External Information Security Policy – EN

Information and Cybersecurity Policy

1. PURPOSE

This External Information and Cybersecurity Policy aims to establish “Principles” and “Guidelines” that enable our employees, business partners, and service providers to follow desirable and acceptable behavior standards in accordance with legality and best practices, in order to ensure the confidentiality, integrity, and availability of information owned by Banco Luso Brasileiro (“Bank”), or information under its custody. It also seeks to reinforce Top Management’s commitment to the continuous improvement of procedures related to Information and Cybersecurity.

2. COMPLEMENTARY DOCUMENTS

Code of Ethical Conduct

3. REFERENCE DOCUMENTS

CMN Resolution No. 4,893/21: Provides guidance on the cybersecurity policy and the requirements for contracting data processing, storage, and cloud computing services to be observed by institutions authorized by the Central Bank of Brazil.

Law 13.709/2018: General Data Protection Law (“LGPD”).

4. DEFINITIONS, CONCEPTS, AND ACRONYMS

Top Management: Organizational structure comprising the Statutory Board and the Board of Directors;

Cyber Environment: Virtual environment in which the user establishes social relationships;

Threat: Any circumstance or event with the potential to exploit vulnerabilities and cause harm to systems, networks, or data. It may be internal or external in nature and may include deliberate actions such as cyberattacks or accidental ones such as system failures;

ANPD: National Data Protection Authority;

Asset: Set of the Bank’s goods and rights;

BACEN | Central Bank of Brazil: Federal agency that is part of the National Financial System;

Employees: Statutory members, employees, interns, and young apprentices;

Encryption: Set of techniques through which information can be transformed from its original form into an unreadable format, so that it can only be understood by its intended recipient, making it impractical for unauthorized persons to read it.

Personal Data: Any information related to an identified or identifiable natural person;

Guidelines: Objectives and actions required to implement and maintain the direction expressed by policies;

Information Security Incident: Any event that violates one or more principles of Information Security (confidentiality, integrity, availability, authenticity, and non-repudiation);

Corporate Information: Set of organized data that makes sense and adds value to the organization;

Normative Instruments (NI): Document that establishes standards classified as Policies, Guidelines, Norms, and Normative Procedures.

Non-repudiation: Information security principle that ensures a party cannot deny having provided the information;

Hardening: The process of strengthening the security of systems and networks by reducing their vulnerabilities through the removal of unnecessary functionalities, application of patches, secure service configuration, and implementation of strict access controls;

Malware: General term used to describe any malicious software intended to infect, damage, or gain unauthorized access to systems, networks, or devices. Common examples include viruses, worms, trojans, and ransomware;

Phishing: Fraud technique involving deceptive electronic communications such as emails, text messages, or fake websites to trick individuals into revealing confidential information such as passwords and financial data;

Policy: Explicit guidance through the Bank’s vision, mission, and values.

Principles: Basic precepts or requirements that the Bank must observe in carrying out its activities, aiming for expected conduct in relationships, operations, and services, both internally and externally.

Information Protection: Any action aimed at preserving the value that information holds for an individual or an organization.

Ransomware: A type of malware that “kidnaps” sensitive user data or blocks the victim’s device and subsequently demands a “ransom” for the data’s release or device’s unlocking.

Responsibility: The obligation to respond corporately or locally for specific duties.

Risk: Defined as the quantification of uncertainty. In the context of information security, it refers to the potential associated with the exploitation of one or more vulnerabilities of an information asset or a set of such assets, by one or more threats, with negative impact on the organization’s business.

Cyber Risk: Exposure to damage and losses resulting from the occurrence of cyber incidents.

Cybersecurity: Refers to the set of practices, technologies, and processes used to protect networks, devices, programs, and data from cyberattacks, damage, or unauthorized access. Its goal is to ensure the five core pillars of information security.

Confidentiality: Ensuring that only authorized individuals can access the information.

Integrity: Ensuring that data is not unduly altered and remains accurate and reliable.

Availability: Ensuring that information and systems are accessible when needed.

Authenticity: Verifying the identity of the parties involved in accessing and handling information.

Non-repudiation: Ensuring that actions or transactions cannot be denied by the parties involved.

