Cybersecurity Risk Management and Strategy Disclosure	12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]	16.K.10 Strategy of information security/cybersecurity We consider the Information Security/Cybersecurity theme at the highest strategic levels. We work daily to protect our physical and technological infrastructure against cyberattacks in order to ensure the confidentiality, integrity and availability of our channels ensuring the privacy and protection of our information and our clients. Accordingly, we have continuously developed our security framework in line with the new digital environment, with a key focus on cybersecurity as one of the pillars of technology, always seeking to provide more protection, and resilience, and in the threat identification process development, event detection, efficient response and recovery processes in cases of cyber incidents. With regard to technical aspects, in order to prepare for and anticipate IT security threats, including cyber threats, the IT area promotes ongoing investments, such as to reformulate the process of critical updates of servers and workstations, the process of inspecting the source code in the development cycle, establish the infrastructure of the safety testing laboratory and promote the use of cutting-edge technologies/tools. Our infrastructure has multiple layers of security applied in both our external and internal perimeter. To protect against attacks from external connections and the internet, we use Web Application and API Protection (WAAP) systems, DDoS prevention, and DNS protection, among others. In addition, we have systems for fraudulent behavior analysis, detection of improper access, malicious codes, analysis of network and user behavior, intrusion protection products (intrusion detector), firewall, Endpoint Detection and Response (EDR), ransomware and antispam, and encryption, among others, aiming to provide comprehensive protection to our IT environment. In addition, we have a program for continuous updating our software and hardware, vulnerability management and frequent execution of resilience tests and conducting “Penetration Tests” by independent and internal audit companies. We have also implemented a data loss prevention system (DLP) at rest and in transit, developed to ensure the protection of our data. We have continuous monitoring mechanisms, such as security operational centers (SOCs), structured in the area of IT Security, focused on identifying and dealing with potential vulnerabilities, based on an incident response framework integrated with crisis management that describes roles and responsibilities in three levels: Strategic, Tactical and Technical, covering the pillars of confidentiality, integrity and availability, with the aim of establishing an active defense with the use of cognitive intelligence, monitoring of the environment (24/7) and prevention measures through the use of intelligence information. To ensure the security and privacy of our clients, we adopt strict security procedures. Management and technical areas communicate and interact with one another in order to create solutions, provide secure access to service channels and minimize exposure and vulnerabilities. We have a range of security devices and technologies, among them several biometric systems, chip cards, use of digital validation with OTP (One Time Password) devices and physical signing transaction (Token) and Mobile (M-Token) version. We have continuously developed awareness campaigns through client channels and social media. On our “seguranca.bradesco” website (information published on the website is not incorporated by reference in this annual report) there are several guidelines for the public, including videos of the web series “Protect Yourself” with prevention tips on current key scams/fraud, which aim to improve user knowledge of our security measures. Additionally, we have our Information Security Acculturation Program, for employees, this serve as the fundamental foundation for aligning the pillars of technology, processes, and people, ensuring the effectiveness of security measures. As such, we invest in training and awareness materials for employees, associates and clients ensuring they not only understand the issue but are prepared for and informed about the associated risks and threats. CMN amended its Resolution No. 4,893/21, that contains requirements related to the cybersecurity policy and the requirements for hiring data processing and storage services and cloud computing to be observed by institutions authorized to operate by the Central Bank of Brazil and in April 2021, following the same guidelines, Central Bank of Brazil amended BCB Resolution No. 368/24 to amend the requirements for payment institutions. In short, Resolutions No. 4,893/21 and No. 368/24 enhance the previously existing provisions regarding the cybersecurity policy, without changing the primary guidelines of such resolutions. Some of the most relevant changes include the need for financial and payment institutions, as well as securities brokerage firms, securities distribution companies and foreign exchange brokerage companies authorized to operate by the Central Bank of Brazil, to have documented criteria for cases that result in a crisis situation due to a cyberattack and interruption of relevant services. In addition, we observe the provisions of the Open Finance Security Manual, which establishes the minimum-security requirements of APIs (Application Programming Interface) and other systems related to Open Finance, of which we are mandatory participants according to Communication No. 36,480/20, instituted by BCB Normative Instruction No. 305/22. 16.K.20 Cybersecurity risk Cybersecurity risk is represented by the possibility of cyber incidents, including attacks, intrusions and leakages, that could compromise the confidentiality, integrity and/or availability of our critical processes, assets and/or infrastructure. 16.K.30 Cybersecurity management process We carry out corporate risk control in an integrated and independent manner, maintaining and encouraging a collective decision-making environment and developing and implementing methodologies, models and tools for measurement and control of the risks. We promote the dissemination of a risk culture to all employees, at all hierarchical levels, from the business areas to the Board of Directors. We have deployed corporate themes (risk management, crisis management, business continuity management, data processing) to the topic of cybersecurity risk, maintaining a set of controls, represented by procedures, processes, organizational structures, policies, IT standards and solutions. In addition, we adopt best practices and market frameworks in processes, methodology in cybersecurity risk management, as well as prevention and treatment of information security and cybersecurity incidents. To do so, the following activities are carried out: identification of threats, protection against attacks, detection, responses and recovery from attacks. This corporate framework and its developments are able to meet the principles of protection related to the confidentiality, availability and integrity of information. The model of three lines that we adopt to carry out the cybersecurity risk management steps is to identify, classify the risk and ensure that the responsible areas plan and execute the assigned risk mitigation plans, so that essential management tasks are carried out in an integrated and coordinated manner. To ensure proper management of cybersecurity risk, which allows adequately assessing risks and supporting managers and Senior Management in decision making, we are grounded on the pillars of Information Security and Cybersecurity: • Confidentiality: with proper classification, encryption, access controls and segmentation of networks so that the right to read, copy and use the information is granted only when necessary and to authorized people, protecting us from misuse or data leaks; • Integrity: with proper authentication, traceability and data protection controls to ensure accuracy, consistency and reliability of information, protecting our assets from malicious software or cyberattacks that cause data corruption, alteration, or destruction; and • Availability: with proper backup, contingency and redundancy procedures, so that business critical processes can be executed properly, protecting our assets from cyberattacks that deplete the capacity of the technology infrastructure and cause instability, deactivation, or unavailability of services. We follow the above principles to adopt best market practices in processes, methodology, and controls for identifying and managing cybersecurity risks, as well as preventing and addressing information security and cyber incidents. To achieve this, we carry out the following activities: We highlight the Assurance SOC 2 Type II and SOC 3, issued by independent specialized audit, which is renewed every year. This assurance confirmed the consistency and effectiveness of the controls implemented for IT environment security, regarding financial services provided, based on international standard information security controls (AICPA – Association of International Certified Professional