Cybersecurity is one of our strategic priorities and one of the pillars of our organization. Our information security team establishes and leads our cybersecurity strategy and the lifecycle for managing cybersecurity risks, including identifying, analyzing, evaluating, mitigating and monitoring risks that could affect our processes and products. Our information security team also defines the policies, practices, procedures, and organizational structure that best aligns with our business objectives, which we use to identify, analyze, evaluate, measure, mitigate, and monitor cybersecurity risks. Our cybersecurity activities are reported to our Cybersecurity Committee on a quarterly basis. We collaborate together with different teams of our organization to conduct continuous analysis of potential failures, vulnerabilities or risks that may impact our processes and products.

​

Our information security strategy is based on the following three security frameworks: defense in depth, security by design, and zero trust. We foster these principles through standardized controls, risk-based governance, and continuous monitoring and response focusing on critical assets which support business processes. During 2025, we focused on improving the level of maturity of our  systems using the Center for Internet Security controls framework, which is based on internationally recognized cybersecurity best practices. Additionally, our controls are aligned to new regulations of regulatory bodies such as the Central Bank. This strategy is implemented by a multidisciplinary group of information security professionals who work full-time and operate in an agile and collaborative manner. They collaborate not only among themselves but also with our business teams to maintain and develop new products.

​

We operate a Cybersecurity Center of Excellence (“CoE”) that defines, standardizes and maintains security guidelines and controls and supports their consistent adoption across the Group. The CoE seeks to integrate our cybersecurity strategy throughout the product lifecycle, including during pre-design, by participating in solution design, defining protections aligned to context, analyzing undesired scenarios, and proposing changes or mitigations.

​

Our security professionals are organized in dedicated functions and teams, including: (i) a “green team” who is responsible for digital identity and access governance, (ii) a “red team” who is responsible for adversarial testing through vulnerability assessments and penetration tests, (iii) a “blue team” who is focused on protective controls, security operations and incident response, and (iv) our CoE which support the integration of security-by-design standards across our product delivery, and (v) a security governance function that supports regulatory alignment, risk-based prioritization, periodic analysis and assessment of third party partners and vendors to validate their alignment with our security guidelines, metrics and reporting, and coordination with delivery practices;. All these teams manage and mitigate cybersecurity risks on a regular basis. These teams work in bi-weekly sprints, holding daily and weekly meetings where information related to the progress of ongoing projects, new products, risks and threats is exchanged and analyzed. Executive summaries of all the activities carried out by these teams are compiled, analyzed, and discussed bi-monthly in meetings of our Cybersecurity Committee, which are attended by senior management, directors, and the Company’s chairman.

​

As cyber-attacks evolve and become more sophisticated, companies must strengthen their prevention and monitoring efforts and adopt new measures to mitigate cybersecurity risks. In recent years, the average number of cybersecurity incidents has increased significantly worldwide. As a result, in 2025, one of our goals was to prevent the most common cyberattacks, which are related to ransomware, smishing, phishing, brand abuse, among others, and to maintain ratios below market average. Therefore, we have enhanced our system monitoring capabilities, paying special attention to critical assets that support business processes. We focus our efforts on cloud security, data loss prevention, automation, and on extending the cybersecurity protective perimeter to our customer devices, adding layers of security on mobile channel.

​

For the third consecutive year, we are in compliance with the SWIFT security assessment and we meet all mandatory and recommended controls. This milestone underscores our unwavering commitment to cybersecurity excellence, demonstrating a proactive and innovative approach to safeguarding critical assets and customer data. By maintaining the highest standards of protection on one of the most targeted infrastructures in the financial sector, we reinforce our resilience against evolving threats.

To address the dynamic nature of cyber risks, we have implemented several strategic initiatives. These include a comprehensive information classification framework, significantly improved through automation to prevent data leakage by blocking unauthorized transmissions. Additionally, we conduct regular inspections and testing of our security measures through simulation exercises, including cybersecurity tests by our “red team.” These exercises help us identify vulnerabilities through technical assessments, social engineering simulations, and ethical phishing campaigns. We have also embraced a model to ensure that our business initiatives, products and their underlying technologies are secure.

​

In 2025, we conducted a campaign for our employees and clients to raise awareness of secure digital transactions. The campaign generated above-market performance against key KPIs, as validated by an independent third party.

​

Based on the information we have as of the date of this annual report, we do not believe any cybersecurity threats have materially affected or are reasonably likely to materially affect the Group, including our business strategy, results of operations or financial condition.  However, despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats or provide assurances that we have not experienced an undetected cybersecurity incident. For more information about these risks, see “Item 3.D. Risk Factors—Risks Relating to Our Business—Cybersecurity events could negatively affect our reputation, results of operations and financial condition.”

Cybersecurity is one of our strategic priorities and one of the pillars of our organization. Our information security team establishes and leads our cybersecurity strategy and the lifecycle for managing cybersecurity risks, including identifying, analyzing, evaluating, mitigating and monitoring risks that could affect our processes and products. Our information security team also defines the policies, practices, procedures, and organizational structure that best aligns with our business objectives, which we use to identify, analyze, evaluate, measure, mitigate, and monitor cybersecurity risks. Our cybersecurity activities are reported to our Cybersecurity Committee on a quarterly basis. We collaborate together with different teams of our organization to conduct continuous analysis of potential failures, vulnerabilities or risks that may impact our processes and products.

​

Our information security strategy is based on the following three security frameworks: defense in depth, security by design, and zero trust. We foster these principles through standardized controls, risk-based governance, and continuous monitoring and response focusing on critical assets which support business processes. During 2025, we focused on improving the level of maturity of our  systems using the Center for Internet Security controls framework, which is based on internationally recognized cybersecurity best practices. Additionally, our controls are aligned to new regulations of regulatory bodies such as the Central Bank. This strategy is implemented by a multidisciplinary group of information security professionals who work full-time and operate in an agile and collaborative manner. They collaborate not only among themselves but also with our business teams to maintain and develop new products.

​

We operate a Cybersecurity Center of Excellence (“CoE”) that defines, standardizes and maintains security guidelines and controls and supports their consistent adoption across the Group. The CoE seeks to integrate our cybersecurity strategy throughout the product lifecycle, including during pre-design, by participating in solution design, defining protections aligned to context, analyzing undesired scenarios, and proposing changes or mitigations.

To ensure that the Company’s security strategy is implemented efficiently, we have established a security governance model. This security governance model has been prepared by committees responsible for approving and supervising the execution of the information security strategy in areas such as corporate security and risk management.

Our Board of Directors regularly receives cybersecurity updates as an integral part of its ongoing risk oversight from the Board committees. Additionally, the Chief Technology Officer, the Chief Risk Officer and the Chief Information Security Officer may convene ad hoc meetings with board members. Our incident response plan sets forth procedures for incident escalation, including convening crisis committees comprised by members of our Board of Directors, in order to facilitate decision-making procedures in response to cybersecurity events. Our crisis committees analyze the quantitative and/or qualitative materiality of cybersecurity events to determine if they exceeds the materiality thresholds and the actions to be taken in response thereto, which enables us to adopt swift and effective responses to mitigate potential impacts on our operations and reputation.

While the primary responsibility for cybersecurity lies with our CISO, who has more than 30 years of experience and extensive academic training in cybersecurity and cryptography, we recognize the importance to collaborate with other experts and we highly value the diversity of expert opinions.