XML 86 R39.htm IDEA: XBRL DOCUMENT v3.25.1
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of business operations, financial reporting systems, intellectual property theft, fraud, extortion, harm to employees or customers, violations of privacy laws, reputational and other litigation and legal risks, as part of our overall risk management system and processes.

Our cybersecurity risk management processes focus on (i) the identification, (ii) the analysis and evaluation, and (iii) the mitigation of potential threats across critical business and operational areas of our organization. Such areas are delineated by top management, and are determined based on their outcomes and their financial, reputational and operative impact.These measures are aimed towards mitigating risks and safeguarding our sensitive information from potential security breaches. To assist with the identification of potential threats, we have robust set of internal procedures designed to accurately identify both internal and external threats. This includes comprehensive vulnerability management processes, rigorous external and internal penetration testing, the use of cyber intelligence, and continuous monitoring of emerging and existing threats. To assist with the analysis and evaluation of identified threats, we perform risk assessments processes and validate with reliable external sources, as product manufactures, industries experts, information security organizations and government best practices and bulletins. Finally, we mitigate cybersecurity-related threats through the implementation of remediation plans that assure the correct mitigation of potential adverse impacts.

Additionally, as part of our cybersecurity risk management procedures, we, on a tri-annual basis, engage external parties to perform technical and process-related assessments of our cybersecurity controls. These third-party evaluations aim to enhance the strength of our information security controls and to ensure adequate protection and control of potential threats.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of business operations, financial reporting systems, intellectual property theft, fraud, extortion, harm to employees or customers, violations of privacy laws, reputational and other litigation and legal risks, as part of our overall risk management system and processes.

Our cybersecurity risk management processes focus on (i) the identification, (ii) the analysis and evaluation, and (iii) the mitigation of potential threats across critical business and operational areas of our organization. Such areas are delineated by top management, and are determined based on their outcomes and their financial, reputational and operative impact.These measures are aimed towards mitigating risks and safeguarding our sensitive information from potential security breaches. To assist with the identification of potential threats, we have robust set of internal procedures designed to accurately identify both internal and external threats. This includes comprehensive vulnerability management processes, rigorous external and internal penetration testing, the use of cyber intelligence, and continuous monitoring of emerging and existing threats. To assist with the analysis and evaluation of identified threats, we perform risk assessments processes and validate with reliable external sources, as product manufactures, industries experts, information security organizations and government best practices and bulletins. Finally, we mitigate cybersecurity-related threats through the implementation of remediation plans that assure the correct mitigation of potential adverse impacts.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
Our business strategy, results of operations and financial condition have not been materially affected by risks from cybersecurity threats, including as a result of previous cybersecurity incidents, but we cannot provide assurance that they will not be materially affected in the future by such risks and any future material incidents. See “Item 3. Risk Factors” for more information on our cybersecurity-related risks.

The cybersecurity risk management processes described above are managed by FEMSA’s Chief Information Security Officer (the “CISO”), who is primarily responsible for the oversight of risks from cybersecurity threats. Furthermore, both the CISOs within each of our business units and FEMSA’s CISO bear the responsibility for monitoring any risks that surpass our predetermined risk tolerance thresholds and adopting follow-up actions to address such risks effectively. The Board of Directors determined that retaining responsibility for the oversight of risks from cybersecurity threats is appropriate, due to the impact that these risks have on our organization. To fulfill this responsibility, the Board of Directors receives quarterly reports regarding cybersecurity risks from the FEMSA CISO. These reports include information regarding information security risks and the corresponding mitigation strategies and actions adopted to address such risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The cybersecurity risk management processes described above are managed by FEMSA’s Chief Information Security Officer (the “CISO”), who is primarily responsible for the oversight of risks from cybersecurity threats.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
The cybersecurity risk management processes described above are managed by FEMSA’s Chief Information Security Officer (the “CISO”), who is primarily responsible for the oversight of risks from cybersecurity threats. Furthermore, both the CISOs within each of our business units and FEMSA’s CISO bear the responsibility for monitoring any risks that surpass our predetermined risk tolerance thresholds and adopting follow-up actions to address such risks effectively. The Board of Directors determined that retaining responsibility for the oversight of risks from cybersecurity threats is appropriate, due to the impact that these risks have on our organization. To fulfill this responsibility, the Board of Directors receives quarterly reports regarding cybersecurity risks from the FEMSA CISO. These reports include information regarding information security risks and the corresponding mitigation strategies and actions adopted to address such risks.
Cybersecurity Risk Role of Management [Text Block]
The cybersecurity risk management processes described above are managed by FEMSA’s Chief Information Security Officer (the “CISO”), who is primarily responsible for the oversight of risks from cybersecurity threats. Furthermore, both the CISOs within each of our business units and FEMSA’s CISO bear the responsibility for monitoring any risks that surpass our predetermined risk tolerance thresholds and adopting follow-up actions to address such risks effectively. The Board of Directors determined that retaining responsibility for the oversight of risks from cybersecurity threats is appropriate, due to the impact that these risks have on our organization. To fulfill this responsibility, the Board of Directors receives quarterly reports regarding cybersecurity risks from the FEMSA CISO. These reports include information regarding information security risks and the corresponding mitigation strategies and actions adopted to address such risks.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The cybersecurity risk management processes described above are managed by FEMSA’s Chief Information Security Officer (the “CISO”), who is primarily responsible for the oversight of risks from cybersecurity threats. Furthermore, both the CISOs within each of our business units and FEMSA’s CISO bear the responsibility for monitoring any risks that surpass our predetermined risk tolerance thresholds and adopting follow-up actions to address such risks effectively.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The cybersecurity risk management processes described above are managed by FEMSA’s Chief Information Security Officer (the “CISO”), who is primarily responsible for the oversight of risks from cybersecurity threats. Furthermore, both the CISOs within each of our business units and FEMSA’s CISO bear the responsibility for monitoring any risks that surpass our predetermined risk tolerance thresholds and adopting follow-up actions to address such risks effectively. The Board of Directors determined that retaining responsibility for the oversight of risks from cybersecurity threats is appropriate, due to the impact that these risks have on our organization
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The cybersecurity risk management processes described above are managed by FEMSA’s Chief Information Security Officer (the “CISO”), who is primarily responsible for the oversight of risks from cybersecurity threats. Furthermore, both the CISOs within each of our business units and FEMSA’s CISO bear the responsibility for monitoring any risks that surpass our predetermined risk tolerance thresholds and adopting follow-up actions to address such risks effectively. The Board of Directors determined that retaining responsibility for the oversight of risks from cybersecurity threats is appropriate, due to the impact that these risks have on our organization. To fulfill this responsibility, the Board of Directors receives quarterly reports regarding cybersecurity risks from the FEMSA CISO. These reports include information regarding information security risks and the corresponding mitigation strategies and actions adopted to address such risks.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true