Buenaventura has implemented a cybersecurity program based on technological risks, supported by an assessment and estimation of the maturity level according to the controls outlined in the NIST CSF framework. As a result of the program, a corporate strategy has been established based on 4 central pillars that address the main cybersecurity capabilities necessary in the current cyber threat landscape: Improving cybersecurity governance, continuous risk management, strengthening a cybersecurity culture and, finally, a cybersecurity strategy to reinforce the protection of critical assets while improving detection capabilities and ensuring a timely response to cyber incidents.

​

It should be noted that, as part of this program, a periodic update of the maturity level assessment is planned. This update is provided by a specialized vendor to offer a third-party perspective on the program and strategy evolution.

​

Likewise, for each pillar, a set of measures and controls has been established to improve protection against cyber threats, as well as to ensure proper management of the cybersecurity program and strategy within the organization. The following are some of the capabilities currently in place:

​

To improve cybersecurity governance, a general information security and cybersecurity policy has been established, along with a set of rules and procedures that serve as a general framework for protecting the organization’s assets. This framework safeguards their confidentiality, integrity and availability, while ensuring the trust of the main stakeholders. In addition, a procedure has been put in place for the identification and classification of information assets.

​

Risk management includes a methodology for assessing and addressing information security and cybersecurity risks. Through external consulting, operational cybersecurity risks that pose a threat to the company are identified. Based on the SWOT analysis, along with impact and probability assessments, three major cybersecurity risks were identified. A roadmap was created for each risk to address and mitigate its impact on our information and operations.

​

Regarding the cybersecurity culture, an information security and cybersecurity awareness plan has been established, formalizing the activities to be carried out as part of the training and awareness efforts for Buenaventura’s employees and vendors on cybersecurity matters. Likewise, the periodic carrying out of social engineering tests has been defined to assess our personnel’s capabilities to detect and report potential cyber threats that could compromise the organization’s critical assets.

​

As part of the cybersecurity strategy implemented within the company, the protection of critical assets has been strengthened. In addition, various cybersecurity solutions and products have been implemented at both the perimeter and internal levels to improve Buenaventura’s capabilities to prevent, detect and minimize the impact of any cyber incident or threat. The information recovery process has been strengthened to minimize data loss and system downtime in the event of a total disaster. Finally, as part of the capability improvement, a Cybersecurity Operations Center (SOC) has been implemented to provide continuous monitoring and management of cybersecurity alerts for Buenaventura’s network and infrastructure, aiming for early detection of potential threats. Likewise, a general cyber incident response plan has been defined, along with a set of operational procedures for the main types of threats based on the current landscape. These establish the basis for an appropriate and effective response to cyber incidents, with the aim of minimizing their potential impact. Lastly, annual tests are performed to validate the effectiveness of the controls and as part of the continuous improvement process.