Accountants) and SOC 2 service categories: security, availability, processing integrity, confidentiality and privacy of data. The cybersecurity process consists of the following activities: • Identification of Threats: detect and identify threats and vulnerabilities, identify and evaluate risks, and define potential scenarios that may affect our cyber environment. This stage also includes the continuous monitoring of governance indicators that contribute to improve the identification of trends and anticipate possible incidents; • Protection Against Attacks: perform preventive actions to mitigate or transfer cybersecurity risk and safeguard critical assets such as information and cybersecurity awareness and training, as well as implement security updates, virus protection, malicious files and software, managed and updated periodically; • Detection of Attacks: monitor and identify in a timely manner risk materialized in attacks or information leaks, with monitoring tools and investigation processes that give knowledge to those responsible for actions of response; and • Response and Recovery from Attacks: keep a record of incidents, analyze the origin and effects of relevant incidents, duly detail actions in specific Incident Management regulations, defining the criticality assessment, assignment of the responsible people and expected action to contain the incident, restore assets and mitigate impacts as well as guide actions to be taken post-incident to subsidize decision-making that avoids the occurrence of other similar attacks. We use different paths in order to comply with CMN Resolution No. 4,893/21, such as corporate policies and regulations, which are reviewed every year, training and awareness activities related to information and cyber security, communication of threats and incidents to stakeholders, management process of Information Security and Cybernetic indicators, issuing of the annual cybersecurity report, as well as independent and periodic effectiveness tests carried out in key controls for monitoring cybersecurity risk. Issues related to cybersecurity risk events are reported on a timely and periodic basis in our risk control forums, including effective communication to stakeholders. 16.K.40 Methodology to measure cybersecurity risk We use internal and external sources of information to assess new types of threats, vulnerabilities and cyberattacks, as well as market standards, such as ISO/IEC 27005:2018 – Information Security Risk Management, NIST Cybersecurity Framework – NIST CSF (Guide for Improving Critical Infrastructure Cybersecurity) and the Information Security Forum (ISF) for the development of an internal model of cybersecurity risk assessment. Information security and cyber incidents are categorized according to the severity assigned, as defined in the “Information Security and Cyber Incident Severity Matrix”, considering the following potential impacts: to clients, employees and other stakeholders; financial; regulatory; reputation-related; availability of systems or services; and, the privacy of data subjects. 16.K.50 Hiring evaluators, consultants, auditors or other third parties in connection with any such cyber risk processes We also engage an independent third party to audit our ISAE 3402 compliance, in addition to the ISO/IEC 9001, 27001/2 Certifications. 16.K.50-01 Hiring Relevant Service Providers We hire relevant data processing and storage services and cloud computing according to our internal governance and regulatory compliance policies criteria, containing specific requirements to contract these services and avoid compromising the confidentiality, integrity and availability of information. Before hiring the services, we carried out a security assessment of vendors who provide services, listed our hiring process. The process is eliminatory, all procedures and checks are documented, and contracts provide for specific clauses as set out in CMN Resolution No. 4,893/21. The cybersecurity risk in relevant service providers is classified, in the corporate risk library, as “Very High”, due to the concern and the need for visibility and monitoring of the environment of these providers, being supervised at the highest strategic levels, such as Audit and Risks Committees. We reinforce the importance of the subject throughout the Group, through several communications and Workshops on Information Security with Contract managers, covering the correct classification of the service, as well as to ensure compliance with Resolution CMN No. 4,893/21 and LGPD. In addition, we also emphasized the importance of the subject to our suppliers during the assessment the importance of commitment to the evaluation process conducted by the area of Information Security for third parties (SIT). 16.K.50-02 Risks of cybersecurity threats For more information on cybersecurity threat risks, see “Item 3.D. Risk Factors — 3.D.20.09 Cybersecurity Risk”.
Cybersecurity Risk Management Processes Integrated [Flag]	true
Cybersecurity Risk Management Processes Integrated [Text Block]	We carry out corporate risk control in an integrated and independent manner, maintaining and encouraging a collective decision-making environment and developing and implementing methodologies, models and tools for measurement and control of the risks.
Cybersecurity Risk Management Third Party Engaged [Flag]	true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]	true
Cybersecurity Risk Board of Directors Oversight [Text Block]	16.K.60 Governance The approach adopted for cybersecurity risk governance is formalized through internal standards and is in line with the directives of our Regulators and Market frameworks, as is disclosed to the market through our investor relations website. This integrated structure aims to ensure governance compatible with our size, risk profile and business model, ensuring that IT’s critical assets and infrastructure are able to withstand cyberattacks. As described in “Item 4.B.20.03 Internal controls”, acts proactively in the management of risks and controls existing in the processes to keep them at acceptable levels. In addition, annually, a report is sent to the Board of Directors and to the Audit Committee (COAUD), consolidating the evaluations and conclusions of the work carried out by the Internal Controls area. The activities of the Internal Controls area are performed by trained professionals, through well-defined processes and technology compatible with our size and structure, complexity of the products and services negotiated, risk profile and business model, pursuant to CMN Resolution No. 4,968/21, as amended. This model also includes cybersecurity risks. We maintain a set of controls, represented by procedures, processes, organizational structures, policies, IT standards and solutions capable of meeting the protection principles regarding the confidentiality, availability and integrity of information. Regarding the Cybersecurity governance structure, the theme is managed by two departments: Corporate Security Department and IT Infrastructure Department (DITI), with the involvement of several areas of the our Group, which have specific tasks, with the aim of ensuring an efficient structure in risk control and mitigation, allowing risks to be identified, measured, treated and communicated, contributing to the achievement of strategic objectives. 16.K.70 Corporate Security Area Our Corporate Security Area’s mission is to promote security solutions by creating, implementing and maintaining and updating rules and processes aligned with our business. It operates strategically in the areas of Information Security and Cybersecurity, Access Management, Privacy and Data Protection, Prevention of Electronic, Debit/Credit Card and Documentary frauds, and Prevention of Physical and Property Security frauds. It also works in the specification of systemic solutions and security processes in electronic channels and information systems, evaluating, treating and proposing improvements. In addition, the department is responsible for delivering Technical Opinions on strategic security issues and the implementation of products, services, processes and AML/TF. We highlight the main areas and activities: • Governance of Information Security (IS) Policy and Guidelines: its mission is to develop, maintain and manage the Policy and Corporate Standards of Information Security, Privacy and Data Protection and Cybersecurity applicable to our business, adhering to what we believe are best practices. It also has the responsibility to evaluate and approve specific standards and rules, related to Information Security and which have been developed by all Departments and Subsidiaries; • Management of Privacy and Data Protection: responsible for managing the Privacy Program, ensuring the privacy of personal data collected and processed. Responsible for controls and processes aiming to maintain the our privacy governance structure and our compliance with the General Data Protection Law (LGPD) and other regulatory standards, as well as providing services to data subjects and the demands of the National Data Protection Authority (ANPD), in addition to monitoring the evolution of the theme in the legislative and judicial scenarios; • Cryptographic