
Making cybersecurity a lever for dialogue with suppliers - Cyril Roger, Crédit Agricole Group

How do you assess the cyber maturity of your supply chain?

Crédit Agricole has several thousand suppliers who do not all have the same level of cyber maturity. Large companies have anticipated and are following regulatory developments such as DORA, which establishes principles but leaves some room for interpretation.

With other suppliers, we deploy a number of tools, emphasize contractualization, and carry out awareness-raising work with the Group Procurement Department.

Once a year, we organize a networking day to review regulatory developments. For some small suppliers, almost daily training is required. We therefore have frequent exchanges with suppliers, both at the group level and within the various entities that have their own responsibility in this process.

In a context of increasingly sophisticated threats, what do you really expect from your service providers?

Transparency. One of our suppliers experienced a small data leak and was instructed not to say anything—this is always a very bad sign.

We don’t audit them for fun, but they are an integral part of our value chain, and we need transparent and responsible communication.

Tools such as Security Rating create another opportunity to engage in dialogue with a supplier and to better manage cyber risk. Having regular exchanges beyond tendering or contractual phases is an important way to raise supplier awareness and help them improve.

“For some small suppliers, almost daily training is required” - Cyril Roger

In a group as federated as Crédit Agricole, how do you coordinate cyber crisis units?

The Crédit Agricole Group has a high level of maturity in this area. We have established lines of defense and clearly defined mandates between the group’s various structures and the central teams.

We have adjusted our systems based on key principles of cross-functionality, explicit mandates, and sufficient tooling—but without creating unnecessary complexity.

About Cyril Roger

Cyril ROGER has been Head of the IT Supplier Ecosystem Framework at the Crédit Agricole Group since 2024. An engineer by training, he joined the Fédération Nationale du Crédit Agricole in 2012, first as Head of Security & Safety, then as Head of the Procurement and Supplier Relations Department, before joining Crédit Agricole SA in mid-2024.
