WEBVTT

00:00:00.000 --> 00:00:15.540
Hello everyone, the CCIG is delighted to welcome you to this SME breakfast with our partners, OCEI and the State, with whom we've been working for over two decades.

00:00:15.540 --> 00:00:23.840
So it's a formula that works, it's a formula that works, and the success and number of entrepreneurs here this morning is a real pleasure.

00:00:24.420 --> 00:00:34.427
The CCIG, really in three lines, three strategic pillars. The first pillar is an entrepreneurs' club, a marketplace. We organize over 120 events,

00:00:34.292 --> 00:00:44.705
conferences and training courses a year. The second pillar is a political lobby. We bring the voice of the economy to politicians and the political arena.

00:00:44.705 --> 00:00:51.805
And we run campaigns, on our own or with party associations and business associations who are our allies.

00:00:52.060 --> 00:01:01.602
The third pillar is international trade. We support companies in their export activities, which they really need at the moment. We also organize a whole

00:01:01.540 --> 00:01:09.038
range of seminars. We're about to launch an export club. We're also organizing an economic delegation to Dubai and Cairo.

00:01:09.100 --> 00:01:15.520
And if you're interested in all we have to offer, all we do, you're welcome to ask questions or visit our website.

00:01:15.520 --> 00:01:22.260
I'll hand over to Kustrim to explain a little about the morning's activities. Thanks again for your time.

00:01:22.260 --> 00:01:24.260
Thank you, Elsa.

00:01:24.260 --> 00:01:34.680
So I'd like to join the Chamber and Elsa in welcoming you to this breakfast for SMEs and startups.

00:01:36.420 --> 00:01:40.960
There was little doubt that this subject would be a big hit today.

00:01:40.960 --> 00:01:44.080
So we're obviously delighted to see a full house.

00:01:44.080 --> 00:01:52.040
Obviously, today's theme is a major and growing issue for you, companies, SMEs and start-ups.

00:01:52.040 --> 00:01:58.120
The aim of the morning is to give you a number of concrete tools to help you achieve your goals,

00:01:58.120 --> 00:02:02.420
that you could put in place fairly quickly within your companies.

00:02:02.420 --> 00:02:10.980
So our aim is not simply to help you manage your data, but to provide you with the tools you need to master your data.

00:02:10.980 --> 00:02:13.160
What does it mean to have control over data?

00:02:13.160 --> 00:02:18.140
It means efficient, safe management that complies with current standards.

00:02:18.140 --> 00:02:21.580
As we all know, the standards in force are extremely complex.

00:02:21.580 --> 00:02:29.680
So today we're lucky enough to be joined by a number of experts who will be with you all morning,

00:02:29.680 --> 00:02:34.120
both in the presentation and the question-and-answer sections,

00:02:34.120 --> 00:02:38.380
to help you answer a number of questions.

00:02:38.380 --> 00:02:41.080
So what do I actually have to do every day?

00:02:41.080 --> 00:02:45.380
What technological solutions are there for me?

00:02:45.380 --> 00:02:50.640
And finally, how can I be part of an economic lever?

00:02:50.640 --> 00:02:55.720
Because data isn't just there to provide information about your situation

00:02:55.720 --> 00:02:58.900
or customer situations, but it's also an economic lever,

00:02:58.900 --> 00:03:09.540
an asset that if you know how to use it perfectly, you can obviously create performance for your company, both organizationally and in terms of the market.

00:03:09.540 --> 00:03:13.940
I'd like to thank today's speakers.

00:03:13.940 --> 00:03:24.360
For our part, we're also trying to play a role as a public administration to support you in this digital transition and digital transformation,

00:03:24.360 --> 00:03:28.280
which, as I said, is also important for Geneva's economy.

00:03:28.280 --> 00:03:30.280
It's an asset we want to develop.

00:03:30.280 --> 00:03:34.420
And the canton of Geneva's new economic strategy

00:03:34.420 --> 00:03:38.680
which was buried by the Conseil d'Etat last August, so it's hot off the press,

00:03:38.680 --> 00:03:45.360
puts a strong emphasis on supporting SMEs through the various transitions.

00:03:45.360 --> 00:03:48.000
And naturally, the digital transition is one of them.

00:03:48.000 --> 00:03:51.420
So what does all this mean in concrete terms?

00:03:51.420 --> 00:04:00.369
We really want to raise awareness and support all companies, because we don't want this to be a sector-based approach, because it's not just

00:04:00.306 --> 00:04:05.537
certain sectors that need to embrace this digital transformation, it's all sectors.

00:04:05.600 --> 00:04:12.780
So at their own pace, according to their own needs, but we need to support the whole economy in this transition.

00:04:13.020 --> 00:04:24.630
So, in concrete terms, we've already set up awareness-raising courses on topics such as cybersecurity, artificial intelligence,

00:04:24.540 --> 00:04:29.490
blockchain, data protection and digital responsibility.

00:04:29.580 --> 00:04:36.040
We now have a number of training courses and guides to help you get started.

00:04:36.140 --> 00:04:38.860
You'll find it all on innovation.ge.ch.

00:04:38.860 --> 00:04:44.380
And our ambition for the future is to develop this support offer

00:04:44.380 --> 00:04:49.600
to equip you even better for the digital challenges ahead.

00:04:49.600 --> 00:04:51.820
So that's all from me.

00:04:51.820 --> 00:04:57.800
I'd still like to conclude with a word about an upcoming event.

00:04:57.800 --> 00:05:02.240
The Digital Economic Forum will take place on December 12 at FER Genève.

00:05:02.240 --> 00:05:05.560
As the name suggests, it will be about digital issues.

00:05:05.740 --> 00:05:17.100
As you're interested in the subject today, I invite you to go along to this conference, which is a little bigger, lasting half a day with plenary sessions and workshops.

00:05:17.100 --> 00:05:30.800
A few thanks to the CCIG for hosting this event, and to our partners. Normally, we play the slide and you see them, so I'd like to mention 10 names.

00:05:31.660 --> 00:05:41.300
Frédéric Thomasset, editor-in-chief of Bilan magazine, will be moderating the morning session, and will also take questions at the end.

00:05:41.300 --> 00:05:45.200
And, once again, thank you to the speakers and I wish you a very good conference.

00:05:45.200 --> 00:05:49.960
Thank you Kustrim.

00:05:49.960 --> 00:05:56.260
Let me take the lectern, presidential seat.

00:05:56.860 --> 00:06:03.260
Hello everyone, I too would like to welcome you to this breakfast for SMEs and start-ups.

00:06:03.260 --> 00:06:11.360
Today, to moderate and lead a discussion on the complex subject presented above, you need to master this data.

00:06:11.360 --> 00:06:18.860
As a prelude to this event, I took the liberty of sounding out the Bilan ecosystem, the ecosystem of SMEs in which we like to gravitate,

00:06:18.860 --> 00:06:22.980
with whom we like to talk, to find out where we stand on this issue.

00:06:22.980 --> 00:06:29.700
So, are we ahead or behind? I was told "yeah, well, a little better". So

00:06:29.700 --> 00:06:34.020
I agree, it's a very diplomatic answer, so I suggest, without further ado

00:06:34.020 --> 00:06:38.400
of diplomacy, to enter into the debates today. Let me introduce the program

00:06:38.400 --> 00:06:43.980
of the day. So we're going to start, so first we have until 10 o'clock, that's the part we're going to do.

00:06:43.980 --> 00:06:47.580
presentation, with a first part on data archiving and signatures

00:06:47.580 --> 00:06:51.660
legal framework and practical implementation, management follow-up

00:06:51.660 --> 00:06:55.620
data risks and compliance, practical advice on how to protect these

00:06:55.620 --> 00:07:01.320
data, and the choice and implementation of IT solutions. Subsequently and in

00:07:01.320 --> 00:07:05.760
parallel, you know that, so those who have already participated know that there are

00:07:05.760 --> 00:07:10.200
opportunity to ask questions. We'll play the slide, so here's the

00:07:10.200 --> 00:07:15.600
slido. So from now on, as soon as the debates begin, you can

00:07:15.600 --> 00:07:19.260
you can start asking questions, I'll compile them, they'll all be together.

00:07:19.260 --> 00:07:22.700
on a tablet, so as soon as it pops into your head, don't hesitate, don't wait for

00:07:22.700 --> 00:07:28.020
the end, and then I can moderate and pass on these questions to the

00:07:28.020 --> 00:07:34.320
speakers of the day, and without further ado, let's get started with the first

00:07:34.320 --> 00:07:46.780
presentation. Data archiving and electronic signatures, legal framework and implementation

00:07:46.780 --> 00:07:54.240
presented by Audrey Souter. Audrey Souter has almost ten years' experience

00:07:54.240 --> 00:07:58.100
in corporate law and data protection, Master's degree in commercial law

00:07:58.100 --> 00:08:02.420
Université Paris 2, a master's degree in management science from EM Lyon Business School. She is

00:08:02.420 --> 00:08:05.820
also a member of the Paris Office. She focuses on corporate law issues,

00:08:05.820 --> 00:08:09.520
particularly for restructuring operations, but also on data protection issues

00:08:09.520 --> 00:08:17.460
and governance. She is accompanied by her colleague Elisabeth Everson, who is, I might add

00:08:17.460 --> 00:08:21.860
they are both Deloitte employees, assistant managers at Deloitte Legal, and qualified lawyers in

00:08:21.860 --> 00:08:27.340
Geneva; Elisabeth is also qualified as a Solicitor of England and Wales. Before joining Deloitte,

00:08:27.340 --> 00:08:32.040
Elisabeth worked as an associate in a local law firm, specializing in litigation,

00:08:32.040 --> 00:08:36.940
in Swiss and international contexts, including international arbitration cases. At Deloitte,

00:08:36.940 --> 00:08:40.360
Elisabeth focuses on Swiss contract law issues and new technologies,

00:08:40.360 --> 00:08:42.480
data protection, which is what drives us today.

00:08:42.480 --> 00:08:46.660
I'd like to thank you once again.

00:08:46.660 --> 00:08:55.340
I'll take the tablet with me, so don't forget the questions.

00:09:02.040 --> 00:09:18.580
Hello everyone, and welcome from me too.

00:09:18.580 --> 00:09:25.700
As mentioned by my colleague Audrey, we're going to start by explaining the legal framework,

00:09:25.700 --> 00:09:29.680
lay the foundations, especially in relation to these two questions.

00:09:29.680 --> 00:09:37.040
So, on the one hand, data retention and, in particular, electronic archiving, and on the other, electronic signatures.

00:09:37.040 --> 00:09:43.660
So we start with data retention.

00:09:43.660 --> 00:09:48.900
From a legal point of view, there are three main questions to ask.

00:09:48.900 --> 00:09:52.680
First, is there an obligation to retain data?

00:09:52.680 --> 00:09:56.680
Next, how long should I keep it?

00:09:56.680 --> 00:09:58.840
And thirdly, form.

00:09:58.840 --> 00:10:02.220
So can the form be electronic or not?

00:10:02.220 --> 00:10:04.980
So let's look at the first two questions first.

00:10:04.980 --> 00:10:06.840
Is there an obligation?

00:10:06.840 --> 00:10:12.680
So there you have the first example that concerns you all.

00:10:12.680 --> 00:10:19.980
In principle, the law imposes an obligation to keep books and accounting records for a period of 10 years.

00:10:19.980 --> 00:10:24.520
Another example of conservation, this time for 20 years,

00:10:26.200 --> 00:10:32.480
is typically found in VAT law in relation to real estate tax documents.

00:10:32.480 --> 00:10:36.500
So there you have two examples where the law imposes an obligation.

00:10:36.500 --> 00:10:42.040
There are other situations in which there is no legal obligation to do so,

00:10:42.040 --> 00:10:47.860
it's a good idea to keep certain documents, typically in case of a dispute.

00:10:47.860 --> 00:10:51.720
So what is the retention period?

00:10:51.720 --> 00:10:53.940
We have seen these two examples of 10 and 20 years.

00:10:54.760 --> 00:11:02.010
It's important to know that the retention period can be either a minimum or a maximum period, i.e. a period beyond which

00:11:01.955 --> 00:11:05.085
documents cannot be kept.

00:11:05.140 --> 00:11:15.460
We'll shortly be taking a look at the Data Protection Act (DPA), which is a rather telling example of this maximum duration.

00:11:15.460 --> 00:11:27.060
The starting point also varies. You can see the example I mentioned earlier in relation to books and records. The period runs from the end of each financial year.

00:11:29.100 --> 00:11:37.460
The most common retention period is 10 years. This period is based on several legal bases.

00:11:37.460 --> 00:11:48.760
So, once again, the one I've already mentioned. We also have article 127 CO, which governs the prescription of the vast majority of civil law claims.

00:11:48.760 --> 00:11:56.700
So, that's what I mentioned before. To have all the necessary documents in case there's a dispute that concerns you, there's a lot of data,

00:11:56.840 --> 00:11:59.980
a lot of documents that you're going to want to keep for ten years or so.

00:11:59.980 --> 00:12:04.120
The special case, as I was saying, is the Data Protection Act.

