In a world where digital technologies are evolving at an unprecedented pace, dependence on information technologies is a major strategic challenge. This dependence exposes the Groupe to significant and increasing risks, including increasingly sophisticated malicious attacks, technical failures and internal threats, which may result in service disruptions, data alterations, personal or sensitive data leaks and the disclosure of confidential information.
2025 was marked by the continued intensification of attacks leveraging artificial intelligence, supply chains and cloud infrastructure vulnerabilities. The rise of automated attacks and Advanced Persistent Threats increases the complexity of protecting the Groupe’s and its partners’ digital assets. The asymmetry between attackers and defenders is becoming increasingly pronounced.
Since 2020, rapid digital transformation and the widespread adoption of hybrid working, combined with the extensive use of Cloud solutions and outsourced IT infrastructures, have expanded the Groupe’s attack surface. We are seeing a continuous increase in distributed denial of service (DDoS) attacks, ransomware incidents and advanced phishing campaigns leveraging generative AI. These threats may directly affect the Groupe’s business, disrupt its operations and expose its clients and partners to security risks.
Systemic failures may result from malicious activities, natural disasters or technical deficiencies. They may affect not only the Groupe, but also its partners and suppliers, potentially leading to prolonged disruptions and impairing the ability to serve clients effectively.
In addition, cybersecurity regulatory requirements continue to evolve, imposing enhanced risk monitoring, stronger governance and faster incident response. In response to these developments, the Groupe continuously adapts its practices and strengthens its security controls to ensure compliance with the expectations of clients, partners and regulators.
Finally, internal risks remain a major concern. Insufficiently trained personnel or inadequate access management may lead to the unintentional disclosure of critical information. Internal malicious acts, although rare, may also cause significant reputational harm to the Groupe.
The Global Security Office (GSO) implements remediation and resilience strategies based on robust security policies, continuous employee training, regular security audits and well-established incident response plans. Compliance with continuously evolving regulations is also a key priority, aimed at mitigating non-compliance risks and potential fines.
The adoption of regular maintenance practices and the systematic deployment of security updates are essential to preventing vulnerabilities. The Groupe has also strengthened its business continuity and resilience frameworks through crisis simulation exercises and attack testing. In addition, the increased exposure resulting from hybrid working models and remote access requires heightened attention to home network security and secure remote access to the Groupe’s information systems.
As part of its overall risk management approach, the Groupe continues to roll out ISO 27001 certification across its sites and conducts regular cybersecurity risk quantification exercises. Cybersecurity was also a topic of discussion at Board level, including within the Board of Directors, the Strategic, Environmental and Social Committee, and the Audit and Financial Risks Committee in early 2025.
The Groupe also assesses and mitigates supply-chain-related risks by ensuring that suppliers and partners comply with stringent security standards in order to prevent cross-functional attacks. In this context, the Groupe is deploying CNAPP (Cloud Native Application Protection Platform) and SSPM (SaaS Security Posture Management) solutions to ensure continuous monitoring and to strengthen cybersecurity controls among critical suppliers.
In response to the increase in phishing and social engineering attacks, the Groupe has implemented a proactive approach to protect its reputation and enhance internal security. This includes raising employee awareness of best practices in vigilance and digital security, as well as increasing the frequency of phishing simulation campaigns. The Groupe has also strengthened the capabilities of its Security Operations Center (SOC) through the integration of artificial intelligence-based solutions.
These measures are intended to limit the potential impacts of cybercrime and systemic failures, including remediation costs, revenue losses and reputational damage to the Groupe.