Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Abstract]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] Risk Management and Strategy 

Overview

The Company has policies and procedures in place to address information technology and cybersecurity risks as part of its corporate risk management process. These processes are integrated into Afya’s enterprise risk management (ERM) framework to ensure alignment with our overall approach to corporate risk. This includes activities such as risk identification, classification, and mitigation, as well as the development of action plans aligned with industry best practices.

Cybersecurity initiatives at Afya are overseen by our Chief Information Security Officer, or CISO. The CISO’s responsibilities include defining action plans and aligning them with Afya’s corporate risk management team. Additionally, the CISO serves as the Data Protection Officer, handling privacy and data protection matters and defining cybersecurity strategy for the entire company. This includes ensuring effective monitoring, threat detection, response to events and incidents, and overall cybersecurity management. Cybersecurity monitoring of our newly acquired companies is managed from the outset by our IT technical team. Exposure to risk during this integration period is naturally greater, as an acquired company is not always mature in terms of cybersecurity risk management, but we seek to mitigate these risks by adjusting its practices and applying our policies.

Risk Management and Strategy

Afya has comprehensive policies, procedures, and a dedicated risk management team responsible for addressing corporate risks across various themes, including strategic, operational, financial, and compliance areas. Within each theme, Afya identifies and manages risks related to quality, procurement, cybersecurity, privacy and data protection, financial reporting, legal compliance, regulatory matters, as well as risks related to ESG.

The Company follows a structured approach, including a risk matrix with defined risk levels and criticality, which guides the need for risk treatment and the development of action plans. These plans are monitored by the responsible parties for each theme under the oversight of the risk and controls department. Furthermore, Afya has an assessment process that evaluates cybersecurity, privacy, and data protection policies of critical suppliers before onboarding. This process aligns with frameworks such as COSO-ERM and COSO Internal Control - Integrated Framework. To ensure compliance with industry standards and enhance cybersecurity maturity levels, Afya engages specialized companies to review its plans and procedures, aiming to adopt market best practices.

Within this governance structure, the Company has established the audit, risk, and ethics committee to oversee risk management guidelines through a structured approach known as the three lines of defense:

·First Line of Defense: This comprises risk owners who are responsible for executing processes, identifying risks, and implementing action plans. Working closely with the risk and controls department, they proactively identify potential risks within their operations, including financial, operational, and cybersecurity aspects. This includes analyzing activities and relationships with suppliers and third parties.
·Second Line of Defense: The compliance, corporate risks, and internal controls area collaborates with risk owners to monitor risks and action plans. The risk and controls department coordinates progress and action plans in partnership with internal audit teams and other Afya units such as the technology team, the information security team, and the privacy team. They report their findings to the audit, risk, and ethics committee.
·Third Line of Defense: Represented by the internal audit team, this line conducts independent evaluations for management. They perform substantive tests of internal controls to detect operational and financial deviations resulting from failures or fraudulent activities.

For the monitoring and response to cyber incidents, Afya has teams responsible for detecting and monitoring the Company’s environment, conducting threat intelligence, intrusion testing, and verifying the coverage and effectiveness of its detection and monitoring tools.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Furthermore, Afya has an assessment process that evaluates cybersecurity, privacy, and data protection policies of critical suppliers before onboarding. This process aligns with frameworks such as COSO-ERM and COSO Internal Control - Integrated Framework.
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] No events were identified that would indicate the materialization of cybersecurity risks, nor any material cybersecurity incidents, that affected or could affect the business strategy, results of operations, or financial condition of the Company.
Cybersecurity Risk Board of Directors Oversight [Text Block] Governance

Afya places significant emphasis on cybersecurity within its information technology area, covering areas such as incident management, information technology governance, privacy and data protection, cybersecurity, infrastructure, and systems management. These efforts are led by our chief information officer, or CIO, and our CISO. The CISO, drawing from extensive experience in leading technology and information security departments in large companies, is responsible for developing a proactive security strategy capable of continuous threat exposure management, in balance with the organization’s business goals. This includes ensuring compliance with relevant information security and data privacy regulations, conducting training for the security team and promoting user awareness to keep stakeholders informed about emerging technologies and threats.

Afya’s governance structure includes the audit, risk, and ethics committee, which oversees risks identified by the risk and controls department, including cyber risks. The audit, risk, and ethics committee reports to our board of directors on a quarterly basis and, where applicable, reviews specific incident responses. Our board of directors then sets strategic objectives and monitors the Company’s risk landscape and corresponding action plans.

Afya’s cybersecurity team operates through a technical committee that meets biweekly to monitor and improve infrastructure and technology related to cybersecurity. The team identifies potential improvements, which are then evaluated by the management committee to determine their feasibility and whether they should become projects under department oversight. Afya continually adopts technological solutions to enhance monitoring, detection, recovery, and protection capabilities within the organization.

In terms of disaster preparedness, Afya has a comprehensive disaster recovery plan that includes a dedicated committee, trigger mechanisms, and defined recovery points focused on the Company’s infrastructure. Additionally, Afya maintains a robust business continuity plan involving key teams and critical service mapping, with criteria for defining criticality, financial impact, and brand reputation.

Afya’s privacy team is responsible for addressing risks and controls related to personal data. They adhere to industry standards and regulations such as the ISO/IEC 27000 series, the LGPD, the GDPR, and the NIST Cybersecurity Framework, leveraging governance, risk management, and compliance solutions to support their risk management processes.

According to the processes and controls established by Afya, as of December 31, 2024, no events were identified that would indicate the materialization of cybersecurity risks, nor any material cybersecurity incidents, that affected or could affect the business strategy, results of operations, or financial condition of the Company. Minor incidents that occurred during the period were identified, treated, and communicated in accordance with the established response protocols, policies, and procedures. However, despite our efforts, we cannot eliminate all risks from cybersecurity threats or provide assurance that we have not experienced an undetected cybersecurity incident.

For more information about these risks, please see “Item 3. Key Information—D. Risk Factors—Risks Relating to Our Business and Industry—Failure to prevent or detect a malicious cyber-attack on our systems and databases could result in a misappropriation of confidential information or access to highly sensitive information” and “—Our success depends on our ability to monitor and adapt to technological changes in the education sector and maintain a technological infrastructure that works adequately and without interruption” in this annual report.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Afya’s governance structure includes the audit, risk, and ethics committee, which oversees risks identified by the risk and controls department, including cyber risks.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Our board of directors then sets strategic objectives and monitors the company’s risk landscape and corresponding action plans.
Cybersecurity Risk Role of Management [Text Block] In terms of disaster preparedness, Afya has a comprehensive disaster recovery plan that includes a dedicated committee, trigger mechanisms, and defined recovery points focused on the Company’s infrastructure. Additionally, Afya maintains a robust business continuity plan involving key teams and critical service mapping, with criteria for defining criticality, financial impact, and brand reputation.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] These efforts are led by our chief information officer, or CIO, and our CISO. The CISO, drawing from extensive experience in leading technology and information security departments in large companies, is responsible for developing a proactive security strategy capable of continuous threat exposure management, in balance with the organization’s business goals.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The audit, risk, and ethics committee reports to our board of directors on a quarterly basis and, where applicable, reviews specific incident responses.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Afya’s cybersecurity team operates through a technical committee that meets biweekly to monitor and improve infrastructure and technology related to cybersecurity.