Société Générale / Risk Report - Pillar III

9 OPERATIONAL RISK

ORGANISATION OF OPERATIONAL RISK MANAGEMENT

- identifying existing and future security threats and risks for the Group, as well as its weaknesses in confronting them;
- developing and disseminating Group mechanisms and policies to better protect its activities and ensure it is capable of withstanding security crises;
- implementing the Group's security oversight mechanism;
- organising the Group's crisis management system;
- coordinating relations with national, European and international security agencies in respect of security issues;
- developing and coordinating economic intelligence;
- assisting in combating fraud;
- strengthening the security culture within the Group (training, communication campaigns, etc.).

The management of all these risks is based on operational risk systems, and the second line of defence is provided by the Risk Department.

Risks related to information security

Information is a strategic asset for Societe Generale. Whether on paper, in digital form or exchanged orally, the use of and access to information must comply with regulations and laws. To this end, the Group Security Department, housed within the General Secretariat, published a new Group Information Security Policy (PGSIN) in April 2019. The PGSIN provides a holistic view of the subject by strengthening the consideration of human aspects (e.g. vigilance inside and outside our premises, and on social networks) and by building on existing IT security policies (e.g. information encryption). The PGSIN also recalls the importance of spreading the security culture within the Group. Following the publication of the PGSIN in the SG Code, the Group Security Department, working jointly with the teams of the Resources and Digital Transformation Division, has launched or supported initiatives to put this policy into practice (e.g. the construction of information security awareness modules for Group employees and also for external providers; information protection).

These actions are linked to the IT security master plan described below. With regard to IT systems, the Head of IT Security and IT Operational Risk is housed within the Corporate Resources and Digital Transformation Division. Under the functional authority of the Director of Group Security, he proposes the strategy for protecting digital information and leads the IT security community. The IT security framework is aligned with market standards (NIST, ISO 27002) and is implemented in each BU/SU. At the operational level, the Group relies on a CERT (Computer Emergency Response Team) unit in charge of incident management, security watch and the fight against cybercrime. This team draws on multiple sources of information and monitoring, both internal and external. Since 2018, this unit has also been strengthened by the establishment of an internal Red Team whose main tasks are to assess the effectiveness of the security systems deployed and to test the detection and reaction capabilities of the defence teams (Blue Teams) during an exercise simulating a real attack. The services of the Red Team enable the Group to gain a better understanding of the weaknesses in the security of the Societe Generale information system, to help in the implementation of global improvement strategies, and also to train the cybersecurity defence teams.

Given the increasing number and sophistication of digital attacks, the risk of cybercrime is becoming increasingly significant for players in the banking industry. Societe Generale focuses strongly on data and information systems in order to protect its customers. This risk is addressed jointly by the IT security and operational risk teams and is monitored by General Management within the framework of an IT security master plan. A budget of EUR 650 million was allotted over three years to address cybercrime risk. Consequently, to support the "Transform to Grow" Group strategic plan, the IT security master plan has been structured around five major pillars to steer actions out to 2020 that address:

- security for the Bank's customers: enhancing the secure digital experience and strengthening our customers' cyber security culture;
- protection of key assets: continuing security actions closer to the data and securing the most sensitive applications;
- continued reinforcement of the Group's detection and reaction capabilities;
- developing the agility and trust zones of our IT systems and processes to facilitate internal and partner exchanges;
- developing the expertise of the IT security sector by creating a Cyber Institute, raising awareness and assisting employees.

A central team at the Resources and Digital Transformation Department is responsible for managing and monitoring IT operational risks. The main missions of the team are:

- identifying and evaluating the major IT risks for the Group, including extreme risk scenarios (e.g. cyber-attack, failure of a provider), to enable the Bank to improve its knowledge of its risks, be better prepared for extreme risk scenarios and better align its investments with its IT risks;
- providing elements enabling the Bank's management to steer risks, in particular via Key Risk Indicators (KRIs). These are communicated to Societe Generale's Risk Committee and to the Risk Committee of the Board of Directors. They are reviewed regularly to stay aligned with the IT and security strategy and its objectives;
- more generally, ensuring the quality and reliability of all devices addressing IT operational risks.

Particular attention is paid to the permanent control system for IT risks, which is based on the definition of normative IT and security controls and on support for the Group in the deployment of managerial supervision on this subject. In 2019, as part of the "PCT" permanent control transformation programme, a new version of the IT risk/IT security normative controls was developed and must be deployed across the Group by Q3 2020. The management of all these risks is based on operational risk systems, and the second line of defence is provided by the Risk Department.

| SOCIETE GENERALE GROUP | PILLAR 3 - 2020