Keys and Digital Certification: it has the mission, respectively, to carry out governance and generate symmetrical cryptographic keys, and to provide support to the theme certification/digital signature, to coordinate the issuance of ICP-Brasil digital certificates for systemic and employee use; • Compliance and Risk Management: its mission is to identify and evaluate risks related to Information Security and Cybernetics, depending on preferred the corporate risk methodology, considering, among others, elements such as information assets, data criticality, threats and vulnerabilities, risk scenarios and controls established in market frameworks, and internal, legal and inflexible rules, with the aim of assisting the business in risk mitigation. It also acts as a focal point along with the Compliance and Non-Financial Risk Management Department, to confirm the information security and cyber risk, new or existing, inserted in the library or in the corporate risk map, triggering technical experts, when necessary. Additionally, provide subsidies related to Information Security for compliance with audits, regulatory bodies and internal and external entities; • Cybersecurity Management: its mission is to operate as the first line for Cybersecurity in Corporate Security, by managing the Framework for the Corporate Security, which establishes and monitors the integrated vision; consolidate and report on the metrics of performance and risk related to information and cybersecurity; and inform the appropriate committees of these risks and threats. It operates in the following spheres: data leakage monitoring, prevention and protection, the management of information security incidents and cybernetics and management of the multidisciplinary Group for Tactical Actions to Incidents of Information Security and Cybernetics (GATI), assessing more severe security incidents and their potential impacts on the business. It offers technical leadership support to the Corporate Crisis Management area, and is responsible for the Computer Security Incident Response Team (CSIRT) activity, for the prevention, detection, and resolution of security incidents. It performs analyses and proposes and maintains solutions for emerging threats and global trends to prevent transactional fraud in all channels, using the “Red Team”, Forensic and Open-Source Intelligence (OSINT), acting in the evaluation of security solutions that help mitigate the incidence of fraud and attacks trough digital channels and helps to ensure a secure and user-friendly customer experience; • The Electronic Fraud-Prevention: Bradesco App, Internet Banking, Net Empresa, Fone Fácil, BIA WhatsApp and Debit and Credit Card Product, in addition to Document Fraud Prevention in opening accounts – through branches, Bradesco Expresso, our Mobile App and next –, credit card, payroll-deductible loans, vehicle financing, Losango and consortium: we always seek to anticipate risk mitigation in our operations, monitor our data and transactional environments on an uninterrupted basis (24 hours a day and 7 days a week), employing technology processes and people specialized in the subject. Products and services are analyzed by teams of experts, who have the mission to continuously act in the prevention and correction of actions to ensure the security of information and systems that support the business, aligned with our client’s usability. We are among one of the first banks to receive the Fraud Prevention Seal of the National Confederation of Financial Institutions (CNF), in partnership with FEBRABAN, which promotes centralized, optimized and standardized measures for the handling financial system incidents; • Access Management: responsible for setting the strategy and operational direction of the process for identification and access to corporate applications and Open-Source Intelligence (SOX) compliance departments, defining and maintaining the Access Management methodology for employees and non-employees. This area aims to protect system resources and information against unwanted access, following the principles of segregation of duties, required access and the definition of automated controls, considering Internal and External Standards and Regulations; • Authentication Methods: responsible for defining standards for minimum client authentication controls in service systems and channels, monitoring projects involving the use of Biometrics, Passwords and Physical and Logical Device to generate One Time Password (OTP); • Information Security for Third Parties (SIT): its mission is to ensure the trust of our clients; Driving and innovation in our business while protecting our information through rigorous security assessments of suppliers throughout their lifecycle; • AML/TF: it has the role of disseminating the AML/TF culture, empowering employees, partners and suppliers, and developing policies, standards and procedures to mitigate the risk of misusing our structure and/or products and services. It is also responsible for maintaining detection systems and running internal risk assessments, as well as ensuring continuous improvements in processes and controls, following the best national and international practices on the subject. Suspicious or atypical cases identified are communicated to the Financial Intelligence Unit (COAF) in compliance with regulatory/legal requirements; • Sanctions: it protects our business and relationships with stakeholders by adopting actions aimed at preventing terrorist financing, drug trafficking, national and transnational criminal organizations and proliferation of weapons of mass destruction. It also detects and reports on sanctioned individuals and legal entities cited on international sanctions lists, or any activities with sanctions-related risks, in accordance with the laws and regulations in force. It develops, updates and disseminates sanctions policies and standards, and promotes awareness on the topic; and • Physical and Property Security: responsible for maintaining specialized human resources and technological devices, ensuring the implementation of security standards in accordance with Law No. 14,967/24. The system is issued by the Federal Police and follows a strict “Security Plan”. It constantly evaluates security devices for potential vulnerabilities and monitors security systems and closed-circuit TV (CCTV) on a 24/7 basis, aiming to prevent and guide actions to mitigate the effects of eventual claims. In addition to the activities performed by the corporate security area, we have our Card department, a fraud prevention area, whose mission is to provide security solutions aligned to our business through the creation, implementation, and maintenance of preventive rules, processes and technologies. This fraud prevention department assesses the security of service channels, systems, processes and products, and suggests improvements. The department also issues technical opinions in connection with strategic security issues and the introduction of products, services or processes. Among the main responsibilities of the “Corporate Security Global Vision,” we highlight the following: • The area responsible for preventing credit card fraud seeks to identify and mitigate the risk of financial losses and negative reputational impacts on the Bank. It develops prevention strategies against document and transactional fraud, monitoring and alerting in real time for all transactions made through client service and use channels. The measures are based on behavioral analyses of fraud, supported by statistical methodologies and predictive models of fraud, with the objective to ensure controls are aligned to the business. The area also diagnoses losses to identify systemic and operational weaknesses, recommending preventive actions to achieve alignment with the current strategy; • The projects and processes area establishes controls to identify risks and is responsible for evaluating the risk of fraud and issuing recommendations for new projects, processes and products. The area proposes solutions that aim to balance use and security of products and access to service channels to business and technical area managers, as well as corporate and strategic preventive actions that follow the best practices of the market; and • The portfolio analysis area is responsible for managing and communicating information received from the fraud prevention area to our other areas. 