Other information of interest

Get acquainted with data related to human capital and social management, and to the supply chain and supplier arrangement.

Learn about data related to the Bank's management in different areas

At BBVA, our employees are the cornerstone of our internal culture. Thanks to our team, our cultural values defined by the Group, principles, and practices, we have continued to make progress in transformation

Due Diligence

BBVA Colombia has a due diligence process that covers different areas such as:


a) General Procurement Policies: We require our suppliers to comply with regulations such as:

  • Dignified and adequate hiring of personnel.
  • Respect for fundamental rights.
  • Compliance with labor laws.
  • Recognition of labor rights.
  • Issues related to occupational health.

b) Internal regulations on the matter:

  •  Supply Management: This procedure regulates the acquisition of goods and services, guided by the Local Standard for the Acquisition of Goods and Contracting of Services, to meet internal needs and achieve the entity's objectives.

Key aspects in the execution of the procedure:

  •  Occupational Health and Safety Annexes (SGSST): The Procurement Associate II is responsible for including these annexes during negotiation and formalization, according to the requirements of the user area and as established in the contractors and suppliers program (available on the legal services SITE).
  • Other contractual annexes: The user area must define additional annexes (e.g., confidentiality, security) when submitting the request, based on the technical specification. The Procurement Associate II guarantees their inclusion in the negotiation and formalization.

Commitment to BBVA's Code of Conduct:
BBVA's code of conduct is based on the following principles:

  • Non-discrimination and financial inclusion: It seeks to avoid unjustified discrimination in access to products and services for clients, promoting policies that foster financial inclusion and financial education.
  • Respect for people: Respect is demanded and promoted in the workplace, prohibiting discrimination based on any unjustified condition or circumstance (gender, race, age, etc.) for both employees and supplier personnel. Any form of harassment (sexual, labor, personal) and behaviors that generate an intimidating or offensive work environment are considered inadmissible.
  • Respect for human rights: BBVA acts respecting the dignity and inherent rights of all people, in line with its General Sustainability Policy, the UN Guiding Principles on Business and Human Rights, the Universal Declaration of Human Rights and the ILO Conventions. These principles are integrated into the relationship with suppliers, ensuring transparency, compliance with labor and environmental requirements, and promotion of socially responsible products and services. BBVA is committed to ensuring compliance with all applicable laws and respect for internationally recognized human rights in all its interactions.

Occupational Health and Safety (OHS) Audit for BBVA Contractors:
Based on the OHS Standard and the Contractors and Suppliers Program, the OHS Management System carries out the following actions:

  • Controls to suppliers on health issues: Implementation of a control procedure to ensure compliance with occupational health and safety regulations. This includes review of internal policies, verification of certifications, hazard matrices, audits of occupational risk management and demand for ARL certification on compliance with the SG-SST.
  • List of audited suppliers: In 2024, occupational health and safety audits were carried out on suppliers AINECOL, DOMESA, HONOR & LAUREL and ELITE.
  • Annual schedule: Supplier control activities are integrated into the Health and Safety Management Plan at Work. Two semi-annual reviews are scheduled with randomly selected suppliers, prioritizing those with higher risk.

Additional policies and regulations:
General Corporate Social Responsibility Policy:

Establishes respect for the dignity of people and their rights, adhering to national and international commitments such as the International Bill of Human Rights and the United Nations Global Compact.
 

"Labor Coexistence Committee Standard" of BBVA Colombia S.A.:

Establishes guidelines for processing labor harassment complaints, regulating the Labor Coexistence Committee (Law 1010/2006). There is an independent channel for sexual harassment. It includes campaigns and corrective measures. The Committee, with four representatives of employees and four of the company (two-year period), meets quarterly or when necessary, deciding by simple majority. The complaint procedure includes admission, transfer to the alleged aggressor, conciliation hearing, evaluation of evidence and closure in six to eight months. Confidentiality, responsibilities and indefinite validity of the standard are emphasized, with communication channels and a glossary.


