Information and Cybersecurity Policy
1. PURPOSE
This Information and Cybersecurity Policy establishes “Principles” and “Guidelines” that enable our employees, business partners, and service providers to follow desirable and acceptable standards of behavior, in accordance with the law and best practices, in order to ensure the confidentiality, integrity, and availability of information owned by Banco Luso Brasileiro (“Bank”) or held under its custody. It also reinforces Senior Management’s commitment to the continuous improvement of procedures related to Information and Cybersecurity.
2. SUPPLEMENTARY DOCUMENTS
Code of Ethics and Conduct
3. REFERENCE DOCUMENTS
Central Bank of Brazil (CMN) Resolution No. 4,893/21: Provides guidance on cybersecurity policies and requirements for contracting data processing, storage, and cloud computing services for institutions authorized by the Central Bank of Brazil.
Law 13.709/2018: Brazilian General Data Protection Law (“LGPD”).
4. DEFINITIONS, CONCEPTS, AND ACRONYMS
Senior Management: Organizational structure comprising the Executive Board and the Board of Directors;
Cyber Environment: Virtual environment in which users establish social relationships;
Threat: Any circumstance or event with the potential to exploit vulnerabilities and cause harm to systems, networks, or data. Threats may be internal or external in nature and may include deliberate actions such as cyberattacks or accidental events such as system failures;
ANPD: Brazilian National Data Protection Authority;
Asset: Set of the Bank’s property and rights;
BACEN | Central Bank of Brazil: Federal agency that is part of the Brazilian National Financial System;
Employees: Board members, employees, interns, and apprentices;
Encryption: Collection of techniques by which information is transformed from its original form into an unreadable format, so that it can only be accessed by its intended recipient, making it impractical for unauthorized persons to access it;
Personal Data: Any information related to an identified or identifiable natural person;
Guidelines: Objectives and actions required to implement and maintain the direction set forth by policies;
Information Security Incident: Any event that violates one or more principles of Information Security (confidentiality, integrity, availability, authenticity, and non-repudiation);
Corporate Information: Collection of organized data that provides meaning and adds value to the organization;
Normative Instruments (NI): Documents that establish standards classified as Policies, Guidelines, Standards, and Standard Operating Procedures;
Non-repudiation: Information security principle that ensures the impossibility of denying actions taken or information provided;
Hardening: The process of enhancing the security of systems and networks by reducing vulnerabilities through the removal of unnecessary functionalities, application of security patches, secure service configuration, and implementation of robust access controls;
Malware: General term used to describe any malicious software designed to infect, damage, or gain unauthorized access to systems, networks, or devices. Common examples include viruses, worms, Trojans, and ransomware;
Phishing: Social engineering technique involving deceptive electronic communications such as emails, text messages, or fake websites to trick individuals into revealing confidential information such as passwords and financial data;
Policy: Clear guidance reflecting the Bank’s vision, mission, and values;
Principles: Fundamental precepts or requirements that the Bank must observe in carrying out its activities, establishing expected conduct in relationships, operations, and services, both internally and externally;
Information Protection: Any action aimed at preserving the value that information holds for an individual or an organization;
Ransomware: A type of malware that encrypts sensitive user data or blocks the victim’s device and subsequently demands payment for the data’s decryption or the device’s restoration;
Responsibility: The obligation to be accountable, corporately or locally, for specific duties;
Risk: The quantification of uncertainty. In the context of information security, it refers to the exposure associated with the exploitation of one or more vulnerabilities of an information asset, or a group of such assets, by one or more threats, with negative impact on the organization’s business;
Cyber Risk: Exposure to damage and losses resulting from the occurrence of cyber incidents;
Cybersecurity: The set of practices, technologies, and processes used to protect networks, devices, programs, and data from cyberattacks, damage, or unauthorized access. Its goal is to uphold the five fundamental pillars of information security:
Confidentiality: Ensuring that only authorized individuals can access information;
Integrity: Ensuring that data is not improperly altered and remains accurate and reliable;
Availability: Ensuring that information and systems are accessible when needed;
Authenticity: Verifying the identity of the parties involved in accessing and handling information;
Non-repudiation: Ensuring that actions or transactions cannot be denied by the parties involved;
Third Parties: Business partners, service providers, and suppliers;
Vulnerability: Weakness or flaw in a system, software, or process that can be exploited by a threat to cause damage or gain unauthorized access. Vulnerabilities may result from design flaws, implementation errors, or improper configuration;
Virus: A type of malware that infects other files by altering their content to include malicious code;
Worm: Unlike viruses, this type of malware spreads to other devices independently, for example via email or messaging applications.