16.K.80 IT Infrastructure Department (DITI): DITI has as its mission to manage IT infrastructure projects and software infrastructure on the Mainframe Platform and Open Platform, whether on-site or in cloud environments; provide security of technological infrastructure, ensure connectivity, availability and resilience through technological evolution; and providing technical support of equipment and software of our workstations and Telecommunication services. IT Security is one of the areas of DITI, responsible for processes, resources and solutions aimed at protecting and monitoring our technological infrastructure against intrusion attempts, improper access, information evasion and malicious code and its main attributions are: • Secure Systems Development: identify and define best security practices to be adopted in programming, according to the coding languages we use, performing tests of vulnerabilities in static and/or dynamic applications, during the development cycle, according to security rules and policies; • Technical Security Architecture: define and manage the technical security reference architectures for the entire Group through controls with reusable components, supporting and overseeing the application of security controls in technological solutions aiming at balance between opportunity and risk; • Security of Technological Platforms: define, manage and coordinate compliance with best practices for configuring and protecting platforms (operating systems, application servers, database servers, mobile and fixed devices), also fixing issues in an agile and orchestrated way in case of incidents; • Network Security: develop and apply reference models/technical security requirements for networks, electronic communication channels and voice, ensuring the adoption of security standards and technical protection requirements; • Vulnerability Management: manage the life-cycle of vulnerabilities identified in our technology assets, monitor action plans with those responsible for mitigations and prioritize the level of risk exposure; • Offensive Security: identify and proactively exploit vulnerabilities to measure and validate the resilience of security controls to current methods of cyberattacks through realistic scenario attacks. Portfolio of activities: Security tests, Intrusion tests (Pentests), Red Team Exercises, Adversary simulation, Vulnerability scans, etc.; • Security Operations Center (SOC): perform security monitoring in real-time infrastructure to identify malicious and/or suspicious threats and behavior based on scenarios, rules and cases using also event history, risks and non-compliance with cybersecurity requirements, performing cyber incident response processes that include monitoring, detection, containment and response in technology assets, obtaining, treating and analyzing data and logs, considering internal and external sources. Perform information analysis (“computer forensics”) for the business areas, second and third line of defense, involved in the incident; • Intelligence and Security: generate and share security intelligence information through internal and external research, using advanced analytical methods in various sources, with artificial intelligence capabilities to identify trends, methods, threats and vulnerabilities of information security, bringing inputs to perform predictive actions, as well as building strategic visions of how we are facing global threat scenarios, making it possible to make decisions regarding the topic of cybersecurity; • Security Deployment, Support and Operational Processes: establish the requirements and guidelines we adopt regarding the life-cycle of technological projects of information security solution deployments, operating and protecting technological assets from threats, managing resources and users; • Privileged Account Management: ensure that only authorized users and accounts have approved access to business applications, information systems, networks and computing devices (Operating System, Database, among others), that individual responsibility is guaranteed and provides sufficient access privileges to allow them to perform their duties for as long as necessary, but does not allow them to exceed their authority; and • Research and Solutions: prospecting, evaluating and exploring new technologies and solutions to prevent, mitigate and resolve current problems, incidents and vulnerabilities or potential future threats. We also have other important areas and functions in DITI, described below. • IT Project Center: manage IT infrastructure projects, from identifying the need for technological infrastructure to delivery in environments, coordinating and integrating engineering throughout the process; • Mainframe Software Engineering: keep the software infrastructure installed on the Mainframe Platform up to date, operational, available and reliable, supporting our business; • Contingency Storage and Mainframe Capacity: manage, secure, and support data storage. Plan and empower the Mainframe technology infrastructure. Promote the continuity of services and exercise the activation of technological infrastructure environments provided that this requirement has been established by management Dependencies through their Business Continuity Plans; • Data Center: manage, plan, hire and maintain the electrical, air-conditioning, automation and logical cabling infrastructure of Banco Bradesco’s Data Centers, focusing on high availability and energy efficiency through the implementation of technologies and best practices focused on sustainability; • Network Engineering: provide connectivity to the business and Client areas ensuring availability and resilience through technology evolution, automation and innovation; • Telecommunications: provide and manage our Telecommunication services, such as data communication links, lines and fixed and mobile telephony devices; • Support Departments: support the hardware and software of workstations and access switches of departments and related companies and mobile device software, email account management, Internet access and technology update of stations for the entire Group; • Contact Center: provide and maintain the infrastructure services of our call centers with quality, availability and reliability, presenting results that meet the expectations of the business areas; • Capital Market and International Units: act in the transformation of areas served by teams of International Units and Capital Markets with agility, security and innovation, ensuring the availability of the supported environment and delivering the desired value to clients and shareholders; and • Unix Engineering Software, Projects and SAP: keep the software up to date, safe and resilient. Ensure the maintenance and technical support of the Unix software, providing greater availability and reliability, supporting our business needs, whether in on-site or cloud environments.
Cybersecurity Risk Role of Management [Text Block]	Cybersecurity Management: its mission is to operate as the first line for Cybersecurity in Corporate Security, by managing the Framework for the Corporate Security, which establishes and monitors the integrated vision; consolidate and report on the metrics of performance and risk related to information and cybersecurity; and inform the appropriate committees of these risks and threats. It operates in the following spheres: data leakage monitoring, prevention and protection, the management of information security incidents and cybernetics and management of the multidisciplinary Group for Tactical Actions to Incidents of Information Security and Cybernetics (GATI), assessing more severe security incidents and their potential impacts on the business. It offers technical leadership support to the Corporate Crisis Management area, and is responsible for the Computer Security Incident Response Team (CSIRT) activity, for the prevention, detection, and resolution of security incidents. It performs analyses and proposes and maintains solutions for emerging threats and global trends to prevent transactional fraud in all channels, using the “Red Team”, Forensic and Open-Source Intelligence (OSINT), acting in the evaluation of security solutions that help mitigate the incidence of fraud and attacks trough digital channels and helps to ensure a secure and user-friendly customer experience;
Cybersecurity Risk Management Positions or Committees Responsible [Flag]	true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]	Regarding the Cybersecurity governance structure, the theme is managed by two departments: Corporate Security Department and IT Infrastructure Department (DITI), with the involvement of several areas of the our Group, which have specific tasks, with the aim of ensuring an efficient structure in risk control and mitigation, allowing risks to be identified, measured, treated and communicated, contributing to the achievement of strategic objectives.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]	true
Cybersecurity Risk Management Expertise of Management Responsible [Text Block]	The activities of the Internal Controls area are performed by trained professionals, through well-defined processes and technology compatible with our size and structure, complexity of the products and services negotiated, risk profile and business model, pursuant to CMN Resolution No. 4,968/21, as amended. This model also includes cybersecurity risks.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]	Access Management: responsible for setting the strategy and operational direction of the process for identification and access to corporate applications and Open-Source Intelligence (SOX) compliance departments, defining and maintaining the Access Management methodology for employees and non-employees. This area aims to protect system resources and information against unwanted access, following the principles of segregation of duties, required access and the definition of automated controls, considering Internal and External Standards and Regulations;

