Cybersecurity

There is no such thing as zero cybersecurity risk, and our first line of defence is people. Therefore, our cybersecurity strategy must begin with training activities for Aleatica associates.

Cybersecurity strategy

The Information Technology and Systems Department designs and implements our cybersecurity strategy based on the NIST (National Institute of Standards and Technology) Cybersecurity Framework. This framework sets out a methodology focused on reducing the risks associated with cyber threats that could compromise data security and operational continuity.

Our Cybersecurity Framework is structured around a set of core functions organised hierarchically. These functions provide a high-level framework for organising essential cybersecurity activities and reducing risk to acceptable levels.

In 2024, we reviewed and updated this structure, and in 2025, we expect the Executive Committee to approve the new version for implementation across all operations.

Cybersecurity governance

Leadership in these matters shall be the responsibility of the Director/Manager of the respective Business Unit within Aleatica, who shall observe and fully comply with the Cybersecurity Framework.

The governance structure comprises the following bodies:

SCC – Strategic Cybersecurity Committee
Cybersecurity Officer
TCIT – Tactical Cybersecurity Incident Team
CIRG – Cybersecurity Incident Response Group

At each Aleatica Business Unit, the Unit Director/Manager is required to lead compliance with the Cybersecurity Framework.

Cybersecurity training

Through Aleatica’s videoconferencing system, five webinars were conducted in 2024 for all global staff on the following matters:

In today’s digital age, our digital identity is crucial for interactions, transactions and administrative procedures, but it also exposes us to risk.

The webinar explored the evolution of these threats, the importance of protecting credentials to prevent cyberattacks, and how oversharing on social media can facilitate identity theft.

As cyber threats evolve, we explored how phishing and other social engineering tactics have become more sophisticated through generative AI.

Participants learned about attackers’ strategies and why scepticism and vigilance are key defences.

In an increasingly digital world, safeguarding sensitive information is essential for privacy and business integrity.

This session examined the importance of solid information management policies and cultivating a security-aware culture.

Cybersecurity incident notification process

1. Internal or external employees who suspect or are the subject of a cybersecurity threat or event must report it to the Systems Help Desk (MAS for its acronym in Spanish) by email or telephone.

2. Each cybersecurity event or incident is assigned a ticket number, under which the department investigates it and provides a solution.

3. If a possible violation of data protection guidelines is identified or suspected, the Data Protection Department is notified so that it can act within its remit and responsibility.

Cybersecurity Contingency / Business Continuity Plans (BCP)

Our BCPs identify critical processes that can be partially restored using contingency mechanisms—whether manual or technological—in the event of a disruption, including cyber incidents. These are detailed in each Disaster Recovery Plan (DRP), applicable to both Business Units and corporate operations.

In 2024, we verified that all Business Units and corporate centres correctly managed their DRPs.

In the event of a cyber incident, we follow standardised protocols supported by a tiered communication matrix, operational guides, and tools that help classify the severity and impact of the incident, define the appropriate treatment, determine reporting requirements and escalation protocols, and log incidents via the IT Help Desk (MAS for its acronym in Spanish). These protocols and tools are tested and improved after every incident or threat to ensure their effectiveness.

Cybersecurity vulnerability analysis

We have partnered with CYE, a cybersecurity firm and strategic ally of our controlling shareholder, to implement four key services: Cyber resilience, incident response, attack simulations and infrastructure defence, and threat identification. These services involve ethical hacking (penetration testing) to:

Find vulnerabilities and work on their remediation.

Increase the cybersecurity knowledge and technical skills of the IT team and of staff assigned to cybersecurity tasks.

CYE has a 24/7 response team in place – following best practices – so that any cybersecurity attacks or incidents at Aleatica can be promptly addressed.

Additionally, quarterly vulnerability identification and proactive remediation are performed on the technological resources managed by the IT department, which provide most of the computing services for staff administrative tasks, such as e-mail, corporate and Business Unit websites, database and corporate system servers, antivirus, and digital credential management and authentication for customers.

Cybersecurity performance

We conducted five cybersecurity webinars with a total of 1,125 team members participating, totalling 3,087 hours of training.

We successfully completed a cybersecurity certification course for 99% of non-operational administrative positions in the Business Units and corporate offices. A total of 935 team members were certified.

87% of Business Units increased or maintained their cybersecurity maturity level.

Aleatica has not experienced any data breaches.