Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Identified risks, including cybersecurity risks, are categorized as critical, very significant, significant or less significant, based on their potential impact, likelihood of occurrence and severity. Currently, cybersecurity risks are categorized as critical, very significant, significant and less significant. Critical, very significant and significant risks are assessed or reassessed at least three times per year.

In today's digital age, where cybersecurity is a critical priority for organizations, collaboration with third-party service providers has become increasingly common and necessary. Third-party service providers play a critical role in strengthening information security processes, providing specialized expertise and additional resources to address the complexities of the ever-evolving cyber threat landscape.

Our Global Cybersecurity Director leads our cybersecurity team, acting as the internal focal point for risk management and implementation of security controls. However, we recognize that cybersecurity encompasses a wide range of expertise, and it is in these cases that we turn to specialized consultants. Specialized cybersecurity consultants are engaged when specific expertise is required to address particular challenges or to conduct comprehensive risk assessments. These professionals bring a valuable external perspective, offering expertise and skills that complement our team's internal capabilities. Tasks and responsibilities outsourced to third-party service providers may include:

1.    Risk and Vulnerability Assessment: Consultants can conduct comprehensive risk assessments and vulnerability scans to identify potential gaps in our security infrastructure.

2.    Security audits: They perform independent audits to ensure compliance with information security standards and regulations, or industry-specific regulations.

3.    Penetration Testing: Consultants perform ethical penetration tests to identify weaknesses in our network and systems, simulating real attacks to evaluate the resistance of our defenses.

4.    Development of security policies and controls: They collaborate in the creation and review of information security policies, as well as in the design and implementation of appropriate controls to mitigate risks.

5.    Training and awareness: They provide cybersecurity training and awareness programs for our staff, helping to promote a culture of security throughout the organization.

6.    Security Operation Centers ("SOC"): The SOC plays a critical role in detecting, analyzing and responding to security incidents in real time.

Tasks are distributed between external vendors and the Global Cybersecurity Director based on the nature and scope of each project. The Global Cybersecurity Director and his team closely monitor all cybersecurity-related activities, ensuring that they align with the organization's security objectives and standards. In addition, he or she coordinates communication and collaboration between third-party vendors and other relevant internal teams, ensuring effective integration of cybersecurity efforts across the enterprise. Third-party vendors are carefully selected based on their experience, credentials and demonstrated capabilities in the cybersecurity field. We look for partners who hold recognized certifications, and who have a proven track record of success in similar projects. Transparency and trust are core values in our relationship with third-party vendors, and we work closely with them to ensure comprehensive protection of our information assets.

Our Global Cybersecurity Director has been working on Ternium’s cybersecurity area since 2006. He holds a degree in Information Systems Engineering and a CISM-Certified Information Security Manager certification from ISACA.

As Ternium relies heavily on information systems to conduct its operations, it has adopted information security policies and controls aligned with the industry’s best practices and standards, in compliance with international frameworks including the U.S. National Institute of Standards and Technology, or NIST, the Open Worldwide Application Security Project, or OWASP, and ISO, among others.

Our information security teams regularly evaluate the effectiveness of our policies and controls, learning from past incidents and implementing continuous improvements. We closely evaluate and supervise the information security practices of our suppliers and third parties with access to our assets and critical data.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] In addition, Ternium S.A. has established a management-level Critical Risk Committee (“CRC”) in connection with the monitoring, assessment and review of risks to which Ternium is exposed and in the oversight of the risk management framework and processes, with a focus on critical risks (including among them, cybersecurity risks), the development of mitigating actions, and the monitoring of action plans.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] Under Ternium S.A.’s articles of association, as supplemented by the audit committee’s charter, the audit committee assists the board of directors in fulfilling its oversight responsibilities relating to the effectiveness of its systems of internal control, risk management and internal audit over financial reporting.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Under Ternium S.A.’s articles of association, as supplemented by the audit committee’s charter, the audit committee assists the board of directors in fulfilling its oversight responsibilities relating to the effectiveness of its systems of internal control, risk management and internal audit over financial reporting.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Ternium S.A.’s board of directors receives quarterly reports from the Chief Executive Officer and the Chief Financial Officer on risk management, including cybersecurity risk management and relevant cybersecurity incidents. In addition, at least once a year, the Chief Information Officer reports to the board of directors on Ternium S.A.’s cybersecurity management
Cybersecurity Risk Role of Management [Text Block] In addition, Ternium S.A. has established a management-level Critical Risk Committee (“CRC”) in connection with the monitoring, assessment and review of risks to which Ternium is exposed and in the oversight of the risk management framework and processes, with a focus on critical risks (including among them, cybersecurity risks), the development of mitigating actions, and the monitoring of action plans. The CRC is composed of certain senior managers, including the Chief Information Officer, the Global Cybersecurity Director, the Chief Financial Officer and the Chief Executive Officer. The Chief Financial Officer oversees the risk management strategy. In particular with respect to cybersecurity risks, Ternium S.A. has appointed an Information Security Officer who is responsible for assessing cybersecurity risks and managing cybersecurity incidents, and reports to the Chief Information Officer, who, in turn, reports to the Chief Financial Officer.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The CRC is composed of certain senior managers, including the Chief Information Officer, the Global Cybersecurity Director, the Chief Financial Officer and the Chief Executive Officer.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
Our Global Cybersecurity Director has been working on Ternium’s cybersecurity area since 2006. He holds a degree in Information Systems Engineering and a CISM-Certified Information Security Manager certification from ISACA.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Chief Financial Officer oversees the risk management strategy. In particular with respect to cybersecurity risks, Ternium S.A. has appointed an Information Security Officer who is responsible for assessing cybersecurity risks and managing cybersecurity incidents, and reports to the Chief Information Officer, who, in turn, reports to the Chief Financial Officer.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true