XML 358 R19.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Cybersecurity Risk Management

Cybersecurity risk management is an integral part of our overall enterprise risk management. We manage cybersecurity risks through our information security program, which is designed to align with the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). Our information security program manages cybersecurity risks by creating a framework for identifying the source of cybersecurity threats and incidents (including threats associated with the use of services provided by third-party service providers), training employees and specialized roles, implementing measures to protect critical data and data flows, monitoring essential networks and applications, identifying and remediating vulnerabilities and informing executive management and our Board of Directors of material cybersecurity threats and incidents.

Our cybersecurity team also engages a third-party consultant for risk incident detection and vulnerability assessment, which employs a risk management program based on Rapid7's solutions. We confer with our third-party consultant on a weekly basis to assess the adequacy and strength of our monitoring efforts, address operational issues and drive continuous improvement.

In 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, please see "Key Information—1. Risks related to the telecommunications, cable and MFS industries—f. Cybersecurity and data protection" in this Annual Report.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Cybersecurity risk management is an integral part of our overall enterprise risk management. We manage cybersecurity risks through our information security program, which is designed to align with the National Institute of Standards and Technology Cybersecurity Framework ("NIST CSF"). Our information security program manages cybersecurity risks by creating a framework for identifying the source of cybersecurity threats and incidents (including threats associated with the use of services provided by third-party service providers), training employees and specialized roles, implementing measures to protect critical data and data flows, monitoring essential networks and applications, identifying and remediating vulnerabilities and informing executive management and our Board of Directors of material cybersecurity threats and incidents.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Cybersecurity Risk Governance

Role of the Board of Directors

Our Board of Directors has overall oversight responsibility for our risk management and delegates cybersecurity risk management oversight to the Audit and Compliance Committee of the Board of Directors. The Audit and Compliance Committee is responsible for ensuring that management has processes in place that are designed to mitigate cybersecurity risks to an acceptable level, in line with the Company's risk appetite and risk tolerance, and to:

monitor the Company’s information security program, including the activities performed by the information security team;
provide oversight and direction on information security risk management, including cybersecurity and related threats;
ensure that the Company allocates the proper level of resources to information security and cybersecurity;
monitor results and remediation of findings from audit and assurance activities related to the Company’s information security program; and
ensure that material information security and cybersecurity issues affecting the Company’s internal control environment are communicated to the Audit and Compliance Committee of the Company.

Role of Management
While our Board of Directors has overall responsibility for the oversight of our enterprise risk management, our management is responsible for day-to-day risk management. Our cybersecurity risk management is under the direction of our CTIO and CISO, and they are primarily responsible for defining and implementing our information security program and cybersecurity risk management (which we do not engage third parties for). In particular, our CTIO and CISO are responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes and risk indicators to ensure that such potential cybersecurity risk exposures are monitored, and implementing mitigating actions and plans to lower risks to targeted levels. In addition, our CTIO and CISO oversee the design of trainings on cybersecurity risks that are provided to all employees at least annually, with specialized trainings for executives, developers, system, network and database administrators and other key roles within the Company. More than 90% of our employees participated in security awareness and training in 2024 covering key threats—including but not limited to phishing risk—as well as prevention and company procedures.
Our CTIO and CISO receive reports from our cybersecurity team and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Under the cybersecurity incident response plan, our CISO assigns a severity rating to each incident, and an escalation matrix is used to provide notifications to management and the Board of Directors based on the severity and duration of the incident.
In addition, our CTIO and CISO provide a quarterly update to the Audit and Compliance Committee on Millicom's cybersecurity risk management that includes reports on cybersecurity threats and incidents, mitigation strategies and
remediation plans, recent developments in cybersecurity and updates to the Company's cybersecurity programs. Our CTIO and CISO provide a similar cybersecurity update to management, typically once a month.
Our CTIO and CISO are experienced information systems security professionals. Our CTIO has more than 30 years of experience in the telecommunications industry, particularly with technology-related aspects of telecommunication companies. His presence in the telecommunications business makes him knowledgeable about the technology and cybersecurity risks that are specific to the industry and our markets. Our CISO has over 20 years of experience in information technology, including 15 years in information technology security, information security, and managing cybersecurity risks, and is certified in cybersecurity by the Information System Security Certification Consortium (ISC2).
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
Role of the Board of Directors