5. SCOPE
All Bank employees at all hierarchical levels, as well as Business Partners, Suppliers, and Contracted Service Providers, are required to observe, comply with, and enforce the terms and conditions of this policy and other related regulations. Within their areas of responsibility, they must ensure the effective implementation of the standards and principles of information security and protection, upholding the legal and ethical standards applicable to the Bank. The same requirements apply to third parties.
6. POLICY DETAILS
6.1. Principles
6.1.1. General Principles
Ethics and Legal Compliance: Acting in compliance with applicable laws and regulations, and with standards of ethics and conduct.
Transparency: Ensuring business integrity to strengthen relationships with stakeholders, promoting positive relationships and engagement.
Continuous Improvement: Commitment to improving standards of ethics and conduct, implementing corrective measures, ensuring appropriate security levels, the quality of products and services offered, and the efficiency of service delivery.
6.1.2. Information Security Principles
Confidentiality: Ensure that access to information is restricted to authorized individuals only, preventing the misuse of sensitive data;
Integrity: Ensure that information is not improperly altered, maintaining its accuracy and reliability, to avoid unauthorized modification of data;
Availability: Ensure that information and systems are accessible and operational whenever needed, allowing business processes to function without interruption;
Authenticity: Verify the identity of the parties involved in accessing and handling information, ensuring that data and systems are accessed only by properly authenticated users;
Non-repudiation: Ensure that no party involved in a transaction or communication can deny the authorship of their actions or transactions performed, ensuring traceability and accountability.
6.2. Guidelines
To protect information, the Bank establishes guidelines to be followed, focused on the implementation of security controls that reflect its commitment and responsibility for information security at all hierarchical levels. These guidelines are as follows:
a) Bank, client, user, employee, and third-party information must be treated ethically, confidentially, and in accordance with applicable laws, avoiding misuse and inappropriate exposure;
b) Classify data and information according to their criticality;
c) Access to and handling of restricted-access information is limited to individuals who have a business need to know;
d) Establish parameters for identifying the significance of events;
e) Implement current security mechanisms (for both the Bank and third parties) that keep pace with technological advances and provide adequate protection for the Bank;
f) Use information transparently and only for the purpose for which it was collected;
g) Ensure that each employee has a unique, personal, and non-transferable identification, holding them accountable for their actions;
h) Ensure that access passwords are kept confidential and assigned to each employee individually, along with training about the prohibition of sharing them;
i) Create incident scenarios to be considered in business contingency plans;
j) Establish preventive and remediation procedures and controls for incidents to be adopted by third-party companies that handle sensitive or business-critical data for the Bank’s operational activities;
k) Implement training and periodic assessment actions;
l) Maintain informational actions for clients and users regarding precautions in the use of financial products and services;
m) Escalate all risks related to the Bank’s and its clients’ information to the Information Security department so that they may be analyzed, evaluated, and addressed appropriately.
6.3. Governance
Since its inception, the Bank has recognized the importance of information assets in the financial industry, ensuring that the information produced or received is used responsibly, ethically, and securely, solely for the benefit of business operations.
Therefore, to support banking activities, the Bank is guided by fundamental information security principles, to efficiently preserve, monitor, and manage information assets, ensuring their confidentiality, integrity, and availability.
The Information Security department must guide the processes of identifying, assessing, and mitigating vulnerabilities and threats that could expose information assets to a level of risk considered unacceptable by the Central Bank of Brazil.
Accordingly, specific controls and procedures must be implemented, including those aimed at information traceability, to prevent, detect, and reduce technical, procedural, and legal vulnerabilities, minimizing the risks of incidents related to the Cyber Environment and ensuring the security of information.
