Cybersecurity
Cybersecurity strategy

The Information Technology and Systems Department designs and implements our cybersecurity strategy based on the NIST Cybersecurity Framework (National Institute of Standards and Technology). This framework sets out a methodology focused on reducing risks associated with cyber threats that could compromise data security and operational continuity.
Our Cybersecurity Framework is structured around a set of core functions organised hierarchically. These functions provide a high-level framework for organising essential cybersecurity activities and reducing risk to acceptable levels.
Cybersecurity governance
Leadership in these matters shall be the responsibility of the Director/Manager of the respective Business Unit within Aleatica, who shall observe and fully comply with the Cybersecurity Framework.
SCC: Strategic Cybersecurity Committee
Cybersecurity Officer
TCIT: Tactical Cybersecurity Incident Team
CIRG: Cybersecurity Incident Response Group
Cybersecurity training
In 2024, using Aleatica Mexico’s institutional videoconferencing system, we delivered three webinars to all employees on the following topics:
The webinar explored the evolution of these threats, the importance of protecting credentials to prevent cyberattacks, and how oversharing on social media can facilitate identity theft.
Participants learned about the attackers’ strategies and why scepticism and vigilance were key defences.
This session examined the importance of solid information management policies and cultivating a security-aware culture.
Cybersecurity incident notification process
If a possible violation of data protection guidelines is identified or suspected, the Data Protection Department is notified so that it can act within its management and responsibility.
Cybersecurity Contingency / Business Continuity Plans (BCP)
In 2024, we verified that all Business Units and corporate centres correctly managed their DRPs.
In the event of a cyber incident, we follow standardised protocols, supported by a tiered communication matrix, operational guides, and tools that help classify the severity and impact of the incident, define the appropriate treatment, determine reporting requirements and escalation protocols, and log incidents via the IT Help Desk (MAS for its acronym in Spanish). These protocols and tools are tested and improved after every incident or threat to ensure their effectiveness.
Cybersecurity vulnerability analysis
We have partnered with CYE, a cybersecurity firm and strategic ally of our controlling shareholder, to implement four key services: cyber resilience, incident response, attack simulations and infrastructure defence, and threat identification. These services involve ethical hacking (penetration testing) to:
In addition, we conduct quarterly proactive vulnerability scans on all IT-managed resources that support key administrative systems, such as email, corporate and Business Unit websites, database servers, antivirus tools, and digital credential management systems.
Cybersecurity performance
We conducted five cybersecurity webinars with a total of 590 team members participating, totalling 1,627 hours of training.
We successfully completed a cybersecurity certification course for 100% of non-operational administrative positions in the Business Units and corporate offices. A total of 407 team members were certified.
87% of Business Units increased or maintained their cybersecurity maturity level.