NATIXIS - 2018 Registration document and annual financial report

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk factors

Seine flooding, which led to the implementation of specific protective measures (see the risk management framework in Section 3.8.8.5 of this registration document for detailed information on the measures taken to ensure business continuity). The losses and damage that Natixis could suffer should such events occur relate to its property, financial assets, market positions and key employees. Furthermore, these events may disrupt Natixis’ infrastructure, or that of third parties with which it conducts business, and could also lead to additional costs (such as relocation costs of employees affected) and increase its expenses (in particular, due to higher insurance premiums or the exclusion of certain risks from its insurance coverage). Subsequent to such events, Natixis may also be unable to insure certain risks, resulting in an increase in its overall risk. Other adverse unforeseen political, military or diplomatic changes could occur and create social instability or an uncertain legal environment that may have an adverse impact on demand for the products and services offered, on the level of Natixis’ risks and more generally on all its activities. Natixis is exposed to emerging risks, in particular risks relating to cybercrime, which could have a material adverse impact on its business, financial position and reputation Natixis is confronted with new types of risk that have emerged in recent years, in particular the risk relating to cybercrime, and may become exposed to other emergent risks in the future. Cybercrime refers to a range of malicious and/or fraudulent acts, perpetrated digitally in an effort to manipulate data (personal, banking, insurance, technical or strategic data), processes and users, with the aim of causing material losses to companies, their employees, partners, clients and counterparties. A company’s data assets are exposed to new, complex and evolving threats liable to have material financial and reputational impacts on all companies, and in particular those in the banking sector. Given the increasing sophistication of criminal enterprises behind cyber attacks, regulatory and supervisory authorities have begun highlighting the importance of Information and Communication Technology (ICT) risk management. Preventing cybercrime risk is a priority for Natixis and as such it makes every effort to implement the guidelines established by these authorities through cooperation between its Information Systems (IS) and IT Systems Security (ITSS) departments. This has resulted in a mapping of risks relating to IT systems security as well as a wide-ranging campaign to raise all employees’ awareness of ITSS. In 2018, no major cybercrime-related incident occurred or had a material adverse impact on Natixis’ financial position or reputation. However, as cyber attacks are constantly evolving to become increasingly complex, the measures described above may not be sufficient in the future to fully protect Natixis, its employees, partners and clients. The occurrence of such attacks could potentially disrupt Natixis’ client services, result in the alteration or disclosure of confidential data or lead to business interruptions and, more broadly, have a material adverse impact on its business, financial position and reputation.

An interruption or failure of Natixis’ communication and information systems, or those of third parties, could result in lost business and other losses and costs Like most of its competitors, Natixis relies heavily on its communication and information systems to process a high volume of increasingly complex transactions for its businesses (see the risk management framework in Section 3.2.8.5 of this registration document for a description of Natixis’ communication and information systems). Although Natixis has made data transmission security a priority, any breakdown, interruption or failure of these communication and information systems could result in errors or interruptions to the systems it uses for customer relationship management, the general ledger, deposit and loan processing transactions, and/or risk management. If, for example, Natixis’ information systems shut down, even for a short period, it could be unable to meet customers’ needs in a timely manner and could thus lose business opportunities. Thus, any breakdown, interruption or failure of Natixis’ information systems, despite back-up systems and contingency plans, could result in considerable costs related to information retrieval and verification, as well as lost business or financial losses in its ongoing operations and portfolio transactions related, for example, to the failure to exercise an option or to unwind a transaction such as a hedging transaction. Furthermore, the inability of Natixis’ communication and information systems to accommodate an increasing volume of transactions could also undermine its business development capacity. Lastly, Natixis is exposed to the risk of an operational failure or interruption by its clearing agents, foreign exchange markets, clearing houses, custodians or other financial intermediaries or external service providers it uses to execute or facilitate its securities transactions. With growing interconnectivity with customers, Natixis may also be increasingly exposed to the risk of operational failure of its customers’ information systems. Natixis cannot guarantee that such interruptions or failures in its communication and information systems or in the systems of third parties will not occur or, if they do occur, that they will be adequately resolved. The occurrence of one or more of the events described above may result in lost business and other additional costs and losses for Natixis. Unforeseen events may interrupt Natixis’ operations and cause substantial losses and additional costs Unforeseen events, such as a severe natural disaster, pandemic, terrorist attack, or any other state of emergency, could lead to a sudden interruption of Natixis’ operations and cause substantial losses insofar as they are not covered or are insufficiently covered by an insurance policy. At December 31, 2018, Natixis conducted 53.6% of its business in France and is therefore more exposed to risks related to events that could occur in that country, such as natural disasters, strikes, protests and terrorist attacks. In the past, for example, Natixis had to contend with the

112

Natixis Registration Document 2018