Information Security
Cyber Security
KODS 2030
100% of direct and indirect employees included in the digital language necessary to support the cybersecurity culture, ensuring the protection of personal and company data
Percentage of direct and indirect employees included in the digital language
Category | 2021 | 2022 | 2023 | 2024 | 2030 Goal |
---|---|---|---|---|---|
Total number of direct employees | 17,436 | 18,394 | 17,739 | 18,495 | |
Total number of indirect employees | 2,723 | 2,200 | 2,400 | 4,686 | |
Trained direct employees | 8,659 | 10,739 | 15,864 | 14,687 | |
Trained indirect employees | 962 | 726 | 960 | 3,165 | |
% of trained direct employees | 50% | 58% | 89% | 78% | 100% |
% of trained indirect employees | 35% | 33% | 40% | 67% | 100% |
In 2024, Klabin continued its phishing simulation campaigns and enhanced its cybersecurity training by adopting a more robust platform featuring more challenging scenarios. It also reinforced the knowledge of its automation team with specific content developed for its needs. The topic was also included on the agenda of the Managers, Coordinators and Specialists Convention, and is continuously disseminated on the Minha Klabin (My Klabin) intranet page, raising awareness at different levels of the organization.
In 2024, there was a significant increase in the number of contractors trained compared to previous years. This variation was mainly due to a general strike at the Monte Alegre unit, which took place during the training period.
Category | 2024 | 2023 | 2022 | 2021 |
---|---|---|---|---|
Number of complaints received from external parties and proven by the organization | 0 | 0 | 0 | 0 |
Number of complaints from regulatory agencies | 0 | 0 | 0 | 0 |
Total number of identified leaks, thefts, or losses of customer data | 0 | 0 | 0 | 0 |
In 2024, in line with previous years, Klabin did not record any incidents involving privacy breaches or losses of customer data.
The year 2024 saw an escalation in cyberattacks, which became increasingly sophisticated and unprecedented. The use of artificial intelligence by malicious agents increased the complexity of attacks, making detection and remediation processes even more challenging. This situation demanded redoubled attention from Klabin’s leaders, spurring the implementation of even more robust cyber risk management strategies.
Cybersecurity governance at Klabin is structured to support risk control and reduction initiatives and to preserve the confidentiality, integrity, availability and authenticity of information, based on an integrated view of the administrative and industrial environment.
The Cybersecurity Area is responsible for identifying, assessing and reporting legal and regulatory risks related to information technology and cybersecurity, supporting and promoting business objectives.
The area is led by a Chief Information Security Officer (CISO), who reports to the Information Technology Department. In turn, this department reports to the Executive Board and Board of Directors.
Mission: Guarantee the confidentiality, availability and integrity of Klabin’s information by applying innovative processes and solutions that deliver real results for the business and strengthen the trust of clients, employees, society and shareholders.
Vision: Add value to Klabin’s image by enhancing information security through efficient risk management focused on confidentiality, availability and integrity of information in the administrative and manufacturing environments.
Cybersecurity is covered by the Company’s risk assessment, and related initiatives are guided by standards, frameworks and legislation applicable to the sector, such as IEC 62443, ISO 27001, NIST, CIS, the Brazilian General Data Protection Law and the country’s Digital Bill of Rights.
In building Klabin’s cybersecurity journey, aligned with the Company’s strategic drivers and market best practices, an internal framework was developed that addresses key challenges and supports the evolution of digital transformation.
Management of Information Security Plans/Programs
Business continuity plans related to information security | The Company has a critical systems recovery plan, evaluated by the internal audit department, simulating recovery times, availability, and data integrity. |
Vulnerability analysis of information security (internal and external audits) | The Company monitors its systems available on the Internet and acts to correct vulnerabilities. In 2025, Klabin obtained an A rating from SecurityScorecard, a market platform that monitors publications available on the Internet. Klabin's strategic direction was to implement ISO 27001, the Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet), LGPD (Brazilian General Data Protection Law), GDPR, CISP, NIST and IEC 62443 as guidelines and benchmarks for best practices, with the aim of ensuring the confidentiality, integrity, availability and authenticity of information and an integrated view of the administrative and industrial environment. |
Escalation process for employees to report incidents, vulnerabilities, or suspicious activities | Incidents and suspected incidents can be reported using the “phishing attempt” buttons in the email or by contacting the Cybersecurity team directly. As a preventive measure, other incidents are managed through the Security Information and Event Management process. Significant cases are brought before the Executive Committee and may reach the Board of Directors through the Advisory Committees. |
Information security awareness training | Klabin promotes the dissemination of cybersecurity principles and guidelines through awareness and training programs. In addition to mandatory training for all employees, Klabin has a 2030 goal of having 100% of its direct and indirect employees proficient in the digital language necessary to keep up with cybersecurity culture, ensuring the protection of personal and Company data. In 2024, the Company continued its phishing simulation campaigns. Targeted training was developed for the automation team. Content continued to be published on the Klabin Intranet. The topic of cybersecurity was discussed at the Managers, Coordinators and Specialists Conventions. |
Updated and verified on: 29/08/2025