Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Coca-Cola Andina recognizes information security and cyber-attacks as potential areas of business risk. Consequently, the Company has formulated and implemented a comprehensive strategy that enables us to safeguard confidentiality, integrity and availability of information and critical data and systems by (i) establishing an organizational understanding for the purpose of overseeing cybersecurity risks related to its systems, people, assets, data and capabilities, (ii) safeguarding systems and assets (including data), (iii) identifying deviations from established protocols, (iv) reacting to cybersecurity incidents, and (v) restoring business operations, if required.

Policy for Information Security

The Company’s information security policy is an ongoing process designed to protect information assets from threats that could compromise their availability, integrity, or confidentiality. The corporate information security policy was created and put into effect to strengthen this pillar. In addition to providing general guidelines on the access, handling, manipulation, processing, transmission, and storage of the Company’s information assets, this policy seeks to establish general guidelines regarding the responsibility, protection, and management of information risks. The implementation of this policy involves the classification of information, the definition of responsibilities, and the use of digital solutions to strengthen its execution. Examples of these solutions include the unification of information storage and transfer mechanisms, the protection of information through Data Loss Prevention (DLP) practices, and the encryption of information stored on the Company’s essential equipment. The CISO is in charge of the Company’s information security strategy, policies, guidelines, and practices.

Cybersecurity provider risk and measurements management

Infrastructure and information security services are outsourced to one of the largest technology companies in Latin America. This company provides us with field support, a user support center, networking support and cyber security monitoring. The IT outsourcing service is governed by a contractual agreement that specifies service levels and a Data Processing Agreement. An external auditor conducts an annual audit of the services to assess the adherence of the controls of the critical services rendered via ISAE 3402. All technology suppliers that offer on-premise SaaS or software are assessed throughout the selection procedure using an INCIBE-CERT-based cyber resilience framework (National Cybersecurity Institute of Spain).

Cybersecurity Framework

Our cybersecurity risk management program was developed in accordance with, and aligned to, international standards, best practices, and worldwide frameworks such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology Cyber Security Framework (NIST). It incorporates the highest industry standards and is continually tested for Business Continuity (BC) and Disaster Recovery (DR). Our program is managed with an integrated people, processes, and technology vision, and in order to improve its cyber resilience, the Company has a cybersecurity strategy to which it adds new controls and systems every year. This involves a risk management methodology based on a Business Impact Analysis (BIA) and Risk Impact Analysis Information Technology (RIA IT) model to unify risk and processes deemed critical to the organization, as well as regular and comprehensive testing of vulnerability mitigation measures found through ethical hacking, pentesting and vulnerability assessments. This activity gives a clear picture of known vulnerabilities in the system so that they can be specifically fixed, and allows additional searches for undiscovered weaknesses, foreseeing future attacks and strengthening defenses. Furthermore, a “Zero Trust” model for platform access, Privileged Access Control and Multifactor Authentication has been implemented for all platforms and user access. We use policies, processes, software, training programs, and hardware solutions to protect and monitor our environment across all critical systems, firewalls, intrusion detection and prevention systems, anti-malware, patch management, and identity management systems.

Corporate Cybersecurity Policy

The Company’s Corporate Cybersecurity strategy provides a framework for effective security management processes pertaining to IT systems and the associated assets, and it establishes a control model for the protection of the confidentiality, integrity, and availability of information systems, in accordance with the applicable laws and regulations in the countries in which we operate. Our cybersecurity risk management program also includes review and assessment by independent, external third parties, who evaluate and report on our cybersecurity program, as well as preparedness for internal incident response and help identify areas for continuous focus and improvement.

Dissemination and Training

The Company provides continuous information about the measures taken to promote cybersecurity, ensuring that all employees are informed of, and have received training on, cybersecurity concepts and threats to information security and cybersecurity. Focusing on software and services based on the Company’s digital transformation, specialized areas in the Company’s IT and Human Resources departments coordinate specific training through various channels, using communications and e-mails delivering content that addresses information management and information security.

For instance, all employees of the company receive cybersecurity and phishing exercise training each year; the technology team also receives training on the various guidelines and protocols related to cybersecurity practices, including safeguarding digital assets, secure development, managing IT risks, and system modifications, among other topics.

We do not currently believe that risks from cybersecurity threats, including as a result of cybersecurity incidents, have materially affected the Company or our financial position, results of operations or cash flows. However, any compromise of data security could result in a violation of applicable privacy laws or standards, the loss of valuable business data, or a disruption of our business. Coca-Cola Andina recognizes that a security breach involving the misappropriation, loss or other unauthorized disclosure of sensitive or confidential information could give rise to unwanted media attention, materially damage our customer relationships and reputation, and result in fines or liabilities, which may not be covered by our insurance policies, and therefore works with data security as an integral part of its risks. See “Item 3. Key Information — Risk Factors — Risks Related to our Company — If we are unable to protect our information systems against data corruption, cyber-based attacks or network security breaches, our operations could be disrupted.” for more information.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

