LEGRAND REGISTRATION DOCUMENT 2017

03 INTERNAL CONTROL AND RISK MANAGEMENT
Risk factors and control mechanisms in place

3.6.2.4 BUSINESS CONTINUITY

Events of natural or other origin sometimes occur (such as fires, natural disasters, climate change, health risks, geopolitical events, machine failure, etc.) that could disrupt or interrupt a site's activity. The likelihood that such events will occur, and the overall exposure that could result for the Group, are limited by the number and geographic dispersion of industrial sites for all operational activities.

In addition, a regular analysis of the risks and vulnerabilities of the Group's sites is carried out jointly with the Group's insurers. These analyses cover events linked to climate risk (floods, snow, storms) and technical hazards (fire, machinery breakdowns, gas leaks, etc.). This enables the potential damage to property and the related operating losses to be assessed. Based on these analyses, the Group Real Estate Department manages investments in the prevention, protection, modernization and maintenance of industrial and logistical facilities. The same analyses are carried out upstream on new building construction projects.

As part of its prevention policy, Legrand conducts joint audits with experts from the Group's insurance companies to evaluate the level of fire protection and take any action deemed necessary. In 2017, 49 such visits were made to the Group's facilities. Finally, Legrand has taken out a global insurance policy to cover direct accidental damage to property and the potential operating losses resulting from such accidents.

3.6.2.5 SECURITY AND CONTINUITY OF IT SYSTEMS

Because of the scale and number of its international operations, processes and sites, Legrand's business activity requires multiple and often interconnected information systems. In addition, the development of connected products (Eliot) is a new aspect of the Group's exposure to specific cybercrime risks.
The risk of a failure in these systems (networks, cloud, infrastructure and applications), whether operated directly or by service providers, or in either case the risk of a security breach, could slow or partially disrupt the Group's industrial and commercial activity, impact the quality of customer service, or compromise the level of security and confidentiality expected by our stakeholders. Such failures could originate from inside the Group (configuration error, system obsolescence, lack of infrastructure maintenance, poor IT project management, malice) or from outside (viruses, cybercrime, etc.).

To deal with these risks, Legrand relies on a specific organization, system and resources. The following skill sets are deployed within the ISD:
- a Head of Information Systems Security and his team, who work on improving system quality and security and are in charge of defining and implementing policies and projects specific to these areas, such as data backups and security plans, data protection, and dissemination to all employees of guidelines on the use of IT resources, cybersecurity and data backups. This department is also responsible for conducting regular security audits and intrusion tests on the Group's information systems, with the support of external service providers;
- project teams, responsible for implementing information systems and infrastructure, organized in accordance with established governance structures;
- support teams, responsible for continuity of service of infrastructure and applications, which define the investment and maintenance programs required;
- a specific team, which assists and monitors the subsidiaries, as regards both the subsidiaries themselves and their application programs.

In addition, Legrand has introduced a cybersecurity masterplan which aims to strengthen and supplement all the protection, detection and response measures already implemented as part of its security policy. This masterplan is structured around the following seven components:
- a detailed analysis of IT risks;
- an IT systems security policy, based on applicable standards and best practice (ISO 27002, recommendations of the French National Cybersecurity Agency (ANSSI), etc.);
- the inclusion of security in IT projects through a specific methodology;
- an employee awareness program for cybersecurity;
- a structured incident handling process involving a Computer Emergency Response Team (CERT);
- a legal and regulatory monitoring system;
- a specific program dedicated to the security and processing of personal data for the Eliot connected objects and its cloud.

Relationships with suppliers responsible for outsourced IT services are governed by contracts that include continuity and security related clauses and by a governance structure designed for this purpose. IT related risks are coordinated through specific governance (monthly, quarterly and annual committee meetings, with oversight by the Group Risk Committee).