"Standard for the attention and prevention of sexual harassment in BBVA Colombia":

The policy seeks a workplace free of sexual harassment, protecting all BBVA Colombia employees. It is based on the Constitution and laws such as 2365 of 2024, regulating sexual harassment in the workplace. Investigations can be external or internal (through reportesacososexual-col@bbva.com), detailing the complaint and investigation procedure by the Committee.

Commitment to labor practices
BBVA Colombia COLLECTIVE AGREEMENT 2024-2026:
Key Benefits for Non-Unionized Employees. Valid from 01/01/2024 to 12/31/2026, automatically renewable.


Salary Aspects:

  • 2024: 13% increase for Drivers, Assistants, Integral Advisors.
  • 2025: CPI + 2.3% for the same positions.
  • 2026: CPI + 2.5% for the same positions.
  • Other positions: According to internal salary policy.  

Featured Benefits:

  • Disabilities: BBVA covers 100% of salary.
  • Night Surcharge: 40% on basic salary.
  • Aid (Transport, Food, Dinner and Night Transport): Annual increase (2025: legal/CPI + 2.3%; 2026: legal/CPI + 2.5%).
  • Educational Aid: For children (annual), and higher for children with special conditions (e.g., Down Syndrome, Autism).
  • Death Benefit: Covers parents, siblings, spouse/partner and children.
  • Optical Aid: For frames and lenses; aid for refractive surgeries ($2,743,000).
  • Maternity Aid: $1,189,804 (2024) and an additional daily hour of breastfeeding leave.
  • Seniority Bonus: Days of salary according to years of service.
  • Extra-legal Bonus: Four basic monthly salaries per year (June and December).
  • Retirement and Disability Bonus: $2,347,246 upon retirement due to pension.
  • Vacation Bonus: Equivalent to 23 days of basic salary (2024 cap: $2,845,444).
  • Teller Incentive: Monthly payment for Customer Service Window Assistants and Integral Advisors without discrepancies.

Special Permits:

- Bereavement: 6-7 business days.
- Domestic Calamity: Up to 4 paid days.
- Extra-legal Maternity Leave: 10 additional calendar days.
- Paternity Leave: 10 additional calendar days.


Insurance:
- Life: $53,000,000.
- Personal Risks: $55,000,000 (for value transport or pensioners due to disability from professional risks).
- Optional Health Plan: BBVA covers up to 85% of the premium (2025 cap: CPI + 2.3% on 2024 cap value).


Loans with Preferential Conditions:
- Studies: Undergraduate, Postgraduate (70% annual value, max. $10,012,000), MOOCs; interest-free and condonable.
- Domestic Calamity: 3% annual interest.
- Housing: 1st, 2nd and 3rd loan with adjusted annual amounts (e.g., 2025: 1st $172,000,000, 2nd and 3rd $146,000,000). Preferential rates; the first credit includes 10% aid for expenses.
 

Working Hours and Well-being:

  • 40 hours per week, 8 hours per day (cities with five-day work week).
  • One hour daily for lunch during continuous workday.
  • Promotes work-life balance and personal/professional life balance.
     

Procedures and Governance:

  • Disciplinary Process: Guarantees due process and defense.
  • Collective Agreement Committee: Quarterly meetings for benefit review and management.

Standard for work-life balance

BBVA Colombia's standard for work-life balance establishes clear guidelines to guarantee work disconnection and respect for employees' rest times, seeking to promote well-being, health and productivity. It is applicable to all employees, including those in management and trusted positions (with specific exceptions), and prohibits work communications outside working hours, except in cases of force majeure. The standard also details situations that are not considered a violation of the right and the channels for filing complaints, with non-compliance potentially constituting workplace harassment.


BBVA Colombia's Commitment to Breastfeeding Initiatives and Benefits

BBVA Colombia, through its "Familias BBVA" program, actively promotes breastfeeding among its female employees, in line with the World Health Organization's recommendations for the well-being of mothers and babies.

