GEODIS // 2022 Activity and Sustainability Report

5.4 Data protection

In view of the increasing digitalization of processes and the sharing of sensitive information with its customers, GEODIS is constantly adapting its prevention, detection and protection capabilities for its IT systems. The Group may be confronted with risks of hacking, malicious use of information systems or theft of confidential information. Particular attention is paid to these threats: any disruption to operations or loss of sensitive data could have a significant impact on its business and its reputation.

GEODIS is determined to control the risks relating to the data it handles and to its processing systems, whether they are dedicated to production resources or to its own operations. Substantial resources, steadily increasing since 2010, are devoted to this area in recognition of the rapid growth in the global panorama of cyber threats and the crucial importance of the Group’s infrastructures in serving its ecosystem.

The cybersecurity function, which reports to the Management Board, implements a global strategy in all regions where the Group operates, irrespective of the line of business involved. Governance is established through:

• a matrix organization consistent with the corporate structure;
• risk analyses and ad hoc risk mitigation measures;
• a general IT security policy, incorporated into the Group’s Book of Business Principles;
• specific policies in line with benchmark standards in this area;
• a “Security By Design” approach, which ensures that security requirements are included in the design phases of services and products rolled out by the company as part of its digital transformation.

All Group entities are required to comply with these rules and principles in addition to whatever local regulations are in force.

Three internal lines of defense play a part in protecting the Group’s data:

• security operations, led by the technical departments, which ensure the implementation and maintenance in operational condition of risk mitigation resources;
• governance, risk and compliance, led by the Group’s head of cybersecurity, managing risks, global strategies, policies and major transformation plans;
• internal/external auditors monitoring their implementation and any potential deviation.

To supplement this organization, the Group is supported by a network of committed partners and a significant catalog of tools enabling it to tackle the five pillars as described by the National Institute of Standards and Technology (NIST).

1. Risk identification, by way of a classification of sensitive assets, their vulnerability and potential threats that could impact their confidentiality, availability or integrity.
2. Protection of these assets and promotion of cyberculture by regularly raising awareness among users, who are the primary players in the company’s security, through training and attack simulation campaigns. More than 5,000 users are called on to take part every month.
3. An ability to detect weak signals and deviations from compliance indicating potential areas of compromise on over 30,000 active devices.
4. The means of responding to alerts and incidents, represented by its Security Operation Center and intervention teams around the world providing 24/7 coverage.
5. Cyber resilience, making it possible to anticipate potential crises more confidently.

GEODIS is represented on leading cyber working groups involving major French companies, including the CESIN (Club des Experts de la Sécurité de l’Information et du Numérique), the CLUSIF (Club de la Sécurité de l’Information Français) and the CIGREF (Club Informatique des Grandes Entreprises Françaises).
