HERMÈS - 2020 Universal registration document

4 RISKS AND CONTROL

RISK FACTORS

4.1.1.3 INFORMATION SYSTEMS AND CYBERATTACKS

DESCRIPTION OF THE RISK

Information systems are of prime importance in the proper performance of the Group’s daily operations, whether in relationships with clients, suppliers or employees but also with regard to data processing and storage. Personal data protection is a priority for the Group.

POTENTIAL IMPACTS ON THE GROUP

The partial or total unavailability of certain information systems could disrupt processes and the activities concerned. A breach of information systems such as a cyberattack could lead to a data breach, with perhaps the unauthorised disclosure of sensitive data.

RISK MANAGEMENT

Hermès’ expenditure on IT systems (capital and operating expenditure) is consistent with the practice of its peers in the sector. Its objective is to align the technical infrastructures and systems with the growing needs of the Group’s users and métiers while ensuring good operational performance. They also aim to keep IT risks under control and to develop information systems, in particular for new digital uses, whilst being socially and environmentally responsible.

The Group’s information systems department adheres to an information technology governance charter and has a corpus of procedures that apply to all Group companies. Audits of IT security and compliance with procedures are carried out periodically in all subsidiaries, in collaboration with the audit and risk management department and with the help of external service providers.

In the field of IT risk prevention, IT risk mapping is regularly updated and presented to the Audit and Risk Committee. The work carried out in 2019 continued in 2020. It focused chiefly on: reinforcing the security of central systems, the control of workstations for the Group as a whole, the centralisation of access rights to facilitate their management, the security of internal and external accesses, the prevention of confidential data leaks, the protection of cloud applications, the physical security of data centres and the improvement of back-up and fault-tolerance mechanisms for critical systems to ensure continued operation in the event of an incident.

The information systems department has reinforced its capacity to detect and deal with incidents. All computers and servers are equipped with software to detect anomalies, enable security patches to be installed and conduct investigations in the event of doubt. Security incidents are dealt with by a dedicated team (Security Operation Center) and are closely monitored. Security measures were strengthened during lockdown periods and new uses were supervised.

New employee awareness initiatives have taken various forms (conferences, films, e-learning, escape games, dedicated website in eight languages).

Intrusion tests on internal, Wi-Fi and external networks were carried out, as well as IT disaster simulations, and corresponding action plans were formalised. The continuity of IT operations is also tested regularly. Crisis simulation exercises are carried out regularly and are followed by feedback and action plans.

The Group also ensures compliance with various standards and regulations, for example in the field of payment card data management (PCI-DSS) and the protection of personal data (GDPR). The information systems department accordingly works with other departments in order to reduce the risks of damage to information systems and its impacts in the event such risks were to materialise.