00:12:04.120 --> 00:12:09.120
In general, when you have personal data,

00:12:09.120 --> 00:12:14.120
if there is no legislative text or contract imposing a specific duration,

00:12:14.120 --> 00:12:18.180
we'll need to look at the appropriate duration.

00:12:18.180 --> 00:12:21.940
So we're going to take all the circumstances into account.

00:12:21.940 --> 00:12:25.680
And basically, if there's no interest in keeping it,

00:12:26.200 --> 00:12:29.500
you will need to delete or anonymize personal data.

00:12:29.500 --> 00:12:34.780
A typical case would be the CV or diplomas of a candidate applying for a job with you.

00:12:34.780 --> 00:12:39.840
So, even if you hire this candidate, in principle after the trial period,

00:12:39.840 --> 00:12:44.780
you have no legitimate interest in keeping this data, i.e. the CV, etc.

00:12:44.780 --> 00:12:48.120
They will therefore have to be either deleted or anonymized.

00:12:48.120 --> 00:12:54.000
The slide shows other examples of retention periods,

00:12:54.540 --> 00:12:58.520
But I think this gives you an idea of the kind of analysis that's needed.

00:12:58.520 --> 00:13:03.700
So we look at whether it's compulsory, whether it's best practice, and how long it should be kept.

00:13:03.700 --> 00:13:06.240
What do we do with all this?

00:13:06.240 --> 00:13:10.560
In principle, we create a retention schedule.

00:13:10.560 --> 00:13:18.780
This document formalizes the retention periods for each type of document held by your company.

00:13:21.740 --> 00:13:25.820
This is something that can be part of a broader retention policy document.

00:13:25.820 --> 00:13:28.840
where you can detail archiving processes, etc.

00:13:28.840 --> 00:13:36.440
But it's a document that sums up what you're going to keep for how long.

00:13:36.440 --> 00:13:39.900
So that covers the first two questions.

00:13:39.900 --> 00:13:45.220
And I'll hand over to Audrey for the form in which it should be kept.

00:13:45.220 --> 00:13:48.100
Thank you very much.

00:13:51.740 --> 00:14:01.960
So, as Elisabeth was saying, the first issue is the retention period.

00:14:01.960 --> 00:14:08.040
And that's true whether you archive your documents physically or electronically,

00:14:08.040 --> 00:14:09.820
retention periods will be the same.

00:14:09.820 --> 00:14:12.700
It's important to keep this in mind.

00:14:12.700 --> 00:14:17.520
The principle is that documents may be stored electronically.

00:14:17.520 --> 00:14:19.820
There are two exceptions in the law.

00:14:20.500 --> 00:14:24.740
One is that you must keep a signed, printed copy of the management and audit reports,

00:14:24.740 --> 00:14:26.940
if your company is subject to audit.

00:14:26.940 --> 00:14:32.480
I would add a recommendation for employment contracts and letters of dismissal,

00:14:32.480 --> 00:14:36.080
for a question of probative value, which I'll come back to shortly.

00:14:36.080 --> 00:14:40.580
So, let's start with electronic archiving.

00:14:40.580 --> 00:14:47.740
It's the classic, paper-based, original, what we all used to do, and it's evolving.

00:14:48.380 --> 00:14:59.195
This form of retention implies significant physical storage requirements, and it's true that, as Elisabeth was saying, we have certain retention periods that

00:14:59.129 --> 00:15:09.354
can extend to 20 years, and in this case, physical retention becomes a constraint for companies because it's a question of cost, space and functionality.

00:15:10.060 --> 00:15:22.340
And let's not forget other risks, such as fire. It's less frequent, we hope, but it's still a risk when you have 100% physical archiving.

00:15:22.340 --> 00:15:28.680
What's more, access to paper documents can be slow: you have to go into archives, you have to rummage around, and so on.

00:15:28.680 --> 00:15:38.680
That's why, with the trend towards dematerialization, companies are increasingly moving towards electronic archiving.

00:15:39.080 --> 00:15:47.200
So there are clear advantages in terms of space, reduced costs, easy remote access to information.

00:15:47.200 --> 00:15:58.280
On the other hand, it's important to bear in mind that, behind all this, you need to be very careful about data security, integrity and validity.

00:15:58.280 --> 00:16:03.500
The issue of the probative value of electronic documents remains unresolved.

00:16:03.500 --> 00:16:13.777
We even had a ruling in 2015 that called into question the probative value of an electronic document, since without the possibility of

00:16:13.701 --> 00:16:18.764
producing the original paper document, the person was unsuccessful.

00:16:19.860 --> 00:16:30.320
In particular, if you have a document that you have to present in electronic form, the opposing party could challenge the authenticity of this document.

00:16:30.320 --> 00:16:37.540
It is then up to the other party to prove authenticity. This is known as the burden of proof.

00:16:37.540 --> 00:16:47.800
And this is where difficulties arise, because you need to establish with certainty the authenticity of an electronically archived document whose original has been destroyed.

00:16:49.060 --> 00:16:56.100
That's why, as I was saying about employment contracts and letters of dismissal, it may be worth keeping a paper version as well.

00:16:56.100 --> 00:17:03.600
In anticipation, the challenge will be to ensure that the legal value of an electronic archive is not open to challenge.

00:17:03.600 --> 00:17:11.880
To this end, there is the electronic signature, which is a process that enables this guarantee, but we'll come back to this in more detail shortly.

00:17:19.060 --> 00:17:26.800
So now we're going to get down to the nitty-gritty of the subject, namely the principles to be respected for compliant electronic retention.

00:17:26.800 --> 00:17:33.640
The aim is to guarantee document integrity, authenticity and forgery-proofing.

00:17:33.640 --> 00:17:35.940
I trained a lot to get there.

00:17:35.940 --> 00:17:45.760
Indeed, archiving must guarantee that the document is authentic and cannot be altered without leaving traces, in order to guarantee document reliability.

00:17:46.100 --> 00:17:49.200
So that's OLICO. This is one of the principles of OLICO.

00:17:49.200 --> 00:17:54.300
What is OLICO? This is the ordinance concerning the keeping and preservation of account books.

00:17:54.300 --> 00:18:01.320
OLICO distinguishes between two types of information media.

00:18:01.320 --> 00:18:03.660
There are non-modifiable information media.

00:18:03.660 --> 00:18:08.040
So that's paper and image media. There are no special requirements here.

00:18:08.040 --> 00:18:13.120
On the other hand, there is the case of modifiable media.

00:18:13.740 --> 00:18:21.880
In this case, a technical procedure must be used to create the document, guaranteeing the integrity of the information saved.

00:18:21.880 --> 00:18:37.940
And here again, by way of example, two common tools that guarantee this retention are the electronic signature and timestamping.

00:18:38.180 --> 00:18:40.780
We'll come back to the electronic signature later.

00:18:40.780 --> 00:18:44.100
Timestamping is a system that makes it possible to prove

00:18:44.100 --> 00:18:50.040
that there was no possibility of falsification at the time the information was recorded.

00:18:50.040 --> 00:18:51.860
So that's a real guarantee.

00:18:51.860 --> 00:18:56.260
It's not very common, but it's a really good measure.

00:18:56.260 --> 00:19:01.700
After that, we also grouped together the principles of readability and availability.

00:19:01.700 --> 00:19:04.480
So, of course, the documents must be legible,

00:19:04.480 --> 00:19:09.840
but they must also be accessible to authorized personnel at all times.

00:19:09.840 --> 00:19:18.140
This means proactive management of your files and storage media, and continuous access.

00:19:18.140 --> 00:19:25.080
So we're proposing a few measures to put in place.

00:19:25.080 --> 00:19:31.360
So, set up a filing system for all your documents, physical or digital, specifying the distinction.

00:19:32.000 --> 00:19:41.039
Indeed, to guarantee access at all times within a reasonable period of time, that's what we've taken from the OLICO text, to archives for authorized persons, in

00:19:40.929 --> 00:19:49.747
particular to simplify and accelerate control procedures, to designate a person responsible for the management of these archives, to carry out periodic checks,

00:19:49.747 --> 00:19:56.790
in particular to ensure the integrity of documents, that there has been no alteration, and to put in place protection measures.

00:19:56.900 --> 00:20:08.360
The next presentations will go into more detail on how to protect these documents and data, and on documenting the procedures.

00:20:08.360 --> 00:20:14.220
So, yes, as briefly introduced, set up a retention plan.

00:20:14.220 --> 00:20:25.240
So let's get down to the nitty-gritty of the implementation process in five key steps.

00:20:26.060 --> 00:20:47.400
The first step is to talk about an archiving procedure, defining rules and an internal process for archiving, including digitization, indexing and storage.

00:20:48.140 --> 00:20:58.307
Then, of course, there's the choice of service provider, which can be crucial. Selecting a service provider who complies with Swiss legal standards

00:20:58.172 --> 00:21:08.610
such as OLICO. So we're not going to advertise today, but we're happy to advise you off-camera. There are service providers we work with, but many of them

00:21:08.610 --> 00:21:13.965
comply with all the standards in Switzerland. They're also fairly easy to find.

00:21:15.420 --> 00:21:26.440
Next, implement access controls to restrict access to archives, so that only those authorized to consult them have access.

00:21:26.440 --> 00:21:39.640
And this also overlaps with the requirements of the DPA, because it also helps to guarantee and limit the risk of expectation due to undue processing of personal data.

00:21:39.640 --> 00:21:42.500
So it's true that it really cuts both ways.

00:21:43.400 --> 00:21:52.780
Finally, system governance, and this is where we recommend quite strongly that you put in place a retention plan, a retention schedule.

00:21:52.780 --> 00:22:04.500
It's a really good tool, as Elisabeth explained, it allows you to enter the type of document and its retention time,

00:22:04.500 --> 00:22:12.980
if it's a minimum duration, if it's a maximum duration, and then the format and possibly the method of deleting the document.

00:22:13.400 --> 00:22:20.620
And finally, of course, system maintenance, with regular updates to guarantee long-term security.

00:22:20.620 --> 00:22:24.860
But that's for the following presentations, which should come back to these more technical aspects.

00:22:24.860 --> 00:22:29.240
I'll give the floor back to Elisabeth for the electronic signature.

00:22:29.240 --> 00:22:31.940
Thank you very much Audrey.

00:22:31.940 --> 00:22:36.680
So the second part of the presentation is a little briefer,

00:22:36.680 --> 00:22:41.280
just to introduce you to the electronic signature, so a bit of the basics in Swiss law.

00:22:41.520 --> 00:22:46.440
So, under Swiss law, there are four types of electronic signature that you see on the screen.

00:22:46.440 --> 00:22:52.800
In practice, the choice is between the electronic signature, sometimes referred to as simple,

00:22:52.800 --> 00:22:57.420
because simple is the word we use in other jurisdictions, it's the one you see on the far left,

00:22:57.420 --> 00:23:01.960
and the qualified electronic signature you see on the right.

00:23:01.960 --> 00:23:08.940
So let's take a quick look at the definitions of these two types of electronic signature,

00:23:09.440 --> 00:23:20.160
A simple electronic signature is a set of electronic data attached to or logically linked to other electronic data, used to verify their authenticity.

00:23:20.160 --> 00:23:22.840
So what is it in concrete terms?

00:23:22.840 --> 00:23:27.580
It's a signature that you scan and drag onto a Word document.

00:23:27.580 --> 00:23:32.840
It can be a signature you make on your computer with your mouse.

00:23:32.840 --> 00:23:35.580
So it's something that's not handwritten.

00:23:35.880 --> 00:23:44.360
This is the signature with the least legal legitimacy, because there is no real verification of the identity of the signatory.

00:23:44.360 --> 00:23:54.320
So, on the other side of the spectrum, on the far right, the qualified electronic signature, which is in fact based on a qualified certificate.

00:23:54.320 --> 00:23:59.320
So, to get this type of signature, you need to go through a recognized supplier.

00:23:59.580 --> 00:24:07.640
We've listed the recognized suppliers in Switzerland. There are four in all, including three for private customers.

00:24:07.640 --> 00:24:11.260
So we've listed Swisscom, DigiCard and SwissSign for you.

00:24:11.260 --> 00:24:16.300
So what's the point of a qualified signature?

00:24:16.300 --> 00:24:22.760
I get lost in my slides too. There you go. Thanks for your time.

00:24:25.060 --> 00:24:30.740
So the main advantage of a qualified signature is its equivalence with a handwritten signature.

00:24:30.740 --> 00:24:36.180
So what you need to know is that in Swiss law, in principle, we have freedom of contract.

00:24:36.180 --> 00:24:41.780
This means that the parties can conclude their contract in any form they wish, typically orally.

00:24:41.780 --> 00:24:47.520
There are a few examples in the law where the law imposes another form.

00:24:47.520 --> 00:24:50.540
Typically, this will be the written form, but not the only one.

00:24:51.700 --> 00:24:58.680
When written form is required, the contract must be signed by all parties concerned.

00:24:58.680 --> 00:25:03.520
And what we mean by a signature is, in principle, a handwritten signature.

00:25:03.520 --> 00:25:07.460
So what we call "wet ink", the handwritten signature.

