Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We maintain a comprehensive process for assessing, identifying and managing material risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems; intellectual property theft; fraud; extortion; harm to employees or customers; violation of privacy laws and other litigation and legal risk; and reputational risk, as part of our overall risk management system and processes.

Our cybersecurity risk management processes include the following:

  Conforming our cyber practices to internationally established cybersecurity frameworks. Our information systems processes and practices are aligned with established frameworks, such as COBIT, developed by ISACA for the governance and management of information technology. Additionally, we are in the process of implementing the NIST Cybersecurity Framework to further enhance our security posture.
  Utilizing material components in our cybersecurity framework, such as employing multifactor authentication for accessing security consoles, ensuring an additional layer of protection. We have implemented next-generation firewalls and integrated vulnerability testing with our antivirus solution to enhance overall system security. Furthermore, we have deployed both software and hardware backup solutions to safeguard data. In addition, we utilize identity and brand protection services, which include continuous web monitoring to detect and prevent fraudulent activities, such as fake websites aimed at impersonation.
  Involving a six-person team responsible for day-to-day cybersecurity-related matters, including local IT Managers who are granted access to cybersecurity devices and consoles, ensuring hands-on management and control. Additionally, we maintain agreements with hardware and software providers to support our IT infrastructure. We have implemented a comprehensive Business Continuity Management Plan, which includes an Incident Management Plan, a Business Continuity Plan, and a Disaster Recovery Plan. As part of our documentation process, we utilize Business Impact Analysis questionnaires that outline critical activities, involved teams, and necessary resources. Furthermore, we maintain a Risk Matrix specifically designed to support business continuity efforts.
  Conducting annual cybersecurity awareness training for employees involved in our systems. Each year, we hold a meeting with critical departments within the organization to conduct tests of our Disaster Recovery Plan and Business Continuity Plan. During these sessions, we review and update our Risk Matrix to ensure it reflects any changes or new risks. We also emphasize the importance of email security, particularly in identifying and preventing phishing attacks. Teams receive training on their specific roles, participate in the tests, collect all relevant information related to the exercise, and conclude with a debrief meeting to discuss results and formulate action plans for improvement.
  Maintaining a robust incident response plan, which is activated when a critical event occurs, is essential to ensuring business continuity and minimizing disruption. Based on our Disaster Recovery Plan, our Incident Management Committee convenes to execute the action plan. The team gathers in the Crisis Room, where all members are briefed on the situation and the necessary steps for responding and communicating with the broader organization. Our IT team conducts a thorough analysis and implements the required actions to resolve or mitigate the issue, while a communication coordinator ensures timely updates are delivered as per the agreed schedule. The escalation process follows the established resolution matrix, ensuring that issues are addressed according to their severity. This Committee remains in charge of managing all steps until the incident is fully resolved and closed.
  Regularly reviewing, testing, updating, and approving cybersecurity processes by conducting penetration testing, vulnerability scanning, and attack simulations is a key part of our security strategy. Our IT team has access to firewall and endpoint security systems to review logs and ensure all applications remain up-to-date. In accordance with our support policy, third-party partners are also authorized to perform these tasks. They assist in reviewing incidents and coordinating the scheduling of updates or new releases to ensure our systems are continuously protected and optimized.

We also engage third-party experts to evaluate the structure and test the effectiveness of our processes, as well as to provide ongoing training. Our cybersecurity risk management processes extend to the oversight and identification of cybersecurity risks associated with our use of third-party service providers. Our risk management program includes continuous monitoring, assessments, and compliance with industry best practices to mitigate potential vulnerabilities.

We maintain technical support agreements with service providers that cover essential aspects such as software licensing, configuration, upgrades, and necessary changes, supplementing any internal training initiatives. In addition, we have implemented a comprehensive Business Continuity Management Plan, developed in collaboration with a third-party service provider, and supported by both internal and external audits, in coordination with our legal team.

Both our purchasing and IT departments regularly evaluate the competency and qualifications of third-party partners. These providers are required to demonstrate high levels of expertise and hold relevant technical certifications.

Our business strategy, results of operations, and financial condition have not been materially affected by cybersecurity threats, including previous cybersecurity incidents. However, we cannot provide assurance that such risks, or any future material cybersecurity incidents, will not have a significant impact in the future.

For instance, in 2021, one of our branch offices experienced a ransomware attack that targeted Microsoft Windows servers. Although this incident did not materially affect our operations, as the servers were quickly restored from backups and our ERP system remained functional throughout, it underscores the potential risks. The action plan involved isolating each affected server for a comprehensive inspection and cleanup, followed by the full replacement of our perimeter and endpoint security solutions before the servers were brought back online. While we successfully mitigated the immediate risk, this event illustrates the importance of continued vigilance, as future incidents may not be as contained or without impact.

Cybersecurity Risk Management Processes Integrated [Text Block] We have implemented next-generation firewalls and integrated vulnerability testing with our antivirus solution to enhance overall system security
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

Our business strategy, results of operations, and financial condition have not been materially affected by cybersecurity threats, including previous cybersecurity incidents. However, we cannot provide assurance that such risks, or any future material cybersecurity incidents, will not have a significant impact in the future.

Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Governance

Board of Directors and Management

The Board of Directors holds primary responsibility for overseeing risks related to cybersecurity threats. To fulfill this responsibility, the board is regularly advised by outside counsel on best practices for cybersecurity oversight and improvement, as well as on material legal and legislative developments in this area. Additionally, the Audit Committee is specifically charged with overseeing data privacy and cybersecurity risks. Management keeps the board informed through updates on strategic key indicators, ongoing cybersecurity initiatives, and significant incidents, including their potential impact on the organization. Members of the board remain actively engaged and stay informed of the rapidly evolving cyber threat landscape to ensure the company is prepared to address emerging risks.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Board of Directors holds primary responsibility for overseeing risks related to cybersecurity threats
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Additionally, the Audit Committee is specifically charged with overseeing data privacy and cybersecurity risks. Management keeps the board informed through updates on strategic key indicators, ongoing cybersecurity initiatives, and significant incidents, including their potential impact on the organization