Cybersecurity Risk Management and Strategy Disclosure

12 Months Ended

Dec. 31, 2024

Cybersecurity Risk Management, Strategy, and Governance [Abstract]

Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

16.K.10 Strategy of information security/cybersecurity

We consider the Information Security/Cybersecurity theme at the highest strategic levels. We work daily to protect our physical and technological infrastructure against cyberattacks in order to ensure the confidentiality, integrity and availability of our channels ensuring the privacy and protection of our information and our clients.

Accordingly, we have continuously developed our security framework in line with the new digital environment, with a key focus on cybersecurity as one of the pillars of technology, always seeking to provide more protection, and resilience, and in the threat identification process development, event detection, efficient response and recovery processes in cases of cyber incidents.

With regard to technical aspects, in order to prepare for and anticipate IT security threats, including cyber threats, the IT area promotes ongoing investments, such as to reformulate the process of critical updates of servers and workstations, the process of inspecting the source code in the development cycle, establish the infrastructure of the safety testing laboratory and promote the use of cutting-edge technologies/tools.

Our infrastructure has multiple layers of security applied in both our external and internal perimeter. To protect against attacks from external connections and the internet, we use Web Application and API Protection (WAAP) systems, DDoS prevention, and DNS protection, among others. In addition, we have systems for fraudulent behavior analysis, detection of improper access, malicious codes, analysis of network and user behavior, intrusion protection products (intrusion detector), firewall, Endpoint Detection and Response (EDR), ransomware and antispam, and encryption, among others, aiming to provide comprehensive protection to our IT environment. In addition, we have a program for continuous updating our software and hardware, vulnerability management and frequent execution of resilience tests and conducting “Penetration Tests” by independent and internal audit companies. We have also implemented a data loss prevention system (DLP) at rest and in transit, developed to ensure the protection of our data.

We have continuous monitoring mechanisms, such as security operational centers (SOCs), structured in the area of IT Security, focused on identifying and dealing with potential vulnerabilities, based on an incident response framework integrated with crisis management that describes roles and responsibilities in three levels: Strategic, Tactical and Technical, covering the pillars of confidentiality, integrity and availability, with the aim of establishing an active defense with the use of cognitive intelligence, monitoring of the environment (24/7) and prevention measures through the use of intelligence information.

To ensure the security and privacy of our clients, we adopt strict security procedures. Management and technical areas communicate and interact with one another in order to create solutions, provide secure access to service channels and minimize exposure and vulnerabilities. We have a range of security devices and technologies, among them several biometric systems, chip cards, use of digital validation with OTP (One Time Password) devices and physical signing transaction (Token) and Mobile (M-Token) version. We have continuously developed awareness campaigns through client channels and social media. On our “seguranca.bradesco” website (information published on the website is not incorporated by reference in this annual report) there are several guidelines for the public, including videos of the web series “Protect Yourself” with prevention tips on current key scams/fraud, which aim to improve user knowledge of our security measures.

Additionally, we have our Information Security Acculturation Program, for employees, this serve as the fundamental foundation for aligning the pillars of technology, processes, and people, ensuring the effectiveness of security measures. As such, we invest in training and awareness materials for employees, associates and clients ensuring they not only understand the issue but are prepared for and informed about the associated risks and threats.

CMN amended its Resolution No. 4,893/21, that contains requirements related to the cybersecurity policy and the requirements for hiring data processing and storage services and cloud computing to be observed by institutions authorized to operate by the Central Bank of Brazil and in April 2021, following the same guidelines, Central Bank of Brazil amended BCB Resolution No. 368/24 to amend the requirements for payment institutions. In short, Resolutions No. 4,893/21 and No. 368/24 enhance the previously existing provisions regarding the cybersecurity policy, without changing the primary guidelines of such resolutions. Some of the most relevant changes include the need for financial and payment institutions, as well as securities brokerage firms, securities distribution companies and foreign exchange brokerage companies authorized to operate by the Central Bank of Brazil, to have documented criteria for cases that result in a crisis situation due to a cyberattack and interruption of relevant services. In addition, we observe the provisions of the Open Finance Security Manual, which establishes the minimum-security requirements of APIs (Application Programming Interface) and other systems related to Open Finance, of which we are mandatory participants according to Communication No. 36,480/20, instituted by BCB Normative Instruction No. 305/22.

16.K.20 Cybersecurity risk

Cybersecurity risk is represented by the possibility of cyber incidents, including attacks, intrusions and leakages, that could compromise the confidentiality, integrity and/or availability of our critical processes, assets and/or infrastructure.

16.K.30 Cybersecurity management process

We carry out corporate risk control in an integrated and independent manner, maintaining and encouraging a collective decision-making environment and developing and implementing methodologies, models and tools for measurement and control of the risks. We promote the dissemination of a risk culture to all employees, at all hierarchical levels, from the business areas to the Board of Directors.

We have deployed corporate themes (risk management, crisis management, business continuity management, data processing) to the topic of cybersecurity risk, maintaining a set of controls, represented by procedures, processes, organizational structures, policies, IT standards and solutions.

In addition, we adopt best practices and market frameworks in processes, methodology in cybersecurity risk management, as well as prevention and treatment of information security and cybersecurity incidents. To do so, the following activities are carried out: identification of threats, protection against attacks, detection, responses and recovery from attacks.

This corporate framework and its developments are able to meet the principles of protection related to the confidentiality, availability and integrity of information.

The model of three lines that we adopt to carry out the cybersecurity risk management steps is to identify, classify the risk and ensure that the responsible areas plan and execute the assigned risk mitigation plans, so that essential management tasks are carried out in an integrated and coordinated manner.

To ensure proper management of cybersecurity risk, which allows adequately assessing risks and supporting managers and Senior Management in decision making, we are grounded on the pillars of Information Security and Cybersecurity:

• Confidentiality: with proper classification, encryption, access controls and segmentation of networks so that the right to read, copy and use the information is granted only when necessary and to authorized people, protecting us from misuse or data leaks;

• Integrity: with proper authentication, traceability and data protection controls to ensure accuracy, consistency and reliability of information, protecting our assets from malicious software or cyberattacks that cause data corruption, alteration, or destruction; and

• Availability: with proper backup, contingency and redundancy procedures, so that business critical processes can be executed properly, protecting our assets from cyberattacks that deplete the capacity of the technology infrastructure and cause instability, deactivation, or unavailability of services.