00:25:07.460 --> 00:25:11.800
And that's where qualified electronic signatures come into their own,

00:25:11.800 --> 00:25:16.480
because by law, so this is a quote from the Code of Obligations,

00:25:16.480 --> 00:25:19.220
it is assimilated to a handwritten signature.

00:25:20.720 --> 00:25:31.720
So for contracts requiring written form, if you want them to be valid in electronic form, you can sign them with a qualified Swiss signature.

00:25:31.720 --> 00:25:40.420
So I insist on the word Swiss, and that brings us to the second part of this slide, which is international recognition.

00:25:40.420 --> 00:25:48.940
So we're talking about Swiss contracts, subject to Swiss law, which will be signed with a qualified Swiss signature.

00:25:49.680 --> 00:25:53.920
In other countries, other laws apply to qualified signatures.

00:25:53.920 --> 00:25:59.100
Typically, in the European Union, we have a regulation called eIDAS,

00:25:59.100 --> 00:26:04.940
which also recognizes several types of electronic signature.

00:26:04.940 --> 00:26:10.600
The eIDAS regulation refers to simple, advanced and qualified signatures.

00:26:10.600 --> 00:26:16.380
But what you need to know is that even if they also have a qualified signature,

00:26:16.380 --> 00:26:22.940
At present, there is no equivalence between qualified signatures, i.e. European Union, Swiss or other.

00:26:22.940 --> 00:26:33.120
So you always have to ask yourself what law applies to the contract, which is the law that governs the formal conditions of validity.

00:26:33.120 --> 00:26:41.960
And so keep in mind that if you want to conclude a contract in written form electronically, a contract that is subject to Swiss law,

00:26:42.080 --> 00:26:52.441
the two parties, or the three parties, or all the parties, will have to use a qualified Swiss signature, and there will be a

00:26:52.365 --> 00:26:57.124
problem if one party uses, typically, a European signature.

00:26:58.280 --> 00:27:02.680
I think we're coming to the end of the presentation, we're right on schedule.

00:27:02.680 --> 00:27:09.160
If we've gone too fast, we'll be happy to answer any questions you may have.

00:27:09.160 --> 00:27:16.980
And we give the floor back to Frédéric to introduce the next speaker.

00:27:16.980 --> 00:27:18.520
Thank you very much.

00:27:27.520 --> 00:27:42.940
Thank you very much for this first part. We've already had quite a few questions, so I'm delighted. I suggest we keep up the good momentum.

00:27:43.300 --> 00:27:49.560
In the second part, we'll discuss data risk management and compliance.

00:27:49.560 --> 00:27:58.360
Claudia Pallaud-Wolfer, Digital Assurance and Trust Manager at PwC, will be in charge.

00:27:58.360 --> 00:28:05.560
To introduce her, at PwC, she is in charge of IT projects,

00:28:05.560 --> 00:28:11.140
and is dedicated to strategic initiatives around digitalization, digitization and IT audits.

00:28:11.420 --> 00:28:15.020
She holds a Master's degree in Accounting and Finance from the University of Fribourg.

00:28:15.020 --> 00:28:17.480
She also trained at the London School of Economics.

00:28:17.480 --> 00:28:19.580
The floor is yours.

00:28:19.580 --> 00:28:28.560
Hello everyone.

00:28:28.560 --> 00:28:31.020
I'm delighted to be here.

00:28:31.020 --> 00:28:33.940
This is my first visit to the Chamber of Commerce.

00:28:33.940 --> 00:28:40.000
I'm happy to take part in these discussions and share my knowledge.

00:28:41.080 --> 00:28:54.000
The subject I'm going to present today, I'm going to concentrate mainly on the risk part and then on the controls to be put in place around our theme,

00:28:54.000 --> 00:28:58.340
data archiving, storage and protection.

00:29:00.340 --> 00:29:12.520
Above all, I'm also going to share a little of my experience, the projects I've been involved in, so that you can hopefully get something interesting out of it.

00:29:20.280 --> 00:29:26.280
First of all, at PwC, we have a global presence.

00:29:26.280 --> 00:29:34.360
And in Switzerland, we have our headquarters in Zurich, as well as offices in every Swiss city.

00:29:34.360 --> 00:29:40.640
So I'm concentrating mainly on SME customers in French-speaking Switzerland.

00:29:41.900 --> 00:29:53.560
And following Covid, we had a lot of requests from companies who really had to move quite quickly from a paper to a digital world.

00:29:53.560 --> 00:30:05.660
So what we call EDM, electronic document management, has become very important, and in particular the need for governance around this slightly more digitized world.

00:30:06.840 --> 00:30:22.616
So the main projects I've been involved with, and the companies we've worked with, have been mainly for the implementation of key

00:30:22.496 --> 00:30:29.240
controls around EDM, as well as legal compliance audits.

00:30:29.360 --> 00:30:43.072
This ties in with the presentation we had earlier. Numerous companies have called us to help them understand the important laws that apply to all

00:30:42.978 --> 00:30:51.466
electronic document management, and the key controls or measures they need to put in place.

00:30:52.040 --> 00:31:02.952
And the latest projects, which are really audits, which is my area of expertise, IT auditing, which means complete audits of EDM, electronic document

00:31:02.880 --> 00:31:10.468
management, as well as certification, which means we really certify that the EDM complies with standards.

00:31:11.780 --> 00:31:17.100
So these are the projects I've been involved in.

00:31:17.100 --> 00:31:24.240
So, the first part deals with the risks associated with electronic archiving.

00:31:24.240 --> 00:31:32.100
So, as my colleagues said earlier, we have certain documents that are important to keep for many years to come.

00:31:32.100 --> 00:31:39.720
So, we're talking about 10 years, 20 years and how to ensure that in a digital environment,

00:31:39.720 --> 00:31:43.980
we really do keep these PDFs, for example, or these documents for so many years.

00:31:43.980 --> 00:31:47.100
So that's one of the main risks.

00:31:47.100 --> 00:31:51.980
It's all about legal compliance in relation to archiving.

00:31:51.980 --> 00:31:57.180
Other risks include data loss.

00:31:57.180 --> 00:32:00.740
When you have archives to keep for so long,

00:32:00.740 --> 00:32:05.640
are we sure that in, say, 10 years, we'll still be able to read these documents?

00:32:05.640 --> 00:32:14.900
Will the technology we have in place still be up to date, or will it be obsolete in ten years' time?

00:32:14.900 --> 00:32:20.580
So the notion of data loss is very important when we're really talking about ten or twenty years.

00:32:20.580 --> 00:32:28.760
And the other two major risks to archives are unauthorized access to them.

00:32:28.760 --> 00:32:32.480
Some documents are confidential.

00:32:33.260 --> 00:32:40.840
In 10 years' time, we shouldn't have just any employee accessing certain files, so we need to make sure we have access too.

00:32:40.840 --> 00:32:45.180
And finally, data corruption, i.e. the alteration of these archives.

00:32:45.180 --> 00:32:52.620
The second risk relates to storage.

00:32:52.620 --> 00:33:01.100
Here, we're talking more about day-to-day activities, all those documents we have in the company, which we've digitized,

00:33:01.600 --> 00:33:05.400
how do we make sure we have enough room to store them?

00:33:05.400 --> 00:33:09.820
So, one of the main risks is the explosion in data volume.

00:33:09.820 --> 00:33:17.640
So, to really have the servers in front, the capacity to store all these documents.

00:33:17.640 --> 00:33:25.280
Other risks to be mentioned in relation to storage are the lack of redundancy.

00:33:25.280 --> 00:33:42.120
We recommend two or three servers or copies, but in any case, make sure you have enough measures in place to store data, even in the event of a disaster scenario, cyber-attack, etc.

00:33:42.120 --> 00:33:49.280
Two other risks to mention are hardware breakdowns, i.e. server breakdowns that would paralyze the company.

00:33:49.640 --> 00:34:01.761
Finally, with regard to data storage, security remains important. Sensitive data, possibly, or even encryption, is recommended, as

00:34:01.669 --> 00:34:06.628
are vulnerabilities in the storage systems themselves.

00:34:13.780 --> 00:34:25.408
And for the third risk, so everything to do with data protection, so here my colleagues presented it well earlier, so there are very clear laws on data

00:34:25.332 --> 00:34:32.324
protection, so in Switzerland the data protection law, but also the RGPD or GDPR in English.

00:34:33.080 --> 00:34:44.030
So failure to comply with these regulations would also have very serious consequences for the company. So we have to make sure that we comply with these

00:34:43.889 --> 00:34:54.557
laws. And in terms of data protection, there are also risks linked to external events, such as cyber-attacks, which would mean that we'd be in a better

00:34:54.557 --> 00:35:00.279
position to really protect and guarantee that we've preserved the company's data.

00:35:01.540 --> 00:35:13.960
Or employee errors, i.e. data leaks due to a mistake, sending a sensitive document to an external person, in the worst case scenario.

00:35:13.960 --> 00:35:26.220
And then there's the loss of confidentiality, so it's more a question of unauthorized access to sensitive data within the company.

00:35:26.220 --> 00:35:32.200
So, for example, an HR department file that could be accessed by employees in other departments, etc.

00:35:32.200 --> 00:35:39.140
I wanted to add a third aspect of risk.

00:35:39.140 --> 00:35:41.760
So it's more a question of organizational risks.

00:35:41.760 --> 00:35:46.480
So it's really everything that's going to affect the company's day-to-day operations.

00:35:46.480 --> 00:35:50.480
And these are risks that are often downplayed, but which are important.

00:35:50.480 --> 00:35:56.600
So, it's human error or the lack of employee training on these subjects that's important.

00:35:56.600 --> 00:36:03.020
So, documents, document retention, paying attention to data, data to whom you send what, etc.

00:36:03.020 --> 00:36:07.780
And the absence of a disaster recovery plan.

00:36:07.780 --> 00:36:17.640
So, for the company, in the event of a disaster scenario, a simple measure that can sometimes be put in place is a disaster recovery plan,

00:36:17.720 --> 00:36:24.720
so have a plan B, what do you do if you have a cyber-attack, how do you continue operations, etc.?

00:36:24.720 --> 00:36:28.380
So here we're more concerned with organizational and human risks.

00:36:28.380 --> 00:36:38.420
So just to remind you, if one of these risks or scenarios were to come true,

00:36:38.420 --> 00:36:41.680
so the consequences for the company can be really significant.

00:36:41.680 --> 00:36:46.500
So we're really talking about numbers and financial losses,

00:36:46.640 --> 00:36:53.160
So a cyber-attack, for example, if there's a ransom demand, often involves fairly substantial sums.

00:36:53.160 --> 00:37:04.460
But also a legal non-conformity on one of these documents which are protected by law, the OLICO, the Data Protection Act, etc.

00:37:04.460 --> 00:37:07.600
can also have far-reaching financial consequences.

00:37:07.600 --> 00:37:16.120
Last but not least, it's the company's reputation that suffers if we're not careful.

00:37:16.640 --> 00:37:25.260
And finally, in the event of server breakdowns, cyber-attacks, etc., the company's activities could be interrupted.

00:37:25.260 --> 00:37:33.980
So after talking about all these risks, we're now interested in how to protect ourselves.

00:37:33.980 --> 00:37:43.300
So my colleagues who introduced me to the following sections will go into much greater detail on the practical measures to be put in place.

00:37:43.480 --> 00:37:57.461
Let me give you an overview. What we're advocating is the key control approach, ensuring that we put in place the most important controls

00:37:57.360 --> 00:38:04.199
that will have the greatest effectiveness in mitigating these risks.

00:38:05.720 --> 00:38:14.480
I've divided them into three parts. First, there's all the more operational controls, which are often a little simpler to set up.

00:38:14.480 --> 00:38:27.360
So here, it's simply a matter of setting up IT procedures within the company to be shared with employees, or also training for employees,

00:38:27.360 --> 00:38:40.020
to make sure that everyone in the company is really careful with documents, mailings, access too, not to give access to just anyone, to any folder, especially

00:38:39.940 --> 00:38:52.520
nowadays with SharePoint, it's pretty easy to add a group to access folders, so that kind of thing, you have to make people aware to be careful about all that.

00:38:53.600 --> 00:39:05.246
And finally, access management. This is another aspect that can be implemented quite easily. But limiting access is based on the principle of least

00:39:05.168 --> 00:39:15.642
privilege. In other words, you only give access to people who really need it for their work. So we give as little access as possible.

00:39:17.560 --> 00:39:29.092
So the second aspect of control, here we're going a little more into technical controls, we touched on a few points earlier, but it would be to encrypt, for

00:39:29.019 --> 00:39:38.507
example, sensitive data, so we're talking about data in transit but also stored data, so once they're in the archive, for example.

00:39:41.260 --> 00:39:51.197
Also, in terms of technical controls, that's everything to do with passwords, but in this case, we really recommend MFA (multi-factor

00:39:51.123 --> 00:39:57.306
authentication), with enhanced security for access to company applications and data.

00:39:59.220 --> 00:40:01.520
Secondly, with regard to data storage,

00:40:01.520 --> 00:40:03.960
so it's really about having regular backups.