1- "Love that Feeds" Program: A 54-minute online course, available on the BBVA Campus, divided into three modules. It addresses breastfeeding techniques, milk expression and supply, warning signs and complementary feeding. It has received positive evaluations for its informative content.

2- Labor Relations & Health Initiatives: Within the "Familias BBVA" program, several actions stand out:

  • Breastfeeding Kit: A kit is provided with elements that facilitate the transport and conservation of milk (30 kits delivered nationwide in 2024).
  • Personalized Accompaniment: Individual monitoring is carried out for each pregnant mother to ensure optimal working conditions.
  • Preventive Information: Pregnant employees are sent ergonomic and physical recommendations.
  • Friendly Breastfeeding Room: The certification of this room is maintained, guaranteeing an adequate space for breastfeeding.

Hiring

Year 2024

  • Total number of new employee hires: 565
  • Total number of open positions filled by internal candidates (internal hires): 454
  • Average hiring cost/FTE: 132.000 COP
  • Total employee turnover rate: 25,55
  • Voluntary employee turnover rate: 4,1

At BBVA, we consider the promotion of occupational safety and health fundamental, being a primary pillar and a basic objective that we seek to achieve through the continuous improvement of working conditions.

To this end, we have a Standard for Occupational Safety and Health and Prevention of Tobacco, Alcohol, and Psychoactive Substance Consumption. This standard aims to reflect our organizational model in terms of occupational risk prevention and to establish the functions of the Prevention Service. It also has the approval of the executive director.

This service provides advice and support to the company in relation to existing risks, covering aspects such as:

  • Protect the safety and health of workers through the continuous improvement of the SGSST.
  • Comply with current Colombian legislation on Occupational Safety and Health.
  • Allocate technical, financial, and human resources for the SGSST.
  • Promote worker participation in risk prevention training and healthy habits.
  • Contribute to worker safety by controlling risks.
  • Assign Occupational Safety and Health responsibilities throughout the organization for a healthy work environment.

During 2024, the process of nomination, selection, and definition of the members of the Joint Committee on Safety and Health at Work was carried out, who will represent employees for the 2024-2026 period.
Additionally, there is mandatory legal training that is presented with a more agile and personalized approach. Beyond being a requirement, this training is a key opportunity to strengthen employees' knowledge, protect the company's customers, and consolidate trust through its Radical Customer Perspective.
To promote continuous improvement, the bank conducts occupational health and safety risk and hazard assessments to identify potential causes of harm in the workplace, as well as procedures to investigate injuries, occupational diseases, illnesses, and work-related incidents. Likewise, it establishes specific health surveillance protocols as well as preventive health campaigns with the aim of preserving and caring for the health of its workers. BBVA prioritizes and integrates action and monitoring plans to address these risks, for example, plans to reduce accidents in Spain. These plans respond to eventual emergency situations, such as evaluation drills and local communications.

In order to ensure the effectiveness of management systems, the entity conducts internal inspections in the branches and offices of Banco BBVA Colombia.

Staff selection and attraction policy

Policy available in Spanish. Review it here

BBVA integrates the principles of its policies into its relationship with the supply chain and suppliers, providing complete and transparent information in the procurement processes.

Get acquainted with the supply chain and vendor arrangement at BBVA Colombia

Supply and Vendors chain arrangement (PDF)

BBVA considers that the key to the future, in an increasingly globalized world, lies in reconciling the economic, social and environmental dimensions in a harmonious and balanced model of sustainable development.

In order to integrate environmental factors into our strategy, our management and our activity, BBVA Colombia has a comprehensive policy called “Política de Gestión Ambiental” that reflects our group's commitment to respect for the environment and to the efficient use of natural resources in all aspects of our activity.

A commitment based on the belief that it is possible to reconcile economic activity and sustainable development. That belief is reflected in the responsible behavior of all our collaborators toward the natural environment.

Review our Policy and other documents that we have available in Spanish here

At BBVA, achieving superior risk management capability is a key element in fostering growth.

