Sopra Steria - 2019 Universal registration document

2 RISK FACTORS AND INTERNAL CONTROL Risk factors

LOSS, CORRUPTION OR UNAUTHORISED DISCLOSURE OF DATA ❙

Risk description

Risk management

A cyberattack, a security incident or human error could lead to the loss, corruption or disclosure of data. This risk is heightened in the context of digital transformation and in particular the transition to cloud computing and mobile technologies. It relates to information systems managed by the Group on behalf of its clients, those made available to project teams for their development work and internal systems. In addition to the significant financial consequences of client claims, non-compliance and/or potential property damage, a major security incident could have a considerable adverse impact on the Group’s reputation and lead to the loss of contracts.

Sopra Steria has established an information security policy in line with international standards and has put in place a solid organisational structure for this purpose, which is coordinated at Group level. The leadership team involved includes the Chief Information Security Officers (CISOs), along with the Information Systems Department and the Group’s security operations centre (SOC), with responsibility for detecting and responding to cybersecurity incidents. This organisational structure with its local correspondents, meeting different countries’ regulatory requirements and client needs as closely as possible, allows for in-depth knowledge of areas of risk and business demands. The Group reviews the organisation’s performance, its policies and procedures, and the investments made at least once each year, or as required whenever a security incident occurs, to adapt to changes in the context and risks, as well as to continually strengthen all measures in place. In 2019, the Group made further significant investments in its security awareness and training programme covering all employees (e-learning modules, awareness campaigns, videos, on-site training), as well as in protection and surveillance tools and to expand the involved teams. The entire system is verified on a regular basis, in particular by way of the annual audit programme and the certification audits for ISO 27001 and ISAE 34-02 covering the Group’s strategic and sensitive areas of operations. Sopra Steria has rolled out a programme to ensure compliance with the EU’s General Data Protection Regulation (GDPR) throughout the Group. Lastly, the cybersecurity insurance programme is reevaluated each year in order to better cover the risks to which the Group is exposed.

41

SOPRA STERIA UNIVERSAL REGISTRATION DOCUMENT 2019