Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Item 16K. Cybersecurity

Information security is a fundamental aspect of our strategic and operational business management. In January 2025, we implemented a new cybersecurity governance model designed to enhance oversight, risk management, and maturity, while providing greater autonomy and accountability to each of our business units. Cybersecurity remains a strategic priority across the Cosan Group.

Under this new model, the Cosan information security team now operates as a second line of defense, focusing on governance, cybersecurity policies, risk management, regulatory compliance, security maturity assessments, and effectiveness testing. This function provides guidance and oversight to the Cosan Group’s subsidiaries with the aim of improving alignment with strategic objectives and regulatory expectations. The Cosan information security team is led by a cybersecurity executive with over 22 years of experience who reports directly to our chief financial and investor relations officers.

The Cosan Group has a structured process to monitor, analyze, and mitigate cybersecurity risks, with the objective of identifying and addressing threats early and proactively. Security risks are mapped and communicated to relevant stakeholders for treatment and mitigation. Independent security assessments are conducted twice a year. In addition, our security maturity program evaluates cybersecurity performance across the Cosan Group, and the maturity rating was incorporated as a variable in calculating the variable compensation of certain executives.

To maintain executive engagement and visibility, we hold monthly meetings on information security with the participation of business information security officers, or “BISOs,” technology managers, chief information officers, or “CIOs,” and Cosan’s executive leadership, including the chief financial officer and chief executive officer. These meetings are designed to maintain cybersecurity as a key topic in corporate governance discussions and to ensure that security initiatives remain aligned with our business strategy and regulatory obligations.

The Cyber Defense Center (CDC) at Raízen, a subsidiary of Cosan, continues to execute cybersecurity operations for the entire Cosan Group, while maintaining strategic alignment with Cosan’s information security team, in order to provide centralized oversight and consistency with the Cosan Group’s corporate security standards. The CDC is responsible for incident detection and response, threat intelligence, security testing, and operational technology (OT) security monitoring. In 2025, its scope was expanded to include Data Protection (Database Security), Security Awareness and Culture Initiatives (Guardian Program), Vendor Risk Management, Proof-of-Concept Security Evaluations (PoCs and Innovation), and Cloud Security Operations.

Each business unit within the Cosan Group assumes direct responsibility for its cybersecurity strategy and implementation. While the governance model allows subsidiaries flexibility to define their security leadership structure, they remain accountable for their security posture and risk management. The Cosan information security team provides guidance and challenge.

Continuous Investment in Cybersecurity and New Security Controls

As part of our ongoing strategy to enhance cybersecurity, we evaluate and implement advanced security solutions. In 2025, we intend to further expand our defenses by deploying a next-generation Security Information and Event Management (SIEM) solution, with the objective of improving real-time security monitoring and advanced threat detection capabilities. Additionally, we are onboarding a new external Security Operations Center (SOC) partner. We also intend to deploy our Data Loss Prevention (DLP) system with the aim of enhancing sensitive data protection, alongside new cloud security solutions.

Since the start of our cybersecurity transformation in 2020, we have sought to strengthen our capabilities through investments in technology, processes, and talent development through structured initiatives, including the implementation of security controls and improvement programs.

Cybersecurity Effectiveness and Crisis Management

In 2024, we launched our Cybersecurity Effectiveness Program, an initiative aimed at continuously measuring and optimizing the effectiveness of our security defenses. This program, currently in its final implementation phase, incorporates breach and attack simulations (BAS), real-world security control validations, and targeted cybersecurity risk assessments. The objective of this program is to enhance our ability to proactively detect, respond to, and mitigate cyber threats before they materialize.

Recognizing the increasing complexity of cyber threats, we have also established a Cyber Crisis Management Program. This initiative trains technical teams, security personnel, and executive leadership to effectively respond to cybersecurity crises. Through real-world incident simulations, we test and refine our ability to react to various threat scenarios. The objective of this program is to strengthen our ability to make informed decisions and execute strategic responses under crisis conditions.

Our Cyber Defense Center at Raízen continues to play a crucial role in threat detection and response, operating a 24/7 Security Operations Center (SOC), a Cyber Threat Intelligence (CTI) team, and an Incident Response (CSIRT) function. Additionally, we have reinforced Application Security (AppSec), Ethical Hacking, and Red Team exercises to strengthen our offensive security capabilities. In the area of Operational Technology (OT) security, we have deployed industrial security monitoring technologies in order to improve our visibility into cyber risks affecting critical infrastructure.

Incident Management and Risk Oversight

The Cosan Group maintains a structured cybersecurity risk management process, integrating monitoring, threat intelligence, and proactive security testing with the objective of identifying and mitigating risks. Our approach is consistent with international security frameworks, including NIST-CSF, ISO 27001/2, and CIS Controls.

In March 2020, our subsidiaries and jointly controlled companies suffered a cyberattack by ransomware that caused a partial and temporary interruption of our operations. Following this incident, we have strengthened procedures and controls with the support of our chief of information security and cybersecurity, internal cybersecurity-dedicated personnel and third-party security experts to expand and improve our cybersecurity controls. 

In the fiscal years ended December 31, 2022, 2023 and 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risk from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.

See also “Item 3. Key Information—D. Risk Factors—Risks Related to Our Businesses and the Industries in Which We Operate Generally—We could be the target of attempted cyber threats in the future, which could adversely affect our business.”

