HERMÈS - 2019 Universal Registration Document
1 OVERVIEW OF THE GROUP RISK FACTORS
1.11.1.3 INFORMATION SYSTEMS AND CYBER-ATTACKS
DESCRIPTION OF THE RISK
Information systems are of prime importance for the proper performance of the Group’s daily operations, whether in relationships with clients, suppliers or employees, but also with regard to the processing and storage of Group data. Personal data protection is a priority for the Group.
POTENTIAL IMPACTS ON THE GROUP
The partial or total unavailability of certain information systems could disrupt processes and the activities concerned. Damage to information systems, such as a cyber-attack, could lead to a data breach (e.g. the unauthorised disclosure of sensitive data).
RISK MANAGEMENT
Hermès’ expenditure on IT systems (capital and operating expenditure) is consistent with that of its peers in the sector. The aim is to bring the technology infrastructure and systems in line with the increasing needs of users and the Group’s métiers, to guarantee good operational performance, to keep IT-related risks under control and to prepare systems for the future, especially for new digital services.
The Group’s IT systems department works under an information technology governance charter and has drawn up a corpus of procedures that apply to all Group companies. Audits of IT security and compliance with Group procedures are carried out periodically in all subsidiaries, in collaboration with the audit and risk management department and with the help of external service providers independent of the Group information systems department, where appropriate.
In the field of IT risk prevention, IT risk mapping is regularly updated and presented to the Audit and Risk Committee. The work carried out in 2018 continued in 2019. It focused chiefly on reinforcing the security of central systems, the control of workstations for the Group as a whole, the centralisation of access rights to facilitate their management, the security of internal and external accesses, the prevention of confidential data, the protection of cloud applications, the physical security of data centres and the improvement of back-up and fault-tolerance mechanisms for critical systems to ensure continued operation in the event of an incident.
The Information Systems Department has reinforced its capacity to detect and deal with incidents. All computers and servers are equipped with software to detect anomalies, enable security patches to be installed and conduct investigations in the event of doubt. Security incidents are dealt with by a dedicated team (Security Operation Centre) and are closely monitored.
New employee awareness initiatives have been taken in various forms (conferences, posters, escape games, demonstrations, dedicated website in eight languages). Intrusion tests via internal, Wi-Fi and external networks were carried out, as were IT disaster simulations, and action plans were formalised. The continuity of IT operations is also tested regularly. Crisis simulation exercises are conducted every year (November 2018 and November 2019) and are followed by feedback and action plans.
The Group also ensures compliance with various standards and regulations, for example in the field of payment card data management (PCI-DSS) and the protection of personal data (GDPR). The information systems department accordingly works with other departments in order to reduce the risks of damage to information systems and its impacts if such risks were to materialise.