Information and Cyber Security Policy
1. OBJECTIVE
This Information and Cybersecurity Policy aims to establish “Principles” and “Guidelines” that enable employees to follow desirable and acceptable standards of behavior, in compliance with legislation and best market practices, in order to ensure the security, confidentiality, integrity, and availability of information owned by Banco Luso Brasileiro (“Bank”) or information under its custody. It also seeks to reinforce the Senior Management’s commitment to the continuous improvement of procedures related to Information and Cybersecurity.
2. SUPPORTING DOCUMENTS
Code of Ethical Conduct
Business Continuity Plan v.2.2
PN|18.4|01.05: Access Management and Use of Corporate Data
3. REFERENCE DOCUMENTS
CMN Resolution No. 4.893|21: Establishes the cybersecurity policy and the requirements for contracting data processing, storage, and cloud computing services to be observed by institutions authorized to operate by the Central Bank of Brazil.
Law 13.709/2018: General Data Protection Law (“LGPD”)
4. DEFINITIONS, CONCEPTS AND ACRONYMS
Senior Management: Organizational structure composed of the Statutory Board of Directors and the Board of Directors;
Cyber Environment: Virtual environment in which the user establishes social relationships;
Threat: Any circumstance or event with the potential to exploit vulnerabilities and cause damage to systems, networks, or data. It may be internal or external in nature and may include deliberate actions such as cyberattacks or accidental ones such as system failures;
ANPD: Brazilian National Data Protection Authority;
Asset: Set of the Bank’s goods and rights;
BACEN/Central Bank of Brazil: Federal agency part of the National Financial System;
Employees: Statutory members, employees, interns, and apprentices;
Encryption: Set of techniques by which information is transformed from its original form into another unreadable format, making it accessible only to its intended recipient and unreadable by unauthorized individuals;
Personal Data: Any information related to an identified or identifiable natural person;
Guidelines: Objectives and actions required to implement and maintain the direction expressed by the policies;
Information Security Incident: Any event that violates one or more principles of Information Security (confidentiality, integrity, availability, authenticity, and non-repudiation);
Corporate Information: Set of organized data that is meaningful and generates value for the organization;
Normative Instruments (NI): Document that establishes standards classified as Policies, Guidelines, Norms, and Normative Procedures;
Non-repudiation: Information security principle that ensures that provided information cannot be denied by its originator;
Hardening: The process of strengthening the security of systems and networks by reducing their vulnerabilities through the removal of unnecessary features, patch application, secure service configuration, and implementation of strict access controls;
Malware: Generic term describing any malicious software intended to infect, damage, or gain unauthorized access to systems, networks, or devices. Common examples include viruses, worms, trojans, and ransomware;
Phishing: Fraud technique that involves the use of deceptive electronic communications, such as emails, text messages, or fake websites, to trick individuals into disclosing confidential information, such as passwords and financial data;
Policy: Direction expressed through the Bank’s vision, mission, and values;
Principles: Fundamental precepts or requirements the Bank must observe when carrying out its activities, aiming for expected conduct in relationships, operations, and services in both internal and external environments;
Information Protection: Any action aimed at preserving the value that information holds for an individual or organization;
Ransomware: Type of malware that “kidnaps” sensitive user data or locks the victim’s device and then demands a “ransom” for the return of the data or the unlocking of the device;
Responsibility: Obligation to respond corporately or locally for specific assignments;
Risk: The quantification of uncertainty; in the context of information security, it refers to the potential for one or more threats to exploit vulnerabilities in an information asset or group of assets, causing negative business impact;
Cyber Risk: Exposure to damage and losses resulting from cyber incidents;
Cybersecurity: Refers to the set of practices, technologies, and processes used to protect networks, devices, software, and data from cyberattacks, damage, or unauthorized access. Its objective is to ensure the five core pillars of information security;
Confidentiality: Ensuring that only authorized individuals can access the information;
Integrity: Ensuring that data is not improperly altered and remains accurate and reliable;
Availability: Ensuring that information and systems are accessible when needed;
Authenticity: Verifying the identity of the parties involved in accessing and handling information;
Non-repudiation: Ensuring that actions or transactions cannot be denied by the involved parties;
Third Parties: Business partners, service providers, and suppliers;
Vulnerability: Weakness or flaw in a system, software, or process that can be exploited by a threat to cause damage or gain unauthorized access. Vulnerabilities may result from design flaws, implementation issues, or misconfiguration;
Virus: Type of malware that infects other files by altering their content so they contain malicious code;
Worm: Type of malware that, unlike viruses, spreads to other devices, for example via email or messaging apps.
