BPCE - 2019 Universal Registration Document

RESPONSIBLE INTERNAL AND EXTERNAL PRACTICES NON-FINANCIAL PERFORMANCE REPORT

Organization GROUP SECURITY DIVISION (DS-G)

security under a Security by Design/Privacy by Design and Privacy by Default approach, enhancing the customer and employee digital security – experience, facilitating secure use of the public cloud; – to provide governance and observe regulations: • implementing governance and a common reference – framework for security matters, strengthening and automating permanent controls, – developing a Risk Appetite Framework, – managing risks caused by third parties, including in terms of – personal data protection; to continually improve understanding of the information • enhancing protection of the most sensitive assets, in line – with the risk appetite framework, in particular regarding data, implementing user identity and access management – governance, developing cyber culture within the Group and the – associated tools and methods for different target populations; to continually improve its cyber attack detection and response • capabilities: enhancing monitoring systems, in particular through the – Groupe BPCE CERT (Computer Emergency Response Team). In 2019, the cyber security strategy was implemented in the following major projects: definition of the Group Security Master Plan to establish the • Group’s ambitions in terms of cyber security, taking into account IT security, IT continuity and regulatory compliance IT projects [GDPR (1) , PSD2 (2) , etc.]; extension of the ISS mapping of all the Group’s information • systems, including entities’ private information systems and shadow IT systems. This project is scheduled for completion by the end of 2020, with an intermediate goal of mapping out the information systems serving the 28 most critical business processes by the end of the first half of 2020; production of a groupwide identity and access management • (IAM) roadmap, aimed at: establishing a Group database of individuals, applications – and organizations, implementing Group IAM governance, – integrating all the Group’s applications in the IAM, if – possible, with automatic data input and a global view of user rights; definition and initial execution of the Group Awareness Plan: • delivery of an awareness-raising kit to all Group entities for – Cyber Security month; provision of ongoing training in secure development of – applications for the Group’s developers; phishing awareness-raising campaigns for 30,000 members – of staff at 32 Group institutions; systems’ assets and improve their protection: applying and reinforcing security basics, –

The Group Security division (DS-G) establishes and adapts Group IT System Security policies. It provides continuous and consolidated oversight of information system security, along with technical and regulatory watch. It initiates and coordinates Group projects aimed at reducing risks in its field. Within its remit, DS-G represents Groupe BPCE vis-à-vis banking industry groups and public authorities. As a contributor to the permanent control system, the Group Head of Security reports to the Group Security Compliance department within the Group Corporate Secretary’s Office. Within the central institution, the Group ISS division also works regularly with the Group’s Inspection Générale division. Groupe BPCE has established a groupwide Information System Security function comprising the Head of Group Information System Security (RSSI-G), who coordinates the function, and the Heads of IT System Security for all Group entities. The heads of Information System Security for parent company affiliates, direct subsidiaries and EIGs are functionally subordinated to the RSSI-G through coordinated actions. This means that: the RSSI-G is notified of the appointment of any heads of • information system security; the Group’s information system security policy is adopted by • the individual entities, and each company’s application methods for the Group policy must be presented for validation to the Group’s Head of Information System Security prior to approval by Executive Management and presentation to the Board of Directors or the Management Board; a report on the institutions’ compliance with the Group’s • information system security policy, permanent controls, risk level, primary incidents and actions is submitted to the RSSI-G. DATA PROTECTION each entity has its own Data Protection Officer (DPO), who • reports functionally to the Group DPO Coordinator; the Group DPO Coordinator is responsible for organizing the • personal data protection process; each entity business line has data processing officers who • liaise with the DPO; training on personal data protection is provided to the DPOs • and Group employees. As of the end of 2019, 87% of new community projects received ISS and Privacy support. Cyber security strategy In response to the new challenges of IT transformation and to achieve the goals it has set, the Group has a cyber security strategy with four priorities: to support the Group’s digital transformation and growth: • raising customer awareness of how to manage cyber risks – and providing support, ramping up and standardizing security, GDPR and fraud – support in business line projects with an appropriate level of

2

(1) General Data Protection Regulation. (2) European Payment Services directive version 2.

93

UNIVERSAL REGISTRATION DOCUMENT 2019 | GROUPE BPCE