Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

At Grupo Aval and its subsidiaries, cybersecurity risk management is an integral part of our enterprise risk management program. We establish policies, methodologies, and procedures aligned with local regulations, international standards, and industry best practices. In recent years, we have significantly expanded our capabilities to counteract the increasing number of attempts to breach our security barriers, the growing use of the Internet and automated processes, and the diversification of financial transaction channels. Our cybersecurity risk management framework provides a structured approach for handling threats and incidents, including those linked to third-party service providers. It includes steps for assessing the severity of threats, identifying their sources, implementing mitigation strategies, and informing management and the Board of Directors of material cybersecurity risks.

We and our financial subsidiaries engage third-party security experts for risk assessment and system enhancements. Additionally, our cybersecurity team provides annual training to all employees.

One of the greatest cybersecurity risks in 2024 is the increasing sophistication of AI-based attacks, which are growing exponentially in speed and success rate. Quantum computing also presents a significant risk, as it threatens to render current cryptographic protocols obsolete, posing substantial security challenges for data and communication systems. Grupo Aval actively monitors and mitigates these risks through a robust control environment based on industry best practices, specialized security frameworks, and proactive measures.

To strengthen transactional security, we have implemented risk engines that leverage predictive AI based on neural networks and self-learning algorithms. These systems detect fraudulent behavior in real time with high accuracy, reducing user friction and enhancing customer experience.

To mitigate risks associated with the increasing use of digital channels, we have implemented additional security controls, including:

- Restricting channels for sending multi-factor authentication codes.
- Enhancing fraud intelligence through AI-driven statistical models.
- Strengthening the digital channel enrollment process with new technologies, such as facial biometrics.
- Expanding transaction monitoring processes.
- Reinforcing client cybersecurity awareness campaigns.
- Establishing a process requiring each subsidiary to report changes to security controls or the implementation of new measures.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]

At Grupo Aval and its subsidiaries, cybersecurity risk management is an integral part of our enterprise risk management program. We establish policies, methodologies, and procedures aligned with local regulations, international standards, and industry best practices. In recent years, we have significantly expanded our capabilities to counteract the increasing number of attempts to breach our security barriers, the growing use of the Internet and automated processes, and the diversification of financial transaction channels. Our cybersecurity risk management framework provides a structured approach for handling threats and incidents, including those linked to third-party service providers. It includes steps for assessing the severity of threats, identifying their sources, implementing mitigation strategies, and informing management and the Board of Directors of material cybersecurity risks.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

The Board of Directors of our financial subsidiaries has overall oversight of cybersecurity risk management. This responsibility is delegated to the Cybersecurity and Information Security Committee and its equivalents at the Board level. These committees ensure that management has processes in place to identify and evaluate cybersecurity risks, implement mitigation strategies, and report material cybersecurity threats to the Board and the Corporate Vice Presidency of Risk and Compliance.

Grupo Aval’s Board of Directors has designated a member to oversee cybersecurity risk management at a corporate level. Management is responsible for continuously assessing material cybersecurity risks, monitoring potential exposures, implementing mitigation measures, and maintaining cybersecurity programs. Our cybersecurity programs are directed by the Corporate Vice Presidency of Risk and Compliance and the Corporate Vice Presidency of Information Technology. These teams consist of certified and experienced professionals in information systems security and cybersecurity risk management.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Cybersecurity and Information Security Committee
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Board of Directors of our financial subsidiaries has overall oversight of cybersecurity risk management. This responsibility is delegated to the Cybersecurity and Information Security Committee and its equivalents at the Board level. These committees ensure that management has processes in place to identify and evaluate cybersecurity risks, implement mitigation strategies, and report material cybersecurity threats to the Board and the Corporate Vice Presidency of Risk and Compliance.

Grupo Aval’s management, including the Vice Presidency of Risk and Compliance and cybersecurity teams, regularly update their Boards of Directors and Cybersecurity and Information Security Committees on the company’s cybersecurity programs, risks, and mitigation strategies. Reports are provided semi-annually or quarterly in some subsidiaries, covering third-party assessments, developments in cybersecurity, and updates to mitigation strategies.

Cybersecurity Risk Role of Management [Text Block]

Management is responsible for continuously assessing material cybersecurity risks, monitoring potential exposures, implementing mitigation measures, and maintaining cybersecurity programs. Our cybersecurity programs are directed by the Corporate Vice Presidency of Risk and Compliance and the Corporate Vice Presidency of Information Technology. These teams consist of certified and experienced professionals in information systems security and cybersecurity risk management.

Grupo Aval’s management, including the Vice Presidency of Risk and Compliance and cybersecurity teams, regularly update their Boards of Directors and Cybersecurity and Information Security Committees on the company’s cybersecurity programs, risks, and mitigation strategies. Reports are provided semi-annually or quarterly in some subsidiaries, covering third-party assessments, developments in cybersecurity, and updates to mitigation strategies.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Corporate Vice Presidency of Risk and Compliance and the Corporate Vice Presidency of Information Technology
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our cybersecurity programs are directed by the Corporate Vice Presidency of Risk and Compliance and the Corporate Vice Presidency of Information Technology. These teams consist of certified and experienced professionals in information systems security and cybersecurity risk management.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]

Grupo Aval’s management, including the Vice Presidency of Risk and Compliance and cybersecurity teams, regularly update their Boards of Directors and Cybersecurity and Information Security Committees on the company’s cybersecurity programs, risks, and mitigation strategies. Reports are provided semi-annually or quarterly in some subsidiaries, covering third-party assessments, developments in cybersecurity, and updates to mitigation strategies.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true