Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2024 |
---|---|
Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Risk Management and Strategy
Cementos Pacasmayo considers risk management to be a fundamental pillar of its strategy. The Company therefore evaluates threats and vulnerabilities, identifies its critical assets and quantifies the associated risk at least twice a year or sooner if warranted. Identified risks are confirmed by senior management to determine whether, due to their importance, they should be considered strategic risks, and different remediation or mitigation mechanisms relating to such risks are evaluated. For example, cybersecurity risks have been evaluated and determined to be strategic risks for the following reasons:
Cementos Pacasmayo’s cybersecurity strategy is based on the NIST 1.1 framework. Specifically, when referring to the identification and management of cybersecurity risks and threats that could compromise the Company, Cementos Pacasmayo has developed a methodology for risk management of information security based on ISO/IEC 27005. This systematic method allows the Company’s management to make appropriate decisions. Based on this and as part of our focus on the continuous improvement of information security in the company, during 2024 an internal audit was carried out to evaluate our Information Security Management System (ISMS) based on the guidelines and controls of ISO27001, as well as the respective external audit, which allowed us to obtain the ISO27001:2022 certification for our cement production and distribution process issued by AENOR, being the first cement company in Peru to obtain this certification. The Company identifies and oversees risks internally. The audit committee of the Company has defined what a material cybersecurity risk is, so that the occurrence of a cybersecurity incident can be reported to the SEC. During 2024, Cementos Pacasmayo did not identify any threats that materially affected, or were reasonably likely to materially affect, its business strategy, results of operations or financial condition. As part of our information security policies, we have established the standards for access to and use of our information systems by employees or by third parties. In addition, we have established a new policy specifically relating to the access to and use of our information systems by third parties, which sets forth the conditions any third party must comply with in order to have any access to our information systems, which are being progressively incorporated into contracts with suppliers that are subject to these guidelines. 
Finally, twice a year we run ethical hacking and pen-testing to evaluate our risks and vulnerabilities, and we have engaged an ethical hacking service which runs automatically when we perform spot exercises in our information systems (in-house and third-party solutions). However, despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, see “Item 3D. Risk Factors—Risks Relating to Our Business and Industry—Failures in our information technology systems and information security (cybersecurity) systems can adversely impact our operations and reputation.”
Governance
Role of the Board
The Board, in coordination with the Audit Committee, which is the corporate body in charge of centralizing corporate risks, oversees the Company’s risk management program, which includes risks arising from cybersecurity threats. The Audit Committee meets quarterly and reviews the corporate risk matrix in detail, including cybersecurity risks. At each regularly scheduled Board meeting, the Audit Committee Chair provides the full Board with an update on all significant matters discussed, reviewed, considered and approved by the committee since the last regularly scheduled. Additionally, the Audit Committee is promptly apprised of any cybersecurity incident that meets established reporting thresholds, and receives ongoing updates regarding any such incident until it has been resolved. We have established a Policy for Response to Cybersecurity Incidents, and a related plan, which includes four playbooks (covering ransomware, phishing, DOS and malware) on how to respond to each type of incident and the specificities to communications matters, to our legal, compliance, risk management and audit committee.
This policy and these plans are part of our Disaster Recovery Plan (DRP) which is also part of our Business Continuity Plan (BCP). |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | During 2024, Cementos Pacasmayo did not identify any threats that materially affected, or were reasonably likely to materially affect, its business strategy, results of operations or financial condition. |
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
Cybersecurity Risk Management Third Party Engaged [Flag] | true |
Cybersecurity Risk Board of Directors Oversight [Text Block] | Role of the Board
The Board, in coordination with the Audit Committee, which is the corporate body in charge of centralizing corporate risks, oversees the Company’s risk management program, which includes risks arising from cybersecurity threats. The Audit Committee meets quarterly and reviews the corporate risk matrix in detail, including cybersecurity risks. At each regularly scheduled Board meeting, the Audit Committee Chair provides the full Board with an update on all significant matters discussed, reviewed, considered and approved by the committee since the last regularly scheduled. Additionally, the Audit Committee is promptly apprised of any cybersecurity incident that meets established reporting thresholds, and receives ongoing updates regarding any such incident until it has been resolved. We have established a Policy for Response to Cybersecurity Incidents, and a related plan, which includes four playbooks (covering ransomware, phishing, DOS and malware) on how to respond to each type of incident and the specificities to communications matters, to our legal, compliance, risk management and audit committee. This policy and these plans are part of our Disaster Recovery Plan (DRP) which is also part of our Business Continuity Plan (BCP). |
Cybersecurity Risk Role of Management [Text Block] | Role of Management
Senior management is highly committed to maintaining corporate cybersecurity, and is cognizant of cybersecurity risks and threats and the potential impact of the occurrence of cybersecurity incidents, which is evidenced by the review and oversight of such matters by the audit committee and the cybersecurity subcommittees, and has provided the necessary resources for the mitigation of such risks. In addition to the audit committee at the Board level, we also have two cybersecurity subcommittees (IT & OT), each of which meets quarterly, with the presence of the Company’s senior executive officers. All participants in the subcommittee meetings receive a copy of the presentation for each meeting, which sets forth the applicable subcommittee’s role, strategy, project status (culture, risks, IT/OT and policies) and relevant information (our key performance metrics and POCs on cybersecurity technology, cybersecurity lab results, etc.), and meeting minutes, which include a summary of the information to be discussed and the principal action points. In 2024, the Information Security Department was established as an independent Information Technology department, reporting directly to the Chief Financial Officer (CFO), with the goal of providing it with the autonomy and strategic position it deserves. The Chief Information Security Officer (CISO) is primarily responsible for overseeing, maintaining, and improving our cybersecurity strategy. He also leads our two cybersecurity subcommittees (IT and OT) and works closely with the Technology, Human Resources, Legal and Compliance, Operations departments, among others. He also has over eight years of experience managing and leading cybersecurity projects and holds the following certifications:
All of Cementos Pacasmayo’s senior executive officers have been trained in cybersecurity matters and are the main promoters of our corporate cybersecurity culture and compliance with the established internal framework, which includes policies, guidelines and cybersecurity standards, among others. |
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Senior management is highly committed to maintaining corporate cybersecurity, and is cognizant of cybersecurity risks and threats and the potential impact of the occurrence of cybersecurity incidents, which is evidenced by the review and oversight of such matters by the audit committee and the cybersecurity subcommittees, and has provided the necessary resources for the mitigation of such risks. |
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Senior management is highly committed to maintaining corporate cybersecurity, and is cognizant of cybersecurity risks and threats and the potential impact of the occurrence of cybersecurity incidents, which is evidenced by the review and oversight of such matters by the audit committee and the cybersecurity subcommittees, and has provided the necessary resources for the mitigation of such risks. In addition to the audit committee at the Board level, we also have two cybersecurity subcommittees (IT & OT), each of which meets quarterly, with the presence of the Company’s senior executive officers. |