CMPC has high standards of governance oriented towards sustainable management, rooted in the top-level management of the company. It is based on a corporate culture of ethics and compliance with the Corporate Policies and Regulations. We carry out our operations and business transactions in accordance with the best international practices, strictly complying with the laws and regulations of each country where we are present and always respecting the people, their dignity and rights, as well as the environment.

CMPC’s governance is structured around three  levels: the Shareholders’ Meeting, the Board of Directors, and Executive Management. Each has defined authorities, roles, and responsibilities that ensure the company’s effective functioning, direction, and long-term sustainability. This structure is founded on a governance framework developed and implemented in accordance with the applicable laws and regulations of the countries where CMPC operates, as well as the governance principles outlined in its Corporate Governance Policies and Procedures. 

The governance structure is reflected in CMPC’s bylaws, the amendment of which is subject to Law No. 18,046 on Corporations (Ley de Sociedades Anónimas (LSA)) and requires approval by a qualified quorum of shareholders. (por favor poner el link en CMPC’s bylaws)

The primary role of CMPC’s Board of Directors is to manage and direct the Company. It is composed of nine members, whose duties must be carried out in strict compliance with applicable regulations. Chilean law, through civil legislation and the Law on Corporations (LSA), establishes the standards of conduct and rules of liability associated with fulfilling directors’ fiduciary duties of care and loyalty. Such liability cannot be waived or mitigated by shareholder decision or by the company’s bylaws, nor can it be renounced in advance. In this regard, directors act in the best interests of the company and are subject to the highest standards of conduct.

As part of its governance structure, the Board of Directors has established committees, including the Sustainability and Regulatory Committee. Its primary purpose is to directly oversee the implementation of the company’s sustainability strategy across its economic, social, and environmental dimensions, as well as to verify the effective achievement of the objectives and targets set in this regard. The committee may also review and propose the adoption of best practices to further strengthen CMPC’s long-term commitment to sustainable development.

For CMPC, information security and cybersecurity are essential for operational continuity and the protection of business value. We recognize their growing importance and maintain a high level of preparedness to prevent and effectively respond to significant incidents.

Our management approach is based on high standards and seeks to enhance transparency and the public availability of information in this area. To achieve this, we have established a robust governance structure that ensures comprehensive oversight. At the corporate level, the Board of Directors’ Audit, Ethics, and Compliance Committee is responsible for overseeing cybersecurity risks. As part of its role in the risk management system, this committee regularly reviews the risk matrix, monitors the execution of internal audit plans, ensures compliance with the Compliance Program, and evaluates actions taken in response to cyber threats, ensuring appropriate controls for prevention, detection, and mitigation.

We consider corporate information to be a strategic asset, and its protection is the responsibility of all employees and third parties. Our Comprehensive Information Security Policy, approved in October 2023, sets out the guidelines for safeguarding information and associated technologies throughout their life cycle, ensuring compliance with quality and security standards. Given that the document includes key procedures and technical controls for threat management, it is distributed internally as a preventive measure to protect its effectiveness. This Policy includes, among others, the following essential elements:

• It actively promotes the continuous improvement of the information security management system by constantly assessing emerging threats and adapting our defense capabilities. This practice aims to reduce risks, optimize costs, and improve the efficiency and effectiveness of information systems.
• We are committed to protecting information against unauthorized access (confidentiality), intentional or accidental alterations (integrity), and disruptions that prevent its use (availability). Control measures are implemented at every stage of the information life cycle, prioritizing classification and protection to prevent disclosure or manipulation by unauthorized individuals.
• The Policy defines specialized instances responsible for monitoring and managing information security incidents. These functions follow established procedures that include protocols for detection, response, mitigation, and reporting, ensuring timely and coordinated reactions to potential threats.
• Information security responsibilities are clearly defined and mandatory for everyone at CMPC, regardless of their role, function, or geographic location. From the Technology, Digitalization, and Cybersecurity Committee to end users, the entire organization must adhere to the Policy’s guidelines. Employees are also expected to promptly report any suspicious behavior or activity that could pose a threat to information security. Key roles such as Corporate and IT Security Officers, along with the Human Resources department, have specific duties to ensure proper implementation, monitoring, and compliance.

This Policy also extends to third parties, such as suppliers, contractors, and supply chain actors, who must protect any information accessed during the provision of their services. They are required to comply with CMPC’s defined security standards. The Procurement area ensures that evaluation and contracting processes include security controls as contractual requirements, mitigating risks in external relationships and protecting shared systems and data.

Active Information Security and Cybersecurity Management

CMPC has implemented a series of internal processes to ensure robust and preventive management of information security and cybersecurity, protecting its digital assets against internal and external threats. The design and implementation of security controls are based on internationally recognized standards and frameworks, including ISO 27000, ISA 62443, NERC-CIP, the NIST Cybersecurity Framework (CSF), COBIT, and the CIS Critical Security Controls (Center for Internet Security). For security reasons, specific details regarding mechanisms and controls are not publicly disclosed to preserve their effectiveness and reduce exposure to vulnerabilities.

In 2024, CMPC conducted both internal and external audits of its information security and technology management systems, verifying compliance with applicable standards and controls. The Corporate Information Technology Department coordinates with business units and subsidiaries to implement contingency plans that ensure operational continuity and information availability in the event of critical incidents. These units are required to maintain and regularly test their Business Continuity Plans (BCP), identifying key processes and resources. In addition, CMPC performs continuous vulnerability monitoring across systems, networks, and applications to anticipate threats and enhance proactive risk management.

CMPC promotes a strong cybersecurity culture through ongoing training and awareness initiatives. All employees and third parties are required to promptly report incidents, suspicious events, or misuse of technological resources. Furthermore, all employees must complete an annual mandatory e-learning course that reinforces best practices and helps prevent risky behaviors. The Internal Audit department contributes to the design, implementation, and evaluation of the system, strengthening the comprehensive management of information security.

CMPC is part of different associations and business organizations, universities, think tanks and NGOs with the aim of promoting the forestry industry, its good practices and benefits. Along these lines, during 2024 the most significant contributions were directed towards the Chilean Timber Corporation (CORMA) (USD 355,710), the Pontificia Universidad Católica de Chile (USD 412,623) and the Universidad de Concepción (USD 380,000), thus contributing to public debate.

Over the year 2024, CMPC did not make any contributions to lobbying, representation of interests or similar, political campaigns, candidates or others.

In addition, CMPC discloses a detailed breakdown of taxes paid in each jurisdiction where it is resident for tax purposes, enhancing transparency and enabling stakeholders to better understand its tax profile and contributions.

According to the CMPC Mission, Values and Corporate Purpose, sustainability is a strategic part of each business unit, its corresponding subsidiaries, a.s well as all operations and geographic area of influence and stakeholders. This strategic focus is based on three fundamental pillars: the risks to which the company and the part it plays in the community is exposed; material issues , related to the positive and negative impact along our entire value chain; Risk Management Program; and our contribution towards global initiatives such as the Sustainable Development Goals to which we subscribe.

Focusing on key processes, activities, products and by-products of each business unit, and paying close attention to internal circular flows, we have developed our Value Creation Model based on the Corporate Purpose, and through which, we face our Sustainable Development Corporate Goals.