Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy

Cybersecurity risk management is overseen both as a critical component of our overall risk management program and as a standalone program. We have implemented a risk-based, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents, while also implementing controls and procedures that provide for the prompt escalation of certain cybersecurity incidents so that decisions regarding the public disclosure and reporting of such incidents can be made by management in a timely manner.

We assess, identify, and manage risks from cybersecurity threats through various mechanisms. First, employees in our cybersecurity department monitor cybersecurity risks and incidents by analyzing certain key indicators on a monthly basis. These key indicators are gathered from various sources, including our cybersecurity reporting channel, through which anonymous reports may be made, reports submitted via email or our incident registration portal (ticketing system), and our third-party Security Operations Center (SOC) services. Any material developed by and furnished to our Cybersecurity Executive Committee is also used as evidence in our external audits required by Section 404 of the Sarbanes-Oxley Act.

We have a Cybersecurity Incident Response Plan to provide the organizational and operational structure, processes, and procedures for investigating, containing, documenting and mitigating cybersecurity incidents, and providing a coordinated response across all our cybersecurity areas to any such incidents.

Upon the occurrence of an incident, our cybersecurity team assesses its scope and origin, collects data, determines the risk level and, depending on how critical the incident is deemed, gathers additional forensic data and images, analyzes logs and volatile data, checks the incident timeline, and looks for any related threats. Once the analysis is concluded, we take immediate action to contain the risk from further spread and adopt the appropriate short- and medium-term measures to make sure the incident does not happen again, in accordance with the Cybersecurity Incident Response Plan.

Cybersecurity risks and incidents are reported at the quarterly meetings of our Cybersecurity Executive Committee. In case of a material incident, the Cybersecurity Executive Committee must report this incident to the Finance and Risk Management Committee, which in turn must prepare an action plan and escalate to the Board of Directors depending on its severity. The Board of Directors must assess the risk and approve the action plan to be implemented by the cybersecurity team.

In addition, once a year, our Internal Audit Office conducts cybersecurity audits. This process is part of our financial management and international audits and is submitted for approval by the Audit and Integrity Committee. The audit is conducted by internal auditors with expertise in information technology with the support of external advisors, in particular with respect to complex technical issues such as vulnerability and intrusion tests.

We also regularly review and assess our governance processes related to controls of third parties with whom we share data, including our main business partners. This process is conducted via internal audits or independent reviews to identify improvements and vulnerabilities. At the end of the audit, we prepare system and organization controls, or SOC, reports to make sure we are following best cybersecurity governance practices.

Besides conducting risk management process audits and preparing SOC reports in connection with our main IT partners, our cybersecurity department also (i) hires external advisors to perform periodic vulnerability tests, (ii) uses threat management tools to continuously monitor the cyber environment and (iii) regularly performs crisis management simulations together with the Risk Management, Internal Controls and Controllership Global Office.

We have a cybersecurity training and compliance program in place whereby our employees receive training and are tested routinely through simulated phishing attempts.

As of the date of this annual report, no risks from cybersecurity threats have materially affected, nor have we identified any specific risks from known cybersecurity threats that are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition. Please see “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Business and Industry—Breaches, disruptions or failures of our information technology systems, including as a result of cybersecurity attacks, could disrupt our operations and negatively impact our business and reputation.”

Cybersecurity Risk Management Processes Integrated [Flag] false
Cybersecurity Risk Management Processes Integrated [Text Block] We have implemented a risk-based, cross-functional approach to identifying, preventing and mitigating cybersecurity threats and incidents
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] As of the date of this annual report, no risks from cybersecurity threats have materially affected, nor have we identified any specific risks from known cybersecurity threats that are reasonably likely to materially affect, us, including our business strategy, results of operations or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]
Governance

Our cybersecurity department is responsible for identifying, managing and mitigating cybersecurity risks that may adversely affect the confidentiality, integrity and availability of our data. The cybersecurity strategy and plans to promptly mitigate any identified cybersecurity risks are prepared, assessed and monitored by the Risk Management, Internal Controls and Controllership Global Office in accordance with our Corporate Risk Management Policy.

