Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Policies and Procedures
The purpose of the information security and cybersecurity policy is to define the general guidelines for the Information Security Governance and Management System (SGGSI), which must be known, adopted and complied with by all employees of the company, as well as by third parties linked to it. SQM defines effective Governance and Management of Information and Operational Technology Security (IT/OT) as a business function and, as such, a critical element for SQM's success and survival in a globalized and highly competitive world.
An information security strategy is developed and implemented in alignment with the business strategy and with information technology (IT) and operational technology (OT). The scope and extent of the information security strategy depend on the size and complexity of the company, its business activities, risks, vulnerabilities and threats, and it is intended to provide a reasonable defense against any internal or external attack. This cybersecurity strategy addresses preventive, detective, corrective and reactive measures. Another important aspect is the information security incident management life cycle, which consists of methodically analyzing Information Security & Cybersecurity (ISC) events and incidents from the point of view of the impact they could cause to the company. Incident response methodologies generally emphasize preparedness: not only establishing an incident response capability, but also preventing incidents by ensuring that systems, networks and applications are sufficiently secure. Preparation involves implementing the appropriate tools and configuring the appropriate processes and procedures for handling an incident before one occurs. One of the most important tasks is to identify the assets that must be protected.
We have incorporated cybersecurity related risks into our overall risk management system, which is built considering international standards, such as ISO 31000 and COSO ERM (Committee of Sponsoring Organizations Enterprise Risk Management), and includes the following stages:
Risk Identification: To identify risks, meetings are held between the Business Risk Management Department and the process owners of each business unit or business area, who, by virtue of their responsibilities, can be presumed to understand significant risk situations.

Based on this input, the Business Risk Management Department prepares a list of the risks identified for each unit. This list is called the "risk inventory".

Risk Analysis: Risk analysis covers the study of the causes and consequences of a risk materializing. A risk can have multiple causes and consequences, and a single cause can affect more than one risk, so correctly identifying them provides an in-depth analysis of the risk and its possible consequences.

Risk Assessment: For any critical risk related to the Company's strategic objectives, such as cybersecurity risk, a cause-consequence analysis must be performed and recorded in a Bow-Tie sheet, which helps identify the controls that mitigate the risk. Bow-Tie analysis is a risk management technique that provides a visual representation of potential hazards, the threats that could cause those hazards, the consequences of those threats, and the controls in place to mitigate the risks. The name "bow-tie" comes from the shape of the diagram, which resembles a bow tie with the hazard in the center and the threats and consequences branching out on either side. This analysis is reviewed at least once every six months by the Business Risk Management Department and the responsible area.

Risk Treatment: Once the residual risk has been determined, the risk management methodology offers different ways of treating the risk, which must be considered case by case. The treatment chosen depends mainly on the risk appetite defined for each case.

Risk Monitoring: The Business Risk Management Department continuously monitors the action plans committed by each responsible area.

Risk Communication: At least twice a year, the Business Risk Management Department will present SQM's critical risks, such as cybersecurity, to the Board of Directors directly, or through the Directors' Committee, so it may then report to the Board of Directors. Upon receipt of information regarding critical risks, the Board of Directors may request further details during the Board meeting or engage in discussions about the risks and/or mitigation measures with the respective responsible party.

SQM's Business Risk Management Department is responsible for performing all of the stages of the process described above.

Every three years, SQM's Business Risk Management Department requests an evaluation of SQM's risk management function. This evaluation is conducted by an external audit firm and includes a review of governance, processes, culture and supporting systems, a comparison against an industry benchmark, and recommendations. The most recent evaluation was conducted in 2024.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We have incorporated cybersecurity related risks into our overall risk management system, which is built considering international standards, such as ISO 31000 and COSO ERM (Committee of Sponsoring Organizations Enterprise Risk Management), and includes the following stages:
Risk Identification: To identify risks, meetings are held between the Business Risk Management Department and the process owners of each business unit or business area, who, by virtue of their responsibilities, can be presumed to understand significant risk situations.

Based on this input, the Business Risk Management Department prepares a list of the risks identified for each unit. This list is called the "risk inventory".

Risk Analysis: Risk analysis covers the study of the causes and consequences of a risk materializing. A risk can have multiple causes and consequences, and a single cause can affect more than one risk, so correctly identifying them provides an in-depth analysis of the risk and its possible consequences.

Risk Assessment: For any critical risk related to the Company's strategic objectives, such as cybersecurity risk, a cause-consequence analysis must be performed and recorded in a Bow-Tie sheet, which helps identify the controls that mitigate the risk. Bow-Tie analysis is a risk management technique that provides a visual representation of potential hazards, the threats that could cause those hazards, the consequences of those threats, and the controls in place to mitigate the risks. The name "bow-tie" comes from the shape of the diagram, which resembles a bow tie with the hazard in the center and the threats and consequences branching out on either side. This analysis is reviewed at least once every six months by the Business Risk Management Department and the responsible area.

Risk Treatment: Once the residual risk has been determined, the risk management methodology offers different ways of treating the risk, which must be considered case by case. The treatment chosen depends mainly on the risk appetite defined for each case.

Risk Monitoring: The Business Risk Management Department continuously monitors the action plans committed by each responsible area.

Risk Communication: At least twice a year, the Business Risk Management Department will present SQM's critical risks, such as cybersecurity, to the Board of Directors directly, or through the Directors' Committee, so it may then report to the Board of Directors. Upon receipt of information regarding critical risks, the Board of Directors may request further details during the Board meeting or engage in discussions about the risks and/or mitigation measures with the respective responsible party.

