2019 Universal registration document and annual financial report - BNP PARIBAS
5 Risks and capital adequacy - Pillar 3
Operational risk
Technology management and information systems security is part of the Group's cyber security strategy. This strategy is focused on the preservation of the most sensitive data, regularly adapting both its internal processes and procedures, and its employee training and awareness to contend with increasingly sophisticated and varied threats.
To best protect its technology and data, the Group has adopted a comprehensive approach in cyber security management through its three lines of defence:
■ operational entities are the first line of defence. Since 2015, the Group has introduced across all of the entities a transformation programme based on the international standard NIST (National Institute of Standards and Technology). This programme is regularly updated taking into account the new threats and recent incidents identified around the world;
■ as a second line of defence, the team dedicated to managing cyber security and technology risk (RISK ORC ICT), reporting to the Chief Cyber and Technology Risk Officer, is tasked with:
  ■ presenting the Group's cyber security and technology risk position to the Group Executive Committee, the Board of directors, and the supervisory authorities,
  ■ monitoring the transformation programme across the entire Group,
  ■ integrating the cyber security and technology risk aspects into all major projects within the Group,
  ■ ensuring that policies, principles and major projects take aspects of cyber security and technology risk into consideration,
  ■ monitoring existing risks and identifying new threats likely to have a negative impact on the Group's business,
  ■ overseeing third-party information systems risks within a strengthened framework,
  ■ conducting independent assessment campaigns on priority objectives,
  ■ taking measures to assess and improve the Group's ability to respond to failings and incidents;
■ as the third line of defence, the role of General Inspection is to:
  ■ assess the processes put in place to manage ICT risks, as well as associated controls and governance,
  ■ check for compliance with laws and regulations,
  ■ propose areas of improvement to support the mechanisms put in place.
The Group is responding to new technological and cybersecurity risks as follows:
■ availability and continuity risks:
BNP Paribas relies heavily on communication and information systems across all its business activities. Any breach in the security of these systems could lead to failures or interruptions in the systems used to manage customer relations or to record transactions (deposits, services and loans) and could incur major costs to recover and verify compromised data. The Group regularly manages, improves and checks its crisis management and recovery plans, by testing its data recovery services and the robustness of its information systems, using various scheduled stress scenarios;
■ security risks:
the Bank is vulnerable to cybersecurity risk, or risk caused by malicious and/or fraudulent acts, committed virtually, with the intention of manipulating information (confidential, bank/insurance, technical or strategic data), processes and users, that may result in material losses for the Group's subsidiaries, employees, partners and customers. The Group continually reassesses all threats (which are increasing both in number and in sophistication) and corrects the risks detected in good time by taking effective countermeasures;
■ change-related risks:
the Group's information systems are changing rapidly in the light of digital transformation. These risks, identified during the systems design or modification phases, are regularly assessed to ensure that the proposed solutions are consistent with the needs of the Group's business lines;
■ data integrity risks:
confidentiality of customer data and transaction integrity are areas covered by the same systems set up in response to Regulation (EU) No. 2016/679 of 27 April 2016 (General Data Protection Regulation, GDPR), intended to provide the Group's customers with a service that meets their expectations;
■ third-party information systems risks:
the Bank is exposed to risks of default, breaches or operational capacity constraints when it interacts with third parties, including customers, financial intermediaries and other market operators. The Group's three lines of defence manage these risks at every step of third-party information system integration until the end of the relationship.
The Group addresses both technological and cyber security risks as well as the requirements of the laws, regulations, and standards in force.