Risk Management

Cybersecurity risks are managed through a dynamic and iterative process, reflecting the evolving landscape of cyber threats. Our risk management framework includes the identification of potential threats, assessment of vulnerabilities, and the implementation of strategic defenses tailored to protect our critical assets. We leverage advanced technology solutions, including data loss prevention (DLP) tools, endpoint monitoring, and intrusion detection systems, such as sensors and hardware or software protection controls against malicious code, to safeguard our network and data against unauthorized access and cyber threats. We manage and monitor access control (whether physical or logical) to information and assets, as well as their storage, sharing and disposal, so that only authorized personnel can use them under rules, permissions, profiles, or corporate policies. Regular security audits and penetration testing form a critical part of our risk evaluation, enabling us to strengthen our defenses continuously. We also contract cybersecurity companies with industry-recognized expertise on cybersecurity matters to assess cybersecurity risks relating to our service providers and suppliers.

Our information security committee oversees the risks and activities of our information security departments (GRC, Cyber and AppSec) and is responsible for: (i) ensuring the integrity, availability, confidentiality, and authenticity of the Company’s information; (ii) managing and providing visibility to internal and external issues that may affect the Company’s business regarding information security; (iii) proposing policies, standards, and general procedures related to information security; (iv) supporting the identification and management activities of specific security risks; (v) establishing guidelines and fronts within the Company in information security initiatives, offering the necessary governance to manage the discipline; (vi) aligning institutional and IT objectives with information security; (vii) monitoring and proposing action plans to ensure the management of information security-related topics; (viii) complying with current regulations related to information security topics; (ix) enabling, defining, proposing, and approving the technical, material, and financial resources necessary for the implementation of prevention, control, and mitigation actions guided by this committee; (x) analyzing and approving contracts classified as relevant, according to current regulations; (xi) analyzing infractions related to relevant incidents committed by professionals of the Company for validation of the appropriate disciplinary measure; (xii) appointing the CISO; (xiii) defining communication and response models in case of incidents related to data leakage and information security, with financial, image, and/or reputational impact; (xiv) defining the strategies, plans, and actions to ensure, support, and meet the Business Continuity Management System Program, ensuring its quality, effectiveness, and compliance during crisis management scenarios; and (xv) defining the general rules regarding the organization, functioning, and structuring of the Information Security Committee’s activities.