We follow the above principles to adopt best market practices in processes, methodology, and controls for identifying and managing cybersecurity risks, as well as preventing and addressing information security and cyber incidents. To achieve this, we carry out the following activities:

We highlight the Assurance SOC 2 Type II and SOC 3, issued by independent specialized audit, which is renewed every year. This assurance confirmed the consistency and effectiveness of the controls implemented for IT environment security, regarding financial services provided, based on international standard information security controls (AICPA – Association of International Certified Professional Accountants) and SOC 2 service categories: security, availability, processing integrity, confidentiality and privacy of data.

The cybersecurity process consists of the following activities:

• Identification of Threats: detect and identify threats and vulnerabilities, identify and evaluate risks, and define potential scenarios that may affect our cyber environment. This stage also includes the continuous monitoring of governance indicators that contribute to improve the identification of trends and anticipate possible incidents;

• Protection Against Attacks: perform preventive actions to mitigate or transfer cybersecurity risk and safeguard critical assets such as information and cybersecurity awareness and training, as well as implement security updates, virus protection, malicious files and software, managed and updated periodically;

• Detection of Attacks: monitor and identify in a timely manner risk materialized in attacks or information leaks, with monitoring tools and investigation processes that give knowledge to those responsible for actions of response; and

• Response and Recovery from Attacks: keep a record of incidents, analyze the origin and effects of relevant incidents, duly detail actions in specific Incident Management regulations, defining the criticality assessment, assignment of the responsible people and expected action to contain the incident, restore assets and mitigate impacts as well as guide actions to be taken post-incident to subsidize decision-making that avoids the occurrence of other similar attacks.

We use different paths in order to comply with CMN Resolution No. 4,893/21, such as corporate policies and regulations, which are reviewed every year, training and awareness activities related to information and cyber security, communication of threats and incidents to stakeholders, management process of Information Security and Cybernetic indicators, issuing of the annual cybersecurity report, as well as independent and periodic effectiveness tests carried out in key controls for monitoring cybersecurity risk.

Issues related to cybersecurity risk events are reported on a timely and periodic basis in our risk control forums, including effective communication to stakeholders.

16.K.40 Methodology to measure cybersecurity risk

We use internal and external sources of information to assess new types of threats, vulnerabilities and cyberattacks, as well as market standards, such as ISO/IEC 27005:2018 – Information Security Risk Management, NIST Cybersecurity Framework – NIST CSF (Guide for Improving Critical Infrastructure Cybersecurity) and the Information Security Forum (ISF) for the development of an internal model of cybersecurity risk assessment.

Information security and cyber incidents are categorized according to the severity assigned, as defined in the “Information Security and Cyber Incident Severity Matrix”, considering the following potential impacts: to clients, employees and other stakeholders; financial; regulatory; reputation-related; availability of systems or services; and, the privacy of data subjects.

16.K.50 Hiring evaluators, consultants, auditors or other third parties in connection with any such cyber risk processes

We also engage an independent third party to audit our ISAE 3402 compliance, in addition to the ISO/IEC 9001, 27001/2 Certifications.

16.K.50-01 Hiring Relevant Service Providers

We hire relevant data processing and storage services and cloud computing according to our internal governance and regulatory compliance policies criteria, containing specific requirements to contract these services and avoid compromising the confidentiality, integrity and availability of information.

Before hiring the services, we carried out a security assessment of vendors who provide services, listed our hiring process. The process is eliminatory, all procedures and checks are documented, and contracts provide for specific clauses as set out in CMN Resolution No. 4,893/21.

The cybersecurity risk in relevant service providers is classified, in the corporate risk library, as “Very High”, due to the concern and the need for visibility and monitoring of the environment of these providers, being supervised at the highest strategic levels, such as Audit and Risks Committees.

We reinforce the importance of the subject throughout the Group, through several communications and Workshops on Information Security with Contract managers, covering the correct classification of the service, as well as to ensure compliance with Resolution CMN No. 4,893/21 and LGPD. In addition, we also emphasized the importance of the subject to our suppliers during the assessment the importance of commitment to the evaluation process conducted by the area of Information Security for third parties (SIT).

16.K.50-02 Risks of cybersecurity threats

For more information on cybersecurity threat risks, see “Item 3.D. Risk Factors — 3.D.20.09 Cybersecurity Risk”.

Cybersecurity Risk Management Processes Integrated [Flag]

true

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Risk Management Third Party Engaged [Flag]

true

Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]

true

Cybersecurity Risk Board of Directors Oversight [Text Block]

16.K.60 Governance

The approach adopted for cybersecurity risk governance is formalized through internal standards and is in line with the directives of our Regulators and Market frameworks, as is disclosed to the market through our investor relations website.

This integrated structure aims to ensure governance compatible with our size, risk profile and business model, ensuring that IT’s critical assets and infrastructure are able to withstand cyberattacks.

As described in “Item 4.B.20.03 Internal controls”, acts proactively in the management of risks and controls existing in the processes to keep them at acceptable levels. In addition, annually, a report is sent to the Board of Directors and to the Audit Committee (COAUD), consolidating the evaluations and conclusions of the work carried out by the Internal Controls area. The activities of the Internal Controls area are performed by trained professionals, through well-defined processes and technology compatible with our size and structure, complexity of the products and services negotiated, risk profile and business model, pursuant to CMN Resolution No. 4,968/21, as amended. This model also includes cybersecurity risks.

We maintain a set of controls, represented by procedures, processes, organizational structures, policies, IT standards and solutions capable of meeting the protection principles regarding the confidentiality, availability and integrity of information.

Regarding the Cybersecurity governance structure, the theme is managed by two departments: Corporate Security Department and IT Infrastructure Department (DITI), with the involvement of several areas of the our Group, which have specific tasks, with the aim of ensuring an efficient structure in risk control and mitigation, allowing risks to be identified, measured, treated and communicated, contributing to the achievement of strategic objectives.

16.K.70 Corporate Security Area

Our Corporate Security Area’s mission is to promote security solutions by creating, implementing and maintaining and updating rules and processes aligned with our business.

