Hermès // CSR Extract 2023
RISK FACTORS AND MANAGEMENT
RISK FACTORS
The cybersecurity department has reinforced its capacity to detect and deal with incidents. All computers and servers are equipped with software to detect anomalies (endpoint detection and response – EDR), enable security patches to be installed and conduct investigations. Security incidents are dealt with by a dedicated team comprising the incident response components: the SOC (Security Operation Centre) and the CERT (Computer Emergency Response Team). CERT Hermès is a member of InterCERT France, which brings together the mature incident response units of major French organisations. Exercises are carried out regularly by the internal teams to continuously test and adjust the response system (red/blue/purple team initiatives). A second team dedicated to the qualification and treatment of vulnerabilities manages the Group’s attack surface.

New initiatives to raise employee awareness of security issues have taken various forms within the framework of a global programme (conferences, films, e‑learning, escape games, dedicated website in eight languages). Each year, Cybersecurity Month gives special emphasis to these topics. Employees are encouraged to use an internal whistleblowing system to report safety incidents of which they are aware so that these can be addressed immediately.

Intrusion tests on internal, Wi‑Fi and external networks were carried out, as well as IT disaster simulations, and corresponding action plans were formalised. The continuity of IT operations is also tested regularly. Crisis simulation exercises are carried out annually and are followed by feedback and action plans. In addition to the information systems department, they involve various Group departments (internal communication department, financial communication and investor relations department, insurance and prevention department, audit and risk management department, legal compliance department and the Data Protection Officer, etc.) as well as a member of the Executive Committee.
Furthermore, the Group ensures that it complies with the various standards and regulations applicable to the protection of personal data (in particular GDPR, the Group's standard in terms of personal data) and payment card data (PCI‑DSS). Compliance with the GDPR standard is ensured by a global governance made up of relays (Group and local) and assessed regularly through internal controls and external audits. In 2022, the Group’s personal data protection standard was audited by an external firm on various topics, in particular related to data governance and the processing of customer, employee and third‑party data. The information systems department accordingly works with other departments to reduce the risks of damage to information systems and their impacts in the event such risks were to materialise.
EXTRACT FROM 2023 UNIVERSAL REGISTRATION DOCUMENT HERMÈS INTERNATIONAL