Information security and cybersecurity policy
1 INTRODUCTION
Technological evolution is transforming the way that organizations conduct their business activities. In the current context, organizations face a wide range of risks in the field of Information Security, and therefore, it is essential to establish solid and proactive measures that guarantee the protection of information and the assets that support it.
The General Management of the ABANCA Group (‘ABANCA’ or, alternatively, ‘the Organization’) recognizes that risk is inherent to its business and that risk management is fundamental to achieving its objectives, giving confidence to its customers and successfully executing its strategies.
For this reason, at the meeting on March 22, 2024, the Board of Directors of ABANCA approved the Information Security Policy (also known as the ‘Policy’), with the purpose of outlining ABANCA's position in the management and governance of security, providing principles and guidelines to safeguard data and guarantee the confidentiality, integrity and availability of the information processed.
Additionally, this Policy aims to demonstrate the Organization's commitment by establishing Information Security and cybersecurity as one of the fundamental pillars in all banking processes.
Furthermore, ABANCA's regulatory framework development is firmly based on internationally recognized standards, such as ISO 27000 and NIST CSF. These regulatory frameworks allow us to align ourselves with best practices in risk management and information protection.
It should be noted that this Policy applies to all information owned by ABANCA, its customers, or third parties involved in the provision of the service, regardless of how it is transmitted, processed or stored, or the medium on which it is stored.
2 SCOPE OF APPLICATION
Any person working in or for ABANCA or needing access to ABANCA's information systems must comply with the provisions established in the Policy, as well as with all the regulations derived from it.
When ABANCA uses third party services or shares information with them, it will involve them in this Policy and the regulations applicable to such services or information, which they are obligated to comply with.
3 OBJECTIVES
The Policy aims to protect the information of ABANCA and its clients, along with the technologies used for its transmission, processing, or storage, against internal or external threats, deliberate or accidental, in order to ensure:
- Confidentiality: ensuring that sensitive information is accessible only to authorized individuals.
- Integrity: maintaining the accuracy and integrity of all information, ensuring that it is not altered in an unauthorized manner during its storage, processing or transmission.
- Availability: ensuring that authorized users have access to information and associated resources when needed.
4 PRINCIPLES
To materialize the commitment of the General Management regarding Information Security, in line with the previously stated objectives, the following principles are established:
- Commitment: the commitment of the General Management regarding Information Security is made evident, in line with the business strategy, providing it with the necessary means and powers to carry out its functions.
- Risk management: risks are identified and analyzed, and risk mitigation actions are undertaken based on the Organization's need for risk reduction. The measures implemented must be proportionate to the risk.
- Comprehensive security: security is considered a global process, encompassing physical, logical, organizational and human aspects, enabling the definition of a single protection strategy.
- Identification, protection, detection, response and recovery:
  a. Identification measures provide knowledge about assets and functions in order to manage the Organization's risks.
  b. Protection measures have the purpose of avoiding or minimizing the occurrence of incidents.
  c. Detection measures serve to identify potentially dangerous events. They should be accompanied by response measures.
  d. Response measures act on the detected event, minimizing the damage that could occur.
  e. Recovery measures allow information or services that may have been affected by an incident to be reestablished.
- Defense in depth: there must be successive protection layers so that, should an incident occur, it is not capable of achieving its full damage potential. To this end, the lines of defense must be established through measures of an organizational, physical and logical nature.
- Periodic reassessment of the measures and continuous improvement: it is verified, at least annually, that the measures continue to be adequate, both for the risks identified and for any new risks that are identified, and that they remain effective. Information security and cybersecurity are treated as a process of continuous improvement, enabling increasingly advanced levels of security to be achieved.
- Separation of duties: separation of responsibilities that prevents conflicts of interest that could be detrimental to security.
- Awareness: a ‘culture of security’ must be created both internally, in relation to all staff, and externally, in relation to ABANCA's customers and suppliers.
- Compliance: compliance with all legal, regulatory and contractual requirements applicable to information security must be ensured.
- Non-compliance: breaches of the Policy that are regulated by legislation will result in legal liabilities. Where the non-compliance is not regulated by legislation, ABANCA's Management will decide on the measures to apply depending on the seriousness of the non-compliance. In the case of third-party personnel, the measures provided for in the contract will apply.
The Policy will be developed through rules, procedures and guidelines that address specific issues and are made available to the members of the Organization.
5 MAINTENANCE AND REVIEW OF THE POLICY
To ensure the validity and effectiveness of the Policy, it will be reviewed annually in order to align it with ABANCA's strategic objectives and adapt it to the demands of emerging technological environments. It shall also be updated in the event of a substantial change in the Organization.
In any case, modifications to the Policy must be duly submitted to and approved by the responsible and competent body of ABANCA.