The structure of our Risk Management, Internal Controls and Controllership Global Office includes:

(i) our Board of Directors, responsible for overseeing and monitoring risks reported by the Finance and Risk Management and the Audit and Integrity Committees, as further explained below in “—Risk Management and Strategy”;
(ii) the Finance and Risk Management Committee, which is an advisory committee for our Board of Directors, composed of directors and executive officers from our information technology, risk management and internal controls, compliance, legal and audit committee departments, and responsible among other things for assessing and monitoring risks and defining action plans, monitoring compliance with board recommendations, guaranteeing the implementation of an efficient risk management model and supervising its evolution, monitoring indicators and mitigation strategies, evaluating, at least annually, the risk management’s maturity evolution presented by the cybersecurity department and reporting such evolution to the Board of Directors, and guaranteeing an adequate structure of human and financial resources and systems involved in the risk management process;
(iii) the Audit and Integrity Committee, which is an advisory committee for our Board of Directors, responsible among other things for discussing risk evaluation and management policies and procedures, evaluating and monitoring risk exposure and monitoring action plans for risk mitigation and control; and
(iv) cybersecurity employees responsible for and with authority to manage cybersecurity risks, who must identify and systematically monitor such risks, timely report to the Finance and Risk Management Committee any events, occurrences or situations that may result in a cybersecurity threat, define and implement corrective or mitigating actions and monitor such actions, and implement and monitor key indicators.

Additionally, we have a Cybersecurity Executive Committee, which is formed by members of the cybersecurity department as well as executive managers from the Risk Management, Internal Controls and Controllership Global Office, including (i) the executive manager responsible for planning and executing cybersecurity and IT governance strategies, who has approximately sixteen years of experience in this field within our Company and has obtained a specialization in network management and system security as well as many certifications in this area, including Information Security Officer, ISO 27001, COBIT, ASM, ITIL and CLOUDF; and (ii) our Digital Transformation Director who has been dedicated to the technology area for the last thirty-five years within our Company. The Cybersecurity Executive Committee meets once every quarter to discuss cybersecurity risk indicators gathered, as discussed in “—Key Management and Strategy” below.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] our Board of Directors, responsible for overseeing and monitoring risks reported by the Finance and Risk Management and the Audit and Integrity Committees
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] the Finance and Risk Management Committee, which is an advisory committee for our Board of Directors, composed of directors and executive officers from our information technology, risk management and internal controls, compliance, legal and audit committee departments, and responsible among other things for assessing and monitoring risks and defining action plans, monitoring compliance with board recommendations
Cybersecurity Risk Role of Management [Text Block] guaranteeing the implementation of an efficient risk management model and supervising its evolution, monitoring indicators and mitigation strategies, evaluating, at least annually
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] the Audit and Integrity Committee, which is an advisory committee for our Board of Directors, responsible among other things for discussing risk evaluation and management policies and procedures, evaluating and monitoring risk exposure and monitoring action plans for risk mitigation and control
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] cybersecurity employees responsible for and with authority to manage cybersecurity risks, who must identify and systematically monitor such risks, timely report to the Finance and Risk Management Committee any events, occurrences or situations that may result in a cybersecurity threat, define and implement corrective or mitigating actions and monitor such actions, and implement and monitor key indicators.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] the executive manager responsible for planning and executing cybersecurity and IT governance strategies, who has approximately sixteen years of experience in this field within our Company and has obtained a specialization in network management and system security as well as many certifications in this area, including Information Security Officer, ISO 27001, COBIT, ASM, ITIL and CLOUDF; and (ii) our Digital Transformation Director who has been dedicated to the technology area for the last thirty-five years within our Company. The Cybersecurity Executive Committee meets once every quarter to discuss cybersecurity risk indicators gathered