| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Abstract] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |

16.K.10 Strategy and Governance of information security/cybersecurity

We consider Information Security and Cybersecurity to be matters of the highest strategic relevance. We work to protect our physical and technological infrastructure against cyberattacks, ensuring the confidentiality, integrity and availability of our channels, as well as the privacy and protection of information belonging to the Group and our customers. We maintain a set of policies, standards, processes, controls, organizational structures and solutions designed to uphold those three principles.

Senior Management oversees risk management and integrates it into the Group's strategy by defining risk appetite, approving policies, ensuring adherence to guidelines and promoting a risk-aware culture. The Risk Committee plays a central role in assessing the appetite levels defined in the Risk Appetite Statement (RAS) and the related strategies. The Committee also monitors executive management's compliance with the RAS, oversees adherence of processes to the risk-management policies and provides recommendations to the Board of Directors regarding policies, strategies, structures, plans, scenarios and risk limits.

Our IT infrastructure is protected by multiple layers of security aimed at preventing attacks, fraud and unauthorized access, and at continuously monitoring suspicious activity. We keep our systems updated, regularly assess vulnerabilities and perform independent testing to verify control effectiveness. We also maintain 24/7 SOC monitoring by specialized teams, supported by a structured incident-response model intended to ensure agility, coordination and protection of our data and operations.

We invest continuously to strengthen our ability to anticipate and respond to threats, enhance internal processes and improve the security and resilience of our environments. In addition, we maintain an Information Security Awareness Program that supports integration across technology, processes and people, providing training and awareness initiatives to employees, collaborators and customers. Our processes are continuously enhanced to meet regulatory requirements related to cybersecurity, risk management and data protection. We maintain a proactive and preventive posture aligned with market best practices, supporting compliance, resilience and governance across the technological environment.

The Group holds SOC 2 Type II and SOC 3 assurance reports issued by an independent specialized auditor and renewed annually. These reports present the auditor's opinion on the design and operating effectiveness, over the reporting period, of the controls implemented to protect the IT environment supporting the financial services provided, evaluated against the AICPA Trust Services Criteria for SOC 2 in the following categories: security, availability, processing integrity, confidentiality and privacy.

16.K.20 Cybersecurity Risk

Cybersecurity risk refers to the possibility of cyber incidents, including attacks, intrusions and data leaks, that may compromise the confidentiality, integrity and/or availability of our critical business processes, assets and/or critical infrastructure.

16.K.30 Information Security and Cybersecurity Risk-Management Process

The cybersecurity process comprises four main components: identifying threats by monitoring risks and trends; protecting the environment through preventive measures and awareness initiatives; detecting events to ensure timely recognition of attacks or exposures; and responding and recovering by analyzing incidents, mitigating impacts and strengthening the environment to prevent recurrence.

We apply the Three Lines Model to identify, classify and address cybersecurity risks, ensuring coordinated action among the responsible areas. Risk management follows the principles of confidentiality, integrity and availability. We also adopt market-standard frameworks and methodologies for cybersecurity risk management, as well as for the prevention and treatment of information-security and cyber incidents. We exercise corporate risk control in an integrated and independent manner, preserving the collegiate decision-making environment and developing and implementing methodologies, models and tools for measurement and control. Risk culture is promoted across all employees and hierarchical levels, from business areas to the Board of Directors. Corporate topics such as risk management, crisis management, business continuity and data processing are translated into the cybersecurity-risk domain through a set of controls represented by procedures, processes, organizational structures, policies, standards and solutions.

Effective risk management is essential to the long-term sustainability and success of a financial institution. In this context, we rely on the Risk Appetite Framework (RAF), which guides the Group in defining its risk-appetite levels and ensures that strategic decisions remain aligned with our capacity to identify, assess, assume and manage risks in a controlled manner. In compliance with CMN Resolution No. 4,893/21, we maintain corporate policies and standards (reviewed annually), conduct training and awareness activities on information security and cybersecurity, communicate threats and incidents to stakeholders, manage cybersecurity indicators, issue an annual cybersecurity report and perform independent periodic effectiveness tests of the key controls used to monitor cybersecurity risk. Cybersecurity risk-related matters are reported promptly and periodically to our risk-control forums, including timely communication to the relevant stakeholders.

16.K.40 Cybersecurity Risk-Measurement Methodology

We use internal and external sources of information regarding new types of threats, vulnerabilities and cyberattacks, along with market frameworks such as ISO 31000 (Risk Management Guidelines), the NIST Cybersecurity Framework and FAIR (Factor Analysis of Information Risk), to support the development of our internal cybersecurity risk-assessment model. In accordance with the metrics defined in our Corporate Risk-Management Methodology, risks are graded by severity, which combines the probability of occurrence with the potential impact, should the risk materialize, across the following dimensions: customers, employees and stakeholders; finances; regulatory requirements; reputation; availability of systems and services; and privacy of data subjects.

16.K.50 Engagement of Assessors, Consultants, Auditors or Other Third Parties in Connection With Cybersecurity-Risk Processes

We engage an independent auditor to issue ISAE 3402 assurance reports on our controls. We also hold ISO/IEC 27001 certification, with controls aligned to the ISO/IEC 27002 code of practice (ISO/IEC 27002 itself is guidance and is not a certifiable standard).

16.K.50.01 Engagement of Relevant Service Providers

The engagement of service providers follows criteria aligned with our internal governance and regulatory-compliance policies and includes specific requirements designed to mitigate risks that may affect the confidentiality, integrity and availability of information. As part of the Group's procurement process, services are classified and providers are assessed during onboarding and throughout the monitoring cycle, with reassessments carried out according to the schedule defined in our internal standards. All assessments are documented, and contracts include the clauses required by CMN Resolution No. 4,893/21, including timely communication to the Central Bank of Brazil when contracted services meet the criteria for relevant service providers.

16.K.50.02 Cybersecurity Threat Risks

For further information on cybersecurity threats, see "Item 3.D. Risk Factors — 3.D.20.09 Cybersecurity Risk." |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We exercise corporate risk control in an integrated and independent manner, preserving the collegiate decision-making environment and developing and implementing methodologies, models and tools for measurement and control. |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |