Segurança da Informação
Cyber Security
KODS 2030
100% of direct and indirect employees included in the digital language necessary to support the cybersecurity culture, ensuring the protection of personal and company data
Percentage of direct and indirect employees included in the digital language
| Category | 2021 | 2022 | 2023 | 2024 | 2030 Goal |
|---|---|---|---|---|---|
| Total number of direct employees | 17,436 | 18,394 | 17,739 | 18,495 | |
| Total number of indirect employees | 2,723 | 2,200 | 2,400 | 4,686 | |
| Trained direct employees | 8,659 | 10,739 | 15,864 | 14,687 | |
| Trained indirect employees | 962 | 726 | 960 | 3,165 | |
| % of trained direct employees | 50% | 58% | 89% | 78% | 100% |
| % of trained indirect employees | 35% | 33% | 40% | 67% | 100% |
In 2024, Klabin continued its phishing simulation campaigns and enhanced its cybersecurity training by adopting a more robust platform featuring more challenging scenarios. It also reinforced the knowledge of its automation team with specific content developed for its needs. The topic was also included on the agenda of the Managers, Coordinators and Specialists Convention, and is continuously disseminated on the Minha Klabin (My Klabin) intranet page, raising awareness at different levels of the organization.
In 2024, there was a significant increase in the number of contractors trained compared to previous years. This variation was mainly due to a general strike at the Monte Alegre unit, which took place during the training period.
| Category | 2024 | 2023 | 2022 | 2021 |
|---|---|---|---|---|
| Number of complaints received from external parties and proven by the organization | 0 | 0 | 0 | 0 |
| Number of complaints from regulatory agencies | 0 | 0 | 0 | 0 |
| Total number of identified leaks, thefts, or losses of customer data | 0 | 0 | 0 | 0 |
In 2024, in line with previous years, Klabin did not record any incidents involving privacy breaches or losses of customer data.
The year 2024 saw an escalation in cyberattacks, which became increasingly sophisticated and unprecedented. The use of artificial intelligence by malicious agents increased the complexity of attacks, making detection and remediation processes even more challenging. This situation demanded redoubled attention from Klabin’s leaders, spurring the implementation of even more robust cyber risk management strategies.
Cybersecurity governance at Klabin is structured to support risk control and reduction initiatives and to preserve the confidentiality, integrity, availability and authenticity of information, based on an integrated view of the administrative and industrial environment.
Cybersecurity Management is headed by a Chief Information Security Officer (CISO), who is accountable to the Information Technology Board, which in turn is accountable to the Executive Board and the Board of Directors. The topic is included in the Company's risk assessment and all initiatives are guided by standards, frameworks, and legislation applicable to the segment, such as: IEC:62446, ISO27001, NIST, CIS, LGPD, Brazilian Civil Rights Framework for the Internet. All this governance was designed to support control initiatives in the quest to reduce cybersecurity risks and ensure the confidentiality, integrity, availability, and authenticity of information with an integrated vision of the administrative and industrial environment.
Mission: Guarantee the confidentiality, availability and integrity of Klabin’s information by applying innovative processes and solutions that deliver real results for the business and strengthen the trust of clients, employees, society and shareholders.
Vision: Add value to Klabin’s image by enhancing information security through efficient risk management focused on confidentiality, availability and integrity of information in the administrative and manufacturing environments.
In building Klabin’s cybersecurity journey, aligned with the Company’s strategic drivers and market best practices, an internal framework was developed that addresses key challenges and supports the evolution of digital transformation.
Management of Information Security Plans/Programs
| Business continuity plans related to information security | The Company has a critical systems recovery plan, evaluated by the internal audit department, simulating recovery times, availability, and data integrity. |
| Vulnerability analysis of information security (internal and external audits) | The Company carries on internal audits to monitors its systems available on the Internet and acts to correct vulnerabilities. In 2025, Klabin obtained an A rating from Security Scorecard, an external platform that monitors publications available on the Internet. Klabin implements ISO27001, the Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet), LGPD (Brazilian General Data Protection Law), GDPR, CISP, NIST and IEC-62443 as guidelines and benchmarks for best practices, with the aim of ensuring the confidentiality, integrity, availability and authenticity of information and an integrated view of the administrative and industrial environment. |
| Escalation process for employees to report incidents, vulnerabilities, or suspicious activities | Incidents and suspected incidents can be reported using the “phishing attempt” buttons in the email or by contacting the Cybersecurity team directly. As a preventive measure, other incidents are managed through the Security Information and Event Management process. Significant cases are brought before the Executive Committee and may reach the Board of Directors through the Advisory Committees. |
| Information security awareness training | Klabin promotes the dissemination of cybersecurity principles and guidelines through awareness and training programs. In addition to mandatory training for all employees, Klabin has a 2030 goal of having 100% of its direct and indirect employees proficient in the digital language necessary to keep up with cybersecurity culture, ensuring the protection of personal and Company data. In 2024, the Company continued its phishing simulation campaigns. Targeted training was developed for the automation team. Content continued to be published on the Klabin Intranet. The topic of cybersecurity was discussed at the Managers, Coordinators and Specialists Conventions. |
Internal Cyber security Commitments
Cyber security is an essential pillar of Klabin’s strategy. We are committed to ensuring the protection of the Company’s operations and information, promoting a secure and resilient digital environment for employees, partners, customers, and shareholders. To support this commitment, Klabin uses ISO27001, the Brazilian Civil Rights Framework for the Internet, LGPD, GDPR, CISP, NIST and IEC-62443 standards as guidelines and benchmarks for best practices. This decision ensures the confidentiality, integrity, availability and authenticity of information, in addition to providing an integrated view of administrative and industrial environments.
Klabin's cybersecurity efforts are guided by four pillars:
- Confidentiality: only authorized persons have access to information;
- Availability: information accessible whenever necessary, by duly authorized users;
- Integrity: data changed only by authorized means;
- Authenticity: confirmation of the origin of the information, ensuring its accuracy.
The governance of this topic is conducted by a multidisciplinary committee involving the areas of Risk, Internal Controls, Internal Audit, Information Technology, Industrial Automation, and business areas. This structure ensures an integrated and strategic vision of cyber risks, promoting preventive, corrective, and educational actions.
Klabin also adopts an approach to third-party management in the context of cybersecurity and privacy, ensuring that all suppliers and partners are aligned with its internal policies and regulatory compliance. In addition, the Information Security area acts proactively to protect the company's systems and ensure data integrity and protection through internal commitments to actions and continuous improvement of systems, such as:
- Use of layered technologies for risk mitigation;
- Continuous monitoring of security threats and incident response;
- Compliance of industrial systems with manufacturer recommendations;
- Execution and testing of business continuity plans;
- Assessment of security requirements with suppliers and partners;
- Awareness of employees and third parties, establishing individual responsibilities for the information security of all employees;
- Support for the secure development of software and technology projects;
- Responsible adoption of new technologies, including artificial intelligence;
- Compliance with internal policies and controls.
Updated and verified on: 29/08/2025