Risk description

A phishing campaign or the exploitation of a security flaw in the technical infrastructures or solutions used by Sopra Steria could result in a breakdown or disruption of systems essential to the activities contractually authorised with clients and/or to the Group’s internal operations, or in the loss, corruption or disclosure of data. A cyberattack on a client, even if only indirectly caused by the Group’s provision of services, could also have major repercussions for Sopra Steria. This risk inevitably increases in the context of digital transformation (including services hosted in the cloud and mobile technologies). Widespread working from home is a further factor that increases cyberthreats. Malicious attacks on the systems of businesses and organisations by hackers, criminal organisations or even state-linked organisations have increased exponentially over the last few months in number, frequency and sophistication, and this trend only looks set to be amplified in the future. The Group was the victim of an unprecedented cyberattack in October 2020. The malware concerned was a new version of the Ryuk ransomware, previously unknown to antivirus software providers and security agencies. These risks are significant in terms of both probability and impact. They are at the heart of Sopra Steria’s strategic concerns: in addition to the significant financial consequences of client claims relating to contractual commitments, interruption of internal operations, high incident recovery costs and non-compliance with regulations, a major security incident could have a considerable adverse impact on the Group’s reputation and lead to the loss of future contracts.
Risk management measures

Sopra Steria has established an information security policy in line with international standards and has put in place a solid organisational structure for this purpose, coordinated at the Group’s highest level. The leadership team involved includes the Chief Information Security Officers (CISOs), along with the Information Systems Department (ISD) and the Group’s security operations centre (SOC), which is responsible for detecting and responding to cybersecurity incidents. This organisational structure, with its correspondents within entities, follows the regulatory requirements of each country and the needs of clients as closely as possible and provides in-depth knowledge of areas of risk and business demands. The Group continually invests in its security awareness and training programme for employees (e-learning modules, awareness campaigns, videos, on-site and remote training), in protection and surveillance tools, and in expanding the teams involved. The Information Systems Department accordingly enhances its procedures on an ongoing basis in the areas of cybersecurity monitoring and threat intelligence, vulnerability management, follow-up of computer emergency response team (CERT) reports, management of system obsolescence, and the segmentation (siloing) and hardening of systems. Security testing of the Group’s service deliveries is continually reinforced through processes, tools and employee training. Sopra Steria ensures the reliability of existing systems by way of preventive testing plans and regularly conducts intrusion tests to assess the resilience of new systems put into service during the year. The entire system is verified on a regular basis, in particular through the annual audit programme and the ISO 27001 and ISAE 3402 certification audits covering the Group’s strategic and sensitive areas of operations. The Group reviews its policies and procedures, organisation and investments at least once a year, or whenever a security incident requires it, to adapt to changes in the context and in the risks, since, despite these measures, the risks remain significant for the Group in view of the unprecedented escalation in threats. Thanks to this comprehensive approach, the Group was able to reduce the potentially extremely critical impact of the massive attack detected in October 2020. The attack was rapidly blocked by in-house IT and cybersecurity teams. The measures implemented immediately made it possible to contain the malware to a limited part of the Group’s infrastructure and to protect its customers and partners. The remediation plan has allowed for the gradual restoration of workstations, R&D and production servers, internal tools and applications, and client connections. In the light of this event, the Group has decided to further step up its existing plans and has launched a reinforcement programme with two main aims: to improve its security response and to shorten the time required to restart IT systems.