Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Risk Management and Strategy

Our cybersecurity risk management program includes development, implementation and improvement of policies and procedures to safeguard confidentiality, integrity and availability of information and critical data and systems (“cybersecurity risk management program”), to ensure regulatory, contractual and operational compliance.

Our cybersecurity risk management program identifies cybersecurity risks, and evaluates their nature and severity, as well as identifies mitigations and assesses the impact of those mitigations on residual risk. The cybersecurity risk management program consists of our information security policy, guidelines and standards.

Our cybersecurity risk management program was developed in accordance with, and aligned to, international standards, best practices and worldwide frameworks such as the International Organization for Standardization (ISO) 27001 and the National Institute of Standards and Technology Cyber Security Framework (NIST) SP 800-53, among others, reflecting our commitment to upholding the highest benchmark of information security and resilience.

We utilize policies, processes, software, training programs and hardware solutions to protect and monitor our environment on all critical systems, firewalls, intrusion detection and prevention systems, vulnerability and penetration testing, multifactor authentication, antimalware, patch-management, identity management systems and access control solutions.
We also carry insurance that provides protection against the potential losses arising from a cybersecurity incident.

We have a Cyber Incident Response Plan (“CIRP”) which coordinates the activities to prepare for, detect, respond to and recover from cybersecurity incidents while ensuring business continuity, including processes to triage, assess severity for, escalate, contain, investigate and remediate the incident, as well as to comply with potentially applicable legal obligations. Our CIRP facilitates cross-functional coordination across the Company.

Our cybersecurity team periodically conducts risk and control evaluations and tests to identify threats and vulnerabilities, and then determines the likelihood and impact for each risk using a qualitative risk assessment methodology. Risks are identified from various sources, including vulnerability scans, penetration tests, vendor risk assessments and internal compliance assessments. We monitor our infrastructure and applications to identify evolving cyber threats, scan for vulnerabilities and mitigate risks.

Our cybersecurity risk management program further includes review and assessment by external, independent third parties, who assess and report on our cybersecurity program and internal incident response preparedness, and help identify areas for continued focus and improvement.

We conduct continuous internal cybersecurity audits that report directly to the board’s audit committee, while independent evaluations, including audits from FEMSA and The Coca-Cola Company, offer critical insights into our maturity and security status.


We verify and evaluate the security measures and controls of our vendors and suppliers, and we continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with such vendors and suppliers.

In an effort to detect and defend against cyber threats, we annually provide our employees with various cybersecurity and data protection training programs, as well as security awareness education and training.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our cybersecurity risk management program includes development, implementation and improvement of policies and procedures to safeguard confidentiality, integrity and availability of information and critical data and systems (“cybersecurity risk management program”), to ensure regulatory, contractual and operational compliance.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The CISO presents updates to the audit committee quarterly and, as necessary, to our board of directors. These regular reports include detailed updates on our cybersecurity strategy, priorities and the company’s performance preparing for, preventing, detecting, responding to and recovering from cyber incidents. The CISO also promptly informs and updates our board of directors about any information security incidents that may pose significant risk to us. Our program is periodically evaluated by external experts, and the results of those reviews are reported to the audit committee.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] audit committee of our board of directors, a cybersecurity steering committee (“cybersecurity committee”)
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our CISO reports directly to the audit committee or the board of directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues.
Cybersecurity Risk Role of Management [Text Block]
Our cybersecurity risk management program benefits from oversight by various governance entities, including the audit committee of our board of directors, a cybersecurity steering committee (“cybersecurity committee”), and a chief information security officer (“CISO”) who leads our cybersecurity strategy. Such program is supervised by our CISO, who reports directly to our chief financial officer and also reports functionally to our chief information officer. The CISO and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes.


Our CISO has extensive experience in cybersecurity and information security, working since 2002 in different roles such as CISO, cybersecurity operation director, cybersecurity architect, information risk manager, defining, assessing, and managing cybersecurity programs and cybersecurity risks and operations. Our CISO has a Bachelor’s degree in Information Systems (ITESM), diplomas in Business Administration (IPADE) and Information Security (ITESM), and certain diplomas, postgraduate studies and recognized international certifications in Information Security. Our CISO reports directly to the audit committee or the board of directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues.
The CISO chairs our cybersecurity committee, a cross-functional management committee that drives awareness, ownership and alignment across broad governance and risk stakeholder groups for effective cybersecurity risk management. The cybersecurity committee is sponsored by several members of the senior leadership team and is comprised of members from our legal, information technology, cybersecurity, commercial, finance, manufacturing and human resources functions, among others. Subject matter experts are also invited, as appropriate. The cybersecurity committee meets at least quarterly and has responsibility for oversight and validation of our cybersecurity strategic direction, risks and threats, priorities, resource allocation, capabilities and planning.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Our cybersecurity risk management program benefits from oversight by various governance entities, including the audit committee of our board of directors, a cybersecurity steering committee (“cybersecurity committee”), and a chief information security officer (“CISO”) who leads our cybersecurity strategy.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our CISO has extensive experience in cybersecurity and information security, working since 2002 in different roles such as CISO, cybersecurity operation director, cybersecurity architect, information risk manager, defining, assessing, and managing cybersecurity programs and cybersecurity risks and operations.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] Such program is supervised by our CISO, who reports directly to our chief financial officer and also reports functionally to our chief information officer. The CISO and his team are responsible for leading enterprise-wide cybersecurity strategy, policy, standards, architecture and processes.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true