
In a context of accelerated digital transformation, Crédit Agricole places cybersecurity and IT risk management at the centre of its strategy. With an annual investment of €5 billion in IT, up 35% over the last five years, the Group is affirming the strategic importance of information systems for all its businesses.

"Technical malfunctions, even minor ones, are immediately noticeable and cause significant dissatisfaction among our customers. These high expectations are directly linked to the trust capital we have built over the years, which is one of the Group's main assets. The optimal functioning of our information systems is a fundamental element in preserving and strengthening this trust capital." 

François Delzant, Group Cybersecurity and IT Risks Director

The purpose of cybersecurity for Crédit Agricole

The main mission of cybersecurity within the Group is twofold: to protect our assets and to guarantee the continuity of our services, while preserving the trust that our customers place in us. This trust is one of the Group’s main assets.
"Our mission for the Group is to protect our information systems and our customers' data from various threats that could disrupt our activities," the Cybersecurity Division said. These threats can be related to an accident, an error, but also to malicious actors seeking to harm, steal sensitive data or attack financial assets.

 

An ecosystem of technical interdependencies

Today's IT system functions as an ecosystem characterised by many technical interdependencies. The Group is increasingly linked to third parties, suppliers, partners and customers. To control the risks associated with this growing ecosystem, several approaches are favoured:

  • In-house control of key activities, such as with the private cloud of - GIP
  • Strict control of outsourced services
  • Ensuring the reversibility of activities entrusted to third parties

The new European regulatory framework DORA reinforces this approach by requiring financial institutions to take end-to-end responsibility for their digital service chains.

 

Facing an ever-changing cyber threat

Cybercrime ranks third among emerging risks according to Axa's 2024 Future Risks Report. The National Agency for Security of Information Systems (ANSSI) confirms a constantly increasing threat, amplified by the deterioration of international relations.
Three main threat families have been identified for the Group:

  1. Cybercrime, attracted by the lure of potential profit, mainly through fraud targeting our customers
  2. Activism, which seeks to disrupt our activities to affect our image and, often, that of France
  3. State-related risks, including attempts at espionage or destabilisation

 

These threats are intensifying for several reasons:

  • Heightened geopolitical tensions
  • The sophistication of cybercrime, including the use of AI for advanced social engineering attacks
  • Growing interdependence with the ecosystem of suppliers and partners
  • Risks related to emerging technologies such as AI and quantum computing

In 2023, the Group’s teams blocked about 300 pieces of malware per month on the fleet they manage, illustrating the reality of continuous attacks against the Group.

 

A comprehensive cyber risk response

The Group’s response to the cyber threat is based on a comprehensive system with four complementary axes:

  1. Avoid the problem as much as possible
  2. Limit impact in the event of an incident
  3. Be ready to manage the crisis
  4. Have a proven recovery capability

"You also have to be able to manage the problem when it happens, because the problem happens," says the Cybersecurity Directorate. Strong governance is also fundamental, with "clear policy, controls, well-established roles and responsibilities, good reporting".
The Group deploys a system that covers protection mechanisms on IT tools, 24/7 detection of any suspicious activity, and response and recovery capabilities in case of problems. Ongoing tests are also conducted to check the effectiveness of defences and to practise responding in the event of an incident.

 

Regulation: constraint or opportunity?

The financial sector is particularly regulated, with the aim of ensuring the stability of the French and European economies. The European Central Bank (ECB) regularly monitors the correct implementation of regulations through its supervision.
While these regulations may be perceived as constraints, they also represent an opportunity to strengthen the Group’s security. "This is the basis of trusted digital technology," says the Cybersecurity Directorate. The ECB is also implementing stress tests in various areas, including cybersecurity.

 

Security and development: a necessary balance 

We must not pit security against development. On the contrary, security can and must be a factor that enables the Group to develop, and even a differentiating factor. Used well, technology most often makes it possible to offer a top-level customer and employee experience without sacrificing security, especially when security is taken into account from the design phase of projects ("security by design").

 

The involvement of employees and customers

The involvement of employees is essential because the human factor is key in defence capabilities. The Group regularly conducts innovative awareness-raising activities (audio fiction, mini-series) and training, as well as phishing tests to train employees to recognise malicious emails.
On the customer side, several specific support mechanisms exist, particularly for SME customers. Individual customers are also regularly made aware of the risks of fraud, so that they adopt good "cyber hygiene" practices.

 

Towards strategic autonomy and digital sovereignty


The current context raises the question of the Group’s resilience on several levels:

  • The ability to cope with the amplification of cyber risks
  • The ability to cope with service cuts
  • The ability to deal with provider failures

The central issue is strategic autonomy: developing and operating critical systems with a controlled level of dependence on suppliers and their own supply chains.


This strategic autonomy is important for two main reasons:

  • With regard to customers, the Group must provide strong guarantees in terms of data protection and business continuity
  • For the Group itself, it is a matter of sustainable performance

Crédit Agricole wants to boost its digital trust, i.e. guarantee the security, reliability and integrity of exchanges and data in the digital space. The topics of strategic autonomy and cybersecurity are therefore essential prerequisites for this ambition.
 
