CAPGEMINI REGISTRATION DOCUMENT 2017

CORPORATE GOVERNANCE - RISKS AND INTERNAL CONTROL

2.5 Risks and internal control

Group Management has published a Code of Business Ethics and oversees its application, to reduce as far as possible the potential impact on the Group's reputation. The Capgemini Group International Works Council covers not only European countries but also includes representatives of the main countries outside Europe (India, United States and Brazil). The Group's key managers regularly attend meetings to present changes in the Group and the main challenges facing it, and discuss them with employee representatives in an open manner and in an environment of mutual understanding. Finally, as part of our "People Matter, Results Count" policy, we take account of:
- the motivation and career path of our employees;
- the implementation of varied and attractive career plans;
- the development of our employees through development and training programs;
- the respect and promotion of a good work-life balance.

Service continuity

Risk factors

Capgemini has permanent operations in approximately 40 countries. The bulk of its revenues is generated in Europe and North America, which are relatively stable economically and politically.

Its Rightshore® production model involves transferring part of the production of its services to sites or countries other than those in which the services are used or in which the Group's clients are located, in particular India (which alone accounts for 50% of the Group headcount), Poland, China, Guatemala, Morocco and other Asian and Latin American countries. This operating method may increase the risk of business interruption at a given production site due to an incident making it difficult or impossible to access telecommunication networks, a natural disaster, political violence in a country or region, or a geopolitical crisis affecting several Business Units simultaneously. Economic instability can also be a source of risk for the Group's performance and reputation.

Information systems

Risk factors

New technologies (Cloud computing, "Bring your own device", etc.) and new practices (social networks, mobility, Software-as-a-Service (SaaS), DevOps, artificial intelligence, etc.) inevitably expose the Group to new risks. Risks relating to all kinds of cyber criminality could lead to a loss of data, delays in the delivery of our projects, service interruptions at our clients, or additional costs that could impact the reputation or financial health of the Group. The information systems underlying the publication of the Group's consolidated financial statements also present a specific risk in view of the strict reporting deadlines.

Risk management systems

The Group has implemented business continuity procedures in the event of a disruption to IT services. The main management IT systems are covered by back-up plans in different data centers.

The Group is aware of the importance of internal communication network security, and protects its networks via security rules meeting the highest international standards, proactive controls, a counter-attack detection center operating 24/7 and specific technical equipment such as firewalls. We have defined a security policy founded on numerous international standards and procedures (our operating sites are certified ISO 27001). This security policy and the back-up plans are validated, updated and audited periodically. For some projects or clients, enhanced systems and network protection are provided on a contractually agreed basis. In addition, a large number of our clients have been identified as operators of vital importance by their national authorities. Certain clients will also be identified as Operators of Essential Services (OES) under Directive 2016/1148 of July 6, 2016, also known as the NIS (Network Information Security) Directive, either by their national authorities or at European level. The security of their information systems will therefore have to be approved by these national or European authorities, and our Group, as a major sub-contractor, will also have to comply with these regulations.

The Group continuously ensures the security of its systems and their compliance with contractual commitments and any applicable legislative and regulatory provisions. It works to implement, with stakeholders, any necessary corrective or protection measures. To this end, the Group also has a program that seeks to anticipate, prevent and mitigate cybercrime risks for its main systems. This dedicated structure is headed by the Cybersecurity and Information Protection Director (CySIP), who reports, since January 1, 2018, to the Chief Technology Officer. This program covering exposure to cyber risks comprises three subgroups dealing with governance-related issues (organization, policy, and communication and awareness-raising) and five operational projects (data protection, mobility management, access management, information system control and steering, and strengthening infrastructures). The CySIP community includes cyber risk specialists in the following areas:
- CySIP Officers in the Business Units, for client project monitoring;
- Chief Information Security Officers, responsible for the protection of internal information systems.
The CySIP community works closely with the Data Protection Officers responsible for the protection of personal data and compliance. The aim of this program is to become a benchmark for our clients, thereby strengthening the Group's credibility on Digital and cybercrime issues. The Group's personal data protection policy and organization were drawn up based on the Binding Corporate Rules (BCR) defined by the European Commission and validated by the CNIL (French National Commission for Data Protection and Liberties), for the processing and storage of our own data and that of our clients.
