BPCE - 2020 Universal Registration Document

NON-FINANCIAL PERFORMANCE STATEMENT

BEING A RESPONSIBLE GROUP IN ITS INTERNAL AND EXTERNAL PRACTICES

• acceleration of the Security Operations Center (SOC), the organizational structure in charge of detecting, analyzing and processing cyber security incidents:
– establishment of a team of experts called Ethical Hackers (Red Team) whose mission is to test the security of information systems. By the end of 2020, this team will have carried out a first appraisal mission on a complete application chain,
– continued improvement of the collection of events in the centralized management of information and security events (SIEM). At the end of 2020, 67% of infrastructure equipment was covered, representing 175 billion events collected, and 98 detection scenarios had been defined and implemented;
• review of the Group’s IT network security model:
– implementation of a new “airport”-type network security model allowing, among other things, control of the compliance of equipment and users accessing the IS with the security requirements, as well as finer, more precise and more agile protection of information system resources,
– overall strengthening of the surveillance system using intrusion detection sensors;
• continuation of the exhaustive mapping of the Group’s IS:
– this mapping includes the private information systems of the institutions. To date, the ISS mapping is 84% complete for the 28 most critical business processes in a scope of 36 institutions;
• development of a new Group Security Master Plan for the period 2021/2024:
– this master plan confirms the continuation of the structuring projects already under way and sets new ambitions through new projects,
– like the previous one, this master plan aims to define the Group’s cyber security ambitions and takes into account IT security, IT continuity and a strengthening of the data protection area;
• strengthening the fight against cybercrime:
– in order to respond to the increase in reports of vulnerabilities by researchers and hackers on the Group’s websites since 2019, Groupe BPCE CERT has set up a responsible disclosure service (VDP). This is a reward program for people who report bugs, especially those associated with vulnerabilities. This service, commonly known as Bug Bounty, is based on the platform of a major player in the field and makes it possible to supervise the reports of researchers. Sixty-eight alerts have been processed since the implementation of this system,
– a tool for sharing indicators of compromise (IOC) between Groupe BPCE’s CERT and the Group’s SOCs was rolled out in 2020. It improves responsiveness in detecting and blocking attacks,
– Groupe BPCE CERT is strengthening its presence in TF-CSIRT, an organization that brings together European CERTs and CSIRTs, by moving to “accredited” status;
• strengthening the fight against external fraud:
– implementation of a system to improve the detection of high-risk IBANs in remote banking in order to reduce fraud,
– development of Fregat, the tool for collecting external fraud incidents (attempted and proven fraud), which will be put into production in early 2021. It provides a qualitative and quantitative view of fraud by both major categories and detailed fraud cases,
– the program to combat check fraud is entering its final stage with the implementation of Community rules. However, developments will continue with the creation of a score engine developed to combat external fraud,
– in order to meet the need for expertise in the External Fraud division, a Group training course will be offered in 2021 to all its players.

HIGHLIGHTS OF 2020: COVID AND CYBERATTACKS

The risks in terms of IT security related to the massive use of teleworking were assessed and resulted in a set of measures and systems, the main ones being:
• raising employee awareness of the cyber security risks associated with teleworking;
• accelerating the deployment of a unified remote access solution coupled with an authenticator to secure the connection (MFA);
• improved management of cybercrime services (monitoring, detection and response to incidents);
• the establishment of a weekly meeting between Groupe BPCE CERT (1) and the SOC (2) of the main IT systems;
• automation, enhanced by the SOC, of IOC (3) processing for preventive blocking (malicious domain names or email addresses);
• daily monitoring of fraud and remote banking operations;
• implementation of daily customer phishing indicators;
• support for the return on site in terms of cyber risk (reinstallation of IT workstations, application of patches).

No major or significant cyber security incidents were reported in 2020.

(1) Groupe BPCE CERT: Distributed response team for cyber security incidents.
(2) SOC: Operational teams for the detection and response to IT security alerts and incidents.
(3) IOC: Compromise indicators; technical elements used in cyber security incidents or frauds.
