Cap Gemini - Registration Document 2016

1 PRESENTATION OF THE GROUP AND ITS ACTIVITIES

1.7 Risk analysis

Information systems

Risk factors

New technologies (Cloud computing, “Bring your own device”, etc.) and new practices (social networks, mobility, Software-as-a-Service - SaaS, etc.) inevitably expose the Group to new risks. Risks relating to cyber criminality of all kinds could lead to a loss of data, delays in the delivery of our projects, service interruptions at our clients, or additional costs that could impact the reputation or financial health of the Group.

The systems underlying the publication of the Group’s consolidated financial statements also present a specific risk in view of the strict reporting deadlines.

Risk management systems

The Group has implemented business continuity procedures in the event of a disruption to IT services. The main management IT systems are covered by back-up plans in different data centers.

The Group is aware of the importance of internal communication network security, and protects its networks via security rules meeting the highest international standards, proactive controls, a detection center operating 24/7 and specific technical equipment such as firewalls. Rules and procedures are defined in a security policy founded on numerous international standards and procedures (our operating sites are certified ISO 27001). This security policy and the back-up plans are validated and audited periodically.

For some projects or clients, enhanced systems and network protection are provided on a contractually agreed basis.

The Group also has a program that seeks to control the cyber risks for its main systems. This dedicated structure is headed by the Cyber Security and Information Protection Director (CySIP).

This program covering exposure to cyber risks comprises three subgroups dealing with governance related issues (organization, policy and communication and awareness-raising) and five operational projects (data protection, mobility management, access management, information system control and steering and strengthening infrastructures).

The CySIP community includes cyber risk specialists in the following areas:

◗ CySIP Officers in the business units, for client project monitoring;
◗ Data Protection Officers responsible for the protection of personal data;
◗ Chief Information Security Officers responsible for the protection of internal information systems.

The aim of this program is to become a benchmark presented to our clients which helps strengthen the credibility of the Group on Digital and cybercrime issues.

The Group’s policy and organization for the protection of personal data were drawn up based on rules defined by the European Commission (Binding Corporate Rules - BCR) and validated by the CNIL (French National Commission for Data Protection and Liberties), for the processing and storage of our own data and that of our clients.

Service continuity

Risk factors

Capgemini’s evolving production model, Rightshore®, involves transferring a portion of the Group’s production of part of its services to sites or countries other than those in which the services are used or in which the Group’s clients are located and particularly India, Poland, China and other Asian and Latin American countries. The development of this model has made the Group more reliant on telecommunications networks, which may increase the risk of business interruption at a given production site due to an incident or a natural disaster, in so far as several operational units could be affected simultaneously. The use of a large number of production sites increases the range of contingency options available to the Group.

Risk management systems

Production systems and services provided by the Group to its subsidiaries are duplicated and covered by back-up plans that are tested.

Telecommunications networks used by the Group are duplicated in cases where “Rightshored” production resources are deployed. In the event of a breakdown in the preferred (fastest) communications network between Europe and India, service continuity is ensured by tried and tested alternative routes.

The Group’s Indian subsidiary has set up a Business Continuity Management (BCM) structure to ensure service continuity in line with the Good Practice Guidelines of the Business Continuity Institute (BCI). These measures take account of various degrees of hypothetical threats along with the related damages considering the situation and impacts on the site, urban agglomeration and possibly the country.

Communication (for example e-mail) and collaborative systems are covered by a redundant architecture at two data centers ensuring service continuity, or are hosted by a supplier with systems with similar redundancy and reliability measures.

Business continuity and resumption plans in the event of a disruption to the specific IT infrastructures of a given center, client or contact, are the responsibility of the Group subsidiaries.

Where required by specific contracts, a business continuity plan is prepared by selecting appropriate measures according to the criticality of the service. Reviews and simulations are performed in the subsidiary entities to test the efficiency of these plans. Certain of these entities have heightened security requirements reflecting certain clients’ imperatives and they are consequently certified ISO 27001 compliant by an independent agency.

Suppliers and sub-contractors

Risk factors

Capgemini is dependent upon certain suppliers, especially in its Technology Services and networks businesses. While alternative solutions exist for most software and networks, the failure of a supplier to deliver specific technology or expertise could have prejudicial consequences for certain projects.