00:40:03.960 --> 00:40:08.740
And in relation to everything that's more of an external risk,

00:40:08.740 --> 00:40:11.040
so make sure you have the minimum,

00:40:11.040 --> 00:40:13.560
antivirus and firewall software,

00:40:13.560 --> 00:40:18.400
endpoint detection if possible,

00:40:18.400 --> 00:40:23.400
so intrusion detection systems, what did I write there?

00:40:23.400 --> 00:40:26.100
Intrusion detection, in French.

00:40:28.080 --> 00:40:41.247
So that's more like technical controls. We also mentioned it earlier, so everything to do with time-stamping documents. My colleagues will elaborate a little more

00:40:41.167 --> 00:40:52.800
on these issues, but there are also many technical means of protecting documents, of ensuring that there is, so to speak, a certificate on them.

00:40:52.880 --> 00:41:01.340
So time-stamping will also ensure that the document has not been altered, that the document we're reading is really the original.

00:41:01.340 --> 00:41:13.460
And certified encryption keys, too, really are the way to ensure that the document comes from such a well-known source.

00:41:13.460 --> 00:41:18.040
So that's for technical controls.

00:41:18.040 --> 00:41:21.260
and now I'll move on to the last part

00:41:21.260 --> 00:41:23.680
so it's more a question of archive controls

00:41:23.680 --> 00:41:28.500
in the archives for those documents you want to keep for a long time

00:41:28.500 --> 00:41:34.820
so we have to make sure we have integrity

00:41:34.820 --> 00:41:37.240
but also traceability in the archives

00:41:37.240 --> 00:41:41.220
so we can use electronic signatures

00:41:41.220 --> 00:41:42.640
or time-stamping, as we call it

00:41:42.640 --> 00:41:45.500
to ensure that the document is really the original

00:41:45.500 --> 00:41:46.780
and has not been altered

00:41:46.780 --> 00:41:51.560
in terms of retention period

00:41:51.560 --> 00:41:54.840
so make sure we also have controls in place

00:41:54.840 --> 00:41:58.400
in archives to preserve documents

00:41:58.400 --> 00:42:03.100
for the time required, so we talked about a filing plan earlier.

00:42:03.100 --> 00:42:07.180
so this is where it's important to really review

00:42:07.180 --> 00:42:11.400
the company's filing plan, and to ensure proper coverage

00:42:11.400 --> 00:42:15.600
the entire list that was noted

00:42:15.600 --> 00:42:20.560
in the filing plan, so such and such a document must be kept for 2 years, such and such a document for 10 years, such and such a

00:42:20.560 --> 00:42:26.380
document for 20 years, etc. And then, the last point for archives is formats,

00:42:26.380 --> 00:42:33.100
so it's also very important. We have formats that in 10 years' time will be

00:42:33.100 --> 00:42:37.520
unreadable, we may no longer have the necessary software to open, for example

00:42:37.520 --> 00:42:42.600
a video or a file in a rather unusual format, so what we recommend are

00:42:42.600 --> 00:42:51.260
PDF/A formats, which are durable formats that can be read over time.

00:42:51.260 --> 00:42:59.489
And here, I wanted to open up the subject a little with everything to do with artificial intelligence, since it's very fashionable, a

00:42:59.428 --> 00:43:02.659
subject that's being talked about all over the place.

00:43:02.720 --> 00:43:04.720
How do we apply it here?

00:43:04.720 --> 00:43:09.340
It's true that electronic document management is also developing enormously.

00:43:09.720 --> 00:43:21.920
So we're seeing many companies offering software that can, for example, extract data fairly automatically, and perform intelligent searches across the entire EDM.

00:43:21.920 --> 00:43:28.800
So we search with a keyword and it pulls up all the company's documents containing that keyword.

00:43:28.800 --> 00:43:37.700
Also automatic indexing in the EDM, i.e. tools that classify documents and put them in the right place automatically.

00:43:37.700 --> 00:43:51.430
So, it's pretty impressive what's happening and what's going to happen. So, again, something to keep an eye on. And also, in terms of security and accessibility, we

00:43:51.347 --> 00:44:03.257
have more and more tools to help manage all this, with notifications if an employee tries to access, for example, a file that is not authorized.

00:44:04.300 --> 00:44:17.464
So there you have it. To be continued. And finally, I'd like to open the floor for discussion. I think the questions will come later. But I

00:44:17.371 --> 00:44:23.907
don't know if anyone has... We'll regroup at the end. All right, then.

00:44:24.000 --> 00:44:31.040
Yes, archived for several years. Thank you very much.

00:44:34.300 --> 00:44:38.740
Thank you very much for this presentation.

00:44:38.740 --> 00:44:56.140
So, as said, the discussion will take place at the end, you can continue to ask your questions, I watch them live, I select them carefully.

00:44:56.140 --> 00:45:02.540
In the following, we'll continue with some practical advice on how to protect your data.

00:45:03.700 --> 00:45:13.140
Alexandre Courois, deputy director at BDO Geneva, will be in charge, specializing in IT auditing, cybersecurity and regulatory compliance.

00:45:13.140 --> 00:45:19.020
With over 20 years' experience, he supports banks, asset managers and companies in their compliance initiatives.

00:45:19.020 --> 00:45:24.020
He is also a regular speaker and trainer on these topics.

00:45:24.020 --> 00:45:26.620
So I'll give you the floor, Mr. Courois.

00:45:33.700 --> 00:46:00.640
Hello everyone,

00:46:00.640 --> 00:46:02.920
delighted to be with you this morning

00:46:03.700 --> 00:46:05.480
for this presentation.

00:46:05.480 --> 00:46:08.140
So, Juliette, reviewing my slides yesterday,

00:46:08.140 --> 00:46:09.560
she's not here today, but she told me

00:46:09.560 --> 00:46:11.180
"Alexandre, that's very rich."

00:46:11.180 --> 00:46:13.980
So, I think you received these slides beforehand.

00:46:13.980 --> 00:46:16.540
I'll try not to go too fast,

00:46:16.540 --> 00:46:19.320
but I may not have time to go back

00:46:19.320 --> 00:46:20.900
over all the notions.

00:46:20.900 --> 00:46:23.560
So don't hesitate, at the end of the presentation,

00:46:23.560 --> 00:46:26.040
to ask me a number of questions.

00:46:26.040 --> 00:46:28.520
I'll be delighted to answer them.

00:46:28.520 --> 00:46:31.980
As you can see, today's agenda is pretty full.

00:46:33.080 --> 00:46:45.271
I'm going to try and go into a bit more detail, but in the end it will tie in perfectly with what Claudia started to say about the technical and

00:46:45.187 --> 00:46:51.616
organizational measures you can implement to protect yourself from data loss.

00:46:54.200 --> 00:47:13.440
I'll skip the introduction. The aim for me this morning is to give you, in 15 minutes, which is a big challenge, some priority settings to apply today in your companies.

00:47:13.440 --> 00:47:26.680
It's going to be to provide you with a sort of ready-to-use checklist of what you'll need to put in place quickly to protect yourself against the risk of data loss.

00:47:26.680 --> 00:47:35.540
I'll also try to present you with some sort of action plan for 30, 60 or 90 days, and give you fairly simple KPIs for each.

00:47:35.540 --> 00:47:43.660
There are a few things I'd like to go over quickly, but please don't hesitate to ask any questions you may have.

00:47:43.660 --> 00:47:56.720
Three key ideas I've tried to identify and levers you can quickly activate.

00:47:57.620 --> 00:48:07.160
The first thing I think is key and essential is to map and classify your data.

00:48:07.160 --> 00:48:20.160
Before you know how to protect data, you need to know what you're protecting and who is responsible for protecting it.

00:48:21.860 --> 00:48:33.140
What I recommend is, first of all, to identify what I call the deposits, i.e. all the data, where they are.

00:48:33.140 --> 00:48:47.320
It can be a network share, it can be data in on-premise applications, it can be SaaS applications, it can be data on mobiles, on network shares.

00:48:48.340 --> 00:48:55.120
For each piece of data we've identified, I recommend identifying data owners.

00:48:55.120 --> 00:49:02.220
Data owners aren't necessarily technical IT people, they're mainly business people.

00:49:02.220 --> 00:49:05.840
It could be HR, finance, sales, etc.

00:49:05.840 --> 00:49:14.840
I also recommend, once you've identified the data you want to protect, that what you apply to it

00:49:14.840 --> 00:49:18.020
is to make a fairly simple classification

00:49:18.020 --> 00:49:21.780
between data that we know can be accessed by anyone

00:49:21.780 --> 00:49:23.540
public data

00:49:23.540 --> 00:49:27.240
including access for outsiders

00:49:27.240 --> 00:49:28.900
and then gradually

00:49:28.900 --> 00:49:32.180
we're going to set a higher level of confidentiality

00:49:32.180 --> 00:49:35.540
typically you see it in my presentation at the very bottom

00:49:35.540 --> 00:49:38.260
I put C1 public because what I'm sharing here

00:49:38.260 --> 00:49:41.920
is not particularly confidential

00:49:41.920 --> 00:49:44.420
and I'll come back to this later

00:49:44.420 --> 00:49:50.280
each time you'll see

00:49:50.280 --> 00:49:52.420
I've given you some KPIs

00:49:52.420 --> 00:49:54.120
which you can follow in connection with

00:49:54.120 --> 00:49:56.860
the subject I'm talking about

00:49:56.860 --> 00:49:58.000
typically

00:49:58.000 --> 00:49:59.940
what we'll be able to follow

00:49:59.940 --> 00:50:00.700
is the percentage

00:50:00.700 --> 00:50:04.240
of domains with owners

00:50:04.240 --> 00:50:05.800
percentage of assets

00:50:05.800 --> 00:50:07.860
classified

00:50:07.860 --> 00:50:09.980
assets are more than just data

00:50:09.980 --> 00:50:11.960
it's also the hardware

00:50:11.960 --> 00:50:12.680
behind it

00:50:12.680 --> 00:50:15.800
the number of closed public links

00:50:15.800 --> 00:50:16.920
but I'll come back to that later.

00:50:16.920 --> 00:50:18.640
and the second point

00:50:18.640 --> 00:50:21.640
which seemed to me to be the second important lever

00:50:21.640 --> 00:50:23.280
is once we've mapped out

00:50:23.280 --> 00:50:24.420
that we have classified this data

00:50:24.420 --> 00:50:27.360
is to ask ourselves what technical means

00:50:27.360 --> 00:50:29.520
and organizational tools I use

00:50:29.520 --> 00:50:31.980
to reduce the attack surface

00:50:31.980 --> 00:50:35.780
so the objective here will be to make

00:50:35.780 --> 00:50:37.320
finally illegitimate access

00:50:37.320 --> 00:50:39.900
difficult and visible

00:50:39.900 --> 00:50:43.620
a few immediate gestures

00:50:43.620 --> 00:50:45.080
and you'll see

00:50:45.080 --> 00:50:46.740
that I do a lot of hammer therapy

00:50:46.740 --> 00:50:48.020
this morning through my slides

00:50:48.020 --> 00:50:50.660
Claudia has already mentioned it

00:50:50.660 --> 00:50:52.620
but MFA for everyone

00:50:52.620 --> 00:50:54.880
it's essential today

00:50:54.880 --> 00:50:57.500
for all accounts

00:50:57.500 --> 00:50:59.580
I'll come back to this notion later.

00:50:59.580 --> 00:51:00.440
because sometimes

00:51:00.440 --> 00:51:03.240
we always think of user accounts

00:51:03.240 --> 00:51:05.260
but we forget, we neglect

00:51:05.260 --> 00:51:06.700
a number of other

00:51:06.700 --> 00:51:09.140
user accounts

00:51:09.140 --> 00:51:10.840
who have privileged access

00:51:10.840 --> 00:51:13.460
and for that reason

00:51:13.460 --> 00:51:15.340
we recommend deploying

00:51:15.340 --> 00:51:17.260
authentication

00:51:17.260 --> 00:51:19.740
on all accounts

00:51:19.740 --> 00:51:21.340
legacy authentication

00:51:21.340 --> 00:51:22.980
disabled

00:51:22.980 --> 00:51:24.760
so what is legacy authentication?

00:51:24.760 --> 00:51:27.020
authentication mechanisms

00:51:27.020 --> 00:51:28.620
that would be obsolete, for example

00:51:28.620 --> 00:51:30.400
and which would not technically

00:51:30.400 --> 00:51:33.520
finally set up

00:51:33.520 --> 00:51:34.080
MFA

00:51:34.080 --> 00:51:36.800
and so I also recommend

00:51:36.800 --> 00:51:39.000
to deactivate the so-called

00:51:39.000 --> 00:51:41.000
legacy authentication in directories

00:51:41.000 --> 00:51:43.280
to limit the risk

00:51:43.280 --> 00:51:44.680
that accounts can be created

00:51:44.680 --> 00:51:47.040
without being able to impose this mechanism

00:51:47.040 --> 00:51:49.080
multiple authentication

00:51:49.080 --> 00:51:50.800
factors. Of course,

00:51:50.800 --> 00:51:52.160
conditional access.

