2020 CSR REPORT
BOLLORÉ LOGISTICS

2.1 4 GUARANTEEING INFORMATION SYSTEM SECURITY THROUGH ENHANCED CYBERSECURITY AT BOLLORÉ LOGISTICS AND AMONG ITS PARTNERS AND CUSTOMERS

The digitalization of the supply chain has evolved, leading to a rapid transformation of Bolloré Logistics’ environment while generating a wealth of opportunities and risks. Like other companies, Bolloré Logistics is increasingly vulnerable to the following risks:
• reputational damage or reduced turnover due to a data breach;
• systems risks due to unauthorized access or control of a system;
• system vulnerability inherent to cloud data storage and cloud computing.

According to a study conducted in 2019 by CESIN (information and digital security experts association), eight in ten companies claim to have been badly affected by cyber attacks which seek out sensitive company data or personal information (e.g. bank data, login details, etc.) in order to use or sell it for profit. The CESIN study underlines the severe consequences of these attacks on company activity (production stoppage, significant unavailability, loss of turnover, etc.). Phishing and ransomware are well-known examples of malevolent acts that harm private individuals and companies.

The information system security policy is overseen by the Information Systems Department, organized by the Bolloré Transport & Logistics division and managed by the Chief Information Security Officer. It was updated in 2019 and therefore applies to all business units, including Bolloré Logistics. This policy underpins the information system strategies as well as the charters for information system users and administrators.

The information system security management system aims to:
• prevent by minimizing exposure to risk through suitable measures;
• react effectively to incidents and crises;
• check the proper application of measures and compliance to ensure the continuous improvement of information security.

The information system security management system (ISMS) used in the Group is based on the ISO 27001:2013 standard, which manages security in all of its subsidiaries worldwide. It is also based on a delegation and responsibility model with the use of the LISO (Local Information Security Officer) network.

In its transport and logistics organization activities, Bolloré Logistics exchanges data with its external partners, such as transport and data suppliers and customers. Thus, the company’s policy covers cyber resilience issues in order to:
• implement security measures to respond to cyber risks identified by General Management;
• guarantee the service provided to customers of the Information Systems Department to meet the expectations of Bolloré Logistics’ end customers;
• ensure the security of data processed on behalf of customers;
• ensure the security of information system users’ personal data;
• comply with the contractual and regulatory requirements in terms of information security.

Thus, a comprehensive system is in place combined with specific documents and procedures, such as the access control, server security, application-based security plan, backup, audit and physical security strategies. A master plan with a three-year road map is periodically monitored by the company’s General Management. The ISO 27001:2013 certification process is underway with the aim of achieving certification by late 2021. The IT System Department uses EGERIE solutions to manage risk.

In 2019, Bolloré Transport & Logistics set up a Security Operations Center to help the company and its subsidiaries better respond to current risks and develop resilience and expertise on these sensitive information security breach topics. Specific Bolloré Logistics issues in this area are analyzed and taken on board in a specific cybersecurity approach.