Sopra Steria - 2019 Universal registration document

2 RISK FACTORS AND INTERNAL CONTROL / Risk factors

UNAVAILABILITY OF IT SERVICES AND INFRASTRUCTURE AND/OR INTERRUPTION OF ACTIVITIES AT SITES

Risk description

A cyberattack, a disaster or an incident that cuts access to the electrical grid or to telecommunications networks may make IT services and infrastructure unavailable or interrupt activities at one or more sites. The reliability of information systems and communications infrastructure is of growing importance given the Group's business model, which integrates service centres as well as national and worldwide shared data centres in nearshore and offshore countries. Any failure could affect both internal and client systems, creating a risk of non-compliance in the execution of contractual services and, consequently, potential claims for damages and/or loss of income.

Risk management

Business continuity, meaning the ability to meet our commitments to our clients and our internal operating requirements, is one of the key criteria in defining the policy for the Group's production sites and in the related implementation decisions. The policy on site locations, and every decision taken under it, follows the guidance provided by the Group. Expansion into new countries and regions is an integral part of this policy: it maintains security, reduces risk exposure and makes backup plans manageable.

A redundancy principle is applied to all critical system components through multi-site replication and supplier redundancy. Contracts with our suppliers are reviewed, according to their nature, by the Information Systems Department or the Purchase Department against the same security and service level requirements. Where work is outsourced or subcontracted, the same level of service is demanded of our suppliers.

The Group has put in place strict prevention and security procedures covering areas such as physical security, power cuts at critical sites, information systems security, and data storage and backups. These procedures and technical measures are continually re-evaluated so that remediation measures can be adjusted as needed. In addition, the Information Systems Department has expanded its teams to include more specialists in cybersecurity monitoring and intelligence, vulnerability management, follow-up of computer emergency response team (CERT) reports, and system obsolescence management. The Group ensures the continuity of existing systems through preventive testing plans and regularly conducts intrusion tests to assess the resilience of new systems put into service during the year.