00:51:52.160 --> 00:51:54.960
Here too, I'll be back

00:51:54.960 --> 00:51:56.860
on this notion a little later, but

00:51:56.860 --> 00:51:59.120
as much as possible

00:51:59.120 --> 00:52:01.160
do not give access

00:52:01.160 --> 00:52:02.180
systematic

00:52:02.180 --> 00:52:04.500
administrator

00:52:04.500 --> 00:52:06.860
even if it's someone

00:52:06.860 --> 00:52:08.780
who would be entitled to this type of access

00:52:08.780 --> 00:52:17.420
We need to set up a conditional access system, giving access only to what we need, and only on a temporary basis.

00:52:17.420 --> 00:52:32.320
Access, of course, must be proportionate to each person's role within the company, and separate administrative roles must be assigned.

00:52:32.320 --> 00:52:38.600
And what I see all too often is that we have someone in IT who obviously has, by virtue of the position he occupies,

00:52:38.600 --> 00:52:43.960
because he administers a certain number of things in the information system, admin access.

00:52:43.960 --> 00:52:50.740
But his admin access is for everything, for every function, for every task he performs.

00:52:50.740 --> 00:52:55.880
We therefore recommend separating these accounts.

00:52:56.220 --> 00:52:59.620
A standard user account for standard functions

00:52:59.620 --> 00:53:03.100
within the organization.

00:53:03.100 --> 00:53:07.080
And then you have an admin role when you really need to administer your information system.

00:53:07.080 --> 00:53:17.020
Managed and encrypted workstations, here too, a stroke of the therapy hammer in relation to what Claudia said.

00:53:17.020 --> 00:53:21.080
Automatic updates, extremely important,

00:53:21.260 --> 00:53:26.200
means regularly updating hardware and software.

00:53:26.200 --> 00:53:28.820
Sounds a bit pie in the sky,

00:53:28.820 --> 00:53:30.840
but I also see too many systems

00:53:30.840 --> 00:53:36.840
which are subject to security breaches,

00:53:36.840 --> 00:53:39.320
precisely because there is no patching policy,

00:53:39.320 --> 00:53:42.940
hardware and software updates.

00:53:42.940 --> 00:53:45.880
I'll pass quickly over the KPIs,

00:53:45.880 --> 00:53:49.060
but that's typically something you can follow,

00:53:49.480 --> 00:53:54.380
MFA coverage, the number of managed and encrypted workstations,

00:53:54.380 --> 00:53:56.520
the number of admin accounts, that's one of the things

00:53:56.520 --> 00:54:00.240
which are always very interesting.

00:54:00.240 --> 00:54:05.580
The last key idea is to test resilience.

00:54:05.580 --> 00:54:10.520
Claudia spoke about this too, about backup and restoration.

00:54:10.520 --> 00:54:15.160
I'll tell you a bit more about it later and quickly.

00:54:15.160 --> 00:54:18.700
of what I call the 3, 2, 1, 1, 0 backup.

00:54:19.480 --> 00:54:33.992
And when you're using the cloud or a SaaS application, you need to ask yourself - and I'll come back to this when it comes to managing external service

00:54:33.897 --> 00:54:44.425
providers - what I'm actually doing, and how I'm making sure my data is backed up when I'm not doing it myself.

00:54:44.880 --> 00:54:54.420
Restoration tests are another pie in the sky, but it's a deficiency that I identify with my IT auditor's hat extremely often.

00:54:54.420 --> 00:55:00.820
We have customers who think carefully about their backups, but forget to carry out test restores.

00:55:00.820 --> 00:55:09.740
And test restoration isn't just about restoring a file because an employee has lost it or accidentally deleted it.

00:55:09.740 --> 00:55:19.920
It also means making sure you're able to restart an entire server, whether it's a physical server or a virtual server, a VM.

00:55:19.920 --> 00:55:28.200
And then it's also when you have the cloud, saying okay, I have a backup on the cloud, to access this backup I need an account.

00:55:28.200 --> 00:55:36.740
And so I make sure when I do restoration tests that I'm also able to re-access these backups.

00:55:38.060 --> 00:55:42.000
Define an RPO and RTO for all critical applications.

00:55:42.000 --> 00:55:45.500
Here too, I've included some examples of KPIs.

00:55:45.500 --> 00:55:52.660
I'll be brief, but I've given you some scenarios you could potentially be involved in,

00:55:52.660 --> 00:55:56.420
As an SME or startup, you're obviously not immune,

00:55:56.420 --> 00:55:59.200
you are potentially exposed.

00:55:59.200 --> 00:56:05.840
You may be exposed to external attacks such as phishing,

00:56:05.840 --> 00:56:17.500
You can be exposed to ransomware attacks, leaks and, as Claudia said, unintentional data leaks due to human error.

00:56:17.500 --> 00:56:33.880
And so, each time, I've given you a way, so here I'm going to go pretty quickly, but I've given you the tools you can finally implement fairly quickly to prevent this type of attack.

00:56:33.880 --> 00:56:36.680
and it will never totally protect you

00:56:36.680 --> 00:56:38.620
completely, but you will limit

00:56:38.620 --> 00:56:39.740
to a very large extent

00:56:39.740 --> 00:56:42.120
so here again we could come back to it at the end

00:56:42.120 --> 00:56:44.860
if you have any questions

00:56:44.860 --> 00:56:51.600
same thing

00:56:51.600 --> 00:56:53.540
Shadow IT

00:56:53.540 --> 00:56:55.000
what I call Shadow IT

00:56:55.000 --> 00:56:56.460
it's typically

00:56:56.460 --> 00:57:00.500
use of software

00:57:00.500 --> 00:57:01.460
tools

00:57:01.460 --> 00:57:05.780
that are not officially approved within the company.

00:57:05.780 --> 00:57:11.880
And this happens very often because we're not able to provide this or that functionality.

00:57:11.880 --> 00:57:14.000
through the ERP used by the company.

00:57:14.000 --> 00:57:16.260
So we create our own tools.

00:57:16.260 --> 00:57:21.260
It can be an Excel sheet, but it can also be free tools.

00:57:21.260 --> 00:57:26.160
that we can access from within the company.

00:57:26.160 --> 00:57:28.740
So that, too, represents a risk.

00:57:29.620 --> 00:57:38.540
And there's a very easy way to prevent this by using what I've put here as a tool, as a device.

00:57:38.540 --> 00:57:45.180
Loss or theft of equipment, poorly controlled privileged access, these are also things I see very often.

00:57:45.180 --> 00:57:50.740
Too many administrators, that's my general observation.

00:57:50.740 --> 00:57:57.580
It's not systematic, but I see too many people who have access to privileges, privileges they shouldn't have.

00:57:58.560 --> 00:58:09.480
So be very careful with this too, because it's an open door to a potential risk of data leakage or loss.

00:58:09.480 --> 00:58:25.480
I've given you as much detail as possible, but it's also to give you as much material as possible after the event.

00:58:25.620 --> 00:58:28.580
There are some things I've already mentioned that I'm going to skip over rather quickly.

00:58:28.580 --> 00:58:32.780
As you can see, mapping this data is key.

00:58:32.780 --> 00:58:37.360
I look to see if there are any key messages I've forgotten to get across,

00:58:37.360 --> 00:58:40.600
but on the whole, these are things I've already presented.

00:58:40.600 --> 00:58:48.920
As I was saying, access, access management, and Claudia put it very well,

00:58:48.920 --> 00:58:52.580
it's one of the key things in business,

00:58:53.120 --> 00:58:55.980
to which we need to pay particular attention.

00:58:55.980 --> 00:58:59.920
Here again, in terms of quick wins,

00:58:59.920 --> 00:59:04.780
we have, I repeat, but we really need to impose the MFA.

00:59:04.780 --> 00:59:07.900
The pitfall I find most often is to say to yourself

00:59:07.900 --> 00:59:10.920
that people think we've deployed the MFA everywhere.

00:59:10.920 --> 00:59:13.320
And then we auditors, when we come to look,

00:59:13.320 --> 00:59:17.640
we can see that there are perhaps 10-15% of accounts

00:59:17.640 --> 00:59:20.740
not covered by an MFA.

00:59:21.380 --> 00:59:24.800
And these accounts, as it happens, are sometimes technical accounts,

00:59:24.800 --> 00:59:27.800
extended duty accounts, administration accounts,

00:59:27.800 --> 00:59:32.420
which can potentially do a maximum of things at network and application level.

00:59:32.420 --> 00:59:39.200
And so it's extremely important to ask which accounts are covered

00:59:39.200 --> 00:59:46.000
and above all, what rights do I allocate in relation to the use made of the account.

00:59:46.000 --> 00:59:49.680
Here again, I'll give you KPIs every time, but I'm not going to stop.

00:59:51.380 --> 01:00:00.700
Enabling encryption on workstations and mobiles, what I call painless hardening, don't get me wrong, it's what we call hardening.

01:00:00.700 --> 01:00:06.500
It's really a question of how to strengthen hardware security in the company.

01:00:06.500 --> 01:00:15.120
Very quickly, we'll be activating encryption, but Claudia talked about that, and automating updates.

01:00:15.260 --> 01:00:24.380
Again, this may sound silly, but it's extremely important to keep your systems and equipment up to date in this respect.

01:00:24.380 --> 01:00:28.080
Deploy EDR, antivirus, Claudia said.

01:00:28.080 --> 01:00:33.680
We at BDO block USB ports, but I think this is the case in many companies nowadays.

01:00:33.680 --> 01:00:42.420
It's complicated for us, because we can no longer connect backup disks to USB ports, for understandable reasons.

01:00:43.240 --> 01:00:53.400
Supporting BYOD is the opportunity offered by a company to its employees

01:00:53.400 --> 01:00:59.380
to bring your own equipment and be able to connect to the company network via the hardware.

01:00:59.380 --> 01:01:01.800
Obviously, it has to be something very carefully managed.

01:01:01.800 --> 01:01:05.920
Remove administrator rights from user workstations.

01:01:05.920 --> 01:01:11.420
The admin right is the ability to administer your PC.

01:01:11.860 --> 01:01:15.520
It's not just a matter of administering an application, we also have the possibility,

01:01:15.520 --> 01:01:21.140
and I see this a lot, people who can install whatever they want on the workstations,

01:01:21.140 --> 01:01:24.540
do what they want with their jobs, and that has to be supervised.

01:01:24.540 --> 01:01:31.440
So typically, in terms of a quick win, activate, as I said, disk encryption,

01:01:31.440 --> 01:01:37.300
block removable media by default and allow only justified exceptions,

01:01:37.300 --> 01:01:39.480
because of course it's not a question of closing everything down.

01:01:41.080 --> 01:01:52.520
And then implement conditional access rules: either an unmanaged device, or one that's not up to date, must obviously not access sensitive data.

01:01:52.520 --> 01:02:08.940
It's true that I forget to move on at the same time, I'm sorry, but since you know my presentation by heart already, it's okay.

01:02:11.080 --> 01:02:22.007
Claudia mentioned backups, and I like to remind people of the 3-2-1-1-0 backup rule, which means three copies of each piece of data, on two different media,

01:02:21.938 --> 01:02:29.891
one copy, which is fundamental for me, and one off-site copy to avoid exposing yourself too much to a cyber attack.

01:02:29.960 --> 01:02:42.391
I have a lot of customers who do all this very well, but forget about off-site copying, and if they do get hacked, especially the server on

01:02:42.303 --> 01:02:47.152
which the data is saved, they're all bent out of shape.

01:02:47.240 --> 01:02:56.680
So it's important to make an off-site copy of this data, and typically an immutable copy, to be able to conserve it.

01:02:57.240 --> 01:03:08.440
And the last thing I've already insisted on, which is zero, is do test restores and make sure your test restores are good.

01:03:08.440 --> 01:03:15.720
Here again, all too often, I run into the pitfall of not having a periodic restore test.

01:03:15.720 --> 01:03:25.740
As far as quick wins are concerned, to activate immutability, I haven't practiced off-site copying.

01:03:26.340 --> 01:03:33.810
Launch as early as this week, so when I say as early as this week, don't get me wrong, but these are questions you can ask yourself right

01:03:33.757 --> 01:03:36.767
now, a restoration test that doesn't just restore files.

01:03:36.820 --> 01:03:46.600
I'm going to move on quickly to encryption, because I think that if you have any questions, because there are some fairly technical terms,

01:03:46.530 --> 01:03:51.630
please don't hesitate to ask me questions at the end of the presentation.

01:03:52.300 --> 01:03:54.180
But encrypt your data, as Claudia said,

01:03:54.180 --> 01:03:57.200
data at rest, data in transit.

01:03:57.200 --> 01:04:00.960
When you have SaaS applications,

01:04:00.960 --> 01:04:04.500
i.e. applications managed by an external service provider,

01:04:04.500 --> 01:04:06.540
it's important to ask the question

01:04:06.540 --> 01:04:11.560
whether the data passing through the service provider in question

01:04:11.560 --> 01:04:14.480
is it secure and encrypted.

01:04:14.480 --> 01:04:21.040
What is DLP?

01:04:21.040 --> 01:04:28.140
It stands for Data Leakage Protection, and is a set of tools designed to protect against the risk of data leakage.

