BPCE - 2019 RISK REPORT Pillar III

NON-COMPLIANCE AND SECURITY RISKS

INFORMATION SYSTEM SECURITY (ISS)

ANTI-CYBERCRIME SYSTEMS

As a result of its digital transformation, the Group’s information systems are becoming increasingly open to the outside world (cloud computing, big data, etc.) and many of its processes are gradually going digital. Employees and customers are also increasingly using the Internet and interconnected technologies such as tablets, smartphones and applications on tablets and mobile devices.

Consequently, the Group’s assets are increasingly exposed to cyber threats. The targets of these attacks are much broader than the information systems alone. They aim to exploit the potential vulnerabilities and weaknesses of customers, employees, business processes, information systems and security mechanisms at Group buildings and datacenters.

In response to these threats, a number of anti-cybercrime enhancement initiatives were continued in 2019.

Reinforced detection of unusual data flows and events in information systems (cyberattack detection)

• Creation of a unified Group Security Operation Center (SOC), including a Level 1 supervisor, operating 24/7.
• Integration of a Groupe BPCE CERT (Computer Emergency Response Team) in the InterCERT-FR community run by the ANSSI.
• 2019 expansion of the VIGIE community (Groupe BPCE’s collective due diligence system) to include the Banques Populaires and the Caisses d’Epargne, in order to improve communications and oversight of private information systems used at these institutions.

Raising employee awareness of cybersecurity

In addition to maintaining the Groupwide program to raise employee awareness of ISS, 2019 saw the development of a new ISS training/awareness-raising plan to be implemented during the year, and the Group’s participation in “European Cyber Security Month”.

Within BPCE SA’s scope of operations, 168 applications were included in the scope of review of authorization rights and management procedures.
The review covers not only applications but also user entitlements to IS resources (distribution lists, shared mailboxes, shared files, etc.).

Moreover, new employee awareness-raising and training campaigns were launched:

• GDPR training for project leaders and product range managers;
• phishing test and phishing awareness-raising campaign;
• participation in new employee acclimation meetings.