Third Parties: Business partners, service providers, and suppliers.

Vulnerability: Weakness or flaw in a system, software, or process that can be exploited by a threat to cause damage or gain unauthorized access. Vulnerabilities may result from design flaws, implementation issues, or improper configuration.

Virus: A type of malware that infects other files by altering their content so they begin to carry malicious code.

Worm: Unlike a virus, this type of malware spreads on its own to other devices, for example via email or messaging apps.

5. SCOPE

The Bank’s employees at all hierarchical levels, as well as Commercial Partners, Suppliers, and Contracted Service Providers, are required to observe, comply with, and enforce the terms and conditions of this policy and other related regulations. Within their areas of responsibility, they must ensure the effective implementation of the rules and principles of information security and protection, upholding the legal and ethical standards involving the Bank. The same guidelines apply to third parties.

6. DETAILS

6.1. Principles

6.1.1. Principles | General

Ethics and Legality: Acting in compliance with current laws and regulations, and with standards of ethics and conduct.

Transparency: Ensuring business integrity to strengthen the bonds between stakeholders, promoting good relationships and engagement.

Continuous Improvement: Commitment to improving standards of ethics and conduct, applying corrective measures, ensuring appropriate security levels, the quality of offered products, and the efficiency of services.

6.1.2. Principles | Information Security

Confidentiality: Ensure that access to information is restricted only to authorized individuals, preventing the misuse of sensitive data;

Integrity: Ensure that information is not improperly altered, maintaining its accuracy and reliability, in order to avoid unauthorized modification of data;

Availability: Ensure that information and systems are accessible and operational whenever needed, allowing business processes to function without interruption;

Authenticity: Verify the identity of the parties involved in accessing and handling information, ensuring that data and systems are accessed only by properly authenticated users;

Non-repudiation: Ensure that none of the parties involved in a transaction or communication can deny the authorship of their actions or transactions carried out, ensuring traceability and accountability.

6.2. Guidelines

In order to protect information, the Bank establishes guidelines to be followed, aiming at the implementation of security controls that reflect its commitment and responsibility for information security at all hierarchical levels. These guidelines are as follows:

a) Bank, client, user, employee, and third-party information must be treated ethically, confidentially, and legally, avoiding misuse and undue exposure;

b) Classify data and information according to their relevance;

c) The control and handling of restricted-access information is limited to individuals who need to know it;

d) Define parameters to be used to identify the relevance of events;

e) Use up-to-date and modern security mechanisms (Bank and third parties) that keep pace with technological market developments, capable of providing adequate support and protection for the Bank;

f) Use information transparently and only for the purpose for which it was collected;

g) Ensure that each employee has a unique, personal, and non-transferable identification, making them accountable for their actions;

h) Ensure that access passwords are individually assigned to each employee and kept secret, supported by awareness efforts on the prohibition against sharing them;

i) Develop incident scenarios to be considered in business contingency plans;

j) Define preventive and treatment procedures and controls for incidents to be adopted by third-party companies that handle sensitive or relevant data for operational activities;

k) Implement training and periodic evaluation actions;

l) Maintain informational actions for clients and users regarding precautions in the use of financial products and services;

m) Report all risks related to the Bank’s and its clients’ information to the Information Security area so that they may be analyzed, evaluated, and addressed appropriately.

6.3. Governance

Since its inception, the Bank has valued the importance of information assets in the financial market, ensuring that the information produced or received is used responsibly, ethically, and securely, solely for the benefit of corporate business.

Therefore, to enhance banking activities, the Bank is guided by core information security principles, in order to efficiently preserve, monitor, and manage information ownership, ensuring its confidentiality, integrity, and availability.

The Information Security department must guide the processes of identifying, assessing, and addressing vulnerabilities and threats that could expose information assets to a level of risk considered unacceptable by the Central Bank of Brazil.

Thus, specific controls and procedures must be implemented, including those aimed at information traceability, in order to prevent, detect, and reduce technical, procedural, and legal vulnerabilities, minimizing the risks of incidents related to the Cyber Environment, to ensure the security of information.