01:04:28.140 --> 01:04:35.380
Whether you're an SME or a start-up, you don't always have the means to equip yourself with this type of tool,

01:04:35.380 --> 01:04:42.480
but should you wish to do so, it's always a good idea to equip yourself with this type of tool,

01:04:42.480 --> 01:04:48.060
because it allows us to define a certain number of rules to guard against the risk of data leakage,

01:04:48.580 --> 01:05:00.251
particularly in the case of very complex matters such as IBAN number detection, AVS number detection, these kinds of keywords which, should an employee

01:05:00.175 --> 01:05:09.024
inadvertently wish to send this type of content in an e-mail, would ensure that the e-mail never leaves the company.

01:05:10.560 --> 01:05:26.013
In terms of quick wins, typically, create three basic DLP rules, enable auditing on your solutions, whether Microsoft 365 or Google,

01:05:25.897 --> 01:05:32.124
and avoid opening too many links to the outside world.

01:05:32.240 --> 01:05:33.740
That's what I recommend.

01:05:40.560 --> 01:05:52.849
Don't forget, when you call on a service provider, that it's still your responsibility, the data remains your responsibility, so trust doesn't exclude control,

01:05:52.772 --> 01:06:03.763
which is why I recommend that when you call on a local service provider, you have a minimum due diligence with a certain number of expectations.

01:06:04.360 --> 01:06:13.880
It may be the existence of an SOC or ISAE certificate, which will give you assurance as to the level of internal control in place at the service provider.

01:06:13.880 --> 01:06:26.900
There will also be data localization guarantees, again in line with what my colleagues said this morning, in particular about data privacy issues.

01:06:28.060 --> 01:06:41.500
This means defining key contractual clauses, with clear deadlines for incident notification, management of the service provider's subcontractors, data portability, etc.

01:06:41.500 --> 01:06:46.680
When it comes to quick wins, you should always demand the best from your service provider.

01:06:46.680 --> 01:06:55.833
When it comes to large, local service providers, we generally have this assurance, because we have an ISAE or SOC certificate which verifies that the

01:06:55.772 --> 01:07:02.439
expected technical measures are in place at the service provider in question, but this is not always the case.

01:07:02.580 --> 01:07:12.322
Not all service providers have this type of certificate, and so in these cases, it's a good idea to ask the questions and then typically require what I've

01:07:12.259 --> 01:07:19.877
already presented, i.e. multi-factor authentication, single sign-on, i.e. the ability to connect to all systems once only.

01:07:20.000 --> 01:07:31.255
And then, of course, when you can, and for those who are more expert, it's to collect the SOCs, not just for the external auditors, but also for you, to give you the

01:07:31.188 --> 01:07:39.613
assurance that my service provider is doing the job properly, that he has put in place all the security measures on his side.

01:07:39.680 --> 01:07:48.740
And then, of course, there's running and independent backups.

01:07:50.000 --> 01:07:55.960
Time goes by,

01:07:55.960 --> 01:07:59.040
but ask me questions

01:07:59.040 --> 01:08:01.080
at the end please on the action plan

01:08:01.080 --> 01:08:02.740
that I didn't have time to present to you.

01:08:02.740 --> 01:08:05.180
Thanks to all.

01:08:05.180 --> 01:08:16.280
I didn't mean to interrupt

01:08:16.280 --> 01:08:17.220
so abruptly.

01:08:17.220 --> 01:08:20.420
It's true that I'm talkative.

01:08:20.420 --> 01:08:23.580
No, I used expert and passionate,

01:08:23.580 --> 01:08:24.460
I didn't say chatty.

01:08:24.460 --> 01:08:26.260
But very well,

01:08:26.260 --> 01:08:29.240
without further ado we'll move on

01:08:29.240 --> 01:08:31.480
to the last presentation

01:08:31.480 --> 01:08:33.140
of the morning before continuing

01:08:33.140 --> 01:08:34.340
with questions.

01:08:34.340 --> 01:08:37.280
So the last presentation

01:08:37.280 --> 01:08:39.060
is entitled Selection and layout

01:08:39.060 --> 01:08:40.080
of IT solutions.

01:08:40.080 --> 01:08:42.900
Mr Adélite Uwineza,

01:08:42.900 --> 01:08:45.340
cyber security manager at EY,

01:08:45.340 --> 01:08:48.460
will be in charge of this presentation.

01:08:48.460 --> 01:08:51.680
To recall his career,

01:08:51.680 --> 01:08:55.080
he holds a master's degree in business engineering

01:08:55.080 --> 01:08:57.660
with a specialization in innovation and technology management.

01:08:57.660 --> 01:09:00.660
Over 8 years' experience in cybersecurity,

01:09:00.660 --> 01:09:03.080
he has successfully completed safety implementation projects,

01:09:03.080 --> 01:09:06.660
mainly in NGOs, pharmaceutical companies and banks.

01:09:06.660 --> 01:09:09.640
Please join me in continuing this presentation.

01:09:09.640 --> 01:09:12.080
And don't worry, as Alexandre said,

01:09:12.080 --> 01:09:13.500
all questions can come later.

01:09:14.780 --> 01:09:18.260
We'll still have half an hour to debate, which is both long and short.

01:09:18.260 --> 01:09:24.320
Thank you very much Frédéric for that flattering introduction.

01:09:24.320 --> 01:09:33.480
I'll be taking over from my colleagues, Audrey, Elisabeth, Claudia and Alexandre,

01:09:33.480 --> 01:09:39.400
in an attempt to complete them by sharing with you some food for thought

01:09:39.400 --> 01:09:44.140
on how to identify and select the solutions best suited to your needs,

01:09:44.700 --> 01:09:49.960
from electronic signatures to electronic archiving,

01:09:49.960 --> 01:09:59.660
or data risk management, or generally in the area of managing the protection of sensitive data.

01:09:59.660 --> 01:10:05.580
So now that my colleagues have all presented, I realize that this is no easy task.

01:10:05.580 --> 01:10:16.200
to present these points without repeating myself too much, but I will try to hit the nail

01:10:16.200 --> 01:10:22.200
with a different hammer, the real one, for this carpenter's analogy; I haven't been more

01:10:22.200 --> 01:10:29.520
but on the points where I'm going to feel like I'm repeating myself, so it's about

01:10:29.520 --> 01:10:36.600
complex subjects, so it's quite normal that we won't be able to cover everything in 15 minutes.

01:10:36.600 --> 01:10:41.400
but we're going to try and explore a few ideas anyway.

01:10:41.400 --> 01:10:46.080
Together, we will then look at a few examples of IT solutions that are adapted

01:10:46.080 --> 01:10:51.180
to your needs based on a few use cases I've selected, and then I

01:10:51.180 --> 01:10:58.040
would like to finish with a brief introduction to some of the advantages of choosing

01:10:58.040 --> 01:11:03.320
cloud solutions. As you'll soon realize, I'm a big fan of cloud solutions, but I'm not the only one.

01:11:03.320 --> 01:11:10.860
it's personal. So without further ado, let's get straight to the solutions.

01:11:10.860 --> 01:11:14.460
Data protection solutions. So these are things that have already

01:11:14.460 --> 01:11:18.480
been mentioned, but when it comes to data protection, the first thing to do

01:11:18.480 --> 01:11:22.560
is to identify your data. You're going to need solutions that

01:11:22.560 --> 01:11:27.560
identify and map your data, not existing data

01:11:27.560 --> 01:11:32.600
when you implement your solution, but solutions that are able to identify

01:11:32.600 --> 01:11:37.340
new information coming in and assign it the right level of sensitivity.

01:11:37.340 --> 01:11:44.800
Secondly, as we've already mentioned, it's important to protect your data.

01:11:44.800 --> 01:11:50.000
once you've identified them, whether at rest or in transit,

01:11:50.000 --> 01:11:54.320
when transferring them from point A to point B, or during use.

01:11:55.180 --> 01:11:58.760
So it's important to have solutions that allow you to apply encryption.

01:11:58.760 --> 01:12:03.980
It's important to have solutions that allow you to manage access to this data,

01:12:03.980 --> 01:12:09.460
to determine who should have access to this data, and which profile should not have access at all.

01:12:09.460 --> 01:12:15.560
These are things that can be complemented, for example, with DLP solutions, which we've already talked about,

01:12:15.560 --> 01:12:24.620
that will integrate, for example, with your e-mail service solutions to warn you when you are about to send sensitive data

01:12:24.620 --> 01:12:29.280
or when you've already pressed send, to be able to intercept this sensitive information

01:12:29.280 --> 01:12:32.300
before it leaks outside your organization.

01:12:32.300 --> 01:12:38.620
When it comes to data protection, it's very important to remember

01:12:38.620 --> 01:12:43.240
that data protection has three main dimensions.

01:12:43.240 --> 01:12:46.860
We've already talked about confidentiality with encryption.

01:12:46.860 --> 01:12:53.260
Availability, because without your data, there's a good chance

01:12:53.260 --> 01:12:59.520
that you can't do your job, and finally integrity, which my colleagues have already detailed in some detail.

01:12:59.520 --> 01:13:05.400
In terms of integrity, it's all about making sure that when your data is modified,

01:13:05.400 --> 01:13:10.260
you are able to identify that these data have been modified,

01:13:10.260 --> 01:13:17.740
whether these modifications are accidental or intentional.

01:13:18.640 --> 01:13:26.400
And last but not least, you need to be able to restore this data so that you can restore the version that you consider to be the most up-to-date,

01:13:26.400 --> 01:13:32.060
or the version that's not corrupted in the event of, say, ransomware and the like.

01:13:32.060 --> 01:13:38.820
Of course, if you can integrate your DLP solutions, for example,

01:13:38.820 --> 01:13:46.320
or your access management tools with monitoring and incident detection tools,

01:13:46.780 --> 01:13:53.660
this will enable you to be proactive in identifying data incidents before they happen,

01:13:53.660 --> 01:14:02.360
or to be able to intervene in time once these data leaks, or incidents involving sensitive data, have already materialized.

01:14:02.360 --> 01:14:09.360
We move on to the next point concerning secure archiving and electronic signatures.

01:14:09.360 --> 01:14:13.860
So, granted, these are two different subjects.

01:14:14.260 --> 01:14:22.360
However, as my colleagues have already mentioned, these two activities are very often subject to the same rules.

01:14:22.360 --> 01:14:32.380
For example, the eIDAS standards that will govern regulations on trust services.

01:14:32.380 --> 01:14:41.360
So it's important to choose solutions that comply with these different requirements to which you or your activities are subject.

01:14:42.980 --> 01:14:54.360
Also very important when selecting a backup solution or even an electronic signature solution, is to have audit trail traceability functionalities.

01:14:54.360 --> 01:15:05.419
This brings us back to the point about integrity. If we take the example of a contract, you sign a contract with an employer, if the employer can

01:15:05.343 --> 01:15:10.684
modify your contract after signing to add clauses you don't agree with,

01:15:10.760 --> 01:15:15.380
you need to be able to detect it and react.

01:15:15.380 --> 01:15:20.980
Therefore, you must be able to prove that this modification took place after signature.

01:15:20.980 --> 01:15:26.480
So I'll take an obviously extreme example just to make the point.

01:15:26.480 --> 01:15:35.420
Once again, I'd like to stress the point about data retention.

01:15:36.420 --> 01:15:45.500
You need solutions that allow you to control the length of time your data is retained.

01:15:45.500 --> 01:15:53.320
In other words, we're in a situation where data sometimes needs to be kept for a minimum period.

01:15:53.320 --> 01:15:59.280
This is the case for financial data, which must be kept for a period of, say, 10 years.

01:15:59.280 --> 01:16:05.400
But there is also data that should only be kept for as long as you need it.

01:16:06.360 --> 01:16:09.460
And beyond the time when you need them, you have to get rid of them.

01:16:09.460 --> 01:16:16.680
So, it's important to have mechanisms and tools that enable you to monitor retention time,

01:16:16.680 --> 01:16:25.780
and perhaps alerting features that allow you to delete this data once it is no longer relevant to your business.

01:16:25.780 --> 01:16:36.340
The next point is that I'd still advise you to choose solutions that integrate with your classic office tools.

01:16:36.360 --> 01:16:46.917
What I mean by this is that if you choose tools that aren't compatible, you're going to have to translate these documents, these data, into very

01:16:46.845 --> 01:16:54.148
specific formats before you can send them for signature, for example, or before you can archive them.

01:16:54.220 --> 01:16:57.600
So it's a question of simplicity, quite simply.

01:16:58.380 --> 01:17:04.240
When it comes to storing this data, of course, you have on-prem or cloud solutions,

01:17:04.240 --> 01:17:10.280
but I kept the point about the cloud to be consistent with my last point.

01:17:10.280 --> 01:17:19.460
In terms of regulatory compliance requirements,

01:17:19.460 --> 01:17:24.160
there are four main points to bear in mind when choosing a solution.

01:17:24.740 --> 01:17:30.260
Firstly, you need a solution that allows you to manage your data processing register.

01:17:30.260 --> 01:17:41.940
This management of the data processing register is what will enable you to document, for example, everything concerning the reasons why you collect the data,

01:17:41.940 --> 01:17:48.460
the categories of people and data you process, and the purposes for which you process the data.

01:17:51.020 --> 01:18:02.000
So it's a good idea to prioritize solutions that enable you to manage and collect consent and preferences.

