2018 Registration document and annual financial report - BNP PARIBAS 433
5 RISKS AND CAPITAL ADEQUACY PILLAR 3
Operational risk
CYBER SECURITY AND TECHNOLOGY
The use and protection of data and technologies are determining factors for the Bank's activity and its transformation process.
While the Bank continues the roll-out of Digital Banking (for the Group's customers and partners) and Digital Working (for the Group's employees), it must incorporate new technology and innovative risk management practices, and establish new working methods. This introduces new technology risks in the cyber security arena.
Technology management and information systems security is part of the Group's cyber security strategy. This strategy is focused on the preservation of the most sensitive data, regularly adapting both its internal processes and procedures, and its employee training and awareness to contend with increasingly sophisticated and varied threats.
To best protect its technology and data, the Group has adopted a comprehensive approach in cyber security management:
■ operational entities are the first line of defence. Since 2015, the Group has introduced across all of the entities a transformation programme based on the international standard NIST (National Institute of Standards and Technology). This programme is regularly updated taking into account the new threats and recent incidents identified around the world;
■ as a second line of defence, the team dedicated to managing cyber security and technology risk (RISK ORC ICT), reporting to the Chief Cyber and Technology Risk Officer, is tasked with:
  ■ presenting the Group's cyber security and technology risk position to the Group Executive Committee, the Board of Directors, and the supervisory authorities,
  ■ monitoring the transformation programme across the entire Group,
  ■ integrating the cyber security and technology risk aspects into all major projects within the Group,
  ■ ensuring that policies, principles and major projects take aspects of cyber security and technology risk into consideration,
  ■ monitoring existing risks and identifying new threats likely to have a negative impact on the Group's business,
  ■ overseeing third-party information systems risks within a strengthened framework,
  ■ conducting independent assessment campaigns on priority objectives,
  ■ taking measures to assess and improve the Group's ability to respond to failings and incidents.
The applicable risk framework has also been revised to respond to the new technology and cyber security risks. These latter include:
■ availability and continuity risks:
The availability of data and information systems is vital for the Bank's business continuity in a crisis or emergency. The Group regularly manages, improves, and checks the crisis management and recovery plan, by testing its capacities to back up data, and the robustness of its information systems, using stress scenarios;
■ security risks:
Information systems security risks are constantly on the rise. They come from both the Bank's external environment (hackers, systems managed on a network external to the Bank, or by a third party, etc.) and its internal environment (malicious act, lack of awareness, etc.). The Group assesses the threats and corrects the risks it detects;
■ change-related risks:
The Group's information systems are changing rapidly due to the transformation process, engendering new risks associated with such changes. These risks, identified during the systems design or modification phases, are regularly assessed to ensure that the proposed solutions are consistent with the needs of the Group's business lines;
■ data integrity risks:
Confidentiality of customer data and transaction integrity are also areas covered by the Bank's continuous quality approach, not only to counter the threats described earlier but also to provide the Group's customers with a service that meets their expectations. The Group has also launched internal projects to comply with the European Directive No. 2016/679 of 27 April 2016 (GDPR, General Data Protection Regulation) in 2018;
■ third-party information systems risks:
With certain activities outsourced, the Bank may interact with information systems other than its own. However, it remains liable to its clients and regulators for the technology and cyber security risks inherent in these third-party systems. The Group's two lines of defence manage these risks at every step of third-party information system integration until the end of the relationship.
The Group addresses both the technological and cyber security risks as well as the requirements of the laws, regulations, and standards in force.