255 Life Is On | Schneider Electric www.se.com
Chapter 3 – How we manage risk at Schneider Electric
Strategic Report

3.1. Event triggered risks

1.1 Risk of cybersecurity on the Schneider Electric infrastructure and its digital ecosystem

Risk description

Schneider Electric, like other organizations with a similar global footprint and presence, is exposed to the risk of cyberattacks and data privacy breaches. As an industrial and technology company, the Group has IT and Operational Technology activities spread over more than 25 sites, with dozens of R&D sites, and more than 200 production and logistics units. On those sites, Operational Technology systems are converging more and more with IT systems, especially through the use of the Internet of Things (IoT), which expands the overall attack surface. Additionally, the move from a product-centered business model to a service-oriented business model with software (e.g., digital offers like “Advisors” software suites or managed digital services) and augmented data naturally increases cybersecurity risks, such as data breaches and intellectual property theft.

Risk monitoring and management

The NIST framework (Identify, Protect, Detect, Respond, and Recover) is used together with a Cyber Risk Register and a High-Value Assets program:
• Cyber threats are mitigated by implementing cyber practices and capabilities, policy-driven controls, and enforcement mechanisms. For example, the Group implemented a Data Protection program, a Source Code Management framework, and a System & Solution security program.
• A global cyber incident management and response process is in place. Events and incidents are monitored through a Security Operations Center, driven jointly with the Group’s partners.
• 99% of employees were trained on cybersecurity in 2021. Specific employee categories received mandatory training for risks linked to their activity.
• Multiple cyber risk assessments were completed in 2021 by the Group’s cybersecurity consulting partners.
Furthermore, the Group conducts regular crisis simulation exercises on different scenarios.
• Schneider Electric’s posture is continuously revisited and adapted through “reality checks”, including emergency and improvement plans across the Company and cyber scoring platforms.
• Independent “reality checks” were performed: three cross-cutting internal audits and external assessments.

1.2 Export controls

Risk description

International, foreign, and national export control laws and regulations govern the transfer of goods, services, and technologies within a country or between countries and/or their nationals. Elements that may trigger restrictions and licensing requirements include, but are not limited to, countries, parties, products, and end-uses. Schneider Electric, being a multinational corporation (MNC) with international operations spanning more than 100 countries worldwide, must constantly ensure full compliance with such laws and regulations by implementing a robust corporate export control compliance program. Any non-compliance may result in a significant impact on the Group’s businesses, results, reputation, and financial position. Although Schneider Electric’s product portfolio includes only a limited range of products with dual-use features, as well as non-dual-use goods (e.g., breakers) that may be used in sensitive applications, restriction or licensing requirements may apply to these products, especially if they are associated with politically sensitive countries and destinations.

Risk monitoring and management

Schneider Electric has comprehensive policies and processes to ensure compliance with applicable export control laws and regulations (the “Schneider Electric Export Control Program”) and to mitigate the risks described above.
The Global Export Control Center of Excellence, as part of the Schneider Electric Global Legal and Risk Management Function, oversees the monitoring and enforcement of the Schneider Electric Export Control Program. The Schneider Electric Export Control Program may include, but is not limited to, screenings for embargoed and restricted countries, denied parties, dual-use goods, and sensitive end-users; incorporation of an Export Control provision in the main sales and procurement contractual templates; and the conduct of regular awareness, online, and classroom training sessions for all relevant Schneider Electric employees. The Schneider Electric Export Control Program will continue to be enhanced and updated to ensure compliance with applicable export control laws and regulations.
Universal Registration Document