BPCE_PILLAR_III_2017

11 NON-COMPLIANCE RISKS, SECURITY AND OPERATIONAL RISKS

IT System Security (ISS)

ANTI-CYBERCRIME MECHANISMS

As a result of its digital transformation, the Group's information systems are becoming increasingly open to the outside (cloud computing, big data, etc.) and processes are gradually going digital. Employees and customers are also increasingly using the Internet and interconnected technologies such as tablets, smartphones and applications on tablets and mobile devices. Consequently, the Group's assets are constantly more exposed to cyberthreats. The targets of these attacks are much broader than the information systems alone. They aim to exploit the potential vulnerabilities and weaknesses of customers, employees, business processes, information systems and security mechanisms at Group buildings and datacenters.

In 2016, the ECB carried out a cybersecurity audit of Groupe BPCE, relating to governance regarding risks, cybersecurity and information technology, with a special focus on online banking security for the Banque Populaire banks and Caisses d'Epargne. Recommendations were made to Groupe BPCE in summer 2017.

A number of initiatives aimed at enhancing anti-cybercrime mechanisms were continued in 2017.

Strengthened application access controls

In conjunction with Natixis, the Group strengthened the system launched in 2015 and used to review access rights to cross-business information systems (Natixis and BPCE) granted to the institutions. The number of applications in the review scope was increased to 29 in 2017.

Reinforced detection of unusual flows and events in information systems (cyberattack detection)

● Implementation of systems to detect any compromise to customer data that, in addition to directly preventing fraud, provide information used to define detection scenarios addressed by the Security Operations Center (SOC).
● Creation of Groupe BPCE's CERT (Computer Emergency Response Team) to extend oversight and improve information-sharing on incidents, fraud and attempted fraud.
The Group's cybersecurity alert system, named VIGIE, which was established in 2014, was expanded with more than 70 members from all Group institutions. In 2017 VIGIE proved to be an effective defense against the WannaCry and Petya cyber attacks.

Raising employee awareness of cybersecurity

The Group-wide approach to raising employee awareness of ISS was expanded in 2016 through a serious game that was developed by CIGREF (an IT club for large French corporations) and relayed by the Group's institutions. Two awareness-raising films (one for advanced attacks and one for phishing) were also produced.

Within BPCE's scope of operations, the massive user authorization project defined in 2010 was continued. In 2017, the rights of 115 applications were reviewed as well as user authorization management procedures.

Moreover, new employee awareness-raising campaigns were launched:

● Serious Game - IT Security training campaign;
● phishing test and phishing awareness-raising campaign;
● participation in new employee acclimation meetings.


Risk Report Pillar III 2017
