to coordinate responses to cybersecurity events and incidents with specialized entities.
In an effort to mitigate risk factors associated with our third-party service providers, we routinely include confidentiality clauses, intellectual property protection and personal data protection clauses in our contracts, conduct due diligence of third parties, including evaluations of their information security strategies, policies and controls, and require operational technology service providers to comply with applicable cybersecurity standards and controls.
On November 10, 2019, we detected a ransomware cyber-attack that targeted certain computer software applications. Although the cyber-attack did not interrupt the operational continuity of our business, we implemented remedial measures in accordance with our protocols that were intended to contain the extent of the attack and preserve the integrity of our proprietary information. We face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to materially affect us, including our operations, business strategy, results of operations, or financial condition. See “Item 3—Key Information—Risk Factors—Risk Factors Related to Our Operations—We are exposed to cybersecurity incidents, failures and attacks that could materially adversely affect our business, results of operations and financial condition” for more information.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity processes are integrated into our overall risk management system. We utilize our comprehensive Marco de Administración de Riesgos Empresariales (Enterprise Risk Management Framework, or “MARE”) for assessing, identifying and managing material risks, including risks relating to cybersecurity threats or breaches, business disruption, financial reporting, industrial systems, intellectual property theft, fraud, extortion, employee or customer harm, system hacking, malware, cyberterrorism, misuse of information technology assets, internal control failures, information leakage, litigation, and legal risk and reputational risks.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|
Board of Directors
The Audit Committee of our Board of Directors is responsible for the oversight of our overall risk management systems and processes and is primarily responsible for verifying compliance with our strategic objectives pursuant to our Business Plan. This includes preparing comparative analyses between the goals and commitments established in our Business Plan and the results achieved, as well as proposing adjustments and actions to our Board of Directors to correct any identified deficiencies.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
The Audit Committee of our Board of Directors is responsible for the oversight of our overall risk management systems and processes and is primarily responsible for verifying compliance with our strategic objectives pursuant to our Business Plan. This includes preparing comparative analyses between the goals and commitments established in our Business Plan and the results achieved, as well as proposing adjustments and actions to our Board of Directors to correct any identified deficiencies.
Our Audit Committee and our Board of Directors receive monthly and annual reports on information technology issues from our Unidad de Control Interno Institucional (Institutional Internal Control Unit) and our Office of Internal Audit. When applicable, these reports summarize our cybersecurity activity and incidents and include observations and recommendations to improve our procedural and operational management. Additionally, our Deputy Director of Information Technologies, who monitors the daily status of cybersecurity at Petróleos Mexicanos, reports periodically to the Corporate Director of Administration and Services.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Audit Committee and our Board of Directors receive monthly and annual reports on information technology issues from our Unidad de Control Interno Institucional (Institutional Internal Control Unit) and our Office of Internal Audit. When applicable, these reports summarize our cybersecurity activity and incidents and include observations and recommendations to improve our procedural and operational management. Additionally, our Deputy Director of Information Technologies, who monitors the daily status of cybersecurity at Petróleos Mexicanos, reports periodically to the Corporate Director of Administration and Services.
|Cybersecurity Risk Role of Management [Text Block]
|
Management
The cybersecurity risk management processes described above are implemented through our Information Technology Sub-directorate and our Information Security Office. Alongside the Risk Committee of our General Directorate, they are responsible for implementing initiatives to strengthen cybersecurity management processes, issuing internal policies and regulations regarding cybersecurity, identity management, user access controls and the protection of sensitive digital information. It also considers solutions, tools and services contracted through specialized suppliers.
Our Information Technology Sub-directorate is composed of the Deputy Director, coordinators and managers. The Deputy Director serves on the Boards of Directors of Pemex Logistics and PMI NASA, and acts as our representative in the Mexican Government’s Comisión Intersecretarial de Tecnologías de la Información y Comunicación, y de la Seguridad de la Información (Intersecretariat Commission for Information, Communication Technologies and Information Security). The coordinators supervise the managers to ensure their functions are carried out in accordance with our cybersecurity strategy. The managers collaborate with specialists in the different technological domains to operate cybersecurity controls in accordance with our cybersecurity strategy.
Our Information Security Office is led by the Head of the Information Security Management and is composed of 24 professionals. The Head of the Information Security Management is an expert in cybersecurity management who specializes in national security and has certifications in CISM, CRISC, CISA, and ISO 22301. The 24 professionals are experts and specialists in different cybersecurity matters and are continuously trained. Collectively, they have certifications in CISM, CISSP, CRISC, CISA, GIAC-GPN, GIAC-GCFA, E|CES, E|CIH, C|HFI, and CSSLP.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
The cybersecurity risk management processes described above are implemented through our Information Technology Sub-directorate and our Information Security Office. Alongside the Risk Committee of our General Directorate, they are responsible for implementing initiatives to strengthen cybersecurity management processes, issuing internal policies and regulations regarding cybersecurity, identity management, user access controls and the protection of sensitive digital information. It also considers solutions, tools and services contracted through specialized suppliers.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our Information Technology Sub-directorate is composed of the Deputy Director, coordinators and managers. The Deputy Director serves on the Boards of Directors of Pemex Logistics and PMI NASA, and acts as our representative in the Mexican Government’s Comisión Intersecretarial de Tecnologías de la Información y Comunicación, y de la Seguridad de la Información (Intersecretariat Commission for Information, Communication Technologies and Information Security). The coordinators supervise the managers to ensure their functions are carried out in accordance with our cybersecurity strategy. The managers collaborate with specialists in the different technological domains to operate cybersecurity controls in accordance with our cybersecurity strategy.
Our Information Security Office is led by the Head of the Information Security Management and is composed of 24 professionals. The Head of the Information Security Management is an expert in cybersecurity management who specializes in national security and has certifications in CISM, CRISC, CISA, and ISO 22301. The 24 professionals are experts and specialists in different cybersecurity matters and are continuously trained. Collectively, they have certifications in CISM, CISSP, CRISC, CISA, GIAC-GPN, GIAC-GCFA, E|CES, E|CIH, C|HFI, and CSSLP.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|The coordinators supervise the managers to ensure their functions are carried out in accordance with our cybersecurity strategy. The managers collaborate with specialists in the different technological domains to operate cybersecurity controls in accordance with our cybersecurity strategy.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true