Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management and Strategy

We maintain a comprehensive process for assessing, identifying, and managing risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems, data breach; violation of privacy laws and other litigation and legal risk; and reputational risk. We have developed a cybersecurity policy based on the guidelines and criteria contemplated by the international standards ISO 27001 and ISO 27002, as well as control mechanisms, technologies, processes, and procedures developed on the basis of the guidelines and criteria addressed by Law No. 25,326 (on personal data protection) and the Payment Card Industry Data Security Standard (PCI DSS).

We have a dedicated cybersecurity structure - the Department of Cybersecurity, under the CTO, led by a Chief Information Security Officer (CISO) and further composed of the Departments of i) Architecture Development & Engineering, ii) Business Information Security Officer (BISO) Enablers Community, iii) Cyber Defense Center, and iv) Governance, Risk, Compliance & Incidents (“GRCI”). The functions of our Department of Cybersecurity have been integrated into the Company’s general risk systems and processes by incorporating the BISO Department teams by business.

The Department of Cybersecurity is responsible for establishing a set of preventive and reactive measures that affect data processing and enable the protection of information. In addition, it conducts the analysis and evaluation of risks related to cybersecurity threats that may impact the Company, in coordination with the GRCI Manager and other cybersecurity leaders. It also ensures the security of computer systems, electronic systems, networks, computers, servers, and data from malicious attacks. The CISO is responsible for reporting the findings to the Company’s Management. (For further information, see below “—Governance - Management”).

Key functions of the Department of Cybersecurity include:

-

Preventing unauthorized individuals, entities, or processes from accessing or modifying information;

-

Ensuring that all critical business services and information are available when required for authorized users, entities, or processes;

-

Identifying risks and proposing security solutions to respond to and monitor them;

-

Overseeing, communicating, and executing technical implementations of security solutions for business objectives;

-

Proactively searching for threats to achieve early identification and isolation, thereby minimizing the impact on the Company’s assets, products, and businesses;

-

Maintaining and developing cybersecurity policies and controls to ensure compliance with the mentioned standards and regulations;

-

Conducting a comprehensive and thorough review of the credit card data processing environment in accordance with the PCI DSS, for which certification for the year 2023 was obtained in early 2024. As of the date of this Annual Report, the Department of Cybersecurity is in the process of obtaining the recertification for the year 2024; and

-

Assessing each cyber event and evaluating its consequences after the attack has been mitigated, among others.

The Cybersecurity Department’s processes are annually reviewed, tested, updated and approved by the GRCI Department. If updates to the processes arise from the review, they are carried out according to the requirements of the Company and in agreement with other areas of the Company. The final review of the processes is carried out by the CISO.

The Company’s incident response and prevention process, depending on the Cybersecurity Department of Telecom includes the following elements: incident response, security awareness and training, penetration testing, vulnerability management, security monitoring, threat detection and response, and threat intelligence.

The Company does not engage consultant services to carry out its cybersecurity processes. However, Telecom contracted the PCI audit service, since a Qualified Security Assessor (QSA) is needed to provide such certification.

As of the date of this Annual Report, our insurance policy does not cover damages caused by cyberattacks and other similar events.

Cybersecurity Risk Management Processes Integrated [Text Block]

Risk Management and Strategy

We maintain a comprehensive process for assessing, identifying, and managing risks from cybersecurity threats, including risks relating to disruption of business operations or financial reporting systems, data breach; violation of privacy laws and other litigation and legal risk; and reputational risk. We have developed a cybersecurity policy based on the guidelines and criteria contemplated by the international standards ISO 27001 and ISO 27002, as well as control mechanisms, technologies, processes, and procedures developed on the basis of the guidelines and criteria addressed by Law No. 25,326 (on personal data protection) and the Payment Card Industry Data Security Standard (PCI DSS).

We have a dedicated cybersecurity structure - the Department of Cybersecurity, under the CTO, led by a Chief Information Security Officer (CISO) and further composed of the Departments of i) Architecture Development & Engineering, ii) Business Information Security Officer (BISO) Enablers Community, iii) Cyber Defense Center, and iv) Governance, Risk, Compliance & Incidents (“GRCI”). The functions of our Department of Cybersecurity have been integrated into the Company’s general risk systems and processes by incorporating the BISO Department teams by business.

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

Board of Directors

At the Board level, the Audit Committee is ultimately responsible for overseeing the Company’s financial and non-financial risks, including cybersecurity threats. To fulfill this responsibility, the Audit Committee holds meetings regularly and when needed, at which the CISO reports on cybersecurity events and provides updates on current risks. Also, the Audit Committee meets the CISO in case of the existence of a material event, as disclosed in “Incident Response Plan”. These reports may include information about cybersecurity incidents and the responses to them.

The CISO reports on significant cybersecurity incident-related activities in accordance with the “Incident Response Plan” to both the Executive Committee and the Audit Committee.

Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

At the Board level, the Audit Committee is ultimately responsible for overseeing the Company’s financial and non-financial risks, including cybersecurity threats. To fulfill this responsibility, the Audit Committee holds meetings regularly and when needed, at which the CISO reports on cybersecurity events and provides updates on current risks. Also, the Audit Committee meets the CISO in case of the existence of a material event, as disclosed in “Incident Response Plan”. These reports may include information about cybersecurity incidents and the responses to them.

The CISO reports on significant cybersecurity incident-related activities in accordance with the “Incident Response Plan” to both the Executive Committee and the Audit Committee.

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The cybersecurity risk management processes delineated above are managed by our CISO. The CISO has extensive cybersecurity experience. The CISO has 30 years of experience in Cybersecurity matters, with experience in the design, implementation, auditing and analysis of computer security risks. He is a professor of Cybersecurity Management and Strategy at the CEMA University of Buenos Aires.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true