SOUTHERN COPPER CORP/ - (SCCO)

10-K Filing Date: February 29, 2024
ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Our Cybersecurity Approach and Integration

Technology is a fundamental element in our Company’s permanent engagement with innovation and continuous improvement in the area of risk management and cybersecurity management strategy. As cybersecurity threats are becoming increasingly sophisticated and rapidly evolving, we have implemented processes for overseeing and identifying material risks from potential cybersecurity threats. Cyber risk management is a core component of our Company’s governance structure, and our cybersecurity processes are integrated into the Company’s overall risk management system and processes. Our primary focus is information security.

Our Information Technology governance framework is composed of policies, procedures, standards, and methodologies to identify and manage risks among other aspects, which are governed by reference frameworks and best practices.

SCC’s information security strategy is led by the Technology and Information Security Director (“TISD”), with review and support from the Chief Information Security Officer (“CISO”) of Grupo Mexico. The main purpose of SCC’s information security strategy is to identify and manage technological risks that could affect the Company's objectives and to strengthen our Company’s resilience. As part of management’s oversight of cybersecurity, the information security strategy is presented on an annual basis to SCC’s Audit Committee of the Board of Directors, which reports to the full Board of Directors, with additional review and oversight by AMC’s Risks Committee. In addition, we conduct a quarterly follow-up of our cybersecurity strategy’s execution progress and any significant cybersecurity incidents are rigorously monitored.

SCC’s Information Technology Governance Framework includes:

a. Procedures for Information Security Risk Management and Information Security Risk Management Methodology based on the ISO 27005 Information security, cybersecurity and privacy protection standard and Control Objectives for Information and Related Technology (“COBIT”), which establishes criteria to identify, analyze, evaluate, treat and accept risks to the Company's technology infrastructure, including cybersecurity risks.

Our Risk Management Methodology is applied year-round and covers all of the Company’s IT departments and processes. The results are used to generate and update risk and control matrices.

Cybersecurity risks are documented on the Information Security risks and controls matrices. Key risks and their treatment are tracked via these matrices as part of the Information Security processes, which include Vulnerability Management, Patch Management on Information Technology devices, Hardening, Information Security Incident Response, Information Security Culture Development and Cyber Threat Intelligence.

The IT risks and controls matrices are reviewed, authorized, and released annually by the Technology and Information Security Director. The matrices are then submitted to SCC's Internal Audit department to review and evaluate controls, in terms of design, implementation, and operational effectiveness.

b. Information Security Incident Management Procedure based on the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework

We utilize the Cybersecurity Framework of the NIST to outline the activities and authorize personnel to handle information security and cybersecurity incident responses within the Company. This procedure outlines the phases of the incident response process, including detection and analysis; containment and intelligence development; eradication and remediation; recovery; and post-incident activities. Assessments include the qualitative and quantitative factors that are essential for determining materiality on information security and cybersecurity incidents.

In instances where a cybersecurity incident is classified and declared as material, our process is designed to meticulously document in a comprehensive report all critical details, such as the date and time of identification of the incident, a concise description of the incident's nature and scope, the impact of the incident on the Company's operations, and its current status (remediated or undergoing remediation), so that the Company is clearly informed.

Information security and cybersecurity incidents undergo thorough review and assessment by the Information Security Subdirector, in collaboration with cybersecurity specialists and experts. Those incidents classified as material are reported to the Technology and Information Security Director, relevant Business Directors, and the Board’s Audit Committee, with additional review by AMC's Productivity and Risk Committees. Simultaneously, these processes allow cybersecurity incidents classified as “material” to be promptly disclosed to the SEC in a Form 8-K report within 4 business days of the Company’s determination that such incident is in fact a “material” incident.

Oversight of Third-Party Service Providers

Security Assessment Process for IT Service Providers

Our Security Assessment Process for IT Service Providers is based on the ISO 27001 Information security, cybersecurity, and privacy protection standard. This standard’s guidelines ensure that service providers design and implement procedures and notification mechanisms for incident response management within their technological infrastructure. All contracts with IT service providers must stipulate the service levels required by the Company.

