Information Security and Business Continuity

Doral has developed an Information Security and Privacy Policy and adopted an Information Security Procedures Manual to define an organizational, managerial, and professional framework for decision-making in the field of information security. Together, these documents create an organizational framework for addressing routine and exceptional issues related to the implementation and integration of information security aspects within the Company. Once a year, all company employees undergo refresher training on the procedures and aspects of information security through a dedicated e-learning module. In 2023, 97% of company employees completed this training, and in 2024, dedicated training tailored to the staff of the different departments and to their various activities will be conducted. Additionally, external entities engaging with the Company must commit to maintaining confidentiality, safeguarding insider information, and upholding information security.

 

In 2023, the Company’s board of directors extensively discussed information security and cybersecurity, appointing the internal auditor, who has extensive experience in this field, as an advisor to the board on this matter. Moreover, the Company, through a specialized firm, conducted a comprehensive information security and cyber survey (IT and OT risk assessment). Its findings, together with a work plan to address the identified gaps and deficiencies, were presented to the Audit Committee. The work plan was also approved by the board of directors, and the Company is currently implementing it. This includes expanding, improving, and optimizing information security and cyber protection within the Company through enhanced IT infrastructure, the integration of technological tools, updating company procedures, raising employee and supply chain awareness of risks, and recruiting specialized personnel.

 

In 2023, a Chief Information Systems Officer was hired, reporting to the VP of Engineering and working in full collaboration with Doral’s CEO. Additional staff were recruited in early 2024, and the unit now consists of three people, in addition to two IT personnel. One team member is a dedicated project manager for the Energy Management System.

 

It is important to note that Doral is committed to ensuring that every new facility complies with the guidelines of the Ministry of Energy and the Cyber Directorate. Furthermore, entering the virtual supplier domain necessitated the integration of cloud-based systems, which required appropriate system-level preparations to secure the information they contain. Doral invested in a 24/7 monitoring and control center with real-time viewing capabilities for all systems.

 

Due to changing conditions domestically and globally, and the need to address extreme crisis events, the Company deemed it appropriate to adopt a Business Continuity Procedure prepared by the CEO in collaboration with the rest of management and advised by the internal auditor. This procedure aims to establish methods and responsible parties for preparing, updating, and implementing the plan to prevent or minimize damages that may result from a disaster. The plan was established based on risk assessments, the criticality of systems for the Company’s operations, and required availability, addressing information security aspects, including concerns about the exposure of information and/or sensitive processes to unauthorized entities. The Company’s management or its designees are responsible for instructing all company employees on the existence and implementation of the plan during a disaster. During the COVID-19 crisis, the business continuity plan facilitated the transition of company employees to remote work to ensure their health and business continuity.

 

In 2023, no significant inquiries regarding suspected information breaches were received, and there were no cyber incidents. Doral operates with business clients; however, no information security incidents have occurred that disrupted the company’s routine operations or caused damage to the company’s activities.
