We have built and continue to evolve processes for assessing, identifying, and managing material risks from cybersecurity threats. We have embedded the oversight and management of cybersecurity risk within our enterprise risk management framework to help drive a company-wide culture of cybersecurity risk management, and we have established policies and procedures as well as a reporting line of governance that guide our cybersecurity risk management program.

We maintain a cybersecurity infrastructure to safeguard our operations, networks and data through comprehensive security measures including our technology tools, internal management and external service providers. Our processes for assessing, identifying and managing material risks from cybersecurity threats are integrated into our risk management system. We use a variety of tools and processes to collect relevant data and identify, monitor, assess and manage material cybersecurity risks. The Group has adequate management of security incidents, a strategy for dealing with and governing cybersecurity risks through the following elements:

Our Corporate Chief Information Officer, Mauricio Alvarez (“CIO”) is also responsible for assessing, identifying, and managing the risks from cybersecurity threats. Our CIO has significant experience in information technology and many of our information technology team members hold qualifications in technology security positions. Our CIO, together with our security team members, reviews emerging threats, controls, and procedures as part of assessing, identifying, and managing risks. Risks identified by our cybersecurity program are analyzed to determine the potential impact on us and the likelihood of occurrence. Such risks are continuously monitored to ensure that the circumstances and severity of such risks have not changed.

The team in charge of the Group’s Cybersecurity is made up of:

We provide cybersecurity awareness training to our employees which is designed to provide guidance for identifying and reporting cybersecurity risks and to promote familiarity with our cybersecurity policies. We also use internal communications to promote awareness and conduct phishing exercises and provide training to employees. In addition, we engage independent third parties on an as-needed basis to assess our cybersecurity capabilities. The results of these assessments are shared with our Information Security Committee.

Our board of directors oversees management’s approach to managing cybersecurity risks as part of its risk management oversight. Our board of directors holds periodic discussions with management regarding our guidelines and policies with respect to cybersecurity risks and receives regular reports from the CIO regarding such risks and the steps management has taken to monitor and control any exposure resulting from such risks.

During 2024, we experienced an increase in the number of phishing attacks where some users executed links or attachments. These activities were mitigated in a timely manner. None of these incidents has significantly affected, nor is it reasonably likely to significantly affect, the Group or our business strategy, operating results, or financial condition.

Third-party vendor agreements include confidentiality obligations and specify data elements that the third party has access to, how the third party protects the data, and procedures for the return or destruction of protected data. The vendors/third parties also must report all cybersecurity incidents immediately to the Company’s responsible functional manager and to the Director of Information Technology. All relevant third parties are required to provide a SOC 1 Type II report which is monitored and reviewed by the company. We evaluate any potential risks or deviations communicated within these reports.

However, we cannot guarantee any future events will not affect our operations or customers. We are constantly seeking to improve and strengthen our security strategy by aligning it with Security Frameworks and Best Practices such as NIST CSF and ISO 27000.

Our Corporate Chief Information Officer, Mauricio Alvarez (“CIO”) is also responsible for assessing, identifying, and managing the risks from cybersecurity threats. Our CIO has significant experience in information technology and many of our information technology team members hold qualifications in technology security positions. Our CIO, together with our security team members, reviews emerging threats, controls, and procedures as part of assessing, identifying, and managing risks. Risks identified by our cybersecurity program are analyzed to determine the potential impact on us and the likelihood of occurrence. Such risks are continuously monitored to ensure that the circumstances and severity of such risks have not changed.