Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
RISK MANAGEMENT AND STRATEGY

As a global mining company, we face various cyber threats, including ransomware attacks, theft of restricted information and digital fraud. These threats can lead to financial losses, damage to our reputation, and harm to our employees and third parties. We manage these cyber risks as part of our overall risk management process.

Our overall enterprise risk management (ERM) process integrates assessing, identifying, and managing cybersecurity-related risks. If the ERM process identifies a heightened cybersecurity-related risk, we assign risk owners to develop and track risk mitigation plans. We use several tools to monitor risks, including key risk indicators (KRIs) and independent assessments of critical controls by specialized teams. In the event of a cyber incident, we follow our cyber incident response playbook, which outlines the steps for detection, mitigation, recovery, and notification, including procedures for informing relevant internal groups and the Board of Directors as needed.

Our Cybersecurity Risk Management practice is founded on internationally recognized cybersecurity frameworks such as the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework), ISO 27001 and ISA/IEC 62443. The practice includes the processes described below.
Identification of what we have, what we do and what is important:
• We understand the business context and the assets that support essential functions.
• We regularly assess cyber risks internally and their potential impacts on the company and, every two years, undergo a risk assessment by an independent, specialized third party based on the NIST CSF.
• We maintain an up-to-date inventory of technology assets, such as applications, data, servers, network components, third-party services and others.
Protecting technology assets (both Information Technology and Operational Technology) to prevent or limit cyber incidents:
• We apply an identity and access management process with Multi-Factor Authentication.
• We provide cybersecurity training and education for employees and contractors, focusing on cyber risk and good cyber behavior, such as identifying malicious emails and correctly classifying information to protect data confidentiality.
• We provide communication channels for employees and contractors to report incidents, vulnerabilities and activities related to cybersecurity.
• We adopt network segmentation with strategic placement of network firewalls, intrusion prevention systems, and demilitarized zones for added security.
Early detection of cyber incidents through:
• Our Security Operations Center, which operates 24/7/365 and continuously monitors our digital environment by analyzing billions of telemetry events to detect system anomalies.
• A modern Endpoint Detection and Response (EDR) platform on our workstations and servers, combined with a managed detection and response service provided by the Security Operations Center.
• Regular vulnerability assessments across various technology layers, independent third-party penetration tests, and attack surface management practices.
• A dedicated cybersecurity team that combines the best of in-house resources with the expertise of external partners specialized in the field.
Responding effectively to cyber incidents to significantly contain their impact:
• We maintain a robust cyber incident response plan by:
  – Keeping cyber incident response procedures up to date, as well as technology system recovery plans for business continuity.
  – Conducting cyber incident simulations for operational, tactical, and executive audiences to educate and better prepare for a real cyber incident.
  – Integrating the cyber incident response plan with the organization’s corporate Crisis Management process and a corporate Cyber Crisis Committee formed by areas such as Legal, Privacy, Communications, Internal Controls, Investor Relations, and other business areas.
  – Managing the materiality of cyber incidents within the corporate Cyber Crisis Committee, keeping our Executive Committee and our Board of Directors informed, and disclosing to the public when applicable.
Recovering affected systems and restoring their capabilities to operation:
• We conduct regular tests of our recovery plans to ensure the restoration of technology assets when needed.
We also engage specialized third-party cybersecurity companies to evaluate the structure of the cyber program, test the effectiveness of our processes and provide targeted training to our workforce. Our cybersecurity risk management processes extend to the oversight and identification of cybersecurity risks arising from our association with third-party service providers. Our risk management program includes risk assessments of third parties that want to provide services to us, their contractual commitment to comply with our baseline of security controls, and their cyber rating as performed by an independent security rating platform. We also share and receive cyber and threat intelligence insights with our industrial base peers and are a member of the Metals and Mining Information Sharing and Analysis Center (ISAC).

Our plans aim to enhance our cybersecurity program by constantly staying abreast of emerging threats and adapting to evolving technologies. Over the past three years, our business strategy, results of operations and financial position have not been materially impacted by risks from current and past cybersecurity threats. However, we cannot assure that they will not be materially affected by future cybersecurity threats or incidents.
Cybersecurity Risk Board of Directors Oversight [Text Block]
GOVERNANCE

Our Board of Directors primarily oversees the management of cybersecurity threat risks. To fulfill this responsibility, the Board relies on the support of the Audit and Risks Committee. The Audit and Risks Committee is responsible for advising the Board of Directors regarding the risk management strategy, including the analysis of corporate policies on this topic and risk appetite guidelines, as well as Vale’s integrated risk map. The Audit and Risks Committee also assesses the effectiveness and adequacy of controls and risk management systems, and regularly receives reports on cyber risks from our Corporate Risk Department.

Our Executive Committee is supported by five advisory committees, including the Executive Risk Committee, which focuses on strategy, finance, and cyber risks. The main responsibilities of these advisory committees are to support our Executive Committee in monitoring risks, make preventive recommendations regarding potential risks presented at the committees’ meetings, and submit them for the approval of the Executive Committee. Our Chief Information Security Officer leads our cybersecurity function and is responsible for our overall information security strategy, policy, threat detection and response. The Chief Information Security Officer provides a comprehensive cyber risk update to our Audit and Risks Committee and our Executive Risk Committee; this update covers an independent assessment of our cybersecurity program based on the NIST Cybersecurity Framework, as well as our cyber posture, as evaluated by an independent cybersecurity rating platform. The committees are briefed on cyber incidents considered to have a moderate or greater business impact, even if they are not material to us.