Universal Registration Document 2024


3. Cybercrime and IT systems failures
High ✔
Description of the risk

In a world where digital technology is evolving at breakneck speed, dependence on information technologies is a major strategic challenge. This dependence exposes the Groupe to significant and increasing risks, including ever more sophisticated malicious attacks, technical failures and insider threats, which may lead to service interruptions, the alteration or leakage of personal or sensitive data and the disclosure of confidential information.

2024 was marked by an intensification of attacks exploiting artificial intelligence, supply chains and cloud infrastructure vulnerabilities. The rise of automated attacks and Advanced Persistent Threats increases the complexity of protecting the digital assets of the Groupe and its partners.

Since 2020, the Groupe’s attack surface has expanded due to rapid digital transformation and the widespread shift to hybrid working, combined with the extensive use of cloud solutions and outsourced IT infrastructures. We are seeing a continuous increase in distributed denial of service (DDoS) attacks, ransomware and advanced phishing campaigns leveraging generative AI. These threats can directly affect the Groupe’s business, disrupt its operations and expose its clients and partners to security risks.

Systemic failures can be the result of malicious activities, natural disasters or technical deficiencies. They affect not only the Groupe, but also its partners and suppliers, potentially leading to long periods of disruption that could compromise our ability to serve our clients effectively.

In addition, regulatory requirements for cybersecurity continue to evolve, requiring increased risk oversight, better governance and faster incident response. Faced with these changes, the Groupe is constantly adapting its practices and strengthening its security controls to ensure its compliance with the expectations of clients, partners and regulators.

Finally, internal risks remain a major concern. Insufficiently trained staff or poor access management can lead to the unintentional disclosure of critical information. Internal malicious acts, although rare, can also seriously damage the Groupe’s reputation.

Risk management

The Global Security Office (GSO) implements remediation and resilience strategies, including rigorous security policies, ongoing employee training, regular security audits and well-established incident response plans. Compliance with evolving regulations is also a top priority to minimize non-compliance risks and potential fines.

The adoption of regular maintenance practices and systematic application of security updates are crucial to prevent vulnerabilities. The Groupe has also worked to improve its business continuity and resilience plans through crisis simulation exercises and attack tests. In addition, remote working requires special attention to the security of domestic networks and secure remote access to the Groupe’s information systems.

As part of its risk management approach, the Groupe continues to roll out ISO 27001 certification at its sites. Cybersecurity risks are also regularly quantified and were shared in 2024 with the Strategy and Risk Committee. This has been a working topic for the Board of Directors, the Strategic, Environmental and Social Committee as well as the Audit and Financial Risks Committee in early 2025.

The Groupe also assesses and mitigates supply chain risks, ensuring that suppliers and partners comply with strict security standards to prevent cross-functional attacks. The Groupe also deploys CNAPP (Cloud Native Application Protection Platform) and SSPM (SaaS Security Posture Management) solutions for ongoing monitoring and to strengthen cybersecurity controls at critical suppliers.

Faced with an increase in phishing and social engineering attacks, the Groupe is implementing proactive strategies to safeguard its reputation and ensure internal security, by making our teams aware of best practices in vigilance and digital security and by increasing the frequency of phishing simulations. The Groupe has also strengthened the capacity of the Security Operations Center (SOC) with artificial intelligence solutions.

These measures aim to minimize the potential impacts of cybercrime and systemic failures, remediation costs, revenue losses and damage to the Groupe’s reputation.