6.4. Content Scope

The content of this policy must be compatible with the size, risk profile, and business model of the Bank, the nature of its operations, and the complexity of the Bank’s products, services, activities, and processes, as well as the sensitivity of the data and information under its responsibility. It must also observe the principles and guidelines defined by senior management for the implementation of procedures that aim to ensure the confidentiality, integrity, and availability of the information held and used by the Bank.

6.5. Rules and Procedures

6.5.1. Information Handling

Corporate information must be classified according to its level of importance, confidentiality, and availability into relevant data, sensitive data, and by levels that address confidential, internal use, and public information. This classification must cover data processing, storage, and cloud computing services provided domestically or abroad, and should only be made available to authorized individuals, aiming to reduce/mitigate risks such as data leaks and improper sharing.

6.5.2. Control Measures

The Bank must monitor and record the use of information processed and transmitted within its environment by establishing procedures and controls, such as audit trails and activity logs across all points and systems deemed necessary, to reduce vulnerability to data security incidents as well as other adversities that may occur. Notable technical measures to be adopted include: authentication; information leakage prevention; intrusion testing; vulnerability scanning; control against malicious software; encryption; traceability; network segmentation; and maintenance of backup copies of data and information.

The Bank must conduct a robust analysis of the results of monitoring activities, as well as define the periodicity for reviewing the sensitivity level of information, when necessary.

6.5.3. Hiring Third Parties

The process of hiring relevant third parties who handle information inside or outside the Bank’s premises must be guided by clear rules and procedures to be rigorously followed. These third parties must commit to and act in accordance with this Policy, observing and respecting the pillars of Information Security, such as: Confidentiality, Integrity, and Availability.

In the case of any new hiring, modification, adaptation, or termination of contracts that fall under this Policy, the Information Security, Fraud Prevention, and Legal departments must be informed to take the necessary internal actions to formalize or terminate the relationship.

When the Bank hires a particular partner, service provider, or supplier with whom confidential and sensitive information will be shared, it must:

a) Ensure that the hiring will not impair the Bank’s regular operations or hinder the actions of the Central Bank of Brazil;

b) Define, prior to hiring, which countries and regions within each country the services may be provided in, and where the data and information may be stored and processed;

c) Consider business continuity alternatives in the event of an inability to maintain or termination of the contract;

d) Analyze the criticality of the service and the sensitivity level of the data and information to be processed, stored, and managed, considering the classification of data and information according to relevance;

e) Document the technical capacity assessment of the partner, service provider, or supplier.

The hiring of relevant data processing, storage, and cloud computing services must be reported to the Central Bank of Brazil, including the name of the contracted company, the relevant services hired, and the countries and regions where the services may be provided and data may be stored, processed, and managed, as well as any contractual changes related to this information, within ten days after hiring or modifying the services. Upon signing the contract, an addendum must be signed outlining the obligations and responsibilities of the contracted company in accordance with CMN Resolution No. 4,893/21.

6.5.4. Awareness and Responsibilities

Bank employees, partners, relevant service providers, and suppliers must be aware of this Policy (internal and/or external version as applicable), and it must be properly communicated and disclosed.

Employees and relevant third parties who access, handle information, or use the Bank’s technological resources in any way must commit to and act in accordance with this Policy, observing and respecting the pillars of Information Security.

6.5.5. Training and Qualification

The Bank will periodically promote training sessions for its employees and relevant third parties on this Policy, at the beginning of the relationship or when updates occur, and will apply tests to assess the assimilation of the content and the knowledge acquired.

6.5.6. Prevention Measures for Clients and Users

The Bank is constantly working to maintain a secure cyber environment, making Information Security its priority, which is evident in its policies and procedures.

However, it is essential to highlight that the responsibility for Information Security also depends on its clients and users, who must be alert to “tricks”, “cyber scams”, and malicious software circulating on the internet.

Cybercriminals, through the aforementioned schemes, aim to illicitly obtain data and information in order to gain undue advantages.

Therefore, to guide clients and/or users in contributing to the maintenance of a secure online environment, Banco Luso Brasileiro recommends the following:

a) Identification data (login and password) must be memorized and not recorded in other digital or physical environments, nor shared with third parties, even those in your household. This measure helps to maintain the confidentiality of your information;

b) The password should be changed not only periodically but also whenever there is suspicion of a breach of its confidentiality;

c) Strong passwords should be created, meaning they must be complex (including letters, numbers, special characters) and unique, and should not be reused;

d) The client’s and/or user’s personal device should not be used by other people while it is connected with their identification (login and password);

e) The client’s and/or user’s personal device should always be locked when leaving the location.

