Hermès // 2021 Universal Registration Document

4 RISK FACTORS AND MANAGEMENT

RISK FACTORS

4.1.1.3 INFORMATION SYSTEMS AND CYBERATTACKS

DESCRIPTION OF THE RISK

Information systems are of paramount importance in the smooth running of the Group’s day-to-day operations. They may concern customers, suppliers or employees, as well as the processing and storage of data. Personal data protection is a priority for the Group.

POTENTIAL IMPACTS ON THE GROUP

The partial or total unavailability of certain information systems could disrupt or paralyse the processes and the activities concerned. A breach of information systems, triggered by a cyberattack, for example, could lead to a data breach, such as the unauthorised disclosure of sensitive data.

[Risk matrix chart: axes "Impact" and "Probability"]

RISK MANAGEMENT

A global information system governance model clearly defines the roles and responsibilities of the Group’s headquarters and subsidiaries. Common architecture and urbanisation rules favour a centralised model when technical or regulatory constraints allow. The sovereign functions of the information systems remain managed by the headquarters. A cybersecurity community is led by the Group team, which relies on dedicated experts and local contacts. Collaboration between these different actors is facilitated by the organisation of monthly updates (sharing on current positions and the evolution of threats, monitoring of the roadmap, reminders of best practices), monthly themed webcasts and the organisation of dedicated bi-annual seminars.

Hermès’ IT spending (investment and operating budget) is reassessed each year to ensure that investments are aligned with the Group’s strategic challenges. Its objective is to align the technical infrastructures and systems with the growing needs of users while ensuring good operational performance. These investments also aim to keep IT risks under control and to develop information systems, in particular for new digital and cloud uses, whilst being socially and environmentally responsible.

The information systems department adheres to an information technology charter and a set of procedures applicable to all Group companies. In particular, an information systems security policy (ISSP) is updated annually to adapt to threats. Audits of IT security and compliance with procedures are carried out periodically in all subsidiaries, in collaboration with the audit and risk management department and with the help of external service providers. Exercises are carried out on a regular basis to improve incident detection and response capabilities (red team/blue team system). In the field of IT risk prevention, IT risk mapping is regularly updated and presented to the Audit and Risk Committee.

The work previously initiated was continued in 2021. This included strengthening the security of central systems, control over workstations, managing the life cycle of identities, securing internal and external access, preventing data leaks, protecting cloud applications and the physical security of data centres. Improved backup and fault tolerance arrangements for critical systems were also included to ensure continuity of operation in the event of an incident.

The information systems department has reinforced its capacity to detect and deal with incidents. All computers and servers are equipped with software to detect anomalies (endpoint detection and response, EDR), enable security patches to be installed and conduct investigations in the event of doubt. Security incidents are dealt with by a dedicated team (Security Operations Centre, SOC) and are closely monitored. Security measures were strengthened during lockdown periods and systems were created for new uses introduced by teleworking.

New initiatives to raise employee awareness of security issues have taken various forms within the framework of a global programme (conferences, films, e-learning, escape games, dedicated website in eight languages). Each year, Cybersecurity Month gives special emphasis to these topics.

Intrusion tests on internal, Wi-Fi and external networks were carried out, as well as IT disaster simulations, and corresponding action plans were formalised. The continuity of IT operations is also tested regularly. Crisis simulation exercises are carried out annually and are followed by feedback and action plans. In addition to the information systems department, they involve various Group departments (internal communication department, financial communication and investor relations department, insurance department, audit and risk management department, legal compliance department and the Data Protection Officer, etc.) as well as a member of the Group Executive Committee.

Furthermore, the Group ensures that it complies with the various standards and regulations applicable to the protection of personal data (GDPR) and payment card data (PCI-DSS). Compliance with the latter standard is also assessed annually by a third party. The information systems department accordingly works with other departments in order to reduce the risks of damage to information systems and their impacts in the event such risks were to materialise.

[Risk category legend: Strategy & operations, Industry, CSR, Regulatory compliance, Finance]
