BPCE - 2018 Registration document

NON-FINANCIAL PERFORMANCE REPORT Sustainable and responsible value creation

identification by each institution of the PSSI-G rules applicable - to its scope of operation, assessment by each institution of its compliance with applicable - PSSI-G rules, feedback by each institution on exemptions to the applicable - rules, for which a compliance breach was observed; management of ISS action plans; ● classification of IS assets. ● General Data Protection Regulation (GDPR) systems Under the program aimed at bringing the Group into compliance with the requirements of the General Data Protection Regulation (GDPR), a GDPR project support system was established, including digital projects, conducted in accordance with an agile development cycle: Organization appointment of a Data Protection Officer (DPO) at all entities; ● implementation of a personal data protection process; ● appointment of Business division data processing officers in the ● Group’s entities to liaise with the DPO; training for all Group DPOs; ● preparation and application of a data protection awareness course ● for all Group employees. Resources implementation of a groupwide GDPR program comprising 12 ● projects covering different issues: legal/regulatory aspects, compliance, IT, human resources, processes, sub-contracting; mapping of personal data processing; ● creation of a shared center of expertise to support personal data ● protection projects: risk analysis, identification of risk mitigation and protection measures, etc.; capitalization on existing ISS and anti-cybercrime resources: ● the Group’s IT system security policy (PSSI-G), incorporating the - Group’s security requirements, defense-in-depth strategy, in particular with the definition and - implementation of best practices for secure application development, information leakage identification systems, - VIGIE (collective cybersecurity vigilance system), - the Group Computer Emergency Response Team (CERT). - Controls permanent controls conducted by all Group entities to ensure that ● PSSI-G rules are actually observed;

DATA PROTECTION AND CYBERSECURITY Organization The Group Security division (DS-G) establishes and adapts Group IT System Security policies. It continuously monitors information system security, and performs an associated technical and regulatory watch, at the consolidated level. It also initiates and coordinates Group projects aimed at reducing risks within its remit. DS-G represents Groupe BPCE in its relations with banking industry bodies and public authorities. As a contributor to the permanent control system, the Group Head of Security reports to the Compliance, Security and Operational Risks division. Within the central institution, the Group ISS division also works regularly with the Group’s Inspection Générale division. Groupe BPCE has established a groupwide Information System Security function, which comprises the Head of Group IT System Security (RSSI-G), who coordinates the function, and the Heads of IT System Security for all Group entities. The Heads of IT System Security for parent company affiliates, direct subsidiaries and EIGs work under the functional authority of the RSSI-G. This authority is exercised through coordinated actions: the RSSI-G is notified of the appointment of any Heads of IT ● System Security; the Group’s IT system security policy is adopted by the entities, ● each of which must provide the Group Head of IT System Security with a details on how the policy will be applied, prior to approval by Executive Management and presentation to the Board of Directors or the Management Board; a report on the institutions’ compliance with the Group’s IT system ● security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of IT System Security. Activities in 2018 The Group’s IT system security policy (PSSI-G) incorporates the Group’s security requirements. It is comprised of an IT System Security framework associated with the Group’s Risk, Compliance and Permanent Control Charter, 391 rules divided into 19 categories and three organizational instruction documents (1) . It is revised annually for continuous improvement purposes. The 2018 revision incorporated the results of an assessment of the compliance and criticality level of each rule in the PSSI-G, conducted over the course of the year with all institutions, as well as the change in the Group’s organizational structure and governance. Moreover, the Group ISS permanent control framework was overhauled and will be rolled out to all companies in 2019. Oversight of ISS governance and risks was enhanced in 2018, mainly by incorporating new features in the Group’s Archer platform (mapping of ISS risks): management of the PSSI-G for oversight and coordination ● purposes:

2

Operating procedures of the Groupe BPCE IT System Security department, ISS permanent control, classification of sensitive IS assets. (1)

95

Registration document 2018