NATIXIS - 2018 Registration document and annual financial report

RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

Prevention of corruption

In accordance with the requirements set out in Article 17 of the law of December 9, 2016 on transparency, the prevention of corruption and the modernization of the economy (“Sapin II”), Natixis has strengthened and added certain rules and procedures to its compliance framework to align them with the highest international standards in corruption prevention. In 2018, this included the publication of a policy dedicated to the prevention and detection of corruption, which was disseminated to all employees, and the addition of rules on this theme to the Internal Rules.

The various high-risk situations are also managed through dedicated procedures, such as those on the prevention and management of conflict of interest situations, the conduct of anti-corruption due diligence when initiating business relationships with third parties and prior to forming partnerships or carrying out merger and acquisition transactions, and the supervision of recruitment. High-risk practices, including giving or accepting gifts or invitations, patronage initiatives, sponsoring, donations and third-party compensation, are also governed by specific procedures.

To ensure the dissemination and appropriation of these rules and procedures, compulsory e-learning training has been rolled out and specific training sessions have been held for the members of Natixis’ Executive Committee. More than 12,500 training actions were carried out as a result in 2018.

The anti-corruption framework as a whole is managed and coordinated by a dedicated team within the Financial Security Department, which relies on a network of anti-corruption correspondents within all of Natixis’ business lines, subsidiaries and branches, in France and abroad. Governance is provided through the existing Risk Management and Control Committees and through the introduction of specific Committees. The corruption aspects are also fully incorporated within the existing permanent control system, particularly through specific controls covering the high-risk situations and practices referred to above.

In addition to the French regulations that apply to all Natixis entities, Natixis ensures strict compliance with the local regulations applicable to its foreign operations, such as the UK Bribery Act and the US Foreign Corrupt Practices Act. The main corruption prevention program rules and procedures can be found in Natixis’ anti-corruption policy, available on the website www.natixis.com.

3.2.8.5 IT Systems Security and Business Continuity

Natixis has set up two lines of defense to manage cyber risk, whose effective interplay is ensured by regular meetings of a “Cyber security and business continuity” steering Committee. The IT Security Department (which reports to the IT Department) forms the first line of defense and implements all the operational measures for protecting Natixis’ IT system. The IT Systems Security and Business Continuity Department (ITSS-BC, reporting to the Compliance Department) forms the second line of defense. Both lines of defense share a common Security Operating Center (SOC), which works directly with Groupe BPCE’s Computer Emergency Response Team (CERT).

Natixis is also integrated within Groupe BPCE’s “IT Systems Security”, “Business continuity” and “Personal data protection” functions. As such, it applies the policies and methods defined by Groupe BPCE.

IT system security

The ITSS-BC Department coordinates its activities based on risks. It employs a method which identifies, in terms of operational risk, the risk situations of concern to the business lines and the IT assets that may be vulnerable to them. Risk assessments may be conducted during the annual review or may result from the support provided to a project. In 2018, ITSS-BC monitored close to 200 business line projects, half of which resulted in the issuing of specific security requirements in order to better mitigate risks.

In light of these risks, the ITSS-BC Department implements an annual second-level permanent control plan covering all areas of IT system security. Every year, around 6,000 control operations are therefore carried out, with a special focus on access right controls and intrusion tests on IT assets exposed to the Internet.

The risk-based approach also enabled the definition of the 2018-2020 strategic program. This program, named “NewSec”, is intended to convert the current model, which is mainly based on perimeter security, into an “airport”-type model. 2018 therefore saw the launch of key projects for improving the identification of Natixis’ IT assets.

Business continuity

Natixis’ business continuity framework combines management of incidents according to their consequences (unavailability of the IT system, sites or employees) with emergency measures specific to each scenario (overflowing of the Seine, etc.). Natixis regularly tests the whole of this framework through first- and second-level controls, crisis management exercises and backup solution tests. Natixis used the end of the project on the overflowing of the Seine and the roll-out of a large fleet of laptops as an opportunity to make changes to its user fallback system. The distribution of fallback sites was reviewed and the use of “Telecommuting” solutions was expanded. This quest for efficiency also prompted an overhaul of the business continuity plan management tool and the crisis management mobile application. The business continuity teams are now focusing most of their efforts on increasing resilience to successful cyber attacks.

3.2.8.6 Personal data protection

Natixis has taken steps to guarantee the protection of the personal data of both customers and employees. A wide-reaching project aimed at compliance with the General Data Protection Regulation (GDPR) was launched within Natixis. The work carried out enabled the drafting of policies and procedures, awareness-raising and training for employees, the identification of personal data processing operations and the necessary remediation actions, the alignment of the Asset Management business lines, the appointment of a Data Protection Officer (DPO) and the creation of a data privacy function.
