2021 Universal Registration Document

2 RISK FACTORS AND INTERNAL CONTROL Risk factors

ACQUISITIONS

Risk description

The Group’s development strategy is based in part on its ability to identify potential acquisition targets and integrate them into its general offering, whether to supplement or improve it. Any major difficulty in integrating companies, generating the expected synergies, retaining staff of acquired entities or achieving a return on these acquisitions in future could have a negative impact on the Group’s financial results and outlook.

Risk management measures

Proposed acquisitions in the process of being identified, assessed or negotiated are reviewed on a regular basis by a dedicated committee. Due diligence procedures are implemented for all proposed acquisitions in order to identify the inherent risks of the potential deal. These audits – carried out in collaboration with external advisors – concern both financial aspects and the valuation of the target, as well as operating, legal and taxation aspects, human resources, governance, compliance and business ethics, and issues relating to the environment. All procedures associated with this upstream process are included in the “M&A Playbook”, which now applies to M&A and corporate venture deals.

Any acquisitions are then subject to an integration programme, making it possible to anticipate and then monitor all key stages of the process from a strategic, operating, financial and human perspective. These integration policies and procedures are in addition to the “M&A Playbook”.

ATTACKS ON REPUTATION

Risk description

Given its size, multiple geographical locations and positioning in projects at the heart of clients’ information systems and in more visible projects for end clients (e.g. platform activities in the United Kingdom, major public sector transformation projects, payroll outsourcing activities), the Group could become increasingly exposed to the spreading of negative information in the media, whether proved or not, stemming from media attacks by external or internal stakeholders or negative comments on social media. If the Group were to be the object of damaging media coverage or negative messages, this could have an adverse impact on its image and attractiveness and have repercussions on its financial performance.

Risk management measures

The Group has set up a media monitoring system in order to be informed as soon as possible of any publications about it and be able to react. If any criticism of or allegations against the Group should spread widely, crisis communication procedures may also be activated with the support of specialist agencies, with no guarantee that the negative effects of such attacks can be fully neutralised.

1.3.2. RISKS RELATED TO OPERATIONAL ACTIVITIES

CYBERATTACKS, SYSTEMS SECURITY, DATA PROTECTION

Risk description

A phishing campaign or the exploitation of a security flaw in the technical infrastructures or solutions used by Sopra Steria are examples of cyberattacks. They could result in a breakdown or disruption of essential systems for activities contractually authorised with clients and/or for the Group’s internal operations, or the loss, corruption or disclosure of data. A cyberattack on a client, even if indirectly caused by a service provided by the Group, could also have major repercussions for Sopra Steria. This risk inevitably increases in the context of digital transformation (including services hosted in the cloud and mobile technologies). Widespread working from home is also a factor that increases cyberthreats.

Cyberattacks by malicious actors (hackers, criminal organisations and state-backed organisations) have increased sharply in both frequency and sophistication, and this trend only looks set to intensify in the future. These risks are significant in terms of both their probability and their impact and are at the heart of Sopra Steria’s strategic concerns. Their potential impacts include the financial implications of client claims relating to contractual commitments, the interruption of internal operations, high incident recovery costs and regulatory non-compliance, as well as reputational damage for the Group and the potential loss of future contracts.

Risk management measures

Sopra Steria has established an information security policy in line with international standards and has put in place solid governance for this purpose, which is coordinated at the Group’s highest level. The leadership team involved includes the Chief Information Security Officers (CISOs), along with the Information Systems Department (ISD) and the Group’s security services, the security operations centre (SOC) and computer emergency response team (CERT), with responsibility for detecting and responding to cybersecurity incidents. This organisational structure, with its correspondents within entities, meeting different countries’ regulatory requirements and client needs as closely as possible, allows for in-depth knowledge of areas of risk and business demands. It is aimed at anticipating, preventing and managing cyber risks in relation to information systems, including both internal systems and those used for projects and services delivered or managed on behalf of the Group’s clients. The Group is continually investing in its security awareness and training programme covering employees (e-learning modules, awareness campaigns, videos, on-site and remote