01:18:02.000 --> 01:18:15.680
It's something that will make it easier for you, for example, to prove that you have prior consent for the data you collect before you can even collect or process it.

01:18:19.500 --> 01:18:31.680
When it comes to compliance, you'll also be faced with the need to respond to requests from data subjects, i.e. the people whose data you're processing.

01:18:31.680 --> 01:18:43.720
So, if you can choose a solution that will enable you to centralize all these questions and answer them centrally, perhaps by grouping, that's preferable.

01:18:43.720 --> 01:18:49.340
The final point is that regulations are bound to evolve.

01:18:50.240 --> 01:18:56.180
I think it's safe to say that most of today's regulations didn't exist 20 years ago.

01:18:56.180 --> 01:18:58.860
And those that did exist must already have evolved considerably.

01:18:58.860 --> 01:19:02.140
So we can expect these regulations to continue to evolve.

01:19:02.140 --> 01:19:11.180
When choosing a solution, in this case, you need to choose a scalable solution that can support you over time,

01:19:11.180 --> 01:19:14.920
which will be able to integrate new regulations and requirements.

01:19:19.500 --> 01:19:29.111
In terms of risk management, I'm not going to dwell too much on that, I think it's been covered quite a lot, but obviously, always remember the importance of

01:19:29.050 --> 01:19:35.759
first mapping data and classifying it before you can protect it, before you can even think about protecting it,

01:19:35.820 --> 01:19:39.420
and this usually requires tools in their own right.

01:19:39.420 --> 01:19:46.980
It's better to use tools that integrate risk management frameworks,

01:19:46.980 --> 01:19:52.700
such as DPIA or TIA (TIA stands for Threat Impact Assessment),

01:19:52.700 --> 01:19:57.420
and DPIA stands for Data Protection Impact Assessment or Privacy, depending,

01:19:57.420 --> 01:20:05.180
which will serve as a means of providing you with an overview

01:20:05.180 --> 01:20:12.040
on compliance with your own data management controls.

01:20:12.040 --> 01:20:19.440
Also, if you have the possibility of having a tool that gives you a governance dashboard and reporting,

01:20:19.440 --> 01:20:23.400
ideally with real-time alerting and monitoring,

01:20:23.400 --> 01:20:28.880
this will give you a constant overview of the areas in which you are compliant,

01:20:28.880 --> 01:20:31.540
and the areas in which you are non-compliant,

01:20:31.540 --> 01:20:35.560
in order to provide a solution within an acceptable timeframe,

01:20:35.560 --> 01:20:40.920
but above all so that you don't lose sight of precisely those points on which you're non-compliant.

01:20:40.920 --> 01:20:49.000
I don't know if it's worth going through a few examples here,

01:20:49.000 --> 01:20:52.440
maybe we can do it during the Q&A session,

01:20:52.440 --> 01:20:58.760
but very quickly, in terms of archiving and electronic signatures,

01:21:00.160 --> 01:21:09.340
For electronic signatures, we'll be looking at solutions such as DocuSign, Adobe or Swisscom Trust Services for a local solution.

01:21:09.340 --> 01:21:15.820
And when it comes to data management and archiving, we may be looking at solutions such as Box or M5.

01:21:15.820 --> 01:21:20.060
Obviously, the list of solutions here is not exhaustive.

01:21:20.060 --> 01:21:26.220
These are selected solutions that may be better suited to SMEs, i.e. small and medium-sized businesses.

01:21:26.220 --> 01:21:33.760
But there are other solutions, of course, and it's very important to do your analysis before selecting the solution.

01:21:33.760 --> 01:21:42.920
When it comes to risk and data management, we'll be looking at solutions such as OneTrust, TrustArc, Osano and Dataguard.

01:21:42.920 --> 01:21:52.000
And you'll notice that in terms of compliance and risk management, we're mainly using the same tools.

01:21:52.000 --> 01:21:55.160
We use tools that combine the two activities.

01:21:56.220 --> 01:22:06.348
And I'd just like to make one point about OneTrust. So, it may not be a tool that's entirely suited to small and medium-sized businesses. So, it all depends on your

01:22:06.287 --> 01:22:14.899
level of maturity. It's an assessment that needs to be made beforehand to determine whether it's really a tool that's right for your business.

01:22:15.660 --> 01:22:22.440
But I was a little embarrassed not to mention the market leader in compliance management.

01:22:22.440 --> 01:22:28.540
So I've made a point of putting the tool on the slide so that you can still do your research.

01:22:28.540 --> 01:22:33.080
And if you have to rule it out, you can rule it out, but with all the information.

01:22:33.080 --> 01:22:41.060
When it comes to data protection, especially if you're looking for a backup and restore solution

01:22:41.060 --> 01:22:43.720
to protect you from ransomware attacks,

01:22:43.720 --> 01:22:45.860
you're more likely to opt for Microsoft,

01:22:45.860 --> 01:22:48.320
Acronis, Sophos, etc.

01:22:48.320 --> 01:22:52.160
So you'll find plenty of solutions on the market,

01:22:52.160 --> 01:22:54.700
on-premise or cloud solutions.

01:22:54.700 --> 01:23:02.180
And even if a fairly thorough prior assessment

01:23:02.180 --> 01:23:05.980
is necessary to determine whether you need a cloud model,

01:23:05.980 --> 01:23:07.500
or if you need an on-premise model,

01:23:08.300 --> 01:23:15.120
Still, it's important to mention a few of the advantages of cloud solutions, which shouldn't be overlooked.

01:23:15.120 --> 01:23:19.940
Let's start with the first, the sinews of war: money.

01:23:19.940 --> 01:23:26.120
It goes without saying that every company and every business manager has to think about...

01:23:26.120 --> 01:23:33.220
Today, it has been established that cloud solutions are cost-saving solutions,

01:23:33.220 --> 01:23:36.160
firstly, because you only pay for what you use,

01:23:36.680 --> 01:23:49.780
and secondly, because it allows us to outsource part of the day-to-day management of these tools to companies that generally specialize in this area.

01:23:49.780 --> 01:23:57.080
And if you have to do it yourself, for example, or even incident management or security incident prevention,

01:23:57.080 --> 01:23:59.860
these are very expensive activities if you have to do them yourself.

01:24:01.060 --> 01:24:06.220
And also, the companies that usually manage these solutions,

01:24:06.220 --> 01:24:12.200
these are fairly robust companies with a certain maturity in terms of security.

01:24:12.200 --> 01:24:17.860
So, when you entrust them with your data, it doesn't limit the impact in the event of data loss.

01:24:17.860 --> 01:24:24.060
On the other hand, it greatly reduces the probability of data mining.

01:24:27.760 --> 01:24:41.460
Of course, always in line with the robustness of these partners, it's very important to have a partner with whom you can share responsibility for regulatory compliance.

01:24:41.460 --> 01:24:50.480
I say share, because when you delegate the part, the processing for example, the data processing, you don't delegate the responsibilities.

01:24:50.480 --> 01:24:54.940
We still retain responsibility as the entity collecting the data.

01:24:57.760 --> 01:25:08.460
So all this helps to improve your reputation and your confidence not only with your customers, but also with your other partners.

01:25:09.460 --> 01:25:28.820
Management in the cloud is accompanied by a high degree of automation, which increases productivity and saves management time.

01:25:28.820 --> 01:25:34.580
And last but not least, scalability.

01:25:34.580 --> 01:25:46.220
I don't think I'm wrong in saying that the aim of any company, small or medium-sized, is to grow, to remain sustainable and to continue to grow over time.

01:25:46.520 --> 01:26:00.586
And so, when you turn to cloud solutions, you turn to scalable solutions, flexible solutions that can support your growth and keep your

01:26:00.484 --> 01:26:05.618
cost management in line with your rising expenses.

01:26:05.720 --> 01:26:15.980
So let me conclude by saying that on the market, you're going to find quite a few solutions to meet the various needs we've discussed.

01:26:16.520 --> 01:26:24.020
It's up to you to do the work necessary to identify your needs, before we can direct you towards any solution.

01:26:24.020 --> 01:26:37.340
Very often, as a good business manager, you'll tend to make decisions that are mostly guided by cost.

01:26:37.340 --> 01:26:46.060
But don't forget to consider other needs, and your long-term strategic plan.

01:26:46.520 --> 01:26:51.220
Your tactical plan for the medium term and your operational plan for the short term.

01:26:51.220 --> 01:26:53.160
Thank you very much for your attention.

01:26:53.160 --> 01:27:02.040
Thank you very much.

01:27:02.040 --> 01:27:05.440
We'll now open the floor to questions and answers.

01:27:05.440 --> 01:27:08.660
I don't know who spoke, but we haven't forgotten you in relation to the slide.

01:27:08.660 --> 01:27:11.640
It was over there, but we'll come back to it.

01:27:11.640 --> 01:27:16.380
In fact, I'd just like to start, and this will summarize several questions that are out there.

01:27:16.520 --> 01:27:24.280
The presentation is dense, and the regulations seem substantial,

01:27:24.280 --> 01:27:31.000
and then some worry about their ability to integrate them as SMEs

01:27:31.000 --> 01:27:36.820
and finally, it's addressed to all of you, perhaps Claudia or Alexandre.

01:27:36.820 --> 01:27:40.940
I don't know who wants to answer, but in the end, should we be worried about this load?

01:27:40.940 --> 01:27:45.520
and to what extent are there solutions tailored to SMEs?

01:27:45.520 --> 01:27:47.120
I don't know who wants it.

01:27:47.120 --> 01:27:52.720
Great, the mic's going to spin, I think.

01:27:52.720 --> 01:27:54.140
First of all, this is better.

01:27:54.140 --> 01:27:59.180
So yes, in answer to your question,

01:27:59.180 --> 01:28:01.940
is there anything to worry about as an SME?

01:28:01.940 --> 01:28:05.000
to tick all the boxes?

01:28:05.000 --> 01:28:07.780
So I'd say don't worry,

01:28:07.780 --> 01:28:09.720
but it's still an important subject.

01:28:09.720 --> 01:28:12.220
So, as we said, the consequences,

01:28:12.220 --> 01:28:15.200
they can be financial, legal or reputational.

01:28:15.520 --> 01:28:20.320
So perhaps we should start with the simplest measures.

01:28:20.320 --> 01:28:27.060
As my colleagues have said, map the data, start with that.

01:28:27.060 --> 01:28:32.580
It may take a little time, but it's not too time-consuming or costly either.

01:28:32.580 --> 01:28:35.760
So, list the data a little bit, classify what we have.

01:28:35.760 --> 01:28:39.840
Then start with the simplest.

01:28:39.840 --> 01:28:46.960
So, you'll see the slides again, but anything organizational is often quite simple to set up.

01:28:46.960 --> 01:28:53.020
Training, internal procedures and then technical aspects too.

01:28:53.020 --> 01:29:01.520
And don't hesitate to call in experts on these very subjects as soon as things get technical.

01:29:01.520 --> 01:29:08.620
So, don't hesitate to call on external help for this.

01:29:09.840 --> 01:29:13.900
Perhaps, Alexandre, in the end, everything we're discussing is really designed for SMEs?

01:29:13.900 --> 01:29:15.180
I think there is some concern.

01:29:15.180 --> 01:29:18.540
So it's always the same.

01:29:18.540 --> 01:29:22.520
I've tried to present some fairly simple and fairly inexpensive measures.

01:29:22.520 --> 01:29:26.380
Set up...

01:29:26.380 --> 01:29:30.180
So I didn't necessarily have time to present my checklist at the end.

01:29:30.180 --> 01:29:30.980
Apologies for that.

01:29:30.980 --> 01:29:32.220
And I apologize.

01:29:32.220 --> 01:29:36.500
But once again, if you have any very specific questions, I won't hesitate.

01:29:37.220 --> 01:29:46.900
But I think that the main measures to take into account will enable you to cover the vast majority of requirements,

01:29:46.900 --> 01:29:52.380
regulatory requirements in particular, they are still time-consuming.

01:29:52.380 --> 01:29:54.640
Time is money.

01:29:54.640 --> 01:30:04.060
Adélite presented a number of solutions which, as he rightly said, are not necessarily adapted to each and every one of you.

01:30:04.060 --> 01:30:19.060
But setting up a DLP-type tool doesn't have to be ultra-expensive. Activating a certain number of parameters in your systems is technical, but not necessarily costly.

01:30:19.460 --> 01:30:29.920
Implementing best practices in terms of staff entry and exit management processes, rights and account management is time-consuming, but it doesn't have to be.

01:30:29.920 --> 01:30:37.080
It doesn't necessarily require you to set up expensive, dedicated solutions to do this.

01:30:37.080 --> 01:30:50.640
There's a lot of plain common sense in all the measures we suggest. After that, there will always be certain tools that will make your life much easier.

01:30:50.640 --> 01:31:02.462
And then, Adélit presented a few examples. But I'd say that 80% of the things you can implement are fairly easy and don't require any

01:31:02.462 --> 01:31:06.840
investment on your part, apart from a little time.

01:31:08.200 --> 01:31:20.063
Drawing up a register of processing activities, if we take the nLPD requirements into account, takes a little time. On the other hand, you don't have to buy an

01:31:19.982 --> 01:31:26.239
extremely expensive solution to manage your risks, to manage your processing activities.

