Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Cybersecurity Framework and Risk Management

In today’s technologically advanced world, data has become increasingly valuable, making information security crucial to the success of any organization. Moreover, with the rise in global attacks on industrial systems, particularly critical infrastructure, it has become imperative to prevent damage to business, operations, reputation, and human lives. Over the years, we have developed a comprehensive set of processes, policies, and controls to mitigate information and cybersecurity risks, drawing on global frameworks and best practices that provide comprehensive protection for our business.

Laws and Regulations

We are subject to various Brazilian regulations regarding information security. Notably, Decree No. 9.637/2018 establishes the National Information Security Policy and Decree No. 11.856/2023 establishes the National Cybersecurity Policy and the National Cybersecurity Committee, while Normative Instruction 1/2020 GSI/PR (Institutional Security Office) guides the structure for managing information security, including the establishment of the Information Security Committee (the “CSI”). Additionally, we comply with other general rules such as Brazilian Law No. 12.527/2011 (Access to Information Law), which governs public access to information.

With regard to privacy, we comply with Brazilian Law No. 13.709/2018 – General Personal Data Protection Law (LGPD), and are subject to penalties in cases of disclosure or misuse of personal data. We view the legislation on the protection of personal data as an opportunity to evolve our system to greater maturity, adding continuous improvements to our privacy processes. To achieve excellence, the process is conducted through a governance model and the adoption of technical and administrative measures to respond to legal requirements, mitigate data breach risks, and guarantee the data rights of our workforce and stakeholders as data subjects.

Cybersecurity Strategy and Risk Management

Our layered defense approach integrates policies, processes, training, and cybersecurity technology to protect and monitor our environment.

Our cybersecurity measures are primarily based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. We use NIST best practices to assess our security maturity.

Cyber Defense

Our incident response plan encompasses preparation, detection, response, and recovery from cybersecurity incidents, ensuring legal compliance and minimizing reputational damage.

A 24/7 Computer Security Incident Response Team (CSIRT) manages and coordinates responses to cybersecurity events. Significant incidents that could affect investors’ decisions will be promptly reported to the market as required by the SEC.

We are members of FIRST (Forum of Incident Response and Security Teams), a prominent global forum for cybersecurity teams across various sectors and countries, focusing on prevention and improving global information security.

We collaborate with global cybersecurity teams, sharing threat intelligence and best practices, and engage in workshops, conferences, and partnerships to enhance security, privacy, and technological capabilities.

To reinforce our security measures, we:

- engage independent companies for periodic vulnerability identification and penetration testing.
- have third-party auditors conduct regular information security reviews based on the NIST Cybersecurity Framework.

We have been enhancing our operational cybersecurity maturity by implementing a robust strategy to safeguard industrial automation and control systems. This includes adopting advanced monitoring tools, strengthening defense-in-depth measures, conducting regular vulnerability assessments, simulating industrial cybersecurity incidents, and monitoring key performance indicators. These efforts aim to strengthen the resilience of critical operations by mitigating cyber risks in an increasingly connected industrial environment.

Risk Management and Digital Controls

We regularly assess and manage risks related to cybersecurity in both corporate and industrial automation and control system environments.

These risks are incorporated into our corporate risk matrix and monitored by senior management.

Our risk management process involves:

- identifying threats and vulnerabilities.
- implementing controls and mitigating measures.
- assessing likelihood and impact using a qualitative methodology.

We extend our cybersecurity risk management to third-party service providers by:

- establishing cybersecurity requirements for business transactions.
- contractually obligating vendors to maintain strict cybersecurity standards.

Currently, we do not maintain cybersecurity incident insurance due to market conditions, but we regularly evaluate available options.

Our business strategy, operations, and financial condition have not been materially affected by cybersecurity threats or previous incidents, but we cannot provide assurance that we will not be materially affected in the future by such risks and any future material incidents.

In the past three fiscal years:

- no material information security breaches occurred.
- expenses from information security incidents were immaterial.
- no penalties or settlements were incurred.

Digital Continuity Program

To ensure our ability to withstand a cyberattack scenario, we have established a comprehensive Digital Continuity Plan. This plan aims to guarantee the uninterrupted functioning of critical processes in the event of a crisis or digital disaster. We have implemented contingency measures for critical digital assets, documented recovery procedures for these assets, and regularly test the effectiveness of our plans.

