Hermès // CSR Extract 2023
4 RISK FACTORS AND MANAGEMENT
RISK FACTORS
4.1.1 RISKS RELATED TO STRATEGY AND OPERATIONS
4.1.1.1 INFORMATION SYSTEMS AND CYBERATTACKS
DESCRIPTION OF THE RISK
Information systems are of paramount importance in the smooth running of the Group’s day-to-day operations. They concern customers, suppliers or employees, and relate in particular to the processing and storage of their data. Personal data protection is a priority for the Group.
POTENTIAL IMPACTS ON THE GROUP
Partial or total unavailability of certain information system elements could disrupt or paralyse key production or distribution processes.
A breach of information systems, caused by a cyberattack, for example, could result in a data breach leading to the unauthorized disclosure of personal data or the leakage of confidential information.
[Figure: risk rating, axes: impact and probability]
RISK MANAGEMENT
A global information system governance model clearly defines the roles and responsibilities of the Group’s headquarters and subsidiaries. Common architecture and urbanisation rules favour a centralised model when technical or regulatory constraints allow. The sovereign functions of the information systems remain managed by the headquarters.
The Group Cybersecurity Director manages all activities at both the headquarters and subsidiaries. He leads a set of committees, allowing projects and the evolution of cyber risks to be monitored in order to report to the Executive Committee as well as to the Audit and Risk Committee through the IT Safety and Group Safety Committees. A cybersecurity community is led by the Group team, which relies on dedicated experts and local managers. Collaboration between these different actors is facilitated by the organisation of monthly updates (sharing on current positions and the evolution of threats, monitoring of the roadmap, reminders of best practices), monthly themed webcasts and the organisation of ad hoc events.
Hermès’ IT spending (investment and operating budget) is reassessed each year to ensure that investments are aligned with the Group’s strategic challenges. Its objective is to align the technical infrastructures and systems with the growing needs of users, while ensuring good operational performance. These investments also aim to keep IT risks under control and to develop information systems, in particular for new digital and cloud uses, whilst being socially and environmentally responsible.
The information systems department adheres to an information technology charter and a set of procedures applicable to all Group companies. In particular, an information systems security policy (ISSP) is updated annually to adapt to threats.
Audits of IT security and compliance with procedures are carried out periodically in all subsidiaries, in collaboration with the audit and risk management department and with the help of external service providers. They ensure that the internal control systems remain effective and adapted to the main current and emerging threats and are aligned with the laws and regulations applicable wherever the House operates.
In the field of IT risk prevention, IT risk mapping is regularly updated and presented to the Audit and Risk Committee. This exercise is supplemented by the regular assessment of cyber maturity, including the main regions around the world.
A Zero-Trust approach has been initiated, enabling modernisation of the security of infrastructures, directories, management of the identity life cycle, access security (employees, partners and privileged accounts), prevention of data leaks, protection of cloud applications and the physical security of data centres. Special attention was paid to industrial facilities (in particular at the time new structures were acquired) and the security of connected objects. Improved backup and fault tolerance arrangements for critical systems were also included to ensure continuity of operation in the event of an incident.
EXTRACT FROM 2023 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL