BPCE - 2018 Registration document

2 NON-FINANCIAL PERFORMANCE REPORT Sustainable and responsible value creation

● specification of a groupwide GDPR permanent control database, used to verify that the Group’s personal data protection requirements are applied.

Anti-cybercrime mechanisms

As a result of its digital transformation, the Group’s information systems are becoming increasingly open to the outside (cloud computing, big data, etc.) and many of its processes are gradually going digital. Employees and customers are also increasingly using the Internet and interconnected technologies such as tablets, smartphones and mobile applications. Consequently, the Group’s assets are ever more exposed to cyber threats. The targets of these attacks are much broader than the information systems alone. They aim to exploit the potential vulnerabilities and weaknesses of customers, employees, business processes, information systems and security mechanisms at Group buildings and datacenters.

In 2016, the ECB carried out a cybersecurity audit of Groupe BPCE, covering governance of risks, cybersecurity and information technology, with a special focus on online banking security for the Banque Populaire banks and Caisses d’Epargne. Recommendations were made to Groupe BPCE in summer 2017.

A number of initiatives aimed at enhancing anti-cybercrime mechanisms were continued in 2018.

Enhanced user authorization checks

In conjunction with Natixis, the Group strengthened the user authorization review procedure (launched in 2015) for cross-business information systems (Natixis and BPCE). The number of information system applications included in the scope of the review was increased to 58 in 2018.

Enhanced detection of unusual IT flows and events (cyberattack detection):
● a 24/7 Group Security Operation Center (SOC) was created, including a Level 1 supervisor;
● Groupe BPCE’s CERT (Computer Emergency Response Team) works with the InterCERT-FR community run by ANSSI;
● the Group is working to strengthen its presence in the European CERT community;
● in early 2019, the VIGIE community (Groupe BPCE’s collective due diligence system) will be expanded to include the Banque Populaire banks and the Caisses d’Epargne, in order to improve communications and oversight on their private information systems.

Cybersecurity awareness

In addition to maintaining the groupwide ISS awareness program, 2018 saw the development of a new employee ISS training/awareness-raising plan to be implemented in 2019 and the Group’s participation in “European Cyber Security Month”.

Within BPCE’s scope of operations, the massive user authorization review defined in 2010 was continued. As of 2018, 194 applications have now been included in the scope of review of user rights and authorization management procedures, 165 (1) of which were reviewed in 2018. Not only are applications reviewed, but also user rights to IT resources (distribution lists, shared mailboxes, shared files, etc.).

Moreover, new employee awareness-raising campaigns were launched:
● GDPR awareness;
● phishing test and phishing awareness-raising campaign;
● participation in new employee acclimation meetings.

(1) Some identified applications are inactive (11), some have no users (6), some are duplicates (5), some are simply technical building blocks (3) and others are at the planning stage.