6.4. Content Scope
The content of this policy must be appropriate for the size, risk profile, and business model of the Bank, the nature of its operations, and the complexity of the Bank’s products, services, activities, and processes, as well as the sensitivity of the data and information under its responsibility. It must also comply with the principles and guidelines defined by senior management for the implementation of procedures that ensure the confidentiality, integrity, and availability of the information maintained and used by the Bank.
6.5. Rules and Procedures
6.5.1. Information Handling
Corporate information must be classified according to its level of importance, confidentiality, and availability into business-critical data, sensitive data, and by levels that include confidential, internal use, and public information. This classification must cover data processing, storage, and cloud computing services provided domestically or internationally, and information should only be made available to authorized individuals, in order to reduce or mitigate risks such as data breaches and improper sharing.
6.5.2. Control Measures
The Bank must monitor and log the use of information processed and transmitted within its environment by establishing procedures and controls, such as audit trails and activity logs across all systems and endpoints deemed necessary, to reduce vulnerability to data security incidents as well as other threats that may occur. Key technical measures to be adopted include: authentication; data loss prevention; penetration testing; vulnerability scanning; anti-malware controls; encryption; traceability; network segmentation; and maintenance of backup copies of data and information.
The Bank must conduct a comprehensive analysis of the results of monitoring activities, as well as define the frequency for reviewing the sensitivity level of information, when necessary.
6.5.3. Third-Party Contracting
The process of contracting with material third parties who handle information on or off the Bank’s premises must be guided by clear rules and procedures to be rigorously followed. These third parties must commit to and act in accordance with this Policy, observing and respecting the pillars of Information Security, including: Confidentiality, Integrity, and Availability.
In the case of any new contracting, modification, adaptation, or termination of contracts that fall under this Policy, the Information Security, Fraud Prevention, and Legal departments must be notified to take the necessary internal actions to establish or terminate the relationship.
When the Bank contracts with a particular partner, service provider, or supplier with whom confidential and sensitive information will be shared, it must:
a) Ensure that the contracting will not impair the Bank’s regular operations or hinder the actions of the Central Bank of Brazil;
b) Define, prior to contracting, which countries and regions within each country the services may be provided in, and where the data and information may be stored and processed;
c) Consider business continuity alternatives in the event of inability to maintain or termination of the contract;
d) Analyze the criticality of the service and the sensitivity level of the data and information to be processed, stored, and managed, considering the classification of data and information according to criticality;
e) Document the technical capacity assessment of the partner, service provider, or supplier.
The hiring of relevant data processing, storage, and cloud computing services must be reported to the Central Bank of Brazil, including the name of the contracted company, the relevant services hired, and the countries and regions where the services may be provided and data may be stored, processed, and managed, as well as any contractual changes related to this information, within ten days after hiring or modifying the services. Upon signing the contract, an addendum must be signed outlining the obligations and responsibilities of the contracted company in accordance with CMN Resolution No. 4,893/21.
6.5.4. Awareness and Responsibilities
Bank employees, partners, material service providers, and suppliers must be aware of this Policy (internal and/or external version as applicable), and it must be properly communicated and distributed.
Employees and material third parties who access, handle information, or use the Bank’s technological resources in any way must commit to and act in accordance with this Policy, observing and respecting the pillars of Information Security.
6.5.5. Training and Development
The Bank will periodically conduct training sessions for its employees and material third parties on this Policy, at the commencement of the relationship or when updates occur, and will administer tests to assess the understanding of the content and knowledge retention.
6.5.6. Client and User Awareness Measures
The Bank is constantly working to maintain a secure cyber environment, making Information Security its priority, which is evident in its policies and procedures.
However, it is essential to emphasize that the responsibility for Information Security also rests with its clients and users, who must be vigilant against “scams”, “cyber fraud”, and malicious software present on the internet.
Cybercriminals, through the aforementioned schemes, seek to illicitly obtain data and information to gain improper advantages.
Therefore, to guide clients and/or users in contributing to the maintenance of a secure online environment, Banco Luso Brasileiro recommends the following:
a) Login credentials (login and password) must be memorized and not recorded in other digital or physical locations, nor shared with third parties, including those in your household. This measure helps maintain the confidentiality of your information;
b) Passwords should be changed not only periodically but also whenever there is suspicion of a breach of their confidentiality;
c) Strong passwords should be created, meaning they must be complex (including letters, numbers, special characters) and unique, and should not be reused;
d) The client’s and/or user’s personal device should not be used by other people while it is authenticated with their login credentials;
e) The client’s and/or user’s personal device should always be locked when unattended.