 

Technological risk due to potential vulnerabilities arising from continuous digital innovation

  • Description: Possibility that the Bank may suffer negative financial, business, capital or reputational impacts arising from inadequate information technology and processing, in terms of availability, integrity, authenticity and confidentiality. New threats such as cyber-attacks, theft of internal and customer databases, fraud in payment systems, etc., which require significant investments in security from both the technological and human point of view.
  • Impact: Loss of customers and business opportunities, damage to computers and systems, breach of data protection and/or other regulations, exposure to litigation, fines, sanctions or interventions, loss of confidence in the Group's security measures, damage to its reputation, reimbursements and compensation and additional compliance costs.
  • Mitigating actions: The Bank implements measures to ensure the security of its systems and protect the confidential information of its users, preventing the occurrence of cyber attacks that compromise the privacy and trust of its stakeholders.

Increased severity of extreme weather phenomena, such as cyclones and floods

  • Description: Reduced revenues due to reduced production capacity (e.g., transportation difficulties or supply chain interruptions). Direct losses due to damage to assets (BBVA and customers). Increased insurance costs.
  • Impact: Reduced revenues due to reduced production capacity (e.g., transportation difficulties or supply chain interruptions). Direct losses due to damage to assets (BBVA and customers). Increased insurance costs.
  • Mitigating actions: In addition to the practices and methodologies used in the BBVA Group, BBVA Colombia has worked on the implementation of the Environmental and Social Risk Management System (SARAS), hand in hand with the IFC. In 2023 the Bank included SARAS in its General Sustainability Policy and the approval of the General Environmental and Social Risk Standard by the Risk Management Committee - RMC, which establishes a comprehensive management framework that includes policies, standards, procedures, tools and mechanisms for the identification, categorization, evaluation, control, monitoring and follow-up of environmental and social risks that could be generated by projects, works, activities and customers to whom financing is granted and that may result in financial, reputational, credit, market and civil liability risks for BBVA Colombia.

Contributions & Other Spending

In 2019, BBVA performed a process of strategic reflection to continue making progress with its transformation and adapt to the major trends that are changing the world and the finance industry. In this context, the strategic plan approved by the Bank's Board of Directors in 2019 seeks to accelerate this transformation and the achievement of its Purpose, "To bring the age of opportunity to everyone".

BBVA's strategy encompasses trends that are transforming the world.

There are two strategically relevant areas for BBVA.

● On the one hand, the promotion of digitization in which data and technology help improve the financial health of our customers, who will be able to make better informed decisions.
● On the other, support for sustainable finance. The climate transition will require significant investments in the short term and long term in many industries. At BBVA, we are aware of the important role banks may play in this transition providing financing and advice to our clients
 

Policy Influence/Advocacy and Trade associations-Climate Aligned

Participation in international initiatives related to Sustainability

According to its Sustainability General Policy, BBVA supports and participates in the initiatives that it considers more relevant in line with the bank's strategy and its priority areas of action, which promote the positive contribution of the finance sector in our society. Thus, BBVA actively participates in different global and regional initiatives that aim to promote the decarbonisation of the planet (including alignment with the Paris Agreement), the protection of the environment and natural capital and promote inclusive growth and diversity.

At global level, BBVA is a member of UNEP FI, Co-Chair of its Global Steering Committee representing the European Banks and a member of its Leadership Council till December 2023. From 2021, BBVA is a signatory of the Net Zero Banking Alliance and is nowadays a member of its Steering Group. BBVA Asset Management is a member of the Net Zero Asset Managers initiative.

Through advocacy, BBVA aims to share its experience and expertise with policy makers, but with a focus on regulatory matters and not on political affairs. BBVA continued to adopt an active role within the framework of future EU regulatory initiatives. In this context, our interests cover EU regulatory initiatives in the field of financial services (which include Sustainable Finance; Banking Union; prudential requirements CRR/CRD, Capital Markets, retail banking, payments, structural reforms in the banking sector, etc.), as well as other initiatives in areas such as Digital economy, Innovation and Technology, Corporate Governance and Company Law, Audit, Consumer Protection, Competition, Taxation and Corporate Social Responsibility, among others. For that purpose, BBVA participates in the public consultations or position papers that the regulators and other authorities launch to gather input from stakeholders, either individually or via the associations of which we are members. The responses to these consultations and position papers in Europe and globally are available on the Transparency Register or on the public websites of the associations (e.g. EBF, IIF, AFME, etc). BBVA has a robust internal process to ensure that the information provided to the market associations is consistent with BBVA’s Sustainability General Policy, in line with the bank’s strategy and its priorities.

The areas in charge of regulatory and non-regulatory advocacy on sustainability have procedures to ensure that the positions they defend in different fora are in line with our net zero ambition and sustainability performance as agreed in our governing bodies.

Management system in place

Additionally, the Bank’s sustainability advocacy strategy (beyond regulators) is structured around a dedicated Working Group (WG) which meets on a monthly basis with the participation of Public Affairs, Legal, Research, Regulation, Reputational Risk, Competition, Communications, Risk Management, Compliance, Internal Audit, Investor Relations, Premises, Talent & Culture, among other areas. In this WG, technical assessment of new sustainability commitments is carried out, proposals are made to be submitted to the Head of the Global Sustainability Area for decision on adhesion and disengagement of commitments, and the fulfillment of the obligations that these commitments entail is monitored. These responsibilities related to sustainability advocacy are part of the Duties and Authority of the Head of the Global Sustainability Area.

This WG is global in scope, covering all jurisdictions in which the Bank operates. Assessment of local commitments is carried out with the teams involved in the appropriate jurisdiction in each case.

In general, BBVA contributes to consultations on sustainability issues through trade associations and banking associations, either global or local (such as European Banking Federation, Asociación Española de Banca, Asociación de Bancos de México, Asobancaria in Colombia, ASBANC in Peru...). In general, we make sure that the positions of these associations are in line with our own positions. In the event that the position of these associations does not exactly coincide with that of BBVA, or BBVA considers that the industry’s position needs to be completed, qualified or emphasized, BBVA would express its views individually.

As examples, in the IOSCO (International Organization of Securities Commissions) consultation on voluntary carbon markets, BBVA issued its own response, as it did in the consultation on the Scope 1 and Scope 2 standards of the ISSB (International Sustainability Standards Board), in both cases not because of a position different from that of the trade associations but rather to emphasize its own vision.

Since 2004, BBVA has adhered to the Equator Principles (EP), which include a series of standards for managing environmental and social risk in project finance. The EPs were developed based on the International Finance Corporation's (IFC) Policy and Performance Standards on Social and Environmental Sustainability and the World Bank's General Guidelines on Environment, Health and Safety. These principles have become the benchmark standard for responsible financing.

Via 40

Project Sofia

The Project is the concession of the Government of Colombia, acting through the Agencia Nacional de Infraestructura or ANI (the “Owner”), for the design, build, finance, operate and maintain agreement of the existing Bogota-Girardot toll road. The Project involves upgrading and operation. The Project is part of Colombia’s primary road network and it is located along the Bogotá – Buenaventura Corridor, which connects the center, west and south regions of the country. 


To date, the Sponsor has been working in two activities to address gender diversity, equality and inclusion. One is strengthening women’s organization initiatives to develop entrepreneurial activities. The other entails an equal gender opportunity hiring program across different levels of the organization.

The project is the financing of the expansion of the Puerto de Buenaventura Aguadulce. Sociedad Puerto Industrial Aguadulce (“SPIA”) is a joint-venture terminal with a capacity of 600,000 containers per year, located in the Port of Buenaventura, in Buenaventura District, Valle del Cauca Department, Colombia. The terminal is a multipurpose port with two (2) terminals under one environmental license. The first terminal is a cargo terminal and the second one is a bulk cargo terminal for coal and other raw materials.


