BPCE - 2018 Risk report / Pillar III

11 NON-COMPLIANCE, SECURITY AND OPERATIONAL RISKS
Information System Security (ISS)

Anti-cybercrime mechanisms

As a result of its digital transformation, the Group’s information systems are becoming increasingly open to the outside (cloud computing, big data, etc.) and many of its processes are gradually going digital. Employees and customers are also increasingly using the Internet and interconnected technologies such as tablets, smartphones and mobile applications. Consequently, the Group’s assets are constantly more exposed to cyber threats. The targets of these attacks are much broader than the information systems alone. They aim to exploit the potential vulnerabilities and weaknesses of customers, employees, business processes, information systems and security mechanisms at Group buildings and datacenters.

In 2016, the ECB carried out a cybersecurity audit of Groupe BPCE, addressing governance of risks, cybersecurity and information technology, with a special focus on online banking security for the Banque Populaire banks and Caisses d’Epargne. Recommendations were made to Groupe BPCE in summer 2017. A number of anti-cybercrime enhancement initiatives were continued in 2018:

Strengthened application entitlement controls

In conjunction with Natixis, the Group strengthened the system launched in 2015 and used to review entitlements to cross-business information systems (Natixis and BPCE) granted to the institutions. The number of applications in the review scope was increased to 58 in 2018.

Reinforced detection of unusual data flows and events in information systems (cyberattack detection)

● creation of a unified Group Security Operation Center (SOC), including a Level 1 supervisor, operating 24/7;
● integration of a Groupe BPCE CERT (Computer Emergency Response Team) in the InterCERT-FR community run by the ANSSI;
● initiative in progress to strengthen the Group’s presence in the European CERT community;
● plans to expand, as of early 2019, the VIGIE community (Groupe BPCE’s collective due diligence system) to include the Banque Populaire banks and the Caisses d’Epargne, in order to improve communications and oversight of their private information systems.

Raising employee awareness of cybersecurity

In addition to maintaining the Groupwide program to raise employee awareness of ISS, 2018 saw the development of a new ISS training/awareness-raising plan to be implemented in 2019 and the Group’s participation in “European Cyber Security Month”.

Within BPCE SA’s scope of operations, the massive “user entitlements” project defined in 2010 was continued. As of 2018, 194 applications have now been included in the scope of review of user rights and authorization management procedures. Not only are applications reviewed, but also user entitlements to IS resources (distribution lists, shared mailboxes, shared files, etc.). Moreover, new employee awareness-raising campaigns were launched:

● GDPR awareness;
● phishing test and phishing awareness-raising campaign;
● participation in new employee acclimation meetings.