5. SCOPE
All Bank employees, at any hierarchical level, are required to observe, comply with, and enforce the terms and conditions of this policy and other related regulations, within their scope of responsibility. They must ensure the effective implementation and enforcement of the rules and principles of information security and protection, in line with legal and ethical standards that govern the Bank. The same guidelines apply to third parties.
6. DETAILING
6.1. Principles
6.1.1. Principles | General
Ethics and Legality: Act in compliance with current laws and regulations, following ethical standards and conduct.
Transparency: Ensure the integrity of the business to strengthen the bonds between stakeholders, guaranteeing good relationships and engagement.
Continuous Improvement: Commitment to enhancing ethical and conduct standards, applying corrective measures, ensuring adequate security levels, product quality, and service efficiency.
6.1.2. Principles | Information Security
Confidentiality: Ensure that access to information is restricted only to authorized individuals, preventing the misuse of sensitive data;
Integrity: Ensure that information is not improperly altered, maintaining its accuracy and reliability, and preventing unauthorized modification of data;
Availability: Ensure that information and systems are accessible and operational whenever needed, enabling business processes to run without interruptions;
Authenticity: Verify the identity of the parties involved in accessing and handling information, ensuring that data and systems are accessed only by properly authenticated users;
Non-repudiation: Ensure that none of the parties involved in a transaction or communication can deny the authorship of their actions or transactions, ensuring traceability and accountability.
6.2. Guidelines
In order to protect information, the Bank establishes guidelines to be followed, aimed at implementing security controls that reflect its commitment to and responsibility for information security at all hierarchical levels. These guidelines are the following:
1. The information of the Bank, clients and users, employees, and third parties must be treated ethically, confidentially, and legally, avoiding misuse and undue exposure;
2. Classify data and information according to their relevance;
3. The control and processing of restricted access information is limited to people who need to know it;
4. Define parameters to be used to identify the relevance of events;
5. Use updated and modern security mechanisms (Bank and third parties) that keep up with the technological evolution of the market, capable of providing corresponding support and protection to the Bank;
6. Use information transparently and only for the purpose for which it was collected;
7. Guarantee a unique, personal, and non-transferable identification for each employee, making them accountable for the actions taken with it;
8. Ensure that access passwords are individually assigned to each employee and kept secret, with awareness training on the prohibition of sharing them;
9. Develop incident scenarios to be considered in business contingency plans;
10. Define preventive and incident handling procedures and controls to be adopted by third-party companies that handle sensitive or relevant data or information for operational activities;
11. Implement training and periodic evaluation actions;
12. Maintain informative actions for clients and users regarding precautions in the use of financial products and services;
13. Report all risks related to the Bank’s and its clients’ information to the Information Security area for analysis, evaluation, and treatment according to the situation.
6.3. Governance
Since its inception, the Bank has valued the relevance of information assets in the financial market; therefore, the information it produces or receives must be used responsibly, ethically, and securely, for the exclusive benefit of corporate business.
Thus, to carry out its banking activities in an enhanced manner, the Bank relies on the fundamental principles of information security to preserve, monitor, and treat the information it owns efficiently, observing its confidentiality, integrity, and availability.
The Information Security area must guide the processes of surveying, evaluating, and treating vulnerabilities and threats capable of leaving information assets in a risk situation considered unacceptable by the Central Bank of Brazil.
