Universal Registration Document 2021

RISKS, LITIGATION, AND CONTROLS RISK FACTORS

CYBERSECURITY

[103-1 Customer privacy] [103-2 Customer privacy] Risk identification

Risk monitoring and management

The security actions related to Technicolor Creative Studios content production networks are led by internal security teams which focus on the mitigation of these risks. These security actions and protocols are continuously implemented, enforced, evaluated, and updated as production needs evolve, and as new technologies or threats emerge. The Connected Home centers for product development or implementation of services include quality assurance functions that are responsible for establishing and measuring suitable quality indicators and developing action plans to improve the quality of the products and services, with management reviews at key milestones. To ensure high security standards, a security approval procedure is in place for the new products delivered by the Connected Home Segment. This procedure is part of the product development project management methodology. Once products are delivered, an incident response procedure is in place to support customers. This procedure includes a vulnerability disclosure protocol, to allow security researchers to report any weakness in Connected Home products and allow us to address risks before public disclosure and/or materialization of said risk. The security policies and the use of qualified suppliers, equipment and software, combined with regular security training, security assessments and penetration testing, aim to mitigate the risk to an acceptable level. For physical security risks, a dedicated team conducts risk assessments on all critical sites and suggests a remediation plan for local security coordinators when needed. In 2021, working in collaboration with clients and industry organizations, the Group continued to establish and promote secure work-from-home environments and workflows where required based on local government requirements. Technicolor security standards are continuously reviewed and updated to stay current with the industry and with established security policies.
Overall, in 2021, Technicolor supported over 268 security audits, which included a combination of internal and external audits. Audit findings are tracked and managed by internal teams. In 2021, the Group delivered security awareness training to all employees and provided multiple communications around phishing, malware, and general security practices, with an increased focus on the impacts of an increase in remote work. Technicolor Cyber Security (TCS), introduced in 2015, is recalibrated quarterly and its initiatives are tracked regularly. TCS technology teams have enabled faster adoption of enterprise-scale tools and processes in partnership with the Global Security teams. The architecture, assessment and deployment of specific remote Artist solutions, and the continuous implementation, enforcement, evaluation and update of security actions, protocols and standards in new production facilities, are being performed. In addition, the tracking and management of items identified for remediation, led by internal teams within the ServiceNow central repository, are managed and reported by the Technicolor Security Operations Center (TSOC).

The secure maintenance and transmission of Technicolor and customers’ information is an essential component of the Group’s operations due to highly sensitive and confidential content. With that in mind, cloud enablement and usage/support continue to evolve. The failure to have sufficient and effective content security systems and protocols, both onsite and during remote working scenarios, may lead to loss, disclosure, misappropriation, alteration and unauthorized sharing of and access to sensitive information and assets (Intellectual Property). Product developments may become more expensive or take a longer time than initially planned due to unexpected challenges in the development cycle, potential quality issues linked to the technological complexity of the products, resource constraints or dependency on third party deliveries. Products and data may be vulnerable due to the increase in volume and sophistication of hacking or other types of malicious attacks (e.g., phishing) which expose the Group to liabilities, extra cost for remediation, or compensation for prejudices. New vulnerabilities must be identified and monitored appropriately to avoid successful operational attacks. Log data from infrastructure and applications in the environment are core to identifying or investigating security events and potential incidents. If log forwarding from key devices is interrupted for a significant period, it will reduce the SOC (Security Operations Center) operational capabilities. Lack of consistent procedures could impact our ability to successfully back up and restore systems. It is feasible that a flood of security breaches, incidents or attacks could overwhelm the SOC capability to manage, investigate and escalate them. The current pandemic environment has led to an increase in hybrid working environments and remote working, which requires additional security and access protocols/assessments for both access solutions and devices.
Risks of content exfiltration have increased due to content being visible outside of our studios, expanding the security perimeter and secure production networks from our facilities into employees’ homes. Failure to properly monitor equipment use and access rights could result in confidential information being shared with competitors or customers. Lack of employee awareness of cyber risks increases the risk from phishing campaigns and of malware being introduced into our systems. Those consequences may drive key customers to withdraw work from Technicolor and are likely to expose the Group to significant financial burdens, liability, loss of reputation and loss of revenues.