SQM's Business Risk Management Department is responsible for performing all of the stages of the process described above.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] At least twice a year, the Business Risk Management Department will present SQM's critical risks, such as cybersecurity, to the Board of Directors directly, or through the Directors' Committee, so it may then report to the Board of Directors. Upon receipt of information regarding critical risks, the Board of Directors may request further details during the Board meeting or engage in discussions about the risks and/or mitigation measures with the respective responsible party.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] At least twice a year, the Business Risk Management Department will present SQM's critical risks, such as cybersecurity, to the Board of Directors directly, or through the Directors' Committee, so it may then report to the Board of Directors.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] At least twice a year, the Business Risk Management Department will present SQM's critical risks, such as cybersecurity, to the Board of Directors directly, or through the Directors' Committee, so it may then report to the Board of Directors. Upon receipt of information regarding critical risks, the Board of Directors may request further details during the Board meeting or engage in discussions about the risks and/or mitigation measures with the respective responsible party.
Cybersecurity Risk Role of Management [Text Block]
Management and Director Cybersecurity Expertise

Our Business Risk Management Department consists of five people and is led by the Department Head, who has access to and reports to the Directors' Committee. Each member of the Department has training and/or certifications in Risk Management such as ISO 31000 or COSO ERM. All of them have more than five years of experience in Risk Management, Audit and Compliance roles.

SQM manages information security and cybersecurity through an IT Security and Governance Department in each of its divisions: the SQM Iodine-Plant Nutrition Division, the SQM Lithium Chile Division and the SQM International Lithium Division. The main responsibility of these departments is to protect the Company's IT infrastructure from cyberattacks and other threats. SQM has an Information Security Management System (ISMS) based on ISO 27001, the Control Objectives for Information and Related Technologies (COBIT), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

The SQM Iodine-Plant Nutrition Division has an IT Security and Governance Department, where the Cybersecurity Leader is responsible for managing security resources, implementing protective measures, continuously monitoring, and developing response plans for cybersecurity incidents. Additionally, the department includes a Cybersecurity Risk team, under the direction of the IT Risk and Compliance Leader, responsible for managing and detecting risks, establishing robust security policies, and ensuring compliance with internal regulations and with external regulations related to information security and cybersecurity.

The IT Security and Governance Department reports to the Deputy IT Manager and the IT Manager, who bring over 30 years of combined experience in risk management, information asset protection, and operational continuity management in the mining sector. They oversee our divisions globally, providing advice and support to business and operational managers in their activities to ensure that information security and cybersecurity are managed as critical components of our overall sustainability strategy. Through their leadership, they ensure that best practices in cybersecurity and risk management are effectively implemented, promoting a culture of security that protects our assets and strengthens our operational resilience.

The Lithium Chile Division has an IT Security and Governance Department led by the Department Head, who reports directly to the IT Manager. This department has two main missions: Information Security, which manages risks related to the use of information technologies, regulatory compliance, and data protection; and Cybersecurity, which effectively protects, defends, and contains, through advanced monitoring, potential events and incidents that could affect availability, integrity, and confidentiality.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
SQM manages information security and cybersecurity through an IT Security and Governance Department in each of its divisions: the SQM Iodine-Plant Nutrition Division, the SQM Lithium Chile Division and the SQM International Lithium Division. The main responsibility of these departments is to protect the Company's IT infrastructure from cyberattacks and other threats. SQM has an Information Security Management System (ISMS) based on ISO 27001, the Control Objectives for Information and Related Technologies (COBIT), and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

The SQM Iodine-Plant Nutrition Division has an IT Security and Governance Department, where the Cybersecurity Leader is responsible for managing security resources, implementing protective measures, continuously monitoring, and developing response plans for cybersecurity incidents. Additionally, the department includes a Cybersecurity Risk team, under the direction of the IT Risk and Compliance Leader, responsible for managing and detecting risks, establishing robust security policies, and ensuring compliance with internal regulations and with external regulations related to information security and cybersecurity.

The IT Security and Governance Department reports to the Deputy IT Manager and the IT Manager, who bring over 30 years of combined experience in risk management, information asset protection, and operational continuity management in the mining sector. They oversee our divisions globally, providing advice and support to business and operational managers in their activities to ensure that information security and cybersecurity are managed as critical components of our overall sustainability strategy. Through their leadership, they ensure that best practices in cybersecurity and risk management are effectively implemented, promoting a culture of security that protects our assets and strengthens our operational resilience.

The Lithium Chile Division has an IT Security and Governance Department led by the Department Head, who reports directly to the IT Manager. This department has two main missions: Information Security, which manages risks related to the use of information technologies, regulatory compliance, and data protection; and Cybersecurity, which effectively protects, defends, and contains, through advanced monitoring, potential events and incidents that could affect availability, integrity, and confidentiality.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Each member of the Department has training and/or certifications in Risk Management such as ISO 31000 or COSO ERM. All of them have more than five years of experience in Risk Management, Audit and Compliance roles. The IT Security and Governance Department reports to the Deputy IT Manager and the IT Manager, who bring over 30 years of combined experience in risk management, information asset protection, and operational continuity management in the mining sector.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
Risk Communication: At least twice a year, the Business Risk Management Department will present SQM's critical risks, such as cybersecurity, to the Board of Directors directly, or through the Directors' Committee, so it may then report to the Board of Directors. Upon receipt of information regarding critical risks, the Board of Directors may request further details during the Board meeting or engage in discussions about the risks and/or mitigation measures with the respective responsible party.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true