Thus, specific controls and procedures must be implemented, including those aimed at information traceability, to prevent, detect, and reduce technical, procedural, and legal vulnerabilities, minimizing the risk of incidents related to the Cyber Environment and thereby ensuring the security of information.
6.4. Content Scope
The content of this policy must be compatible with the Bank’s size, risk profile, and business model; the nature of its operations; the complexity of its products, services, activities, and processes; and the sensitivity of the data and information under its responsibility. It must observe the principles and guidelines defined by senior management for the implementation of procedures aimed at ensuring the confidentiality, integrity, and availability of information held and used by the Bank.
6.5. Rules and Procedures
6.5.1. Information Processing
Corporate information must be classified according to its degree of importance, confidentiality, and availability (as relevant data or sensitive data) and by level (confidential, internal use, or public). This classification must cover data processing, storage, and cloud computing services provided in the country or abroad. Information must be made available only to authorized persons, in order to reduce or mitigate risks such as leaks and improper sharing.
6.5.2. Control Measures
The Bank must monitor and record the use of information processed and disseminated in its environment, establishing procedures and controls such as audit trails and activity logs at all points and systems it deems necessary, to reduce its vulnerability to data security incidents and other adversities that may occur. The following technical measures stand out among those to be adopted: authentication; prevention of information leakage; penetration tests; vulnerability scanning; controls against malicious software; cryptography; traceability; network segmentation; and maintenance of data and information backups.
The Bank must carry out a robust analysis of the results of its monitoring activity and define the frequency at which the sensitivity level of information is reviewed, when necessary.
6.5.3. Contracting Third Parties
The process of contracting relevant third parties that process information inside or outside the Bank’s premises must be guided by clear rules and procedures that are strictly observed. Such third parties must commit to and act in accordance with this Policy, observing and respecting the pillars of Information Security: Confidentiality, Integrity, and Availability.
In the case of any new hiring, alteration, adaptation, or termination of existing contracts that fall under this Policy, the Information Security and Fraud Prevention and Legal areas must be informed for internal measures to implement or terminate the relationship.
The contracting of relevant data processing, storage, and cloud computing services must be communicated to the Central Bank of Brazil within ten days of the contracting or alteration of the services. The communication must contain the name of the contracted company, the relevant services contracted, and the countries and regions within each country where the services may be provided and the data may be stored, processed, and managed, as well as any contractual changes to this information.
6.5.4. Awareness and Responsibility Actions
The Bank’s employees, partners, service providers, and relevant suppliers must be made aware of this Policy, in its internal and/or external version as applicable, which must be communicated and disclosed appropriately.
Employees and relevant third parties who access or handle information, or who use the Bank’s technological resources, must commit to and act in accordance with this Policy, observing and respecting the pillars of Information Security.
6.5.5. Training and Qualification
The Bank will periodically promote training for its employees and relevant third parties on this Policy, at the beginning of the relationship and whenever updates occur, and will apply tests to assess how well the content has been assimilated.
6.5.6. Information Security Management and Monitoring
The Bank must monitor and record the use of information processed and disseminated in its environment, through appropriate controls, audit trails, and activity logs at all points and systems it deems necessary, in order to reduce the risk of incidents and maintain good practices.
6.5.7. Business Continuity
Business continuity plans must ensure the handling of relevant incidents and contingency situations related to the cyber environment, defining the procedures to be followed in the event of an interruption of relevant contracted data processing, storage, and cloud computing services. They must cover scenarios that consider the replacement of the contracted company and the reestablishment of the Bank’s normal operation, as well as the incident scenarios considered in business continuity tests.
6.5.8. Cybersecurity Incident Action and Response Plan
The Bank must have a specific document containing the security incident response plan, to guide Incident Crisis Management, with the actions to be carried out by the Bank to adapt its organizational and operational structure to the principles and guidelines of the Information Security and Cybernetics Policy.
