Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]   Risk Management and Strategy

As a global mining company, we face various cyber threats, including ransomware attacks, theft of restricted information and digital fraud. These threats can lead to financial losses, damage to our reputation, and harm to our employees and third parties. We manage these cyber risks as part of our overall risk management process.

Our overall enterprise risk management (ERM) process integrates assessing, identifying, and managing cybersecurity-related risks. If the ERM process identifies a heightened cybersecurity-related risk, we assign risk owners to develop and track risk mitigation plans. We use several tools to monitor risks, including key risk indicators (KRIs) and independent assessments of critical controls by specialized teams.

In case of a cyber incident, we follow our cyber incident response playbook, which outlines the steps for detection, mitigation, recovery, and notification, including procedures for informing relevant internal groups and the Board of Directors as needed.

Our Cybersecurity Risk Management practice is founded on internationally recognized cybersecurity frameworks such as the NIST Cybersecurity Framework (NIST CSF), ISO/IEC 27001 and ISA/IEC 62443. The practice includes the processes described below.

Identification of what we have, what we do and what is important:

·We understand the business context and the assets that support essential functions.
·We regularly assess cyber risks internally and the potential impacts on the company and, every two years, undergo a risk assessment by an independent and specialized third party based on the NIST CSF.
·We maintain an up-to-date inventory of technology assets, such as applications, data, servers, network components, third-party services and others.

Protecting technology assets (both Information Technology and Operational Technology) to prevent or limit cyber incidents:

·We apply an identity and access management process with multi-factor authentication.
·We provide cybersecurity training and education for employees and contractors, focusing on cyber risk and good cyber behavior, such as identifying malicious emails and correctly classifying information to protect data confidentiality.
·We provide communication channels for employees and contractors to report incidents, vulnerabilities and activities related to cyber security.
·We adopt network segmentation with strategic placement of network firewalls, intrusion prevention systems, and demilitarized zones for added security.

Early detection of cyber incidents through:

·Our Security Operations Center, which operates 24/7/365, continuously monitors our digital environment by analyzing billions of telemetry events to detect system anomalies.
·We adopt a modern Endpoint Detection and Response platform on our workstations and servers, combined with a managed detection and response service provided by the Security Operations Center.
·We regularly conduct vulnerability assessments across various technological layers, independent third-party penetration tests and attack surface management practices.
·We have a dedicated cybersecurity team that combines the best of in-house resources with the expertise of external partners specialized in the field.

Responding effectively to cyber incidents to significantly contain their impact:

·We maintain a robust cyber incident response plan by:
-Keeping cyber incident response procedures up to date, as well as technology system recovery plans for business continuity.
-Conducting cyber incident simulations for operational, tactical, and executive audiences to educate and better prepare for a real cyber incident.
-Integrating the cyber incident response plan with the organization’s corporate Crisis Management process and a corporate Cyber Crisis Committee formed by areas such as Legal, Privacy, Communications, Internal Controls, Investor Relations, and other business areas.
-Managing the materiality of cyber incidents within the corporate cyber crisis committee, keeping our Executive Committee and our Board of Directors informed, and disclosing to the public when applicable.

Recovering and restoring affected systems and their capabilities back in operation.

We also engage specialized third-party cybersecurity companies to evaluate the structure of the cyber program, test the effectiveness of our processes and provide targeted training to our workforce. Our cybersecurity risk management processes extend to the oversight and identification of cybersecurity risks arising from our association with third-party service providers. Our risk management program includes risk assessments of third parties that want to provide services to us, based on their contractual commitment to comply with our baseline of security controls and on their cyber rating as measured by an independent security rating platform.

We also share and receive cyber and threat intelligence insights with our industrial base peers and are a member of the Metals and Mining Information Sharing and Analysis Center (ISAC).

Our plans aim to enhance our cybersecurity program by constantly staying abreast of emerging threats and adapting to evolving technologies.

Over the past three years, our business strategy, results of operations and financial position have not been materially impacted by risks from current and past cybersecurity threats. However, we cannot assure that they will not be materially affected by future cybersecurity threats or incidents.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our overall enterprise risk management (ERM) process integrates assessing, identifying, and managing cybersecurity-related risks.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] Over the past three years, our business strategy, results of operations and financial position have not been materially impacted by risks from current and past cybersecurity threats. However, we cannot assure that they will not be materially affected by future cybersecurity threats or incidents.
Cybersecurity Risk Board of Directors Oversight [Text Block]   Governance

Board of Directors

Our Board of Directors primarily oversees the management of cybersecurity threat risks. To fulfill this responsibility, the Board relies on the support of the Audit and Risks Committee. The Audit and Risks Committee is responsible for advising the Board of Directors regarding the risk management strategy, including the analysis of corporate policies on this topic and risk appetite guidelines, as well as Vale’s integrated risk map. The Audit and Risks Committee also assesses the effectiveness and adequacy of controls and risk management systems, and regularly receives reports on cyber risks from our Corporate Risk Department.

Management

Our Executive Committee is supported by five advisory committees, including the Executive Risk Committee which focuses on strategy, finance, and cyber risks. The main responsibilities of these advisory committees are to support our Executive Committee in monitoring risks, make preventive recommendations regarding potential risks presented at the committees’ meetings, and submit them for the approval of the Executive Committee.

Our Chief Information Security Officer leads our cybersecurity function and is responsible for our overall information security strategy, policy, threat detection and response. The Chief Information Security Officer provides a comprehensive cyber risk update to our Audit and Risks Committee and our Executive Risk Committee; this update covers an independent assessment of our cybersecurity program based on the NIST Cybersecurity Framework, as well as our cyber posture as evaluated by an independent cybersecurity rating platform. The committees are briefed on cyber incidents considered to have a moderate or greater business impact, even if they are not material to us.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Our Board of Directors primarily oversees the management of cybersecurity threat risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Audit and Risks Committee is responsible for advising the Board of Directors regarding the risk management strategy, including the analysis of corporate policies on this topic and risk appetite guidelines, as well as Vale’s integrated risk map.
Cybersecurity Risk Role of Management [Text Block] Our Executive Committee is supported by five advisory committees, including the Executive Risk Committee which focuses on strategy, finance, and cyber risks. The main responsibilities of these advisory committees are to support our Executive Committee in monitoring risks, make preventive recommendations regarding potential risks presented at the committees’ meetings, and submit them for the approval of the Executive Committee.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our Chief Information Security Officer leads our cybersecurity function and is responsible for our overall information security strategy, policy, threat detection and response.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Audit and Risks Committee also assesses the effectiveness and adequacy of controls and risk management systems, and regularly receives reports on cyber risks from our Corporate Risk Department.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true