BPCE - 2020 Universal Registration Document

NON-FINANCIAL PERFORMANCE STATEMENT

BEING A RESPONSIBLE GROUP IN ITS INTERNAL AND EXTERNAL PRACTICES

NPS PROGRESS

The Net Promoter Score is the difference between the number of promoters (score of 9 or 10) and the number of detractors (score from 0 to 6).

Individual customers

Professional customers

Corporate customers

2020- 2019

2020- 2018 2020 2019 2018

2020- 2019

2020- 2018 2020 2019 2018

2020- 2019

2020- 2018

2020 2019 2018

Banque Populaire Caisse d’Epargne

+2 (6)

(4)

(10) (17)

+6 +4

+12 +11

+7 +1

(5) (7)

(12) (24)

+12

+19 +25

+14

4 0

2

+10

+16 +19

(10)

+8

+9

(10)

+9

2

INFORMATION SYSTEMS SECURITY AND DATA PROTECTION

Preventing risks relating to cyber threats, safeguarding the information systems and protecting data – in particular the personal data of our customers, employees and all our stakeholders – are key priorities and the focus of Groupe BPCE’s concerns. Trust lies at the heart of the Group’s digital transformation, and it firmly believes that cyber security is essential for its businesses.

CYBER SECURITY STRATEGY

In response to the new challenges of IT transformation and to achieve the goals it has set, the Group has a cyber security strategy with four priorities:

• support the Group’s digital transformation and growth:
  – raise customer awareness of how to manage cyber risks, and provide support,
  – accelerate and standardize security, personal data protection and fraud support in business projects with an appropriate level of security as part of a security and data protection approach from the design of new offers and new products,
  – improve the user experience in terms of digital security for both customers and employees;
• provide governance and observe regulations:
  – implement governance and a common reference framework for security matters,
  – strengthen and automate permanent controls,
  – define a risk appetite model for cyber risk management,
  – manage the risks brought by third parties (partners, service providers, etc.), including in terms of personal data protection;
• continually improve understanding of the information systems’ assets and improve their protection:
  – apply and reinforce security basics,
  – strengthen the protection of the most sensitive assets in line with the risk appetite model, and in particular data protection,
  – establish enhanced governance of identities, i.e. people (employees, service providers, partners, etc.) accessing its information systems and the authorizations assigned to them,
  – develop cyber culture within the Group, and the associated tools and methods for different target populations;
• continually improve its cyber attack detection and response capabilities;
• strengthen cyber security monitoring systems, particularly through the Groupe BPCE CERT (1).

IMPLEMENTATION

To accelerate its implementation, this strategy was included among the twelve components of the Tech and Digital Action Plan and received an additional budget of €16 million under this plan.

In 2020, despite the health situation, the deployment of this cyber security strategy continued at a steady pace through the following major projects:

• first implementations of the Identity and Rights Management (IAM) roadmap through a dedicated Group program whose objectives are to:
  – establish a Group database of individuals, applications and organizations,
  – implement Group IAM governance,
  – integrate, if possible, all the Group’s applications in the IAM with an automated allocation of access rights and a consolidated view of rights;
• increased security of access to the Group’s IS:
  – implementation and deployment of a single sign-on portal for Group employees, with a high level of security, while allowing a significant reduction in costs. At the end of 2020, more than 50,000 of the 100,000 employees used this portal for all their access,
  – generalization of strong authentication. At the end of 2020, more than 40,000 employees had a means of enhanced authentication (smartphone, biometrics, etc.);
• continued implementation of the Group Awareness Plan:
  – delivery of a new awareness-raising kit to all of the Group’s establishments to host Cyber Security Month, comprising five educational videos, two podcasts, ten “Golden rules” sheets and a poster,
  – generalization of the operational deployment of the developer self-training tool for the development of secure applications without vulnerabilities. 690 developers, or 95% of the target, completed the entire self-training course,
  – conducting regular phishing awareness campaigns with Group employees. Nine campaigns conducted in 2020, each targeting between 34,000 and 48,000 employees,
  – development of customer awareness content, 29 frequently asked questions (FAQs) produced,
  – awareness of the GDPR Regulation followed by all new entrants. Specific training for project managers has also been rolled out within the central institution;

(1) CERT [Computer Emergency Response Team] or CSIRT [Computer Security Incident Response Team]: Alert and reaction center for computer attacks.
