2020 Universal registration document and annual financial report - BNP PARIBAS 293

5risks and CaPital adequaCy Pillar 3

5

Annual risk survey

2.2 An interruption in or a breach of the BNP Paribas Group s information systems may cause substantial losses of client or customer information, damage to the BNP Paribas Group s reputation and result in financial losses.

As with most other banks, the BNP Paribas Group relies heavily on communications and information systems to conduct its business. This dependency has increased with the spread of mobile and online banking services, and the development of cloud computing. Any failure or interruption or breach in security of these systems could result in failures or interruptions in the BNP Paribas Group s customer relationship management, general ledger, deposit, servicing and/or loan organisation systems or could cause the BNP Paribas Group to incur significant costs in recovering and verifying lost data. The BNP Paribas Group cannot provide assurances that such failures or interruptions will not occur or, if they do occur, that they will be adequately addressed.

In addition, the BNP Paribas Group is subject to cybersecurity risk, or risk caused by a malicious and/or fraudulent act, committed virtually, with the intention of manipulating information (confidential data, bank/ insurance, technical or strategic), processes and users, in order to cause material losses to the BNP Paribas Group s subsidiaries, employees, partners and clients and/or for the purpose of extortion (ransomware). An increasing number of companies (including financial institutions) have in recent years experienced intrusion attempts or even breaches of their information technology security, some of which have involved sophisticated and highly targeted attacks on their computer networks. Because the techniques used to obtain unauthorized access, disable or degrade service, steal confidential data or sabotage information systems have become more sophisticated, change frequently and often are not recognized until launched against a target, the BNP Paribas Group and its third-party service providers may be unable to anticipate these techniques or to implement in a timely manner effective and efficient countermeasures.

Any failures of or interruptions in the BNP Paribas Group s information systems or those of its providers and any subsequent disclosure of confidential information related to any client, counterpart or employee of the BNP Paribas Group (or any other person) or any intrusion or attack against its communication system could cause significant losses and have an adverse effect on the BNP Paribas Group s reputation, financial condition and results of operations.

Regulatory authorities now consider cybersecurity as a growing systemic risk for the financial sector. They have stressed the need for financial institutions to improve their resilience to cyber-attacks by strengthening internal IT monitoring and control procedures. A successful cyber-attack could therefore expose the Group to a regulatory fine, especially should any personal data from customers be lost.

Moreover, the BNP Paribas Group is exposed to the risk of operational failure or interruption of a clearing agent, foreign markets, clearing houses, custodian banks or any other financial intermediary or external service provider used by the BNP Paribas Group to execute or facilitate financial

transactions. Due to its increased interaction with clients, the BNP Paribas Group is also exposed to the risk of operational malfunction of the latter s information systems. The BNP Paribas Group s communications and data systems and those of its clients, service providers and counterparties may also be subject to malfunctions or interruptions by as a result of cyber-crime or cyber-terrorism. The BNP Paribas Group cannot guarantee that these malfunctions or interruptions in its own systems or those of other parties will not occur or that in the event of a cyber-attack, these malfunctions or interruptions will be adequately resolved. These operational malfunctions or interruptions accounted for an average of 3% of operational risk losses over the 2012-2020 period.

2.3 Reputational risk could weigh on the BNP Paribas Group s financial strength and diminish the confidence of clients and counterparties in it.

Considering the highly competitive environment in the financial services industry, a reputation for financial strength and integrity is critical to the BNP Paribas Group s ability to attract and retain customers. The BNP Paribas Group s reputation could be harmed if it cannot adequately promote and market its products and services. The BNP Paribas Group s reputation could also be damaged if, as it increases its client base and the scale of its businesses, the BNP Paribas Group s comprehensive procedures and controls dealing with conflicts of interest fail, or appear to fail, to address them properly. At the same time, the BNP Paribas Group s reputation could be damaged by employee misconduct, fraud or misconduct by financial industry participants to which the BNP Paribas Group is exposed, a decline in, a restatement of, or corrections to its financial results, as well as any adverse legal or regulatory action, such as the settlement the BNP Paribas Group entered into with the US authorities in 2014 for violations of US laws and regulations regarding economic sanctions. The loss of business that could result from damage to the BNP Paribas Group s reputation could have an adverse effect on its results of operations and financial position.

3. MARKET RISK The BNP Paribas Group s market risk is the risk of loss of value caused by an unfavourable trend in prices or market parameters. The parameters affecting the BNP Paribas Group s market risk include, but are not limited to, exchange rates, prices of securities and commodities (whether the price is directly quoted or obtained by reference to a comparable asset), the price of derivatives on an established market and all benchmarks that can be derived from market quotations such as interest rates, credit spreads, volatility or implicit correlations or other similar parameters.

BNP Paribas Group is exposed to market risk mainly through trading activities carried out by the business lines of its Corporate & Institutional Banking (CIB) operating division, primarily in Global Markets, which represented 15.4% of the BNP Paribas Group s revenue in 2020. BNP Paribas Group s trading activities are directly linked to economic relations with clients of these business lines, or indirectly as part of its market making activity.