BPCE_REGISTRATION_DOCUMENT_2017

RISK REPORT Non-compliance risks, security and operational risks

● managing the implementation of the Group Contingency and Business Continuity Plans (CBCPs) and keeping them operational;
● ensuring compliance with regulatory provisions governing business continuity;
● participating in Groupe BPCE’s internal and external bodies.

ACTIVITIES IN 2017

The importance of digital technology in the bank’s activities and the heightened risk of cybercrime calls for the development of a specific response in terms of emergency management and business continuity in the event of cyber-attacks, drawn up jointly with the departments in question. The development of a cyber Contingency and Business Continuity Plan (CBCP) was launched in 2017.

Group crisis governance, which provides enhanced coordination of incidents involving several Group companies or their suppliers, has a multi-disciplinary monitoring unit capable of handling incidents in cooperative mode. The Group management procedure for serious incidents was finalized in 2017.

The new supplier tracking system, implemented by the central institution, was adopted in June 2017. It is based on a decentralized model, drawing on contributions from the business lines to take advantage of their operational skills and knowledge while taking a Groupwide approach to ensure consistency.

Continuity mechanisms are presented to the Group’s CBCP steering committee on a regular basis.

3.11.6 IT System Security (ISS)

ORGANIZATION

Created on September 1, 2017, the Group Security division (DS-G) establishes and adapts Group IT System Security policies. It provides continuous and consolidated monitoring of information system security, along with technical and regulatory monitoring. It initiates and coordinates Group projects aimed at reducing risks in its field. Within its remit, DS-G represents Groupe BPCE with respect to banking industry groups and to public authorities.

As a contributor to the permanent control system, the Group Head of Security reports to the Compliance, Security and Operational Risks division. Within the central institution, the Group ISS division also maintains regular contact with the Group’s Inspection Générale division.

Groupe BPCE has established a groupwide Information System Security department. It includes the Head of Group IT System Security (RSSI-G), who coordinates the function, and the Heads of IT System Security for all of the companies. The heads of IT System Security for parent company affiliates, direct subsidiaries and EIGs are functionally linked to the RSSI-G. This functional link is achieved through coordinated actions. This means that:
● the RSSI-G is notified of the appointment of any heads of IT system security;
● the Group’s IT system security policy is adopted within the companies, and each company’s application methods of the Group IT system security policy must be presented for validation to the Group’s Head of IT System Security prior to approval by Executive Management and presentation to the Board of Directors or the Management Board;
● a report on the institutions’ compliance with the Group’s IT system security policy, permanent controls, risk level, primary incidents and actions is submitted to the Group Head of IT System Security.

ACTIVITIES IN 2017

The Group’s IT system security policy (PSSI-G) incorporates the Group’s security requirements. It is comprised of an IT System Security framework associated with the Group’s Risk, Compliance and Permanent Control Charter, 430 rules divided into 19 categories and three organizational instruction documents (1). It is revised annually according to an ongoing process of improvement. The 2017 review of the PSSI-G examined legal and regulatory developments (French Military Spending Act, new directive on payment services, European Data Protection regulation) and changes in group structure and governance. Moreover, the information system security permanent control Group standards were also entirely revised and will be rolled out to all companies in 2018.

In 2017, IT System Security risk mapping was expanded to include:
● operational availability of the group’s Archer IT System Security risk-mapping platform to group companies;
● convergence of standards in the IT System Security function;
● coordination with operational risks.

The Group Security division also took over responsibility for overseeing the groupwide implementation of European Data Protection Regulation (EDPR) requirements. Twelve projects were identified for this purpose (overall organization and standards, creation of a consistent data processing register, incorporation of EDPR requirements in projects, training and awareness-raising, etc.). As part of the Group’s digital transformation, an IT System Security support system for digital projects was introduced, specifically tailored to the agile development cycle.

(1) Operating procedures of the Groupe BPCE IT System Security department, information system security permanent control, classification of sensitive IS assets.

199

Registration document 2017
