NATIXIS_REGISTRATION_DOCUMENT_2017

3 RISKS AND CAPITAL ADEQUACY Non-compliance risk

Close tracking of upgrade requests – set up in the fourth quarter of 2017 – should also reduce Natixis’ exposure to ITSS and BC risks. In addition, Natixis acquired a new tool for monitoring IT security incidents which also makes it easier to report serious incidents to the relevant regulators. Natixis’ departments in charge of IT Systems Security (ITSS-BC and the Information Systems Security Department) defined a joint strategic plan for 2018-2020 which aims to improve measures to mitigate cyber attack risk. The plan sets out to transform our security model: from the current fortress (restricted access and protected by a single line of defense) to a system similar to that used in airports (more open, but with increased protection of sensitive assets).

As regards the Business Continuity Plan, the BCP and IT Contingency Plan (ICP) plans were merged to increase their effectiveness. The 2017 second-level control plan covered most of the entities and critical IT infrastructures and was supplemented with a large-scale “Telework” test involving almost 700 staff and emergency drills. The Seine Flooding (“Crue de Seine”) project was successfully completed: new protection measures have been installed and successfully tested; the Paris IT network was secured, as was most of the access of the international platforms to the network; and a new fallback solution offering greater accessibility for staff was tested. Lastly, the new real estate strategy is being implemented as leases expire.

Natixis is steadily strengthening its business continuity system to contend with cyber threats. A crisis unit is in place, emergency procedures have been distributed on what to do in case of known cyber attacks (ransomware, DDoS, etc.), and we are currently reviewing ways of boosting our resilience to extreme shocks.

3.10.6 PERSONAL DATA PROTECTION

Natixis is committed to protecting the personal data of customers and employees alike. As such: processes involving the use of personal data are conducted pursuant to the French Data Protection Act and, when necessary, are declared to the Commission Nationale de l’Informatique et des Libertés (CNIL – French Data Protection Authority) or the international equivalent; Natixis takes the necessary measures to guarantee the confidentiality of such data and to keep the persons whose data are being processed informed so that they can fully exercise their rights of access and rectification. This is ensured at two levels of the organization: CNIL coordination (Compliance) and local CNIL representatives in every business line. Compliance with the General Data Protection Regulation (GDPR) is in progress: a body of procedures is being established, as is a register of personal data as well as an inventory – for each relevant operation – of the security requirements needed for compliance, and a deputy manager in charge of personal data protection has been recruited.
