EDF / 2019 Universal registration document

2. Risk factors and control framework Risks to which the Group is exposed

4D – Attacks against assets, including cyberattacks

The Group faces the risk of malicious acts against its tangible or intangible assets, particularly its information system.

Criticality in view of the control actions undertaken: Intermediate.

The facilities or assets operated by the Group or its employees may be the target of external attacks or malicious acts of any kind. An attack or malicious act committed on these facilities could have consequences such as injury to persons and/or damage to property, the Group being held liable on the grounds of measures judged to be inadequate and interruptions to operations. The Group would also be forced to make additional investments or incur additional costs if laws and regulations relating to the protection of sensitive sites and critical infrastructures became more stringent.

The Group operates multiple, interconnected and complex information systems (databases, servers, networks, applications, etc.) that are essential to the conduct of its commercial and industrial activity, the preservation of its human, industrial and commercial assets, and the protection of personal data (of customers and employees) which must adapt to a rapidly changing context (digital transition, development of teleworking, new ways to share work in extended companies with suppliers, changes in regulations, etc.). The frequency and sophistication of information system hacking and data corruption incidents are increasing worldwide. A malicious attack may have a negative impact on the Group’s operational activity, its financial, legal or property position or its reputation.

The EDF group has defined an Asset Security policy in the face of malicious acts and an Information System Security policy to prevent this risk and limit its impact in the event of an attack. These policies are supplemented by guidelines on the protection of personal data.
However, the Group cannot rule out an attack on its information systems that would have consequences on the Group’s operational activity, its finances, its legal position, in particular with regard to the integrity of personal data, or its reputation.

A charter for the use of IT resources is annexed to the Company’s internal regulations. IT security training courses adapted to different profiles (users, project managers, IS security managers, etc.) are offered to employees. The Audit Committee of the Board of Directors receives reports on cyber security risk management.

Several dozen security audits are carried out each year, both on IT infrastructures and on business information systems, by external IS security audit companies qualified as PASSI (IS security audit providers) by the ANSSI (French National Agency for Information Systems Security). In addition, the EDF group SOC (Security Operational Center) reports on IS security incidents on a monthly basis.

In 2019, the main actions deployed in the field of cyber security and protection of intangible assets were as follows:

■ notifying cyber security objectives to the Directors of the main Group Entities;
■ defining a security reference framework based on the rules of the French National Agency for Information Systems Security (ANSSI);
■ carrying out six campaigns to raise awareness regarding the protection of information at the Group level, and a large number of campaigns led by local management and adapted to the specific nature of the businesses run by the Entities;
■ conducting two crisis exercises on EDF’s Datacentres;
■ carrying out a cyber security crisis exercise at Group level enabling EDF to test its ability to withstand cyberattacks;
■ updating the policy to combat malicious acts targeting intangible assets in order to address new cyber and behavioural risks;
■ creating a Group-level incident response function (CERT).

4E – Operational continuity of supply chains and contractual relationships

The Group is exposed to the operational continuity of supply chains and contractual relationships with its suppliers as well as to fluctuations in the price and availability of materials, equipment or services it purchases in the course of its business activities.

Criticality in view of the control actions undertaken: Intermediate.

The Group’s needs can arise in markets with limited surface area or increasing tensions, in particular due to the structure and evolution of the industrial offer or the increase in competition from new uses, in particular between the growing needs of information systems and the needs of energy players. Climate change-related transition may also introduce new tensions in supply chains. Certain materials, equipment or services could also be subject to increased demand relative to the available industrial supply, which could have an impact on their cost and availability. These market pressures may increase the cost of supplying certain critical products or services and lead to a reduction in supply by some suppliers in response to a contraction in their margins.

Fluctuations in the price and availability of certain raw materials or products that play a key role in setting the price of electricity and energy services may affect the Group’s supply capacity and results. The Group uses technologies, mainly in the fields of nuclear, hydraulic or renewable energy generation, electrical storage or mobility, that require materials or elements that may be highly sensitive in terms of access (1). The scarcity or conditions of access to certain raw materials may be critical for the Group due to geological, geopolitical, industrial, regulatory or competitive limitations, particularly in a context of energy transition.
The development of uses, particularly related to storage, the growth of renewable energies and the penetration of low-carbon electricity, could pose problems of access to certain materials: Lithium for batteries, ferromagnetic rare earths for wind power, Indium or Selenium for solar energy… These difficulties could limit the Group’s ability to achieve its development objectives. In addition, control of the conditions under which raw or semi-finished materials are extracted, processed, packaged or made available for the Group’s needs may be subject to provisions calling for greater control of regulatory requirements and a duty of vigilance.

Moreover, the Group currently depends on a limited number of industrial players with specific skills and the required experience. This situation reduces competition in markets where EDF is a buyer and exposes the Group to the default risk of one or more of these specialised suppliers or service providers. This is particularly the case for Orano (which accounts for more than 34% of EDF’s purchases of all types of fuel in 2019), Westinghouse and GE. Changes to the shareholding or governance of these various providers may also have an impact on the cost, the operational continuity of ongoing contracts and the cost of services provided or delivered products. Regular monitoring of the situation of these suppliers is carried out through specific reviews.

The Group’s performance is also based on the contracts signed with suppliers of equipment or services. Improved management of contracts entered into by EDF is a major issue in controlling operations, deadlines and associated costs. It is the role of the Contract Management function which aims to improve the management of risks and create opportunities in the management of contracts. This function calls upon Contract Managers positioned in the business lines throughout the contractual process. It is an additional line of defence in the management of contracts, in relation to corporate and the divisions. The Contract Management Department, which reports to the General Secretary, is responsible for structuring this function, leading the Contract Management process, measuring its performance and professionalising the players.

(1) The topic of Uranium supply is not considered here. It is dealt with in Risk 5D Control of the fuel cycle.
