BPCE - 2018 Registration document

RISK REPORT Non-compliance, security and operational risks

The main business lines are also subject to regular review.

Furthermore, the Group also took part in the resolution of major crises, from the flooding of the Seine riverbank to the many crises associated with global warming. Health-related crises are also closely monitored.

6.11.4 Information System Security (ISS)

ORGANIZATION

The Group Security division (DS-G) establishes and adapts Group Information System Security policies. It provides continuous and consolidated oversight of information system security, along with technical and regulatory oversight. It initiates and coordinates Group projects aimed at reducing risks in its field. Within its remit, DS-G represents Groupe BPCE vis-à-vis banking industry groups and public authorities. As a contributor to the permanent control system, the Group Head of Security reports to the Compliance, Security and Operational Risk division. Within the central institution, the Group ISS division also works regularly with the Group’s Inspection Générale division.

Groupe BPCE has established a groupwide Information System Security function comprising the Head of Group Information System Security (RSSI-G), who coordinates the function, and the Heads of Information System Security for all of the companies. The heads of Information System Security for parent company affiliates, direct subsidiaries and EIGs are functionally subordinated to the RSSI-G through coordinated actions. This means that:

● the RSSI-G is notified of the appointment of any heads of information system security;
● the Group’s information system security policy is adopted by the individual entities, and each company’s methods for applying the Group information system security policy must be presented for validation to the Group’s Head of Information System Security prior to approval by Executive Management and presentation to the Board of Directors or the Management Board;
● a report on the institutions’ compliance with the Group’s information system security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of Information System Security.

ACTIVITIES IN 2018

Groupe BPCE’s information system security policy (PSSI-G) incorporates the Group’s security requirements. It comprises an Information System Security framework associated with the Group’s Risk, Compliance and Permanent Control Charter, 391 rules divided into 19 categories, and three organizational instruction documents (1). It is revised annually according to an ongoing process of improvement. The 2018 revision of the PSSI-G incorporated the results of the assessment of compliance and estimation of the criticality level of each rule in the PSSI-G, conducted over the course of the year with all institutions, as well as the change in the Group’s organizational structure and governance. Moreover, the ISS permanent control Group standards were entirely revised and will be rolled out to all companies in 2019.

Oversight of ISS governance and risks was enhanced in 2018, mainly by incorporating new features in the Group’s Archer platform (mapping of ISS risks):

● management of the PSSI-G for oversight and coordination purposes:
  - identification by each institution of the PSSI-G rules applicable to its scope of operation,
  - assessment by each institution of its compliance with applicable PSSI-G rules,
  - feedback by each institution on exemptions to established rules for which a compliance breach was observed;
● management of ISS action plans;
● classification of IS assets.

Furthermore, under the GDPR (General Data Protection Regulation) compliance program, a GDPR project support system was established, covering digital projects conducted in accordance with an agile development cycle.


(1) Operating procedures of the Groupe BPCE Information System Security function, ISS permanent control, classification of at-risk IS assets.