It operates strategically in the areas of Information Security and Cybersecurity, Access Management, Privacy and Data Protection, Prevention of Electronic, Debit/Credit Card and Documentary frauds, and Prevention of Physical and Property Security frauds. It also works in the specification of systemic solutions and security processes in electronic channels and information systems, evaluating, treating and proposing improvements. In addition, the department is responsible for delivering Technical Opinions on strategic security issues and the implementation of products, services, processes and AML/TF. We highlight the main areas and activities:

• Governance of Information Security (IS) Policy and Guidelines: its mission is to develop, maintain and manage the Policy and Corporate Standards of Information Security, Privacy and Data Protection and Cybersecurity applicable to our business, adhering to what we believe are best practices. It also has the responsibility to evaluate and approve specific standards and rules, related to Information Security and which have been developed by all Departments and Subsidiaries;

• Management of Privacy and Data Protection: responsible for managing the Privacy Program, ensuring the privacy of personal data collected and processed. Responsible for controls and processes aiming to maintain the our privacy governance structure and our compliance with the General Data Protection Law (LGPD) and other regulatory standards, as well as providing services to data subjects and the demands of the National Data Protection Authority (ANPD), in addition to monitoring the evolution of the theme in the legislative and judicial scenarios;

• Cryptographic Keys and Digital Certification: it has the mission, respectively, to carry out governance and generate symmetrical cryptographic keys, and to provide support to the theme certification/digital signature, to coordinate the issuance of ICP-Brasil digital certificates for systemic and employee use;

• Compliance and Risk Management: its mission is to identify and evaluate risks related to Information Security and Cybernetics, depending on preferred the corporate risk methodology, considering, among others, elements such as information assets, data criticality, threats and vulnerabilities, risk scenarios and controls established in market frameworks, and internal, legal and inflexible rules, with the aim of assisting the business in risk mitigation. It also acts as a focal point along with the Compliance and Non-Financial Risk Management Department, to confirm the information security and cyber risk, new or existing, inserted in the library or in the corporate risk map, triggering technical experts, when necessary.

Additionally, provide subsidies related to Information Security for compliance with audits, regulatory bodies and internal and external entities;

• Cybersecurity Management: its mission is to operate as the first line for Cybersecurity in Corporate Security, by managing the Framework for the Corporate Security, which establishes and monitors the integrated vision; consolidate and report on the metrics of performance and risk related to information and cybersecurity; and inform the appropriate committees of these risks and threats. It operates in the following spheres: data leakage monitoring, prevention and protection, the management of information security incidents and cybernetics and management of the multidisciplinary Group for Tactical Actions to Incidents of Information Security and Cybernetics (GATI), assessing more severe security incidents and their potential impacts on the business. It offers technical leadership support to the Corporate Crisis Management area, and is responsible for the Computer Security Incident Response Team (CSIRT) activity, for the prevention, detection, and resolution of security incidents. It performs analyses and proposes and maintains solutions for emerging threats and global trends to prevent transactional fraud in all channels, using the “Red Team”, Forensic and Open-Source Intelligence (OSINT), acting in the evaluation of security solutions that help mitigate the incidence of fraud and attacks trough digital channels and helps to ensure a secure and user-friendly customer experience;

• The Electronic Fraud-Prevention: Bradesco App, Internet Banking, Net Empresa, Fone Fácil, BIA WhatsApp and Debit and Credit Card Product, in addition to Document Fraud Prevention in opening accounts – through branches, Bradesco Expresso, our Mobile App and next –, credit card, payroll-deductible loans, vehicle financing, Losango and consortium: we always seek to anticipate risk mitigation in our operations, monitor our data and transactional environments on an uninterrupted basis (24 hours a day and 7 days a week), employing technology processes and people specialized in the subject. Products and services are analyzed by teams of experts, who have the mission to continuously act in the prevention and correction of actions to ensure the security of information and systems that support the business, aligned with our client’s usability. We are among one of the first banks to receive the Fraud Prevention Seal of the National Confederation of Financial Institutions (CNF), in partnership with FEBRABAN, which promotes centralized, optimized and standardized measures for the handling financial system incidents;

• Access Management: responsible for setting the strategy and operational direction of the process for identification and access to corporate applications and Open-Source Intelligence (SOX) compliance departments, defining and maintaining the Access Management methodology for employees and non-employees. This area aims to protect system resources and information against unwanted access, following the principles of segregation of duties, required access and the definition of automated controls, considering Internal and External Standards and Regulations;

• Authentication Methods: responsible for defining standards for minimum client authentication controls in service systems and channels, monitoring projects involving the use of Biometrics, Passwords and Physical and Logical Device to generate One Time Password (OTP);

• Information Security for Third Parties (SIT): its mission is to ensure the trust of our clients; Driving and innovation in our business while protecting our information through rigorous security assessments of suppliers throughout their lifecycle;

• AML/TF: it has the role of disseminating the AML/TF culture, empowering employees, partners and suppliers, and developing policies, standards and procedures to mitigate the risk of misusing our structure and/or products and services. It is also responsible for maintaining detection systems and running internal risk assessments, as well as ensuring continuous improvements in processes and controls, following the best national and international practices on the subject. Suspicious or atypical cases identified are communicated to the Financial Intelligence Unit (COAF) in compliance with regulatory/legal requirements;

• Sanctions: it protects our business and relationships with stakeholders by adopting actions aimed at preventing terrorist financing, drug trafficking, national and transnational criminal organizations and proliferation of weapons of mass destruction. It also detects and reports on sanctioned individuals and legal entities cited on international sanctions lists, or any activities with sanctions-related risks, in accordance with the laws and regulations in force. It develops, updates and disseminates sanctions policies and standards, and promotes awareness on the topic; and

• Physical and Property Security: responsible for maintaining specialized human resources and technological devices, ensuring the implementation of security standards in accordance with Law No. 14,967/24. The system is issued by the Federal Police and follows a strict “Security Plan”. It constantly evaluates security devices for potential vulnerabilities and monitors security systems and closed-circuit TV (CCTV) on a 24/7 basis, aiming to prevent and guide actions to mitigate the effects of eventual claims.

In addition to the activities performed by the corporate security area, we have our Card department, a fraud prevention area, whose mission is to provide security solutions aligned to our business through the creation, implementation, and maintenance of preventive rules, processes and technologies. This fraud prevention department assesses the security of service channels, systems, processes and products, and suggests improvements. The department also issues technical opinions in connection with strategic security issues and the introduction of products, services or processes.

Among the main responsibilities of the “Corporate Security Global Vision,” we highlight the following:

• The area responsible for preventing credit card fraud seeks to identify and mitigate the risk of financial losses and negative reputational impacts on the Bank. It develops prevention strategies against document and transactional fraud, monitoring and alerting in real time for all transactions made through client service and use channels. The measures are based on behavioral analyses of fraud, supported by statistical methodologies and predictive models of fraud, with the objective to ensure controls are aligned to the business. The area also diagnoses losses to identify systemic and operational weaknesses, recommending preventive actions to achieve alignment with the current strategy;

• The projects and processes area establishes controls to identify risks and is responsible for evaluating the risk of fraud and issuing recommendations for new projects, processes and products. The area proposes solutions that aim to balance use and security of products and access to service channels to business and technical area managers, as well as corporate and strategic preventive actions that follow the best practices of the market; and

• The portfolio analysis area is responsible for managing and communicating information received from the fraud prevention area to our other areas.

