Hermès // 2022 UNIVERSAL REGISTRATION DOCUMENT

4

RISK FACTORS AND MANAGEMENT RISK FACTORS

INFORMATION SYSTEMS AND CYBERATTACKS ӳ

4.1.1.3

DESCRIPTION OF THE RISK ◆

POTENTIAL IMPACTS ON THE GROUP ◆

The partial or total unavailability of certain elements of the information systems could disrupt or paralyse the processes and the activities concerned.

Information systems are of paramount importance in the smooth running of the Group’s day‑to‑day operations. They concern customers, suppliers or employees, and relate in particular to the processing and storage of their data. Personal data protection is a priority for the Group.

IMPACT PROBABILITÉ

A breach of information systems, triggered by a cyberattack, for example, could lead to a data breach, such as the unauthorised disclosure of personal data.

RISK MANAGEMENT ◆

A global information system governance model clearly defines the roles and responsibilities of the Group’s headquarters and subsidiaries. Common architecture and urbanisation rules favour a centralised model when technical or regulatory constraints allow. The sovereign functions of the information systems remain managed by the headquarters. A cybersecurity community is led by the Group team, which relies on dedicated experts and local managers. Collaboration between these different actors is facilitated by the organisation of monthly updates (sharing on current positions and the evolution of threats, monitoring of the roadmap, reminders of best practices), monthly themed webcasts and the organisation of dedicated bi‑annual seminars. Hermès’ IT spending (investment and operating budget) is reassessed each year to ensure that investments are aligned with the Group’s strategic challenges. Its objective is to align the technical infrastructures and systems with the growing needs of users, while ensuring good operational performance. They also aim to keep IT risks under control and to develop information systems, in particular for new digital and cloud uses, whilst being socially and environmentally responsible. The information systems department adheres to an information technology charter and a set of procedures applicable to all Group companies. In particular, an information systems security policy (ISSP) is updated annually to adapt to threats. Audits of IT security and compliance with procedures are carried out periodically in all subsidiaries, in collaboration with the audit and risk management department and with the help of external service providers. Exercises are carried out on a regular basis to improve incident detection and response capabilities (red team/blue team system). The terms red team and blue team, widely adopted by the cybersecurity community, are taken from military terminology and refer to the attacker (red) and the defender (blue). The objective is to check that the defence capabilities are up to standard and to improve them. The term “purple team” means that the company has internalised attack capabilities in order to test its defences on a continuous basis. In the field of IT risk prevention, IT risk mapping is regularly updated and presented to the Audit and Risk Committee. The work previously initiated was continued in 2022. This included strengthening the security of central systems, directory security, segmentation and filtering of networks, managing the life cycle of identities, securing internal and external access, preventing data leaks, protecting cloud applications and the physical security of data centres. Special attention was paid to industrial facilities and the security of connected objects. Improved backup and fault tolerance arrangements for critical systems were also included to ensure continuity of operation in the event of an incident. The information systems department has reinforced its capacity to detect and deal with incidents. All computers and servers are equipped with software to detect anomalies (endpoint detection response – EDR), enable security patches to be installed and conduct investigations in the event of doubt. Security incidents are dealt with by a dedicated team comprising the components of the incident response, SOC (Security Operation Centre) and CERT (Computer Emergency Response Team). In 2022, Hermès CERT was admitted as a member of InterCERT France, which brings together the mature incident response units of major French organisations. New initiatives to raise employee awareness of security issues have taken various forms within the framework of a global programme (conferences, films, e‑learning, escape games, dedicated website in eight languages). Each year, Cybersecurity Month gives special emphasis to these topics.

● Strategy and operations ● Industry

● CSR

● Regulatory compliance

● Finance

2022 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL

370

Made with FlippingBook - professional solution for displaying marketing and sales documents online