Coca-Cola Andina recognizes information security and cyber-attacks as potential areas of business risk. Consequently, the Company has formulated and implemented a comprehensive strategy that enables us to safeguard confidentiality, integrity and availability of information and critical data and systems by (i) establishing an organizational understanding for the purpose of overseeing cybersecurity risks related to its systems, people, assets, data and capabilities, (ii) safeguarding systems and assets (including data), (iii) identifying deviations from established protocols, (iv) reacting to cybersecurity incidents, and (v) restoring business operations, if required.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block] This includes the Audit Committee, which is represented by 3 independent directors, our Chief Executive Officer, Chief Financial Officer, Chief Legal Officer and Chief Audit Officer. One of the Audit Committee’s responsibilities is to supervise the policies, guidelines and strategies for information security risk management in order to ensure compliance with national and international standards, evaluating for this purpose the scope and effectiveness of information security systems, the status of cybersecurity framework controls within the organization, ongoing initiatives and future work plans.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Audit Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] One of the Audit Committee’s responsibilities is to supervise the policies, guidelines and strategies for information security risk management in order to ensure compliance with national and international standards, evaluating for this purpose the scope and effectiveness of information security systems, the status of cybersecurity framework controls within the organization, ongoing initiatives and future work plans.
Cybersecurity Risk Role of Management [Text Block]

Additionally, to protect against and address cybersecurity incident management and decision-making, there is a senior management committee known as the “Cybersecurity Committee”, which is led by the Chief Information Security Officer (CISO). This cross-functional management committee drives awareness, ownership and alignment across broad stakeholder groups on governance and risk for effective management of cybersecurity risks. When a threat affecting the security of our digital information assets materializes, or at least once a year, the Cybersecurity Committee meets to manage the crisis and/or evaluate and control cybersecurity risks, to approve the cybersecurity strategy and direction and the organization’s contingency processes, and to perform a general evaluation of the different cybersecurity risk management indicators.

The Cybersecurity Committee is comprised of the Company’s CISO, the Company’s Chief Human Resources Officer, Chief Legal Officer, Chief Information Technology Officer, the Company’s Risk and Sustainability Corporate Manager, and a Representative of the Corporate Internal Audit Area.

The Company’s CISO is responsible for overseeing and managing cybersecurity issues and risks. This includes being responsible for creating, managing, and carrying out the company’s cybersecurity plan for its networks, both IT (information technology) and OT (operational technology) at the corporate and regional level, overseeing the implementation of improvements, architectures, policies, and standards related to the protection of the organization’s digital assets. In addition, the CISO manages the IT Risk Map (IT RIA) and related mitigation plans, ensuring that necessary modifications are made to maintain compliance with the company’s regulatory framework and standards.

Currently, Eduardo Troncoso Meza serves as our CISO. Mr. Eduardo Troncoso Meza has more than fifteen years of experience in the fields of cybersecurity and information security management. Prior to his current position, Mr. Troncoso held the position of Cybersecurity Architect at Banco BCI. In order to determine the proper implementation of technological security controls, he was tasked with designing and proposing architecture models and solutions for identifying threats, vulnerabilities, and risks on the applications that provide services to the various platforms of the bank. Mr. Troncoso received his Engineering Sciences degree and obtained a Computer Engineering degree from Universidad de Las Américas. Mr. Troncoso also holds a Diploma in Cybersecurity from Universidad de Chile, and has the following certifications:

Information Security Management Systems Auditor/Lead Auditor Training Course (BS ISO/IEC 27001:2013) – BSI;
ISO/IEC 27001 Lead Implementer – PECB; and
Cybersecurity for Managers Certificate: A Playbook from the Massachusetts Institute of Technology.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Cybersecurity Committee
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

Currently, Eduardo Troncoso Meza serves as our CISO. Mr. Eduardo Troncoso Meza has more than fifteen years of experience in the fields of cybersecurity and information security management. Prior to his current position, Mr. Troncoso held the position of Cybersecurity Architect at Banco BCI. In order to determine the proper implementation of technological security controls, he was tasked with designing and proposing architecture models and solutions for identifying threats, vulnerabilities, and risks on the applications that provide services to the various platforms of the bank. Mr. Troncoso received his Engineering Sciences degree and obtained a Computer Engineering degree from Universidad de Las Américas. Mr. Troncoso also holds a Diploma in Cybersecurity from Universidad de Chile, and has the following certifications:

Information Security Management Systems Auditor/Lead Auditor Training Course (BS ISO/IEC 27001:2013) – BSI;
ISO/IEC 27001 Lead Implementer – PECB; and
Cybersecurity for Managers Certificate: A Playbook from the Massachusetts Institute of Technology.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Policy for Information Security

The Company’s information security policy is an ongoing process designed to protect information assets from threats that could compromise their availability, integrity, or confidentiality. The corporate information security policy was created and put into effect to strengthen this pillar. In addition to providing general guidelines on the access, handling, manipulation, processing, transmission, and storage of the Company’s information assets, this policy seeks to establish general guidelines regarding the responsibility, protection, and management of information risks. The implementation of this policy involves the classification of information, the definition of responsibilities, and the use of digital solutions to strengthen its execution. Examples of these solutions include the unification of information storage and transfer mechanisms, the protection of information through Data Loss Prevention (DLP) practices, and the encryption of information stored on the Company’s essential equipment. The CISO is in charge of the Company’s information security strategy, policies, guidelines, and practices.

Cybersecurity provider risk and measurements management

Infrastructure and information security services are outsourced to one of the largest technology companies in Latin America. This company provides us with field support, a user support center, networking support and cyber security monitoring. The IT outsourcing service is governed by a contractual agreement that specifies service levels and a Data Processing Agreement. An external auditor conducts an annual audit of the services to assess the adherence of the controls of the critical services rendered via ISAE 3402. All technology suppliers that offer on-premise SaaS or software are assessed throughout the selection procedure using an INCIBE-CERT-based cyber resilience framework (National Cybersecurity Institute of Spain).

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true