16.K.80 IT Infrastructure Department (DITI):

DITI has as its mission to manage IT infrastructure projects and software infrastructure on the Mainframe Platform and Open Platform, whether on-site or in cloud environments; provide security of technological infrastructure, ensure connectivity, availability and resilience through technological evolution; and providing technical support of equipment and software of our workstations and Telecommunication services.

IT Security is one of the areas of DITI, responsible for processes, resources and solutions aimed at protecting and monitoring our technological infrastructure against intrusion attempts, improper access, information evasion and malicious code and its main attributions are:

• Secure Systems Development: identify and define best security practices to be adopted in programming, according to the coding languages we use, performing tests of vulnerabilities in static and/or dynamic applications, during the development cycle, according to security rules and policies;

• Technical Security Architecture: define and manage the technical security reference architectures for the entire Group through controls with reusable components, supporting and overseeing the application of security controls in technological solutions aiming at balance between opportunity and risk;

• Security of Technological Platforms: define, manage and coordinate compliance with best practices for configuring and protecting platforms (operating systems, application servers, database servers, mobile and fixed devices), also fixing issues in an agile and orchestrated way in case of incidents;

• Network Security: develop and apply reference models/technical security requirements for networks, electronic communication channels and voice, ensuring the adoption of security standards and technical protection requirements;

• Vulnerability Management: manage the life-cycle of vulnerabilities identified in our technology assets, monitor action plans with those responsible for mitigations and prioritize the level of risk exposure;

• Offensive Security: identify and proactively exploit vulnerabilities to measure and validate the resilience of security controls to current methods of cyberattacks through realistic scenario attacks. Portfolio of activities: Security tests, Intrusion tests (Pentests), Red Team Exercises, Adversary simulation, Vulnerability scans, etc.;

• Security Operations Center (SOC): perform security monitoring in real-time infrastructure to identify malicious and/or suspicious threats and behavior based on scenarios, rules and cases using also event history, risks and non-compliance with cybersecurity requirements, performing cyber incident response processes that include monitoring, detection, containment and response in technology assets, obtaining, treating and analyzing data and logs, considering internal and external sources. Perform information analysis (“computer forensics”) for the business areas, second and third line of defense, involved in the incident;

• Intelligence and Security: generate and share security intelligence information through internal and external research, using advanced analytical methods in various sources, with artificial intelligence capabilities to identify trends, methods, threats and vulnerabilities of information security, bringing inputs to perform predictive actions, as well as building strategic visions of how we are facing global threat scenarios, making it possible to make decisions regarding the topic of cybersecurity;

• Security Deployment, Support and Operational Processes: establish the requirements and guidelines we adopt regarding the life-cycle of technological projects of information security solution deployments, operating and protecting technological assets from threats, managing resources and users;

• Privileged Account Management: ensure that only authorized users and accounts have approved access to business applications, information systems, networks and computing devices (Operating System, Database, among others), that individual responsibility is guaranteed and provides sufficient access privileges to allow them to perform their duties for as long as necessary, but does not allow them to exceed their authority; and

• Research and Solutions: prospecting, evaluating and exploring new technologies and solutions to prevent, mitigate and resolve current problems, incidents and vulnerabilities or potential future threats.

We also have other important areas and functions in DITI, described below.

• IT Project Center: manage IT infrastructure projects, from identifying the need for technological infrastructure to delivery in environments, coordinating and integrating engineering throughout the process;

• Mainframe Software Engineering: keep the software infrastructure installed on the Mainframe Platform up to date, operational, available and reliable, supporting our business;

• Contingency Storage and Mainframe Capacity: manage, secure, and support data storage. Plan and empower the Mainframe technology infrastructure. Promote the continuity of services and exercise the activation of technological infrastructure environments provided that this requirement has been established by management Dependencies through their Business Continuity Plans;

• Data Center: manage, plan, hire and maintain the electrical, air-conditioning, automation and logical cabling infrastructure of Banco Bradesco’s Data Centers, focusing on high availability and energy efficiency through the implementation of technologies and best practices focused on sustainability;

• Network Engineering: provide connectivity to the business and Client areas ensuring availability and resilience through technology evolution, automation and innovation;

• Telecommunications: provide and manage our Telecommunication services, such as data communication links, lines and fixed and mobile telephony devices;

• Support Departments: support the hardware and software of workstations and access switches of departments and related companies and mobile device software, email account management, Internet access and technology update of stations for the entire Group;

• Contact Center: provide and maintain the infrastructure services of our call centers with quality, availability and reliability, presenting results that meet the expectations of the business areas;

• Capital Market and International Units: act in the transformation of areas served by teams of International Units and Capital Markets with agility, security and innovation, ensuring the availability of the supported environment and delivering the desired value to clients and shareholders; and

• Unix Engineering Software, Projects and SAP: keep the software up to date, safe and resilient. Ensure the maintenance and technical support of the Unix software, providing greater availability and reliability, supporting our business needs, whether in on-site or cloud environments.

Cybersecurity Risk Role of Management [Text Block]

Cybersecurity Management: its mission is to operate as the first line for Cybersecurity in Corporate Security, by managing the Framework for the Corporate Security, which establishes and monitors the integrated vision; consolidate and report on the metrics of performance and risk related to information and cybersecurity; and inform the appropriate committees of these risks and threats. It operates in the following spheres: data leakage monitoring, prevention and protection, the management of information security incidents and cybernetics and management of the multidisciplinary Group for Tactical Actions to Incidents of Information Security and Cybernetics (GATI), assessing more severe security incidents and their potential impacts on the business. It offers technical leadership support to the Corporate Crisis Management area, and is responsible for the Computer Security Incident Response Team (CSIRT) activity, for the prevention, detection, and resolution of security incidents. It performs analyses and proposes and maintains solutions for emerging threats and global trends to prevent transactional fraud in all channels, using the “Red Team”, Forensic and Open-Source Intelligence (OSINT), acting in the evaluation of security solutions that help mitigate the incidence of fraud and attacks trough digital channels and helps to ensure a secure and user-friendly customer experience;

Cybersecurity Risk Management Positions or Committees Responsible [Flag]

true

Cybersecurity Risk Management Positions or Committees Responsible [Text Block]

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]

true

Cybersecurity Risk Management Expertise of Management Responsible [Text Block]

The activities of the Internal Controls area are performed by trained professionals, through well-defined processes and technology compatible with our size and structure, complexity of the products and services negotiated, risk profile and business model, pursuant to CMN Resolution No. 4,968/21, as amended. This model also includes cybersecurity risks.

Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Access Management: responsible for setting the strategy and operational direction of the process for identification and access to corporate applications and Open-Source Intelligence (SOX) compliance departments, defining and maintaining the Access Management methodology for employees and non-employees. This area aims to protect system resources and information against unwanted access, following the principles of segregation of duties, required access and the definition of automated controls, considering Internal and External Standards and Regulations;