2023 UNIVERSAL REGISTRATION DOCUMENT

General and financial elements

Risk identification
  • Cyberattacks: attacks on information systems
  • Data leaks: loss or disclosure of data
  • Cyberespionage: eavesdropping or theft of confidential data

Possible consequences:
  • Damage to the Group’s reputation
  • Financial loss
  • Unavailability of information systems
  • Non-compliance
Risk management procedures

In 2023, VINCI continued the rollout of its overall IT security policy, under the impetus of the Executive Committee member serving as the Group’s cybersecurity coordinator.

In order to raise the Group’s level of security, VINCI’s Chief Information Security Officer (CISO) introduced a transformation plan called CyberShields for the 2022-2024 period, which has four main focus areas:

  • The first relates to the security policy, governance, user awareness campaigns and audits.
  • The second involves the launch of an integrated technology solution, covering the protection of emails, workstation security, Active Directory compliance and identity, vulnerability and access management.
  • The third pertains to services, with the introduction of a cyber-as-a-service (CaaS) approach, which allows for the pooling of some investments. It is already a feature of the Group’s computer emergency response team (VINCI-Cert) created in 2019, which disseminates security alerts and information to all of the Group’s business lines. This structure is supplemented by an outsourced security operations centre (SOC), which was put in place one year ago.
  • The last concerns automated threat detection, taking advantage of advanced algorithms as well as artificial intelligence to improve cybersecurity team effectiveness.

The principal activities carried out were as follows:

  • regular progress reports by the Information Systems Department to the Executive Committee on projects that are part of the Group’s cybersecurity programme;
  • update of the multi-year cybersecurity plan with representatives of each of the business lines;
  • rollout of new services by VINCI-Cert, both centrally and in the business lines, so as to improve the management of cybersecurity incidents, with dashboards for real-time tracking of incidents and responses now made available to the Group’s decision-makers;
  • strengthening of audits and controls on the application of the IT security policy, carried out jointly with the Audit Department (the auditor reports directly to VINCI’s CISO);
  • update of VINCI’s cybersecurity radar, which measures the level of cybersecurity maturity in all of the Group’s entities;
  • standardisation and rollout of workstation security and digital identity management mechanisms;
  • rollout of numerous initiatives to raise awareness among all employees;
  • more simulated phishing campaigns directed at employees to raise awareness;
  • intrusion tests on the Group’s critical infrastructure;
  • resilience improvements for IT infrastructure essential to the Group’s businesses (redundancy, recovery);
  • simulation of cyber crises at Group level and by business line;
  • implementation of an outsourced SOC providing follow-the-sun 24/7 support;
  • establishment of a cyberattack prevention system in collaboration with VINCI Stadium aimed at securing the VINCI Group’s infrastructure assets during major events such as the Rugby World Cup in 2023 and the Olympic and Paralympic Games in 2024.
1.3.2 Fraud
Risk identification

Fraud: intentional act by an employee or a third party aimed at embezzling Group assets

The systems of a group as decentralised and diversified as VINCI are exposed to the risk of both internal and external fraud, especially as regards payment systems. Attempts at fraud generally target the individuals involved in external payment processes.

Possible consequences:

  • Financial loss
  • Damage to the Group’s reputation
Risk management procedures

External fraud prevention involves several Finance Department, Security Department and Information Systems Department units. The core system includes reporting via an online platform (with a link on VINCI’s intranet), enabling central services to react immediately and facilitating analysis of fraud attempts.

The fraud prevention instructions available on the Group’s intranet specify the correct conduct when fraud is suspected, guidelines on means of payment, and the awareness-raising measures to be taken for the key personnel who face this kind of situation.

Specific information and recommendations are regularly distributed to CFOs and anti-fraud coordinators.

Internal fraud prevention is based on VINCI’s Code of Ethics and Conduct as well as on specific training or awareness initiatives. It is described in paragraph 2.4, “Business ethics”, of chapter E, “Workforce-related, social and environmental information”, pages 219 to 221.

The procedure entitled “Preventing and combating fraud at VINCI SA” published on the Group’s intranet covers internal and external fraud and lists the Group personnel involved in combating fraud. It also provides an overview of all systems implemented to prevent and combat fraud effectively.

1.4 Workforce-related and social risks

The Group’s workforce-related and social risks are set out in full in section 4 of chapter E, “Workforce-related, social and environmental information”, which reports on the duty of vigilance plan (see page 260). The information provided in this section includes both the impact that VINCI’s activities can have on workforce-related and social issues and, vice versa, the potential effects of those issues on the Group.

Group companies are subject to risks related to the working conditions of their employees. They must also deal with the significant impact they have on stakeholders and communities in the regions where they are active. These workforce-related and social risks are taken into account at every project stage and are analysed far upstream so as to identify local issues and the expectations of stakeholders, including employees and their representatives. Appropriate measures are implemented as a result of this analysis. Similar analyses are carried out regularly throughout the life of each project.