Regular meetings are conducted with IT service providers to assess compliance with contracted services, which includes a report on detected information security and cybersecurity incidents, activities for their remediation, and findings and insights from previous reviews and improvements.

Engagement with External Experts

The Company engages top-tier external cybersecurity firms as needed and leverages their expertise. This is part of our ongoing effort to evaluate and enhance our cybersecurity program. The information security strategy includes assessments conducted by third parties and the engagement of specialized services for specific tasks, including:

a. Internal and External Penetration Testing of SCC's Technology Infrastructure: This service is contracted at least annually to identify and remediate vulnerabilities that may exist at the infrastructure and critical operation systems levels.
b. Cybersecurity Organizational Maturity Assessment: The objective of this service is to understand the level of risk and maturity of the Company's cybersecurity controls (Cybersecurity Assessment). The results of Cybersecurity Assessments are used to design and implement work plans.

Disclosure of Management’s Responsibilities

Technology and Information Security Director and Information Security Subdirector

Our management possesses significant expertise in the assessment and management of cybersecurity risks. The TISD and the Information Security Subdirector (“ISD”) have extensive experience in the areas of information technology, information security risk management, and cybersecurity. Specific to cybersecurity, the TISD and the ISD have the expertise to provide insights into the nature of cyber threats, the Company’s readiness, and actions that should be taken to mitigate such risks.

The TISD, under the direction of the Company’s Chief Executive Officer, is responsible for overseeing the Company’s information technology systems, digital capabilities, and cybersecurity practices. The current TISD has more than 25 years of IT experience and has spent 15+ years overseeing cybersecurity strategy, implementation, and operation. Additionally, he holds a Master’s degree in IT Management and a Master’s Degree in Business Administration.

The ISD, under the direction of the TISD, is responsible for overseeing the organization’s cybersecurity and promoting a security-centric culture throughout our operations. The ISD is at the forefront of enhancing our cybersecurity framework and strengthening the overall cybersecurity program. Additionally, the ISD oversees the cyber risk management function, which identifies cybersecurity threats and assesses cybersecurity risks. Our ISD has more than 12 years of experience in the cybersecurity field and holds a Computer Engineering degree.

Risk Committee and Productivity Committee

The Company’s holding company, AMC, has the following Committees, which convene several times a year:

AMC Productivity Committee
AMC Risks Committee

These committees provide support to the Company's Board of Directors with respect to information security and cybersecurity matters. In particular, the Risk Committee provides oversight of the Company’s risk management, cybersecurity, and operational compliance activities, as well as a means of bringing risk issues to the attention of management.

Disclosure of the Board’s Roles and Responsibilities

The Board of Directors is responsible for global oversight of our strategic and operational risks. The Audit Committee assists the Board of Directors with this responsibility by reviewing and discussing our risk assessment and risk management practices, including cybersecurity risks, with members of management. The Audit Committee, in turn, periodically reports its findings to the Board of Directors.

The Audit Committee

The Audit Committee is responsible for overseeing the Company’s overall risk management strategies, including cybersecurity risks and disclosures. To keep the Audit Committee informed, our information security strategy is periodically presented to the Audit Committee, which reports to the full Board of Directors. Regular meetings are held to report to the Audit Committee, which include a risk assessment that highlights cybersecurity risks and cybersecurity risk mitigation actions. Additionally, the Audit Committee receives updates on significant incidents and cybersecurity risks that have been presented to or discussed with the Risk Committee.

The Internal Audit Department

The Internal Audit department of SCC operates in accordance with an Annual Plan that has been approved by the SCC Audit Committee. This plan encompasses the design and execution of system audits, including testing of cybersecurity controls and protocols. Recommendations from both Internal and External experts are thoroughly reviewed and evaluated and may be implemented if findings so merit.

Cybersecurity Incident Impact

While we identified no cybersecurity incidents, we have been subject to attempted cybersecurity threats and will likely continue to be subject to such attempts in the future. For additional discussions of risks from cybersecurity threats we face, see Item 1A “Risk Factors”. There were no material cybersecurity incidents in 2023.