| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Risk Management and Strategy We consider cybersecurity and information security at the highest strategic level. Our cybersecurity risk management strategy is designed to detect, prevent, monitor and respond to security incidents, minimize unavailability, protect integrity of data and prevent data leakage. We have adopted various processes for the assessment, identification and management of risks arising from cybersecurity threats, which are documented in our Corporate Information Security and Cyber Security Policy, available at our Investor Relations website, which is not incorporated by reference into this annual report. We have a cybersecurity department that is responsible for monitoring our technological environment and for assessing any threats and alerts relating to cybersecurity 24/7. Once the cybersecurity department identifies a cybersecurity incident, it classifies the incident as material or not based upon internal guidelines, as described in the Information Security and Cybersecurity Incident Response Plan (Plano de Tratamento de Incidentes de Segurança da Informação e Cyber Security), prepared by our cybersecurity department and approved by our board of directors, which consider, among other matters, the impact of the cybersecurity incidents on our financial system and whether there is evidence that any customer or general public information has been exfiltrated. Upon the determination that a material cybersecurity incident has occurred and that such an incident may materially damage the individuals whose personal information has been exfiltrated, the cybersecurity department is required to report the incident to the audit committee as well as to notify the relevant Brazilian authorities and those individuals implicated. 
In the event of a cybersecurity incident affecting personal information of our employees, the cybersecurity department reports to the inspectorate for joint action. The cybersecurity department is led by our chief information security officer (“CISO”), Daniel Menezes Santana, who reports to our CSO, Adriano Cabral Volpini. Mr. Volpini has over 30 years of experience in the financial services industry, with extensive expertise in corporate security, risk management and fraud prevention, and currently serves as Corporate Security Director and CSO of the Itaú Unibanco Group. Mr. Santana has more than 20 years of experience in information security and cybersecurity and has held senior leadership roles in the field. He has been serving as CISO since April 2025. Our cybersecurity processes have been comprehensively integrated into our risk management system and strategy. Our cybersecurity department prepares an annual cybersecurity report outlining cybersecurity incidents, if any, actions taken to respond to those incidents and measures adopted to prevent cybersecurity incidents from occurring. This annual cybersecurity report is presented to the risk committee, the audit committee and the board of directors to ensure compliance with regulatory requirements in Brazil. We also conduct, on a continuous basis, stress tests on our cybersecurity infrastructure and environment to identify potential weaknesses and improve our controls and procedures. In addition, we roll out awareness campaigns and/or trainings periodically for our employees and, every two years, we conduct mandatory training on cybersecurity matters for our employees, the cybersecurity department, executive management and the board of directors. As part of our risk management strategy, we contract cybersecurity companies and auditing firms with industry-recognized expertise on cybersecurity matters to assess our cybersecurity controls and procedures annually. 
Those consultants and auditing firms conduct independent penetration tests and suggest improvements to our overall procedures, if any. In 2011 and 2021 we obtained the ISO 27001 and ISO 27701 certificates, respectively. ISO 27001 is an international standard to manage information security while ISO 27701 is the international standard for privacy information management. This additional layer of surveillance by independent consultants and auditing firms, together with the ISO 27001 and ISO 27701 certificates, represents our commitment to adequate and reliable procedures and information infrastructure. We continuously assess and oversee material risks from cybersecurity threats associated with our third-party service providers. Before engaging in business relationships with service providers, the cybersecurity department evaluates whether they meet our minimum standards relating to cybersecurity procedures, governance and risk management. We conduct on-site visits to some service providers that pose greater cybersecurity risks to us to validate their controls over information, monitor their responses to cybersecurity incidents and improvements to cybersecurity infrastructure. Service providers are also required to report material cybersecurity incidents to us relating to breaches of our information and personal information of our customers. From an operational perspective, we use tools such as network behavioral analysis, intrusion prevention systems (IPS), firewalls, antivirus and antispam systems, among others, to protect us against external and internal attacks. Those systems are used to protect our information and information of our customers regardless of where it is located (i.e., within our own infrastructure, a cloud provider or service provider’s infrastructure) throughout the lifecycle of the information. 
In line with the growing use of AI technology, we have implemented a comprehensive safety journey for the use of AI in business enablement, supported by internal policies and procedures governing its application in our operations, designed to ensure the safe use of this technology while promoting appropriate risk management and regulatory compliance. In line with the growing use of AI technology, we have implemented internal policies and procedures governing the use of AI in our business operations, designed to promote appropriate risk management and compliance. For more information on the risks associated with the use of AI, see “Item 3D. Risk Factors—Business Operations—As the regulatory framework for AI and machine learning technology evolves, our business, financial condition and results of operations may be adversely affected.” Risks from cybersecurity threats, including any previous cybersecurity events, have not materially affected us or our business strategy, results of operations or financial condition as of the date of this annual report. For more information on cybersecurity risks, see “Item 3D. Risk Factors—Business Operations—Failure to adequately protect ourselves against risks relating to cybersecurity could materially adversely affect us.”
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We consider cybersecurity and information security at the highest strategic level. Our cybersecurity risk management strategy is designed to detect, prevent, monitor and respond to security incidents, minimize unavailability, protect integrity of data and prevent data leakage. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Our board of directors, which includes members with technology and cybersecurity experience, oversees the management of cybersecurity risks as well as participates in the establishment of our cybersecurity strategy. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our board of directors, which includes members with technology and cybersecurity experience, oversees the management of cybersecurity risks as well as participates in the establishment of our cybersecurity strategy. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Our Risk Committee (Comitê de Risco) receives reports on cybersecurity incidents occurring in the applicable period and information relating to the management of cybersecurity threats. |
| Cybersecurity Risk Role of Management [Text Block] | In addition to our board of directors, our management plays an important role in managing cybersecurity threats. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | We have a department solely dedicated to identifying, assessing and managing cybersecurity threats, incidents and issues. Since 2025, this department has been led by our CISO, who reports to our CSO, and both ultimately report to our CRO. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | The CISO and CSO must have long and solid expertise in cybersecurity matters and report material cybersecurity risks to the CRO. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The CRO monitors material cybersecurity risks and reports them to the executive committee. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |