2020-05-28

Instruction No. 10/2020 of May 29

The Bank of Angola mandates that all supervised Financial Institutions report significant and very significant cybersecurity incidents within four hours of detection, utilizing a dedicated portal or exceptional email channel. The directive establishes a three-phase reporting model comprising initial, interim (within 20 days), and final reports (within 45 days), alongside specific materiality criteria, risk classification parameters, and defined communication protocols. Non-compliance with these cybersecurity incident reporting obligations is subject to sanctions under the Financial Institutions Framework Act, thereby reinforcing the stability and data security of the Angolan financial system.

Angola

Banco Nacional de Angola

INSTRUCTION NO. 10/2020 of May 29

SUBJECT: FINANCIAL SYSTEM

  • Cybersecurity Incident Reporting

Whereas it is necessary to define the information reporting procedures regarding any situations with significant impact on the results or equity of Financial Institutions, including operational incidents related to cybersecurity and cloud computing that may affect the stability of the Angolan Financial System;

Whereas it is also necessary to ensure and strengthen the reliability of information system infrastructures and data security for Financial Institutions' customers, as established in Notice No. 08/2020 of April 2;

In these terms, under the combined provisions of item j) of Article 90 of Law No. 12/15 of June 17 – Financial Institutions Framework Act, and item f) of paragraph 1 of Article 21 and Article 51, both of Law No. 16/10 of July 15 – Bank of Angola Act, I DETERMINE:

  1. Object and Scope

  1.1 This Instruction establishes the obligation to report to the Bank of Angola the cybersecurity incidents that are classified as significant or very significant.

  1.2 This Instruction applies to the Financial Institutions under the supervision of the Bank of Angola, hereinafter abbreviated as Institutions, in accordance with the Financial Institutions Framework Act.

CONTINUATION OF INSTRUCTION NO. 10/2020 Page 2 of 8

  2. Scope of Cybersecurity Incidents

  2.1 For the purposes of this Instruction, cybersecurity incidents are breaches of a Financial Institution's information system security policy that affect its security assumptions, notably the availability, integrity, and confidentiality of that system.

  2.2 The Institutions referred to in paragraph 1 must report to the Bank of Angola, on an individual and consolidated basis, all cyber incidents that produce economic, financial, social, or reputational damage to entities within the supervision perimeter, regardless of where those entities conduct their activities, within 4 hours after the detection of the first incident.

  3. Classification of Cybersecurity Incidents

  3.1 Institutions must classify cybersecurity incidents as significant or very significant, using the data and information collected under the cyber risk assessment, which also covers the derived impact. The parameters identified (significant and very significant) must be aligned between the information technology and business areas, with the essential aim of avoiding the economic, financial, social, and reputational damage arising from these incidents.

  3.2 Without prejudice to the foregoing, the Bank of Angola may, based on its own assessment of the incidents, alter the risk level presented by the relevant Institution.

  4. Indications Regarding Materiality Criteria

  4.1 To determine the number of affected users, all clients, national or foreign, individuals or companies, who have a contractual relationship with the Institutions covered by this Instruction must be considered.

  4.2 For assessing incidents related to cloud computing and servers, it is necessary to analyze whether central databases and backups have been compromised and what information each of them contained.

  4.3 For calculating the potential economic impact, the global losses, direct and indirect, associated with the occurrence of the cybersecurity incident must be considered.

  4.4 The global losses referred to in the preceding subpoint must be evaluated in absolute terms or, alternatively, based on their relative importance to the Institution.

  4.5 Any cybersecurity incident resulting in legal or regulatory non-compliance by the affected entity must be considered significant.

  4.6 Any cybersecurity incident with systemic risk potential must be considered very significant.

  5. Communication Channel

  5.1 Institutions must report incidents classified as significant or very significant to the Bank of Angola through the Financial Institutions Portal (FIP).

  5.2 In cases where Institutions temporarily lack the operational capacity to ensure incident reporting via the FIP, or where the portal is unavailable because of the incident or for other essentially technical reasons (duly justified), the report may exceptionally be sent by email to the following address: reportecibernético@bna.ao.

  6. Form of Communication

  6.1 Institutions must collect all possible information regarding the incident and complete the required information fields of the report, in accordance with the Annex to this Instruction.

  6.2 Entities may send to the Bank of Angola any additional information they deem relevant.

  6.3 The Bank of Angola may at any time, whenever deemed necessary, request additional information from Institutions regarding the reported cybersecurity incidents.

  7. Communication Model

  7.1 Incident reporting is divided into three phases: Initial, Interim, and Final, which must be completed incrementally and sequentially.

  7.2 Institutions must submit the initial report within the period defined in Article 8 of Notice No. 08/2020 of April 2, on Cybersecurity Policy and Adoption of Cloud Computing. The initial report must include information on the general characteristics of the incident, as well as its possible consequences.

  7.3 Institutions must submit an interim report within 20 (twenty) days after the initial report, completing the information fields identified in the reporting model. The interim report must contain detailed information about the type of incident and its impact.

  7.4 Institutions must submit a final report within up to 45 (forty-five) days after the initial report. The final report must reflect the information collected from the internal investigation into the causes of the incident, as well as the mitigating measures adopted or planned to resolve the incident and prevent its recurrence in the future.

  7.5 In the event that the incident is not entirely resolved within 45 (forty-five) business days after the initial report, Institutions must still submit the final report to the Bank of Angola within the timeframe stipulated for this purpose.

  7.6 Without prejudice to the preceding subpoint, whenever the incident is not resolved after 45 (forty-five) days from the date of the initial report, Institutions must inform the Bank of Angola of the reasons that led to the non-resolution of the reported incident.
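The three-phase model and the materiality floors of points 4.5 and 4.6, as an added Python example that is not part of the Instruction or of any Bank of Angola tooling: it derives the 4-hour, 20-day and 45-day deadlines from a detection time, enforces the sequential phases of 7.1, and refuses a final report on an unresolved incident unless the reasons required by 7.6 are attached. It assumes calendar days (7.5 speaks of business days), uses the 20-day interim window of 7.3 rather than the 15 days printed in the Annex, and all timestamps are constructed inputs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Windows from the Instruction: initial report 4 hours after detection (2.2),
# interim 20 days and final 45 days after the initial report (7.3, 7.4).
# Calendar days are assumed; the business-day wording of 7.5 is not modelled.
WINDOWS = {"initial": timedelta(hours=4), "interim": timedelta(days=20),
           "final": timedelta(days=45)}
PHASES = tuple(WINDOWS)

def _ts(value):
    """Accept a datetime or an ISO-8601 string (inputs here are constructed)."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

def classify(own_assessment, legal_breach=False, systemic_risk=False):
    """Materiality floors of 4.5/4.6 over the institution's own assessment (3.1)."""
    if systemic_risk:
        return "very significant"
    if legal_breach and own_assessment != "very significant":
        return "significant"
    return own_assessment

@dataclass
class IncidentReport:
    detected_at: datetime
    classification: str
    submitted: dict = field(default_factory=dict)  # phase -> datetime submitted
    resolved: bool = False
    non_resolution_reasons: str = ""  # required with the final report (7.6)

    def deadlines(self):
        """Initial is anchored on detection; interim and final on the initial report."""
        initial_due = _ts(self.detected_at) + WINDOWS["initial"]
        anchor = self.submitted.get("initial", initial_due)
        return {"initial": initial_due, "interim": anchor + WINDOWS["interim"],
                "final": anchor + WINDOWS["final"]}

    def submit(self, phase, at):
        """Phases are sequential (7.1); the final report is due even when the
        incident is unresolved, with the reasons attached (7.5, 7.6)."""
        at = _ts(at)
        idx = PHASES.index(phase)
        if idx and PHASES[idx - 1] not in self.submitted:
            raise ValueError(f"{phase} report requires a prior {PHASES[idx - 1]} report")
        if phase == "final" and not self.resolved and not self.non_resolution_reasons:
            raise ValueError("unresolved incident: reasons for non-resolution required")
        on_time = at <= self.deadlines()[phase]
        self.submitted[phase] = at
        return on_time  # True when submitted within its deadline
```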

  8. Sanctions

  Violation of the provisions contained in this Instruction is punishable under Law No. 12/15 of June 17 – Financial Institutions Framework Act.

  9. Doubts and Omissions

  Doubts and omissions resulting from the interpretation and application of this Instruction are resolved by the Bank of Angola.

  10. Entry into Force

  This Instruction enters into force 30 (thirty) days after its publication.

PUBLISHED.

Luanda, May 29, 2020.

THE GOVERNOR
JOSÉ DE LIMA MASSANO

ANNEX

Reporting Model

Cybersecurity Incident Reporting

Incident Classification (significant/very significant):
Report Date:
Name of affected entity:
Type of affected entity:
Country of affected entity (branches and representative offices):
Contact person at the entity for updates (Email: / Tel:):
Second contact person at the entity for updates (Email: / Tel:):

Initial Report (4 hours after incident)

A general description of the incident is requested.

  • Date of incident detection
  • Description of the Incident

Interim Report (15 days after incident)

A detailed description of the incident is requested. Include information (if known and/or applicable):

  • Context of incident detection: who was involved, what happened, how the incident was detected
  • Attacker(s) and cause of the incident
  • Affected systems/areas and impact
  • Affected channels
  • Whether third parties/suppliers were affected (name of the affected supplier, how it was affected) and the impact on the supervised entity

Final Report (maximum 45 days after incident)

Updated information relative to the Interim Report and further details are requested:

  • Exploitable technical vulnerabilities (indicate CVE number, if known)
  • Entry vector
  • Internal escalation/crisis management/relevant actions taken
  • Investigation (external parties involved)
  • Remediation actions
  • Additional security controls applied as a result of the incident
  • Lessons learned
  • Root cause analysis
  • Other relevant information

ANNEX - Reporting Model (Cont.)

Information Security: Description of the Incident

Type of incident: Scan, Infection, Malware, Information Collection, Fraud, Intrusion/Attempted Intrusion, Trojan horse, Spear phishing, Ransomware, Phishing/*ishing, SAAS Attack, Pretexting, Mobile malware, Virus/worm, Other
Additional Information: Other

Impact of the incident (multiple selections possible):
  • Affected ATMs?
  • Online Banking Fraud?
  • Leakage of sensitive customer information?
  • Critical service disruption? (If yes, hours of disruption:)
  • Malware, Social Engineering, Other

Incident discovered by: Internal IT Security, External Supplier, Internal Employees, Misuse or unauthorized use of resources, Illegitimate use of third-party names, Account compromise, Indeterminate, Other
Login Attempt
Information about the attacker(s): Hacktivists, Unknown, Terrorists, Internal Employees, External Auditor, Attacker (notice), Other hackers, State-sponsored Hackers, Pretexting, Distribution Sniffing, Other
Verification of legal or regulatory requirement breach
Media coverage?
Information leakage (If yes, please specify.)
Other impacts: Other
Leakage of information related to the institution? (If yes, please indicate)
Were there direct or indirect financial losses?
Direct financial losses in euros
Estimated indirect financial losses in euros
Affected external supplier?
