BPCE - 2018 Risk report / Pillar III

NON-COMPLIANCE, SECURITY AND OPERATIONAL RISKS

11.4 Information System Security (ISS)

Organization

The Group Security division (DS-G) establishes and adapts Group Information System Security policies. It provides continuous and consolidated oversight of information system security, along with technical and regulatory oversight. It initiates and coordinates Group projects aimed at reducing risks in its field. Within its remit, DS-G represents Groupe BPCE vis-à-vis banking industry groups and public authorities. As a contributor to the permanent control system, the Group Head of Security reports to the Compliance, Security and Operational Risk division. Within the central institution, the Group ISS division also works regularly with the Group’s Inspection Générale division.

Groupe BPCE has established a groupwide Information System Security function comprising the Head of Group Information System Security (RSSI-G), who coordinates the function, and the Heads of Information System Security for all of the companies.

The heads of Information System Security for parent company affiliates, direct subsidiaries and EIGs are functionally subordinated to the RSSI-G through coordinated actions. This means that:

● The RSSI-G is notified of the appointment of any heads of information system security;
● The Group’s information system security policy is adopted by the individual entities, and each company’s application methods of the Group information system security policy must be presented for validation to the Group’s Head of Information System Security prior to approval by Executive Management and presentation to the Board of Directors or the Management Board;
● A report on the institutions’ compliance with the Group’s information system security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of Information System Security.

Activities in 2018

Groupe BPCE’s information system security policy (PSSI-G) incorporates the Group’s security requirements. It is comprised of an Information System Security framework associated with the Group’s Risk, Compliance and Permanent Control Charter, 391 rules divided into 19 categories, and three organizational instruction documents (1). It is revised annually according to an ongoing process of improvement. The 2018 revision of the PSSI-G incorporated the results of the assessment of compliance and estimation of the criticality level of each rule in the PSSI-G, conducted over the course of the year with all institutions, as well as the change in the Group’s organizational structure and governance. Moreover, the ISS permanent control Group standards were entirely revised and will be rolled out to all companies in 2019. Oversight of ISS governance and risks was enhanced in 2018, mainly by incorporating new features in the Group’s Archer platform (mapping of ISS risks):

● management of the PSSI-G for oversight and coordination purposes;
  - identification by each institution of the PSSI-G rules applicable to its scope of operation,
  - assessment by each institution of its compliance with applicable PSSI-G rules,
  - feedback by each institution on exemptions to established rules for which a compliance breach was observed;
● management of ISS action plans;
● classification of IS assets.

Furthermore, under the GDPR (General Data Protection Regulation) compliance program, a GDPR project support system was established, including digital projects, conducted in accordance with an agile development cycle.


(1) Operating procedures of the Groupe BPCE Information System Security function, ISS permanent control, classification of at-risk IS assets.