Based on the investigation performed by ANLA in February 2020, the Buenaventura Bay is located within four (4) ecosystems: marine (34414 Ha – 8%), coastal (25498 Ha – 6%), aquatic (15182 Ha – 4%) and terrestrial (334405 Ha – 82%). Regarding flora, there are mangroves and tropical rainforest. Additionally, the Project is located within the Choco Biogeographic region, one of the most diverse regions in the world, with 778 species of birds, 180 species of mammals, 188 species of reptiles and 137 species of amphibians.


The report mentioned that “Buenaventura and the surrounding Pacific territories are exposed to violence from criminal gangs and armed groups that fight for this area, where state neglect is evident, and which is strategic for the exit to the sea of illicit substances and contraband, in addition to being the main port for goods in the Colombian Pacific”.  The review of this risk revealed that as a result of SPIA's physical security team and established protocols for monitoring the security of the area with the public forces, there are low risks associated with crime and social instability in this specific location (SPIA infrastructure). 

Corporate Finance (Monetary Value FY 2023, by category)

  • Green loans, social loans, sustainable loans: 2.722.319
  • Sustainability-linked corporate loans: 62.819
  • Total value of corporate lending: 14.716.843
  • Total sustainable value: 2.785.138
  • Percentage of total sustainable value over total value: 18,92%

Consumer Finance (Monetary Value FY 2023, by category)

  • Sustainable loans and mortgages: 677.012
  • Total value of personal and mortgage lending: 20.852.144
  • Percentage of total sustainable value over total value: 3,25%

SME Lending (Monetary Value FY 2023, by category)

  • Sustainable SME loans: 195.708
  • Total value of SME lending: 3.534.306
  • Percentage of total sustainable value over total value: 5,54%

BBVA Colombia plays an important role in contributing to the country's development and well-being through initiatives and programs that promote sustainable progress. With a comprehensive approach, the Bank has not only dedicated itself to improving its financial services to make them simpler and more accessible, but has also actively worked to address the challenges of inequality, injustice and poverty facing Colombia. Below are several figures that show the positive impact on some groups, promoting inclusive and sustainable economic growth.

Women-owned SMEs

Financing to small and medium-sized enterprises led by women, which meet a minimum 30% shareholding and/or female legal representation.

  • Number of clients reached: 280
  • Number of transactions: 350
  • Investment: 165.897 MM COP

Small farmers

We finance small, low-income farmers through companies that integrate farmers' agricultural production into their value chains.

  • Number of clients reached: 19
  • Number of transactions: 19
  • Investment: 88.512 MM COP

POS (Point of sales) Link Loan

POS Link Loan allows SME clients to acquire a short-term loan through the digital channel. This loan takes into account their average monthly sales (last 6 months), with a maximum term of 120 days and with daily installment payments of capital.

  • Number of clients reached: 764
  • Number of transactions: 1406

Sustainability at the core of BBVA's strategy

Encouraging new business through sustainability

Sustainable business channel

  • Target 2025: 300 MM€
  • From 2018 to September 2023: 185 MM€

Achieving Zero Net Emissions by 2050

Setting and managing decarbonization targets for 2030 

SECTORS

  • Oil and Gas
  • Mobile
  • Cement
  • Electricity generation
  • Steel
  • Carbon

TO SEPTEMBER 2023

76% of the loan portfolio corresponds to clients who are progressing in their transition¹.

For BBVA, one of the most important elements is adequate communication between the teams in charge of attending the different stages of the incident. Timely reporting, involving whoever is considered necessary, and escalating depending on the severity or the specialty of the teams are fundamental to ensure the correct coordination of the response processes.

In addition, there is an Internal Discipline and Administrative-Labor Measures Committee, which resolves disciplinary processes whose facts are related, among others, to irregularities detected in the area of operations, possible fraud, violation of BBVA regulations and negligence in the performance of duties.