6.5.9. Annual Report
The Bank must prepare an annual report, with a base date of December 31, on the implementation of the incident action and response plan, highlighting the effectiveness of actions, results obtained, relevant incidents, and business continuity tests. This report must be submitted to the risk management committee and approved by senior management.
6.6. Responsibilities
6.6.1. Board of Directors
1. Approve the Information Security and Cybernetics Policy and the incident action and response plan;
2. Take cognizance of the annual report on the implementation of the incident action and response plan by March 31 of the year following the base date.
6.6.2. Managers
1. Ensure in their respective areas the implementation of necessary mechanisms for the secure disposal of information;
2. Demonstrate care and knowledge about Information Security, showing themselves as a reference of conduct for internal employees under their management;
3. Ensure that their teams have access to and know this policy, as well as the procedures established herein;
4. Specify and request access permissions in advance, listing the information assets to be accessed by service providers in general;
5. In cases of contracting Third Parties and Service Providers, always use the contract template or similar containing the information security and cybernetics clauses, duly evaluated by the Legal Department;
6. Critically analyze identified incidents, sharing them with the Information Security and Fraud Prevention area for the joint definition of the necessary actions.
6.6.3. Employees
1. Use the work tools and equipment provided appropriately;
2. Use the internet, the email tool, and other Bank devices and equipment responsibly and only for professional assignments;
3. Are responsible for the security of the information they have access to, including when working remotely;
4. Keep corporate equipment such as notebooks and cell phones locked when not in use and store it in a safe place when it is not being used; lack of due care is considered a serious offense;
5. Seek guidance from their supervisor when in doubt regarding information security;
6. Sign the Term of Responsibility, formalizing awareness of the Information Security and Cybernetics Policy, as well as assuming responsibility for its compliance;
7. Notify the Information Security and Fraud Prevention area of any non-compliance or violation of this policy and related procedures;
8. Are responsible for maintaining the confidentiality of their access passwords to computer network resources, systems, and services; the use of their user identification accounts by third parties is prohibited;
9. Do not open messages from unknown senders, as they may be a Phishing attack. Whenever a suspicious message is identified, inform the Information Security and Fraud Prevention team via email si@lusobank.com.br. Files, links, or attachments from unknown senders should never be opened.
6.6.4. Information Security and Fraud Prevention
1. Ensure proper segregation of duties in the Bank’s systems, mitigating the risk of access conflicts;
2. Review system accesses annually to make adjustments to users/profiles/systems as necessary;
3. Participate in the implementation of new Bank systems to define or direct user access profiles, ensuring proper segregation of duties from the outset;
4. Coordinate the Information Security and Data Privacy Committee;
5. Present annual improvements and incident responses through a regulatory Annual Report;
6. Review the Business Continuity Plan annually, updating related documents if necessary;
7. Record any relevant occurrences, the main actions taken for resolution, and action plans when necessary, to mitigate identified risks;
8. Communicate and promote periodic training for employees and partners regarding Information Security and Business Continuity;
9. Promote Information Security management with regard to corporate processes;
10. Review the Information Security and Cybernetics Policy when necessary and, after approval by the Board of Directors, monitor its publication in the channels available for the knowledge of those involved;
11. Comply with relevant and current legislation.
6.6.5. Information Security and Fraud Prevention | Information Technology
1. Promote information security management with regard to technological processes and tools used;
2. Technically analyze Cybersecurity incidents;
3. Act in the implementation of solutions for continuous improvement of Technological Security;
4. Promote the Hardening process of the technological environment;
5. Monitor the technological environment, updating and analyzing identified attack attempts;
6. Act in situations that require forensic investigation, when necessary; immediately notify the Board of Directors and the Data Protection Officer (“DPO”) about incidents that result in the leakage of Personal Data processed by the Bank, regardless of who the data subjects are;
7. Provide the DPO with information and other support regarding incidents, in order to enable the fulfillment and/or reporting of information that the Bank is obliged to provide, whether to the ANPD, BACEN, and/or Personal Data subjects.
