How do you assess the cyber maturity of your supply chain?

Crédit Agricole has several thousand suppliers with varying levels of cybersecurity maturity. Large companies have anticipated and are following regulatory developments, such as DORA, which sets principles but allows for a certain degree of freedom of interpretation.

With other suppliers, we are deploying a number of tools, emphasizing contractualization, and working to raise awareness with the group's purchasing department.

Once a year, we organize a meeting day where we review regulatory developments. For some small suppliers, training is required on an almost daily basis. We therefore engage in extensive dialogue with suppliers, both at the group level and within the various entities that have their own responsibilities in this process.

In a context of increasingly sophisticated threats, what do you really expect from your service providers?

Transparency. One of our suppliers suffered a minor data leak and was instructed not to say anything, which is always a very bad sign.

We don't audit them for fun, but they are an integral part of our value chain and we need transparent and responsible communication.

Tools such as Security Rating create another opportunity to engage with a supplier and better manage cyber risk. Having regular discussions beyond the tendering or contracting phases is an important way to raise awareness among suppliers and help them improve.

“For some small suppliers, training is needed on an almost daily basis,” says Cyril Roger

In a group as federal as Crédit Agricole, how do you coordinate cyber crisis units?

The Crédit Agricole Group has a great deal of experience in this area. We have established clearly defined lines of defense and mandates between the group's various structures and central teams.

We have adjusted our systems, with the key principles of cross-functionality, explicit mandates, and sufficient tools that do not add complexity.

About Cyril Roger

Cyril ROGER has been head of the IT Supplier Ecosystem at the Crédit Agricole Group since 2024. An engineer by training, he joined the Fédération Nationale du Crédit Agricole in 2012, first as head of Security and Safety, then as head of the Purchasing and Supplier Relations department, before joining Crédit Agricole SA in mid-2024.