Other information of interest https://www.bbva.com/es/innovacion/ciberseguridad/

Security Incident Management

The following are the positions involved in the incident management process depending on the magnitude of the incident:

BBVA Colombia's General Information Security and Cybersecurity Policy

The Policy, updated on May 22, 2025, protects the information and assets of the BBVA conglomerate in Colombia. It seeks to mitigate risks, guaranteeing the integrity, confidentiality, availability, and authenticity of data, aligning with the EBA and Colombian regulations. Its pillars include integrity, prudence in risk management, a profitable and sustainable business, and legal compliance, focusing on an organizational framework, technical and organizational controls, alignment with the Group's strategy, and fostering a security culture. The management model is based on Group guidelines, a centralized operational model, and internal control with three lines of defense. The policy is mandatory for employees, suppliers, partners, and BBVA entities in Colombia, covering the entire lifecycle of information assets. Non-compliance may result in disciplinary sanctions.

Additionally, the policy defines specific roles and responsibilities, such as those of Corporate Security (policy executor) and the local CSO (policy responsible), and emphasizes the importance of coordination between internal and external actors, as well as communication with authorities and regulatory bodies. It includes a glossary of key terms related to information security and cybersecurity.

BBVA Group has established a global information security structure for all its geographies. This structure includes a CSO at the Holding level and functional execution units for the Data CISO and corporate functions. For the geography of Colombia, a CSO Country Leader Manager has been appointed.

BBVA Group's General Operational Resilience Policy

The policy, mandatory for the entire Group, ensures the integrity and reliability of systems and networks. It is governed by principles such as integrity, prudence, transparency, sustainability, legal compliance, availability, confidentiality, authenticity, and physical security. It includes identification of Critical Processes, third-party risk management, training, incident management, testing, and continuous improvement, with an ICT Risk Management Framework that details the risk cycle and the importance of backups.

The Business Continuity Management Framework identifies critical processes to ensure their maintenance and rapid recovery after interruptions, minimizing impacts. Internal regulation will be developed to manage continuity and operational crises. The Group will also establish processes for operational incidents that affect continuity and security, including an ICT process to detect, manage, and communicate relevant incidents to clients and authorities, classifying them by criticality.

Information Security and Cybersecurity Incident Management Standard V7

BBVA Colombia's policy defines a framework for security incident management, following the NIST SP 800-61 standard, to minimize impacts, classify incidents, and ensure compliance. It applies to all personnel and third parties with access to the Bank's systems. The principles emphasize rapid and effective management of any event that compromises systems, the entity, or clients.

The management phases include: prevention (team, plan, asset identification, tools, and awareness), detection (anomaly identification and mandatory reporting), analysis/containment/eradication/recovery (verification, root cause, resolution, vulnerability correction, and restoration), and post-incident (review, improvements, reports, and lessons learned).

Cyber incidents are classified by severity (Non-Significant, Significant, Severe) with sublevels (C to A+), based on systemic impact, service interruption, reputation, data loss, and economic impact. An escalation, notification, and internal and external communication plan (clients, regulators) is detailed.

Standard for Decision-Making and Relevant Follow-up in the Field of Information Security and Cybersecurity Management BBVA Colombia

This BBVA Colombia standard seeks to manage information security and cybersecurity, addressing concerns of the Financial Superintendency about possible conflicts of interest in Corporate Security. It establishes that key decisions must be approved by a different body, the Information Security and Cybersecurity Committee, which meets quarterly and supervises the implementation and effectiveness of the standard. It includes the approval of internal regulations, fraud parameters, controlled pilots, and risk monitoring. Corporate Security is responsible for presenting information to the Committee. The standard is governed by integrity, transparency, prudence, and legal compliance.

Additionally, internal and external audits are carried out annually to evaluate the corporate security structure.

The internal audit conducted in the first half of the year evaluated cybersecurity controls, focusing on protection against cyberattacks, intrusions, unauthorized access, theft, loss or misuse of information, and deficiency management.

E&Y's external audit report from November 2024 evaluates BBVA Colombia's General IT Controls (ITGCs). It focuses on the scope, methodology (with High, Medium, Low risk levels), and evaluation results. The areas evaluated include Program and Data Access, Change Management, and Computer Operations.