Our Board of Directors has overall oversight responsibility for our risk management and delegates cybersecurity risk management oversight to the Audit and Compliance Committee of the Board of Directors. The Audit and Compliance Committee is responsible for ensuring that management has processes in place that are designed to mitigate cybersecurity risks to an acceptable level, in line with the Company's risk appetite and risk tolerance, and to:

monitor the Company’s information security program, including the activities performed by the information security team;
provide oversight and direction on information security risk management, including cybersecurity and related threats;
ensure that the Company allocates the proper level of resources to information security and cybersecurity;
monitor results and remediation of findings from audit and assurance activities related to the Company’s information security program; and
ensure that material information security and cybersecurity issues affecting the Company’s internal control environment are communicated to the Audit and Compliance Committee of the Company.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
Our CTIO and CISO receive reports from our cybersecurity team and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Under the cybersecurity incident response plan, our CISO assigns a severity rating to each incident, and an escalation matrix is used to provide notifications to management and the Board of Directors based on the severity and duration of the incident.
In addition, our CTIO and CISO provide a quarterly update to the Audit and Compliance Committee on Millicom's cybersecurity risk management that includes reports on cybersecurity threats and incidents, mitigation strategies and
remediation plans, recent developments in cybersecurity and updates to the Company's cybersecurity programs. Our CTIO and CISO provide a similar cybersecurity update to management, typically once a month.
Cybersecurity Risk Role of Management [Text Block]
Role of Management
While our Board of Directors has overall responsibility for the oversight of our enterprise risk management, our management is responsible for day-to-day risk management. Our cybersecurity risk management is under the direction of our CTIO and CISO, and they are primarily responsible for defining and implementing our information security program and cybersecurity risk management (which we do not engage third parties for). In particular, our CTIO and CISO are responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes and risk indicators to ensure that such potential cybersecurity risk exposures are monitored, and implementing mitigating actions and plans to lower risks to targeted levels. In addition, our CTIO and CISO oversee the design of trainings on cybersecurity risks that are provided to all employees at least annually, with specialized trainings for executives, developers, system, network and database administrators and other key roles within the Company. More than 90% of our employees participated in security awareness and training in 2024 covering key threats—including but not limited to phishing risk—as well as prevention and company procedures.
Our CTIO and CISO receive reports from our cybersecurity team and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Under the cybersecurity incident response plan, our CISO assigns a severity rating to each incident, and an escalation matrix is used to provide notifications to management and the Board of Directors based on the severity and duration of the incident.
In addition, our CTIO and CISO provide a quarterly update to the Audit and Compliance Committee on Millicom's cybersecurity risk management that includes reports on cybersecurity threats and incidents, mitigation strategies and
remediation plans, recent developments in cybersecurity and updates to the Company's cybersecurity programs. Our CTIO and CISO provide a similar cybersecurity update to management, typically once a month.
Our CTIO and CISO are experienced information systems security professionals. Our CTIO has more than 30 years of experience in the telecommunications industry, particularly with technology-related aspects of telecommunication companies. His presence in the telecommunications business makes him knowledgeable about the technology and cybersecurity risks that are specific to the industry and our markets. Our CISO has over 20 years of experience in information technology, including 15 years in information technology security, information security, and managing cybersecurity risks, and is certified in cybersecurity by the Information System Security Certification Consortium (ISC2).
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our cybersecurity risk management is under the direction of our CTIO and CISO, and they are primarily responsible for defining and implementing our information security program and cybersecurity risk management (which we do not engage third parties for). In particular, our CTIO and CISO are responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes and risk indicators to ensure that such potential cybersecurity risk exposures are monitored, and implementing mitigating actions and plans to lower risks to targeted levels. In addition, our CTIO and CISO oversee the design of trainings on cybersecurity risks that are provided to all employees at least annually, with specialized trainings for executives, developers, system, network and database administrators and other key roles within the Company.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CTIO and CISO are experienced information systems security professionals. Our CTIO has more than 30 years of experience in the telecommunications industry, particularly with technology-related aspects of telecommunication companies. His presence in the telecommunications business makes him knowledgeable about the technology and cybersecurity risks that are specific to the industry and our markets. Our CISO has over 20 years of experience in information technology, including 15 years in information technology security, information security, and managing cybersecurity risks, and is certified in cybersecurity by the Information System Security Certification Consortium (ISC2).
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Our CTIO and CISO receive reports from our cybersecurity team and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents. Under the cybersecurity incident response plan, our CISO assigns a severity rating to each incident, and an escalation matrix is used to provide notifications to management and the Board of Directors based on the severity and duration of the incident.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true