NATIXIS - Universal registration document and financial report 2019

3 RISK FACTORS, RISK MANAGEMENT AND PILLAR III Risk management

3.2.8.5 IT Systems Security and Business Continuity

Natixis has set up two lines of defense to manage cyber risk, whose effective interplay is guaranteed by the regular meetings of a “Cyber security and business continuity” Steering Committee. The IT Security Department (which reports to the IT Department) forms the first line and implements all the operational measures for protecting Natixis’ IT system. The IT Systems Security and Business Continuity (ITSS-BC) Department, which reports to the Compliance Department, forms the second line of defense. These two lines of defense share a common Security Operating Center (SOC). The center works directly with Groupe BPCE’s Computer Emergency Response Team (CERT).

Natixis is also integrated within Groupe BPCE’s IT Systems Security, Business Continuity and Personal Data Protection functions. As such, it applies the policies and methods defined by Groupe BPCE.

IT Systems Security

The ITSS-BC Department coordinates its activities based on risks. It employs a method which identifies, in terms of operational risk, the risk situations of concern to the business lines and their vulnerable IT assets. Risk assessments may be conducted during the annual review or may be completed as part of work done to support another project. In 2019, ITSS-BC monitored close to 450 business line projects, half of which resulted in specific security requirements being issued in order to better manage risks.

In light of these risks, the ITSS-BC Department implements an annual second-level permanent control plan covering all areas of IT system security. Consequently, each year around 6,000 second-level control operations are carried out, with a special focus on access right controls and intrusion tests on IT assets exposed to the internet.

The risk-based approach was also used to help define the 2018-2020 strategic program. This program, named NewSec, is intended to convert the current model, which is mainly based on perimeter security, into an “airport”-type model. Consequently, in 2019, the department continued key projects aimed at better protecting Natixis’ IT assets and improving attack detection.

Business continuity

Natixis’ business continuity framework combines incident management based on their consequences (unavailability of the IT system, sites, or critical skills or suppliers) with emergency measures specific to each scenario (overflowing of the Seine, cyberattack, etc.). Natixis regularly tests this entire framework using first- and second-level controls, crisis management exercises and backup solution tests. Natixis now has a large inventory of laptops that enable it to respond appropriately in the event of a slow-moving crisis (Seine flood, strikes, etc.). In addition, Natixis has enhanced its cyber crisis continuity framework by implementing a multi-year testing plan and conducting crisis management drills based on cyberattack scenarios.

3.2.8.6 Personal data protection

Natixis’ Data Protection Officer belongs to the ITSS-BC Department and coordinates a network of data privacy liaisons distributed across all Natixis entities. This function’s purpose is to handle all regulations relating to personal data protection and especially to ensure compliance with Europe’s General Data Protection Regulation (GDPR). A Data Privacy Committee meets regularly to monitor the function’s activities and manage the remaining alignment measures required. These include the launch by the IT Department of a multi-year project for the remediation of the relevant IT assets.

Natixis has a personal data register and procedures for key processes, such as handling data leaks, processing requests by individuals to exercise their rights, dealing with referrals to the authorities, updating and annually reviewing the register, carrying out the second-level control plan, managing training needs, conducting the regulatory watch and ensuring Privacy by Design/Default in projects.

Internationally, in the EMEA and APAC regions, gap analysis and remediation projects related to GDPR and applicable local regulations were conducted and will continue in 2020. As for the AMER region, the function’s organization was restructured and its gap analysis and remediation projects are being prepared for launch in 2020.