6.6.6. Information Security and Data Privacy Committee
The Information Security and Data Privacy Committee – CSIPD, formed by representatives from the Information Security and Fraud Prevention, Legal, Organizational Development (HR), Compliance / Marketing, Internal Controls, Products, Audit, and Information Technology (IT) areas, has the following responsibilities:
1. Define strategies that promote and strengthen the Bank’s Information Security and Data Privacy;
2. Evaluate actions to raise awareness among all employees, third parties, and service providers about the relevance of Information Security and Data Privacy for the Bank’s business;
3. Identify areas for improvement in Information Security and Data Privacy within the Bank’s processes;
4. Formalize the analysis of cause and impact, as well as controls related to the effects of relevant incidents;
5. Define measures to be taken for cases of non-compliance with the Information Security and Cybernetics Policy;
6. Issue a technical cybersecurity report, providing information on potential cybersecurity incidents and potential improvements/weaknesses in the Bank’s systems;
7. Evaluate, when requested, the annual report on the implementation of the incident action and response plan and send it for approval by the Cybersecurity Director;
8. Review annually the Security Incident Crisis Management procedures, which specifically address the Guidelines of the incident action and response plan.
6.6.7. Director Responsible for the Information Security and Cybernetics Policy
The Director responsible for the Policy must also implement the incident action and response plan, when necessary, as well as perform the following functions:
1. Communicate to the Board of Directors and the Board of Administration about relevant cybersecurity risks and any incidents that occur, as well as the measures adopted in the incident action and response plan;
2. Guide the Information Security and Data Privacy Committee in situations of doubt regarding the Policy and incident response action plan;
3. Review and approve the annual report on the implementation of the incident action and response plan.
6.6.8. Legal
1. Support the Information Security and Data Privacy Committee on issues within its area that relate to Information Security and Cybernetics at the time of contracting relevant services, as provided for in art. 13 of Resolution 4.893/21, as well as regarding communications to BACEN;
2. Adapt contracts and point out risks in contracting using the General Personal Data Protection Law (LGPD) as a basis;
3. Responsible for analyzing contracts and terminations made with providers of relevant data processing, storage, and cloud computing services.
6.6.9. Formalization
1. Responsible for filing contracts and terminations made with providers of relevant data processing, storage, and cloud computing services to make them available to BACEN, if requested.
6.6.10. Internal Audit
1. Evaluate the adequacy and compliance of processes and procedures related to the policy, auditing and testing the mechanisms for monitoring, controlling, and mitigating risks and their effectiveness, in accordance with the annual plan.
6.6.11. Data Protection Officer (“DPO”)
1. Support the Technology and the Information Security and Fraud Prevention areas in matters and demands related to the legislation governing the processing of personal data, issuing opinions and providing support for decision-making by the Board of Directors.
2. Conduct the dialogue between the Bank and the Brazilian National Data Protection Authority (“ANPD”) on matters related to the processing of personal data by the Bank.
6.7. Penalties
All Bank employees, including business partners, suppliers, and service providers, as mentioned in the “external” version of the Information Security and Cybernetics Policy, who fail to comply with the obligations provided for in internal policies and in the law due to negligence, fault, or intent, are subject to disciplinary actions, including termination of contract and/or administrative or criminal measures, in addition to the penalties provided for by law.
Infractions of the Information Security and Cybernetics Policy and its rules must be reported to the Information Security and Fraud Prevention area, via email: si@lusobank.com.br, which will conduct the investigation through internal procedures.
Any case of non-compliance with the Information Security and Cybernetics Policy by an area, client, business partner, supplier, or service provider must be reported following the internal procedure, with adequate detail of the reason for the non-compliance | violation, in addition to the existing or defined compensatory controls and residual risks.
7. EFFECTIVE DATE
This Policy comes into effect on the date of its publication and remains in effect for an indefinite period. It must be reviewed at least annually, or whenever necessary in the event of a change in the Bank’s internal rules, an amendment of the Information Security and Cybernetics Guidelines, or a change in business objectives, and also when required by the competent regulatory body.