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

The Cosan Group maintains a structured cybersecurity risk management process, integrating monitoring, threat intelligence, and proactive security testing with the objective of identifying and mitigating risks. Our approach is consistent with international security frameworks, including NIST-CSF, ISO 27001/2, and CIS Controls.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

In the fiscal years ended December 31, 2022, 2023 and 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risk from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Information security is a fundamental aspect of our strategic and operational business management. In January 2025, we implemented a new cybersecurity governance model designed to enhance oversight, risk management, and maturity, while providing greater autonomy and accountability to each of our business units. Cybersecurity remains a strategic priority across the Cosan Group.

Under this new model, the Cosan information security team now operates as a second line of defense, focusing on governance, cybersecurity policies, risk management, regulatory compliance, security maturity assessments, and effectiveness testing. This function provides guidance and oversight to the Cosan Group’s subsidiaries with the aim of improving alignment with strategic objectives and regulatory expectations. The Cosan information security team is led by a cybersecurity executive with over 22 years of experience who reports directly to our chief financial and investor relations officers.

The Cosan Group has a structured process to monitor, analyze, and mitigate cybersecurity risks, with the objective of identifying and addressing threats early and proactively. Security risks are mapped and communicated to relevant stakeholders for treatment and mitigation. Independent security assessments are conducted twice a year. In addition, our security maturity program evaluates cybersecurity performance across the Cosan Group, and the maturity rating was incorporated as a variable in calculating the variable compensation of certain executives.

To maintain executive engagement and visibility, we hold monthly meetings on information security with the participation of business information security officers, or “BISOs,” technology managers, chief information officers, or “CIOs,” and Cosan’s executive leadership, including the chief financial officer and chief executive officer. These meetings are designed to maintain cybersecurity as a key topic in corporate governance discussions and to ensure that security initiatives remain aligned with our business strategy and regulatory obligations.

The Cyber Defense Center (CDC) at Raízen, a subsidiary of Cosan, continues to execute cybersecurity operations for the entire Cosan Group, while maintaining strategic alignment with Cosan’s information security team, in order to provide centralized oversight and consistency with the Cosan Group’s corporate security standards. The CDC is responsible for incident detection and response, threat intelligence, security testing, and operational technology (OT) security monitoring. In 2025, its scope was expanded to include Data Protection (Database Security), Security Awareness and Culture Initiatives (Guardian Program), Vendor Risk Management, Proof-of-Concept Security Evaluations (PoCs and Innovation), and Cloud Security Operations.

Each business unit within the Cosan Group assumes direct responsibility for its cybersecurity strategy and implementation. While the governance model allows subsidiaries flexibility to define their security leadership structure, they remain accountable for their security posture and risk management. The Cosan information security team provides guidance and challenge.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Under this new model, the Cosan information security team now operates as a second line of defense, focusing on governance, cybersecurity policies, risk management, regulatory compliance, security maturity assessments, and effectiveness testing.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Under this new model, the Cosan information security team now operates as a second line of defense, focusing on governance, cybersecurity policies, risk management, regulatory compliance, security maturity assessments, and effectiveness testing. This function provides guidance and oversight to the Cosan Group’s subsidiaries with the aim of improving alignment with strategic objectives and regulatory expectations.
Cybersecurity Risk Role of Management [Text Block]

The Cosan Group has a structured process to monitor, analyze, and mitigate cybersecurity risks, with the objective of identifying and addressing threats early and proactively. Security risks are mapped and communicated to relevant stakeholders for treatment and mitigation. Independent security assessments are conducted twice a year. In addition, our security maturity program evaluates cybersecurity performance across the Cosan Group, and the maturity rating was incorporated as a variable in calculating the variable compensation of certain executives.

To maintain executive engagement and visibility, we hold monthly meetings on information security with the participation of business information security officers, or “BISOs,” technology managers, chief information officers, or “CIOs,” and Cosan’s executive leadership, including the chief financial officer and chief executive officer. These meetings are designed to maintain cybersecurity as a key topic in corporate governance discussions and to ensure that security initiatives remain aligned with our business strategy and regulatory obligations.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] To maintain executive engagement and visibility, we hold monthly meetings on information security with the participation of business information security officers, or “BISOs,” technology managers, chief information officers, or “CIOs,” and Cosan’s executive leadership, including the chief financial officer and chief executive officer. These meetings are designed to maintain cybersecurity as a key topic in corporate governance discussions and to ensure that security initiatives remain aligned with our business strategy and regulatory obligations.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The Cosan information security team is led by a cybersecurity executive with over 22 years of experience who reports directly to our chief financial and investor relations officers.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Incident Management and Risk Oversight

The Cosan Group maintains a structured cybersecurity risk management process, integrating monitoring, threat intelligence, and proactive security testing with the objective of identifying and mitigating risks. Our approach is consistent with international security frameworks, including NIST-CSF, ISO 27001/2, and CIS Controls.

In March 2020, our subsidiaries and jointly controlled companies suffered a cyberattack by ransomware that caused a partial and temporary interruption of our operations. Following this incident, we have strengthened procedures and controls with the support of our chief of information security and cybersecurity, internal cybersecurity-dedicated personnel and third-party security experts to expand and improve our cybersecurity controls. 

In the fiscal years ended December 31, 2022, 2023 and 2024, we did not identify any cybersecurity threats that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition. However, despite our efforts, we cannot eliminate all risk from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident.

See also “Item 3. Key Information—D. Risk Factors—Risks Related to Our Businesses and the Industries in Which We Operate Generally—We could be the target of attempted cyber threats in the future, which could adversely affect our business.”

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true