6.6. Responsibilities
6.6.1. Board of Directors
a) Approve the External Information and Cybersecurity Policy.
6.6.2. Partners, Service Providers, and Suppliers
All material partners, service providers, and suppliers who handle information on or off the Bank’s premises, in addition to complying with the normative instruments related to third-party contracting, must observe and enforce the following provisions:
a) Ensure complete understanding of the requirements to be met in the signed contracts, in accordance with current legislation and regulations;
b) Provide the Bank with access to the data and information to be processed or stored during service provision;
c) When requested, complete the questionnaire on the adoption of corporate governance and Information Security practices;
d) Observe the fundamental principles of Information Security, including: confidentiality, integrity, and availability, as well as the recovery of data and information processed or stored by the service provider;
e) Demonstrate compliance with the certifications required by the Bank for the provision of the contracted service, when requested;
f) Permit the Bank to access reports prepared by an independent third-party audit firm engaged by the service provider, related to procedures and controls used in the provision of the contracted services;
g) Provide adequate management information and resources for monitoring the services to be provided;
h) Identify and segregate the Bank’s customer data through physical or logical controls;
i) Ensure the effectiveness of access controls aimed at protecting the Bank’s customer data and information;
j) When deploying internet-based applications, adopt controls to mitigate the effects of potential vulnerabilities introduced in the deployment of new application versions;
k) Ensure complete understanding of all items in this policy and execute a statement of responsibility, committing to full compliance with all items contained therein.
6.6.3. Information Security and Fraud Prevention
a) Ensure proper segregation of duties in the Bank’s systems, mitigating the risk of conflicting access rights;
b) Review system access rights annually to make necessary adjustments to users/profiles/systems;
c) Participate in the implementation of new Bank systems, to define or recommend user access profiles, ensuring proper segregation of duties from the beginning;
d) Chair the Information Security and Data Privacy Committee;
e) Present annual improvements and responses to incidents through the regulatory annual report;
f) Review the Business Continuity Plan annually, updating related documents as necessary;
g) Document any material incidents, the main actions taken to resolve them, and action plans when necessary, to mitigate identified risks;
h) Deliver and promote periodic training for employees and partners regarding Information Security and Business Continuity;
i) Oversee Information Security management for corporate processes;
j) Review the Information and Cybersecurity Policy when necessary, and after approval by the Board of Directors, ensure its distribution through available channels for stakeholder awareness;
k) Ensure compliance with applicable and current legislation.
6.6.4. Information Security and Fraud Prevention | Information Technology
a) Oversee Information Security management for technological processes and tools used;
b) Conduct technical analysis of Information Security and Fraud Prevention incidents;
c) Implement solutions to continuously improve Technology Security;
d) Execute the Hardening process for the technological environment;
e) Monitor the technological environment, performing updates and analyzing detected attack attempts;
f) Respond to situations requiring forensic investigation when necessary;
g) Immediately report to the Executive Board and the Data Protection Officer (“DPO”) incidents resulting in disclosure of Personal Data processed by the Bank, regardless of the data subjects involved;
h) Support the DPO with information and other necessary assistance regarding incidents, to enable the Bank to comply with its obligations to report to the ANPD, BACEN, and/or the data subjects.
6.6.5. Data Protection Officer (“DPO”)
a) Support the Technology and Information Security and Fraud Prevention departments in matters and requests related to legislation concerning the processing of personal data, providing opinions and recommendations for decision-making by the Executive Board.
b) Serve as a liaison between the Bank and the Brazilian National Data Protection Authority (“ANPD”) on matters related to the Bank’s personal data processing activities.
7. EFFECTIVENESS
This Policy becomes effective on the date of its publication and will remain in force indefinitely. It must be reviewed at least annually, or whenever necessary, in the event of changes to the Bank’s internal regulations, amendments to information and cybersecurity guidelines, changes in business objectives, or as required by the applicable regulatory authority.