NATIXIS Risk report Pillar III 2017

NON-COMPLIANCE RISK

More specifically, risk linked to capital markets activities is closely monitored and subject to specific first- and second-level controls overseen and implemented by a dedicated team within CIB Compliance. Social engineering-type payment fraud is also subject to constant vigilance and specific prevention measures, as this continuously evolving fraud is particularly widespread and has evolved to impact the different commercial banking business lines. Lastly, the risk of information leakage, which has become a major risk, is subject to specific controls and investigations drawing on the expertise of fraud and IS security experts as well as the legal and HR functions as necessary.

PREVENTION OF CORRUPTION

To comply with the requirements set out in Article 17 of the law of December 9, 2016 on transparency, prevention of corruption and the modernization of the economy (“Sapin II”), in 2017 Natixis carried out a campaign to strengthen and align some of the rules and procedures of its compliance framework with the best international standards in corruption prevention. These rules and procedures aim to identify high-risk situations by drawing on the prevention and management of conflicts of interest, conducting anti-corruption due diligence when initiating business relationships with third parties (clients, suppliers, intermediaries) and prior to forming partnerships or carrying out merger and acquisition transactions, and by supervising recruitment. They also endeavor to evaluate the situation of third parties in terms of corruption and influence-peddling issues (reputation and background analysis), identify the factors of exposure to corruption risk (such as the presence of public decision-makers among the direct or indirect beneficiaries of a transaction), ensure the economic justification of the role of the various participants in a transaction, check that actual payments of funds are justified, etc. They also set out to avoid the risk of impropriety arising from practices such as giving or accepting gifts or invitations, payments as part of patronage or sponsoring initiatives, donations or third-party compensation. The rules and procedures of this prevention framework are set out in Natixis’ anti-corruption Policy, which is applicable to all its entities and employees. Internationally, Natixis ensures strict compliance with local regulations, such as the UK Bribery Act and the Foreign Corrupt Practices Act.

11.5 IT Systems Security and Business Continuity

The objectives of the IT Systems Security and Business Continuity Department (ITSS-BC), which is organized as a function, are to protect Natixis’ information assets, to identify risks (relating to information availability, integrity, confidentiality and traceability), to request, where applicable, that a remediation plan be put in place, to provide expertise and advice to the business lines and to keep the overall crisis set-up in working order. To meet these objectives, the department draws on its own resources to provide cross-business functions. It also relies on representatives within the business lines (IT Systems Security managers and Business Continuity Plan managers) and the IT Department.

The ITSS-BC Department coordinates its activities based on risks. It employs a method which identifies, in terms of operational risk, the risk situations of concern to the business lines and the IT assets of theirs that may be vulnerable. This method has since been adopted by Groupe BPCE. Risk assessments can be conducted during the annual review or can result from supporting a project. In 2017, the ITSS-BC Department monitored close to 300 business line projects, for half of which it issued specific security requirements in order to better mitigate risks.

In light of these risks, the ITSS-BC Department runs an annual second-level permanent control plan covering all areas of IT System Security, with a tight focus on the control of access rights. The user access management overhaul program that began in 2012 was concluded in 2017. The tool manages approximately 1.2 million access rights for over 21,000 employees and contractors. The controls also check compliance with the security policy. Natixis was an active participant in the review of Groupe BPCE’s IT system security policy, which comprised some 400 rules at end-2017. Close tracking of upgrade requests, set up in the fourth quarter of 2017, should also reduce Natixis’ exposure to ITSS and BC risks.

In addition, Natixis acquired a new tool for monitoring IT security incidents, which also makes it easier to report serious incidents to the relevant regulators. Natixis’ departments in charge of IT Systems Security (ITSS-BC and the Information Systems Security Department) defined a joint strategic plan for 2018-2020 which aims to improve measures to mitigate cyber attack risk. The plan sets out to transform our security model: from the current fortress (restricted access, protected by a single line of defense) to a system similar to that used in airports (more open, but with increased protection of sensitive assets).