BPCE - 2018 Registration document

6 RISK REPORT

Non-compliance, security and operational risks

Anti-cybercrime mechanisms

As a result of its digital transformation, the Group’s information systems are becoming increasingly open to the outside (cloud computing, big data, etc.) and many of its processes are gradually going digital. Employees and customers are also increasingly using the Internet and interconnected technologies such as tablets, smartphones and mobile applications.

Consequently, the Group’s assets are ever more exposed to cyber threats. The targets of these attacks are much broader than the information systems alone. They aim to exploit the potential vulnerabilities and weaknesses of customers, employees, business processes, information systems and security mechanisms at Group buildings and datacenters.

In 2016, the ECB carried out a cybersecurity audit of Groupe BPCE, addressing governance of risks, cybersecurity and information technology, with a special focus on online banking security for the Banque Populaire banks and Caisses d’Epargne. Recommendations were made to Groupe BPCE in summer 2017.

A number of anti-cybercrime enhancement initiatives were continued in 2018.

Strengthened application entitlement controls

In conjunction with Natixis, the Group strengthened the system launched in 2015 and used to review entitlements to cross-business information systems (Natixis and BPCE) granted to the institutions. The number of applications in the review scope was increased to 58 in 2018.
Reinforced detection of unusual data flows and events in information systems (cyberattack detection)

● creation of a unified Group Security Operation Center (SOC), including a Level 1 supervisor, operating 24/7;
● integration of a Groupe BPCE CERT (Computer Emergency Response Team) in the InterCERT-FR community run by the ANSSI;
● initiative in progress to strengthen the Group’s presence in the European CERT community;
● plans to expand, as of early 2019, the VIGIE community (Groupe BPCE’s collective due diligence system) to include the Banque Populaire banks and the Caisses d’Epargne, in order to improve communications and oversight of their private information systems.

Raising employee awareness of cybersecurity

In addition to maintaining the Groupwide program to raise employee awareness of ISS, 2018 saw the development of a new ISS training/awareness-raising plan to be implemented in 2019 and the Group’s participation in “European Cyber Security Month”.

Within BPCE SA’s scope of operations, the massive “user entitlements” project defined in 2010 was continued. As of 2018, 194 applications have now been included in the scope of review of user rights and authorization management procedures. Not only are applications reviewed, but also user entitlements to IS resources (distribution lists, shared mailboxes, shared files, etc.).

Moreover, new employee awareness-raising campaigns were launched:

● GDPR awareness;
● phishing test and phishing awareness-raising campaign;
● participation in new employee acclimation meetings.
