BPCE - 2020 Universal Registration Document

6 RISK FACTORS & RISK MANAGEMENT
Non-compliance and security risks

6.11.4 Information System Security (ISS)

ORGANIZATION

The Group Security department (DS-G) is in charge of Information System Security (ISS) and the fight against cybercrime. It defines, implements and develops Group ISS policies. It provides continuous and consolidated oversight of information system security, along with technical and regulatory oversight. It initiates and coordinates Group projects aimed at reducing risks in its field. It also represents Groupe BPCE vis-à-vis banking industry groups and public authorities.

Groupe BPCE has established a groupwide Information System Security function comprising the Head of Group Information System Security (RSSI-G), who coordinates the function, and the Heads of IS System Security for all Group entities. As such, the ISS managers of the parent company affiliates, direct subsidiaries and IS EIGs are functionally attached to the RSSI-G. This functional link takes the form of leadership and coordination actions. This means that:

• the RSSI-G is notified of the appointment of any heads of information system security;
• the Group information system security policy is adopted by individual entities in accordance with application procedures subject to validation by the Head of Group ISS;
• a report on the institutions’ compliance with the Group’s information system security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of IS System Security.

The project to develop an exhaustive ISS map of the Group’s information systems, including the establishments’ private information systems, continued. Two major projects were undertaken:

• development of a Group security framework based on the NIST reference system to regularly assess the Group’s maturity on the five pillars of Detect, Identify, Protect, Respond and Recover, to set quantified objectives and to manage actions;
• a Group Identity and Rights Management (IAM) program with the following objectives:
  – establishing a Group database of individuals, applications and organizations,
  – implementing Group IAM governance,
  – including, if possible, all Group applications in the IAM roadmap, with automatic provisioning and an overview of authorizations.

Raising employee awareness of cybersecurity

In addition to maintaining the Group’s common foundation for raising awareness of ISS, the year 2020 was marked by the industrialization of phishing awareness campaigns and by the renewal of participation in “European Cybersecurity Month.” Within the scope of BPCE SA, in addition to the recurring reviews of application authorizations and rights to IS resources (mailing lists, shared mailboxes, shared files, etc.), the process of mapping all published websites and the monitoring of vulnerability treatment plans have been strengthened. Moreover, new employee awareness-raising and training campaigns were launched:

• phishing test and phishing awareness-raising campaign;
• participation in new employee acclimation meetings.

ANTI-CYBERCRIME SYSTEMS

As a result of its digital transformation, the Group’s information systems are becoming increasingly open to the outside world (cloud computing, big data, etc.) and many of its processes are gradually going digital. Employees and customers are also increasingly using the internet and interconnected technologies such as tablets, smartphones and applications on tablets and mobile devices. Consequently, the Group’s assets are constantly more exposed to cyber threats. The targets of these attacks are much broader than the information systems alone. They aim to exploit the potential vulnerabilities and weaknesses of customers, employees, business processes, information systems and security mechanisms at Group buildings and data centers.

A unified Group Security Operation Center (SOC) integrating a level 1, operating in 24x7, is operational. Several actions have been carried out to strengthen the measures taken to combat cybercrime:

• work to secure websites hosted externally;
• improved website and application security testing capabilities;
• implementation of a Responsible Vulnerability Disclosure program by Groupe BPCE CERT.

Permanent controls on IT security were stepped up during the crisis. The IT supervision teams (via the SOC and CERT) were expanded and Groupe BPCE employee awareness-raising initiatives were strengthened in terms of fraud risks.