In managing serious incidents, we follow the Incident Command System, a corporate crisis-handling methodology. This methodology is also applied in our cybersecurity practices, ensuring a structured and coordinated response to any significant incident. To further enhance our preparedness, we conduct cybersecurity tabletop exercises, onboarding sessions, and Tone at the Top training for new members of the Board of Directors and Executive Officers. These training sessions cover corporate information security rules, policies, best practices, and expected user behavior.

Training & Awareness

Our Information Security Awareness Plan includes, but is not limited to, the following activities:

- security awareness education and training for both our workforce and secondees.
- internal “phishing” testing to assess susceptibility to email scams.
- security training for new hires.
- annual information security awareness campaigns and periodic cybersecurity newsletters, which highlight emerging and urgent security threats.
- specialized training, such as DevSecOps (i.e., development, security and operations) and OT Cybersecurity (cybersecurity for operational technology), provided to specific audiences to address their unique requirements.

Cybersecurity Risk Management Processes Integrated [Flag] false
Cybersecurity Risk Management Processes Integrated [Text Block] Our layered defense approach integrates policies, processes, training, and cybersecurity technology to protect and monitor our environment.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Our business strategy, operations, and financial condition have not been materially affected by cybersecurity threats or previous incidents, but we cannot provide assurance that we will not be materially affected in the future by such risks and any future material incidents.
Cybersecurity Risk Board of Directors Oversight [Text Block] Governance

Management Structure

We have a dedicated Information Security executive management structure (SI), which operates independently from the Information Technology (IT) department. This structure is responsible for overseeing information security initiatives, establishing strategies and guidelines aligned with business objectives, recommending investments to mitigate cyber risks, and providing adequate digital protection for critical assets. Both the SI and IT report to the Chief Corporate Affairs Officer.

The Chief Information Security Officer, Samara Braz, leads the information security efforts and holds multiple qualifications in IT and Information Security, including the following:

- Certified in the Governance of Enterprise IT (CGEIT) from the Information Systems Audit and Control Association (“ISACA”);
- Certified in Risk and Information Systems Control (CRISC) from ISACA;
- Certified Data Privacy Solutions Engineer (CDPSE) from ISACA;
- Certified Information Security Manager (CISM) from ISACA;
- Certified Information Systems Auditor (CISA) from ISACA; and
- Certified Chief Information Security Officer (CCISO) from the International Council of E-Commerce Consultants (EC-Council).

Additionally, we have an Information Security Committee (CSI) composed of members appointed by our executive board. The CSI advises on information security matters, aligning them with the National Information Security Policy and our business objectives, with strategic issues discussed quarterly.

The Security Information Management team holds regular meetings to address operational and strategic concerns, in addition to routine interactions. Monthly discussions are held to monitor key security indicators, management processes and project management.

Role of the Board of Directors, Executive Board and Committees

Our senior management receives periodic reports on risks from Petrobras’ corporate risk matrix based on their assessed severity. These reports include strategic risks and risks of very high and high severity – including those related to cybersecurity and information security. They follow a standardized model with an annual timeline for specific risk management actions, detailing managed risks and main response actions. Senior management also monitors the evolution of the risk matrix and the deadlines for response plans.

Strategic risks are those business risks that, due to their relevance to meeting our strategic objectives, are monitored by the Executive Board and Board of Directors, which schedule quarterly presentations. Recently, cybersecurity risks have been classified as strategic due to their relevance, interconnectedness and impact on the business.

The Board of Directors approves the company’s risk profile and oversees the company’s risk management with advice from the Audit Committee.

The CSI evaluates and monitors the Information Security Management System, cybersecurity and information security risks, and the execution of risk treatment plans and guidelines.

The CISO manages information security initiatives, establishes strategies aligned with business objectives and regulation, and recommends investments to mitigate risks and protect critical assets.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] We have a dedicated Information Security executive management structure (SI), which operates independently from the Information Technology (IT) department.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] This structure is responsible for overseeing information security initiatives, establishing strategies and guidelines aligned with business objectives, recommending investments to mitigate cyber risks, and providing adequate digital protection for critical assets.
Cybersecurity Risk Role of Management [Text Block] Role of the Board of Directors, Executive Board and Committees
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Strategic risks are those business risks that, due to their relevance to meeting our strategic objectives, are monitored by the Executive Board and Board of Directors, which schedule quarterly presentations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Board of Directors approves the company’s risk profile and oversees the company’s risk management with advice from the Audit Committee.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true