NATIXIS_PILLAR_III_2017_EN

2 GOVERNANCE AND RISK MANAGEMENT ORGANIZATION Risk factors

Natixis is exposed to emerging risks, including risks relating to cyber security Natixis is confronted with new types of risk that have emerged in recent years, in particular cyber risk, and may become exposed to other emergent risks in the future. Cyber risk is caused by a malicious and/or fraudulent act, perpetrated digitally in an effort to manipulate data (personal, banking/insurance, technical or strategic data), processes and users, with the aim of causing material losses to companies, their employees, partners and clients. Cyber risk has become a top priority in the field of operational risks. A company’s data assets are exposed to new, complex and evolving threats liable to have material financial and reputational impacts on all companies, and specifically those in the banking sector. Given the increasing sophistication of criminal enterprises behind cyber attacks, regulatory and supervisory authorities have begun highlighting the importance of ICT (Information and Communication Technology) risk management. Natixis has made the resilience of its technical infrastructures, business continuity, and data transmission security a top priority, both in terms of pre-empting and being capable of responding to threats. However, as cyber attacks are constantly evolving to become increasingly complex, these efforts may not be sufficient to fully protect Natixis, its employees, its partners and client. Despite Natixis’ efforts, such attacks could potentially disrupt client services or result in the alternation or disclosure of confidential data, could lead to business interruptions, costs related to information retrieval and verification and reputational harm. Any of these impacts could adversely affect Natixis’ business, results of operations and financial condition. Any interruption or failure of Natixis’ information systems, or those of third parties, may result in lost business and other losses Like most of its competitors, Natixis relies heavily on its communication and information systems to process a high volume of increasingly complex transactions for its businesses. Any breakdown, interruption or failure of these systems could result in errors or interruptions to customer relationship management, general ledger, deposit, transaction and/or loan processing systems. If, for example, Natixis’ information systems failed, even for a short period, it would be unable to meet customers’ needs in a timely manner and could thus lose transaction opportunities. Likewise, a temporary breakdown of Natixis’ information systems, despite back-up systems and contingency plans, could result in considerable information retrieval and verification costs, and even a decline in its business if, for instance, such a breakdown occurred during the implementation of hedging transactions. The inability of Natixis’ systems to accommodate an increasing volume of transactions could also undermine its business development capacity. Natixis is also exposed to the risk of an operational failure or interruption by one of the clearing agents, foreign exchange

markets, clearing houses, custodians or other financial intermediaries or external service providers it uses to execute or facilitate its securities transactions. With growing interconnectivity with customers, Natixis may also be increasingly exposed to the risk of operational failure of its customers’ information systems. Natixis cannot guarantee that such breakdowns or interruptions in its systems or in those of other parties will not occur or, if they do occur, that they will be adequately resolved. Unforeseen events may interrupt Natixis’ operations and cause substantial losses and additional costs Unforeseen events, such as a severe natural disaster, pandemic, terrorist attacks, or any other state of emergency, could lead to a sudden interruption of Natixis’ operations and cause substantial losses insofar as they are not covered or are insufficiently covered by an insurance policy. These losses could relate to property, financial assets, market positions and key employees. Such unforeseen events may, additionally, disrupt Natixis’ infrastructure, or that of third parties with which it conducts business, and could also lead to additional costs (such as relocation costs of employees affected) and increase Natixis’ costs (in particular insurance premiums). Subsequent to such events, Natixis may be unable to insure certain risks, resulting in an increase in Natixis’ overall risk. Other adverse unforeseen changes may occur in political, military or diplomatic environments and may create social instability or an uncertain legal environment that may negatively impact the demand for the products and services offered by Natixis. Tax laws applicable in the countries where Natixis operates could have a material impact on Natixis’ results Natixis is subject to the tax regulations in force in the various countries in which it operates. As an international group doing business in several countries, Natixis has structured its commercial and financial activities in light of diverse regulatory requirements and its commercial and financial objectives. Natixis aims to create value in serving its customers by drawing on the synergies and sales capacities of its various entities. Natixis is required to comply with recently adopted reporting requirements which are part of the global fight against tax evasion and, more generally, with any mechanisms that could be adopted being part of the global fight against tax evasion. Natixis reports transparently on its organizational structure and operations, and discloses its revenues and the corresponding taxes on a country-by-country basis for greater clarity on the determining factors of its tax expense. Natixis observes the Code of Practice on Taxation for Banks. These new reporting requirements and, more generally, any mechanisms adopted in order to enhance cooperation between tax administrations in the fight against tax evasion will subject Natixis to increasing additional administrative burdens and to costly reporting obligations.

24

NATIXIS Risk report Pillar III 2017