Risks associated with cybercrime may occur in lots of different areas once processes are computerised. Groupe PSA has identified 5 main areas in which there would be major consequences for the business:

1. central information systems and apps:
   - hacking, data theft, loss of access, fraud,
   - loss of control of processed data in an external cloud (apps in SaaS mode);
2. workstations and personal equipment:
   - confidential information leaks,
   - compromised networks,
   - ransomware;
3. connected vehicles:
   - mass takeovers of control, danger to occupants, vehicle thefts,
   - theft of customer information, applications fraud,
   - loss of functionalities and services;
4. industrial facilities:
   - takeover of facilities, compromised networks,
   - break in production;
5. suppliers and service providers:
   - leaks of confidential information and competitive know-how,
   - means of hacking into Group systems.

Each of the 5 areas is managed by an Information Systems Security Officer, answerable to the Group Protection Director and the Information Governance Manager. Each area takes measures of a general nature aimed, in particular, at IT protection/detection techniques and ongoing education of employees in security best practices. A network structure ensures that rules and their implementation are disseminated at all levels of the organisation’s hierarchy. Specific measures are also taken in each area to respond to particular risks in line with the Group’s Information Systems Security Policy and all its operational measures, including specific policies to protect information systems. In particular:

1. central information systems and apps:
   - centralised management of access rights (See also Section;
2. workstations and personal equipment:
   - data encryption, dual factor authentication, robust passwords that are changed periodically,
   - continuous education (communication, training) of employees: e-learning, information website, assessments and practices (quizzes, phishing, etc.),
   - application of document management and “Records Management” policies;
3. connected vehicles:
   - specific sessions on cybercrime issues for technical development teams,
   - IT security principles and techniques applied to all on-board and stand-alone systems as well as to the flows exchanged;
4. industrial facilities:
   - identification of at-risk equipment and tighter controls over security and antivirus software updates. Blocking of USB ports,
   - good security practices for equipment for which service providers are responsible;
5. suppliers and service providers:
   - communication of Groupe PSA security policies for information purposes and application of an equivalent level of security,
   - policies reflected in contractual requirements.



[DPEF.B] [DV.2] Attracting and developing all talents

As part of its international expansion, Groupe PSA must be attractive to applicants in the different regions where it operates, so as to increase the business’ human capital and encourage its performance culture. The Group must, in fact, draw on competitive teams throughout the world to challenge its best competitors. The success of the Push to Pass plan is due to the management of talent at each level of the organisation.

Talent management is key to the Group’s human resources policy. It strives to give all employees the opportunity to develop their talents both individually and collectively, by prioritising meritocracy and rewarding results. (See 2.4.3)



