Data in Bancoob

Karla Castro Cybersecurity Manager Privacy in Bancoob World’s Outlook

US Federal Laws Canada Switzerland União Europeia (UE) Russia HIPAA, GLBA, COPPA, PIPEDA, CASL Federal Data General Data Protection Regulation (GDPR), Federal Law of July 27, 2006, n ° CAN-SPAM, Do Not and Provincial Protection Act Proteção de Privacidade de UE, Diretiva de 152-FZ on personal data Call, Safe Harbor Privacy Laws 1992 Retenção de Dados de Comunicação (2006), Principle, FCRA Diretiva de UE de Privacidade e South Korea Comunicações Eletrênicas, implementada Law on Promotion of Use of California por 27 diferentes Leis de Proteção de Dados Information and Communication California Online dos Membros de Estado. Network, and Data Protection Privacy Protection 2000 Act 2003, Security Taiwan Breach Notice Protection of Personal Data (Civil Code 1798 Processed by Computers Formerly SB 1386) Hong Kong Colombia Personal Data Privacy Decree Personal Data Protection Act 2012 Philippines Brasil Data Privacy Act proposed by Law 12.965/14 - Chile ITECC, Civil Law of Privacy Law Civil Framework Private Life Protection Dubai New Zealand Act, Personal Data of the . Personal Data Privacy Act 1993, Privacy Protection Act 1998 Protection Amendment Act, Privacy Law 13.709/18 - Law 2007 Amendment of 1993 and 1994 General Data Argentina Protection Act Personal Data South Africa India Australia Personal. Protection Act 2000, Uruguay Electronic Legislative proposal under Privacy Act 1988, Privacy Information Personal Data Communications discussion, Information Amendment Act, Anti- Confidentiality Law Protection Act 2008 and Transactions Act Technology Act 2000 Spam Act - 2004 ONLINE CRIME IN BRAZIL | 2019 2. Capture of sensitive data Virtual Traps attracted consumers, the digital frauds steal datas like passwords, credit and debit cards simulating sites (cases of phishing) or applications (cases of malware) official. 1. Branding in digital scams Everywhere every 231,5% 67% 15 minutes On the superficial web, branding is the main way to attract was the growth of fake of phishing attacks are A phishing attack were phishing pages done with brand-name detected in the last victims to fraud and scams. They are everywhere possible. between February and domain names trimester December

only this time, Financial Banks and 50,9% the rate of branded and Institutions E-commerce of the cases of piracy and the rate of false similar domains 38 finances unauthorized sales occurred in the profiles grew increased Diferents (and their Is the sector most last three months of the year, when customers) were targeted affected by phishing, happened dates as Blake Friday and by the same malware, with 44% o the end of year festivities 31,3% 35,1% identified in December of the total SaaS/Webmail

These are the two main uses of brands used to publicize The same way as system intrusions, these frauds generate... and host phising, the most common fraud for ...

5,7 23,6 37,6 26,7% billions millions millions of credit cards leaked 3. sale and data leak online are from Brazil of exposed are .br domains is the number of One key ,many copies - we are only behind credentials* were times password the United States, detected in 2019 123456 was Sensitive data is sold and exposed in lists from the superficial web to the deep which has 50.9% of detected in 2019 detections web - and generate financial losses for companies

*password or hash (encrypted password) Source: AXUR 31/1/2020 Personal Data Privacy Project Overview

Guardians of privacy and training 71 Privacy guardians (respondents) defined and involved during the project

Privacy Workshops 337 Employees trained on Privacy and LGPD Risks identified More than 821 risks in operations identified treatment Project in Project phases and deadlines numbers Cybersecurity Diagnosis • Inventory of personal data (Data Mapping) and Data Discovery • Identification of risks and threats • Roadmap and action plan • Duration: 15 weeks from 1/28/2019 to 5/31/2019 Interviews conducted and scope 95 interviews (Business, IT and Information Security) Units evaluated: Torre Z and Aricanduva Personal Data Privacy Project Scope

Map the business processes 1. Cybersecurity Diagnosis that deal with personal data or sensitive personal data, Inventory of personal data (Data Mapping) and Data Discovery information security risks / 2. data protection, identification Identification of risks and threats of gaps and recommendations 3. for improvements through an action plan to adapt to LGPD. 4. Action Plan Personal Data Privacy Project Diagnosis

Data Inventory and Identification of Risks and Threats Personal Data Privacy Project Diagnosis

565

InventárioData Inventory de Dados RiscosIdentified IdentificadosRisks 313

137 67 47 56 42 6 10 1619 29

Bancoob Bancoob DTVM Cabal Seguradora Ponta Sicoob Previ Personal Data Privacy Project Action Plan

2020 JAN FEB MAR APR MAY JUN JUL AUG SET OCT NOV DEC

Legal Actions

Governance Organization of privacy and protection of PA 2 Structure personal data

Build and approve policies PA 3 Design of Petitioners, DPIA, PbD and PA 4, 5, 6 e 7 Incidents

Structuring Processes Data Protection in 3rd PA 8

Data Governance PA 9

Training PA 10 PA 10 Correction / Adjustments in Existing Monitoring of personal data via DLP (Data PA 11 Processes or Loss Prevention) Technologies Definition and implementation of access review processes to protect personal data in the systems PA 12 Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

Define legal bases for the treatment of personal data and sensitive personal data.