6.6. Responsibilities

6.6.1. Board of Directors

a) Approve the External Information and Cybersecurity Policy.

6.6.2. Partners, Service Providers, and Suppliers

All relevant partners, service providers, and suppliers who handle information inside or outside the Bank’s premises, in addition to complying with the normative instruments related to third-party contracting, must observe and enforce the following provisions:

a) Ensure full knowledge of the requirements to be met in the signed contracts, in accordance with current legislation and regulations;

b) Provide the Bank with access to the data and information to be processed or stored at the time of service provision;

c) When requested, respond to the questionnaire on the adoption of corporate governance and Information Security practices;

d) Observe the core principles of Information Security, such as: confidentiality, integrity, and availability, as well as the recovery of data and information processed or stored by the service provider;

e) Prove compliance with the certifications required by the institution for the provision of the contracted service, when requested;

f) Authorize the Bank to access reports prepared by an independent specialized audit firm hired by the service provider, related to procedures and controls used in the provision of the contracted services;

g) Provide adequate management information and resources for monitoring the services to be provided;

h) Identify and segregate the Bank’s end-user data through physical or logical controls;

i) Ensure the quality of access controls aimed at protecting the Bank’s end-user data and information;

j) In the case of internet-based applications, adopt controls to mitigate the effects of potential vulnerabilities introduced in the release of new application versions;

k) Ensure full knowledge of all items in this policy and sign a statement of responsibility, committing to full compliance with all items contained therein.

6.6.3. Information Security and Fraud Prevention

a) Ensure proper segregation of duties in the Bank’s systems, mitigating the risk of access conflicts;

b) Review system accesses annually in order to make necessary adjustments to users/profiles/systems;

c) Participate in the implementation of new Bank systems, in order to define or guide user access profiles, ensuring proper segregation of duties from the outset;

d) Coordinate the Information Security and Data Privacy Committee;

e) Present annual improvements and responses to incidents through the regulatory annual report;

f) Review the Business Continuity Plan annually, updating related documents if necessary;

g) Record any relevant incidents, the main actions taken to resolve them, and action plans when necessary, to mitigate identified risks;

h) Communicate and promote periodic training for employees and partners regarding Information Security and Business Continuity;

i) Promote Information Security management with regard to corporate processes;

j) Review the Information and Cybersecurity Policy when necessary, and after approval by the Board of Directors, ensure its publication through available channels for stakeholder awareness;

k) Ensure compliance with applicable and current legislation.

6.6.4. Information Security and Fraud Prevention | Information Technology

a) Promote Information Security management with regard to technological processes and tools used;

b) Technically analyze Information Security and Fraud Prevention incidents;

c) Implement solutions to continuously improve Technological Security;

d) Promote the Hardening process of the technological environment;

e) Monitor the technological environment, performing updates and analyzing identified attack attempts;

f) Act in situations requiring Forensic investigation when necessary; immediately report to the Executive Board and the Data Protection Officer (“DPO”) incidents resulting in leakage of Personal Data processed by the Bank, regardless of the data subjects involved.

Provide the DPO with information and other necessary support regarding incidents, in order to enable the Bank to comply with its obligations to report to the ANPD, BACEN, and/or the data subjects.

6.6.5. Data Protection Officer (“DPO”)

a) Support the areas of Technology and Information Security and Fraud Prevention in matters and demands related to legislation concerning the processing of personal data, issuing opinions and providing input for decision-making by the Executive Board.

b) Act as a liaison between the Bank and the National Data Protection Authority (“ANPD”) on matters related to the Bank’s personal data processing activities.

7. EFFECTIVENESS

This Policy comes into effect on the date of its publication and will remain in force indefinitely. It must be reviewed at least annually, or whenever necessary, in the event of changes to the Bank’s internal regulations, amendments to information and cybersecurity guidelines, changes in business objectives, or as required by the competent regulatory body.
