Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Risk Management and Strategy

Our cybersecurity risk management strategy sets forth guidelines on information security, control and monitoring to adequately protect our information assets regarding integrity, availability and confidentiality of information included in our IT systems and other resources. We adopted processes for the management of risks deriving from cybersecurity threats, which are documented in our information security policy.

We apply cybersecurity solutions and procedures to ensure the most appropriate and applicable handling, collection and availability of data and information used in our corporate systems.

Our IT department is responsible for maintaining and fostering the implementation of our cybersecurity policy, as well as instructing users about the information security rules that are applicable to all, including those in our subsidiaries with a different IT environment, with greater or lesser integration with the rest of the organization.

As part of our risk management strategy, we engage an ISO 27001 and ISAE 3402 certified cybersecurity company to manage our cybersecurity controls and procedures. Moreover, we adopt the Control Objectives for Information Technologies framework, which is a framework created by the Information Systems Audit and Control Association for information technology management and IT governance. We continuously assess and oversee material risks deriving from cybersecurity threats associated with our third-party service providers.

In terms of cybersecurity processes and tools, we have a security operations center, an event correlation tool and a virus detection and reaction solution. We have also established committees and invest in multi-factor authentication solutions, user awareness and immutable backup solutions.

We conduct quarterly internal vulnerability analyses, together with our outsourced service provider, and annual penetration tests, together with external companies. Based on the gaps identified during the penetration tests, we prepare action plans to mitigate these risks. All information security events are recorded, addressed and presented monthly by our security operations center.

In recent years, we had no incidents that resulted in any type of service downtime, damage or data leak.

In December 2024, our Volta Redonda and Porto Real plants received the Trusted Information Security Assessment Exchange, or TISAX, certification, which is an assessment and exchange mechanism for the information security of enterprises that allows recognition of assessment results among the participants. The TISAX certification is valid for three years.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management strategy sets forth guidelines on information security, control and monitoring to adequately protect our information assets regarding integrity, availability and confidentiality of information included in our IT systems and other resources.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] We Operate — Failures in or interruptions to our telecommunications, information technology systems or automated machinery could adversely affect us” and “— Unauthorized access to or release or violation of our or our business partners’ systems and data could materially and adversely affect us.”
Cybersecurity Risk Board of Directors Oversight [Text Block] Governance

We have an information security work group that comprises our information technology team and our risk and compliance teams. All relevant threats and risks are reported to our audit committee. Our audit committee holds regular meetings that focus on ensuring compliance with the responsibilities set forth in applicable law and the audit committee’s operating policy. Our audit committee decides on the engagement of consultants, counsel, accountants, experts and other external professionals, as required, to assist it in the performance of its duties.

We assess our strategic, operating, financial and regulatory risks through our audit, risks and compliance executive board. Accordingly, our main risk factors, including risks derived from cybersecurity threats, are consolidated every two years and assessed in terms of chance of occurrence and potential impacts to us. Based on this mapping, the business departments responsible for the management of the risks involved in the relevant processes implement action plans to mitigate these risks and avoid significant impacts.

Our cybersecurity policy is also implemented in all our Brazilian subsidiaries. Our international subsidiaries are responsible for implementing cybersecurity controls in compliance with their respective local laws and regulations. For more information see “Item 3. Key Information—3D. Risk Factors—Risks Relating to Us and the Industries in Which We Operate — Failures in or interruptions to our telecommunications, information technology systems or automated machinery could adversely affect us” and “— Unauthorized access to or release or violation of our or our business partners’ systems and data could materially and adversely affect us.”

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] We have an information security work group that comprises our information technology team and our risk and compliance teams. All relevant threats and risks are reported to our audit committee.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our audit committee holds regular meetings that focus on ensuring compliance with the responsibilities set forth in applicable law and the audit committee’s operating policy.
Cybersecurity Risk Role of Management [Text Block] We assess our strategic, operating, financial and regulatory risks through our audit, risks and compliance executive board. Accordingly, our main risk factors, including risks derived from cybersecurity threats, are consolidated every two years and assessed in terms of chance of occurrence and potential impacts to us.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our audit committee decides on the engagement of consultants, counsel, accountants, experts and other external professionals, as required, to assist it in the performance of its duties.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Based on this mapping, the business departments responsible for the management of the risks involved in the relevant processes implement action plans to mitigate these risks and avoid significant impacts.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true