Buy personal databases without safeguards for legitimate collection (Serasa and AML).

Prepare a legal opinion to regularize the collection and treatment PA 1 of consumers' personal data (Terms of consent). Legal actions for LGPD compliance.

Implement Privacy Policy for employees and third parties.

Review and / or prepare contracts and / or contractual amendments with provision for personal data protection clauses.

Review contracts for the purpose that are suitable for LGPD. Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

Review contract for the purpose of ensuring that personal data is stored in Brazil and otherwise, regularize the situation. PA 1 Legal actions for LGPD compliance. Review contracts for the purpose that are suitable for LGPD.

Appoint a Data Processing Officer.

Define the role and responsibility of the Data Processing Officer

PA 2 Define the competence of the Data Processing Supervisor Definition and implementation of the access review process to protect personal data in the systems. Develop and implement a privacy / data protection governance structure.

Define an organizational structure with the roles and responsibilities of privacy / data protection at Bancoob. Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

Check Bancoob's level of compliance with the General Data Protection Law. PA 2 Definition and implementation of the access review process to protect personal data in the systems. Creation of a local data privacy portal to disclose the privacy, data retention, storage, sharing and disposal policy

Add new categorizations, including: personal data and sensitive personal data, collection, handling, storage and disposal of personal data PA 3 Review and implementation of policies and processes to protect personal data. Implement policy for secure sharing of personal data

Implement mobile device usage policy. Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

Develop a policy for sharing with service providers with the best security and privacy practices that must be observed during the contractual relationship with Bancoob. PA 3 Review and implementation of policies and processes to protect Update the cookie policy. personal data Update the privacy policy.

Review the MIG - Cybersecurity.

Create procedures.

Design a process to meet the requests of the owners (customers, candidates, employees, former employees and service PA 4 providers). Definition and implementation of the Petition Management process, Consent Management and Opt-in / Opt-out Management Assess consent management tool and Opt-in / Opt-out. Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

PA 4 Define a process for receiving, registering and filing (system), Definition and implementation of the Petition Management evaluating (confirmation by the holder), escalating and process, Consent Management and Opt-in / Opt-out Management responding to requests.

PA 5 It is also recommended that a standard response be drawn up for Definition and implementation of DPIA (Risk Assessment) each applicable request type with legal support.

Evaluate tool for managing personal data and DPIA inventory PA 6 Definition and implementation of Privacy by Design Include questions regarding the privacy of personal data

PA 7 Define a process to communicate the ANPD and the holders in Definition of the incident process (inclusion of privacy aspects) case of privacy incidents that may impact the holders' freedom and privacy. Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

Examine the types of risk they pose. Depending on the services provided, the third party may exercise multiple risk factors in the company, which will increase the diligence and guarantee of compliance required from the third party.

PA 8 Complete the development of the third-party risk register with a Definition and implementation of a personal data protection scoring technique to assess and aggregate the risk for each third process in service providers. party individually.

Monitor, review and report third party risks regularly and be triggered if mergers and acquisitions occur, divestitures, major changes in the organization, entering new markets and geographic expansion. Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

Develop a risk assessment procedure in the process of PA 8 contracting third parties with information security questions and Definition and implementation of a personal data protection a specific chapter to assess privacy in the contracting process, process in service providers that is, the centralized cybersecurity structure is used.

To develop the criteria for assessing the security risk of third parties for the company, the inventory must be within the context of the financial sector, the types of services provided and the degree of impact of service dependencies on the organization. Personal Data Privacy Project Action Plan

PHASE ACTION PLAN

Implement a process that allows access to a single location of the personal data inventory.

PA 9 Definition and implementation of the personal data governance Build an Information Management model, aiming to structure process on the issues demanded by the LGPD. and mature control over all environments, processes and personal data assets managed by Bancoob, now and in the future.

PA 10 Define a personal data protection training plan for Bancoob Conducting a corporate and protection training employees. program,

PA 11 Implement rules in the DLP for monitoring personal data. Monitoring of personal data via DLP ( Prevention)

PA 12 Review access to systems, network directories that store Definition and implementation of the access review process for personal data. the protection of personal data in the systems OBRIGADA! Diretoria de Controle (Dicon) Superintendência de Gestão de Riscos (Suris) OBRIGADA! Diretoria de Controle (Dicon) Superintendência de Gestão de Riscos (Suris)