01:31:26.320 --> 01:31:39.260
This can be done in the form of an Excel file, and I've seen this with a number of customers, including small banks and securities houses.

01:31:39.260 --> 01:31:41.400
so overall there are

01:31:41.400 --> 01:31:42.360
a lot of common sense

01:31:42.360 --> 01:31:45.340
process, process, process

01:31:45.340 --> 01:31:46.680
this is extremely important

01:31:46.680 --> 01:31:49.920
and the technique, I'm not going to say it's a detail

01:31:49.920 --> 01:31:53.340
but most of the tools

01:31:53.340 --> 01:31:55.520
I consider, I think you have

01:31:55.520 --> 01:31:57.300
you all already have them

01:31:57.300 --> 01:31:59.240
then did you set up

01:31:59.240 --> 01:32:00.840
the processes involved to

01:32:00.840 --> 01:32:03.560
set up these tools, manage rights properly

01:32:03.560 --> 01:32:04.900
etc, that's something else

01:32:04.900 --> 01:32:07.180
but this is where the bulk of the work

01:32:07.180 --> 01:32:08.240
it has to be done in fact

01:32:08.240 --> 01:32:15.240
Thank you for your time. Before we forget, do you want us to come back to this question attached to the slide?

01:32:15.240 --> 01:32:26.799
Just before, to try and complete the picture, all too often we see initiatives that are held back by the fear of realizing that there are a lot

01:32:26.719 --> 01:32:31.980
of administrative responsibilities that come with data management.

01:32:33.740 --> 01:32:39.760
Fines are too high for non-compliance.

01:32:39.760 --> 01:32:41.920
But in fact, all this is false.

01:32:41.920 --> 01:32:44.640
So there's a proportionality to keep in mind.

01:32:44.640 --> 01:32:53.080
As a small or medium-sized company, you don't have to deploy the same resources as large corporations.

01:32:53.080 --> 01:33:00.920
And the same goes for fines: you won't be fined the same as the big companies.

01:33:01.880 --> 01:33:05.380
There's a notion of due diligence to always keep in mind.

01:33:05.380 --> 01:33:12.740
You have to do your best, but if you don't, you don't have to close the door.

01:33:12.740 --> 01:33:17.240
When you go to the cloud, of course it comes with a risk.

01:33:17.240 --> 01:33:19.580
In the end, it's all a question of risk management.

01:33:19.580 --> 01:33:23.920
That doesn't mean you delegate all responsibility.

01:33:23.920 --> 01:33:35.596
This doesn't mean that the service provider you give responsibility for managing and hosting your data will go bankrupt tomorrow, a

01:33:35.508 --> 01:33:40.512
risk you've already accepted by opting for this solution.

01:33:40.600 --> 01:33:43.100
And that's why I come back to what I said at the beginning.

01:33:43.100 --> 01:33:53.086
It's very, very important to take the time to assess your needs. Assessing your need also means assessing your risk appetite, the risk

01:33:53.013 --> 01:33:58.227
you're willing to accept, and taking your decisions into consideration.

01:33:58.300 --> 01:34:10.100
We agree, there's no legal framework today that fixes, perhaps I'm asking you, which service provider we have access to as a company based in Switzerland?

01:34:10.100 --> 01:34:17.040
Today, in Switzerland, there is a requirement to keep data in Switzerland.

01:34:17.040 --> 01:34:23.120
When we use American cloud solutions that send data to the USA,

01:34:23.120 --> 01:34:26.600
we don't comply with Swiss law at all.

01:34:26.600 --> 01:34:33.820
Today, that's why, for example, Microsoft offers hosting in Geneva and Zurich.

01:34:33.820 --> 01:34:36.880
It's to meet these needs.

01:34:37.480 --> 01:34:48.649
So when you go through Microsoft, today what Microsoft assures is that your data is stored in Switzerland, and in a way, there's no legitimacy on the

01:34:48.575 --> 01:34:55.306
part of the United States to be able to retrieve that data at some point if they so decide.

01:34:55.380 --> 01:35:06.103
In fact, we're once again dealing with systemic risks, risks that we're discovering today. Five years ago, would we have imagined that

01:35:06.024 --> 01:35:10.281
the situation we're in today with Trump was realistic?

01:35:10.360 --> 01:35:16.780
I'd like to take the liberty, but you may all be frustrated, of returning to some down-to-earth, technical questions.

01:35:16.780 --> 01:35:24.540
We've got a bunch too. I suggest, for example, that I speak to you, Audrey, or to you, Elisabeth.

01:35:24.540 --> 01:35:31.120
Someone asked us what the legal requirements are for archiving a company's data when it ceases trading.

01:35:37.540 --> 01:35:41.060
Indeed, when a company ceases to operate, it is subject to the law.

01:35:41.060 --> 01:35:48.880
In fact, the retention periods will not change as the company is dissolved and goes into liquidation.

01:35:48.880 --> 01:35:56.440
That's why, as we used to say, a tool is old school compared to all other considerations,

01:35:56.440 --> 01:36:01.800
but it does mean having a conservation schedule and a conservation plan.

01:36:02.260 --> 01:36:10.700
Will your company actually survive certain legal conservation obligations?

01:36:10.700 --> 01:36:18.300
We're going to jump back into the debate a little here, but we're coming back to the legitimacy of the signature questions.

01:36:18.300 --> 01:36:24.520
Some people are asking for details of the signatures recognized, including when we enter into contracts with suppliers abroad.

01:36:25.000 --> 01:36:31.400
Does this mean which signatures or legislation are the law?

01:36:31.400 --> 01:36:39.500
All right, then. So, I think the first thing to know is that, as I was saying, the contract, the formal validity of a contract,

01:36:39.500 --> 01:36:42.500
it will depend on the applicable law.

01:36:42.500 --> 01:36:48.560
So, as I was saying, we focused on contracts that are subject to Swiss law.

01:36:48.560 --> 01:36:53.560
In which case, formal validity is governed by Swiss law.

01:36:54.620 --> 01:36:58.860
And so we look at whether Swiss law requires written form.

01:36:58.860 --> 01:37:04.260
In which case, we'll need a handwritten signature or a QIS, a qualified signature.

01:37:04.260 --> 01:37:07.460
I don't know if that answers the question,

01:37:07.460 --> 01:37:13.620
if there were any clarifications, or if the person who asked the question perhaps wanted to make some clarifications.

01:37:13.620 --> 01:37:17.040
I don't know who asked it.

01:37:17.040 --> 01:37:21.540
Then, of course, if you have a contract that is subject to another law,

01:37:22.380 --> 01:37:26.880
you will look for formal validity in this other law.

01:37:26.880 --> 01:37:33.420
And so, typically, if we imagine a contract that is subject to German law,

01:37:33.420 --> 01:37:39.860
we'll now take a look at the formal validity under German law.

01:37:39.860 --> 01:37:46.440
And if German law requires a written form, a qualified signature, etc., this is not a problem.

01:37:46.440 --> 01:37:51.660
We can envisage two signatures in two systems, or it's something that...

01:37:51.660 --> 01:37:57.020
So if you have a contract governed by Swiss law, which requires written form,

01:37:57.020 --> 01:38:03.640
we'll need either a handwritten signature or a qualified signature.

01:38:03.640 --> 01:38:09.340
We won't be able to have a qualified Swiss signature and a qualified foreign signature.

01:38:09.340 --> 01:38:11.840
Because, as I said, there's no equivalence.

01:38:11.840 --> 01:38:19.240
So if you have a contract subject to Swiss law that requires a qualified or handwritten signature,

01:38:20.260 --> 01:38:31.102
typically, a signature under the eIDAS regulation, i.e. a signature that is recognized as qualified in Europe, in the European Union,

01:38:31.022 --> 01:38:35.520
will not be equivalent to the Swiss qualified signature.

01:38:35.600 --> 01:38:40.420
Therefore, formal validity will not be given.

01:38:40.420 --> 01:38:44.100
I don't know if that's clear enough.

01:38:44.700 --> 01:38:51.700
Typically, if you take out a contract with someone outside Switzerland,

01:38:51.700 --> 01:38:58.860
but where you still have a contract that is subject to Swiss law, i.e. Swiss formal validity,

01:38:58.860 --> 01:39:07.740
you can have yourself signing with a qualified signature and the other person signing by hand, i.e. a handwritten signature.

01:39:07.740 --> 01:39:10.120
So this is something that could be envisaged.

01:39:10.120 --> 01:39:14.660
If you contract with someone who does not have a qualified Swiss signature,

01:39:14.700 --> 01:39:26.300
Thank you, Claudia. Claudia, maybe you mentioned someone is asking us about the PDF/A format. Is it 100% forgery-proof?

01:39:26.300 --> 01:39:32.040
But beyond that, I even think it raises the question of the evolution of formats, of what will last over time.

01:39:32.040 --> 01:39:40.200
And in the end, can we really calculate and predict it? How can we be sure that everything we're doing here, which is a fundamental question,

01:39:40.200 --> 01:39:43.440
and also cross-reference with global geopolitics,

01:39:43.440 --> 01:39:45.860
all you want, but at the end of the day, how do we make sure

01:39:45.860 --> 01:39:49.000
that what we're implementing today will hold up?

01:39:49.000 --> 01:39:52.500
And what about these formats, in this case PDF?

01:39:52.500 --> 01:39:55.680
I'd say that's a good question, and I'd love to have the answer,

01:39:55.680 --> 01:40:00.180
but unfortunately, I can't necessarily predict everything that's going to happen.

01:40:00.180 --> 01:40:04.080
As we can see with artificial intelligence, things are moving very, very fast.

01:40:04.080 --> 01:40:08.020
So PDF/A is what we see today,

01:40:08.020 --> 01:40:11.760
We know it's going to be there for years to come.

01:40:11.760 --> 01:40:19.100
So I think it's already a good measure to make sure that this is the format we keep.

01:40:19.100 --> 01:40:23.560
But as we know, this is an area that is evolving and will continue to evolve.

01:40:23.560 --> 01:40:25.920
And you have to keep up.

01:40:25.920 --> 01:40:33.680
The only thing I can advise is to stay tuned, and keep up to date with the latest developments,

01:40:33.680 --> 01:40:44.420
to find out perhaps a little bit about the people around you, in the networks, in these discussions. But I can't.

01:40:44.420 --> 01:40:58.020
No, but absolutely. We're talking to an SME audience. Every change entails a cost. I imagine that we do risk ratios for change, and then we go for what's safest, I guess.

01:40:59.960 --> 01:41:09.340
Same question, and by the way, maybe I'm staying with you, because in the end, you presented the notion of AI as the advantage it can have.

01:41:09.340 --> 01:41:15.780
There are also questions about all the... in terms of data protection, about everything that the use of AI can entail too,

01:41:15.780 --> 01:41:26.780
and finally, increased security measures. How do we manage this AI? Is it all to the good?

01:41:26.780 --> 01:41:28.620
So it's true that with everything that's...

01:41:28.620 --> 01:41:31.120
And I'm asking you, but honestly, anyone can participate.

01:41:31.120 --> 01:41:35.320
Don't hesitate to let me know if there's anything you'd like to add.

01:41:35.320 --> 01:41:40.160
So it's true that there's also artificial intelligence,

01:41:40.160 --> 01:41:43.760
so all the regulations and safety precautions are in place.

01:41:43.760 --> 01:41:47.260
It's also something that's beginning to be put in place,

01:41:47.260 --> 01:41:51.520
regulations around AI in Europe and around the world.

01:41:53.140 --> 01:42:04.637
But it's true that sometimes technology moves almost faster than regulation, so it's a very good point when you point the finger a little at AI and

01:42:04.484 --> 01:42:15.905
risk, because it's true that when we implement these tools, we often forget to think about all the compliance and control issues around AI, where the

01:42:15.905 --> 01:42:21.807
data really goes, this external service provider if it's an external company.

01:42:21.960 --> 01:42:27.440
How well do we know him? Do we know that he has really studied the issue, etc.?

01:42:27.440 --> 01:42:34.340
So I'm not a specialist in all things artificial intelligence.

01:42:34.340 --> 01:42:36.240
So I don't really want to get into that.

01:42:36.240 --> 01:42:46.620
But it's true that I think, before implementing a tool in his company that seems very good,

01:42:46.620 --> 01:42:55.849
you really need to find out, first about the contract, maybe get someone in the company who's a bit more legal, a legal hat, and then go

01:42:55.782 --> 01:42:59.193
and read in conjunction with the safety department.

01:42:59.260 --> 01:43:07.360
Do we really have clauses in the contract that allow us to move in the direction of protecting data, etc.?

01:43:07.360 --> 01:43:20.760
So, don't just go in with your eyes closed and implement an artificial intelligence tool at home without reading the clauses and finding out about this part.

01:43:20.760 --> 01:43:25.360
Anyone else, for example, Alexandre, on this use of AI?

01:43:25.360 --> 01:43:35.700
I think that's fair to say, and I, as a listener, am a fond user of AI more and more, to be very honest with you.

01:43:35.700 --> 01:43:52.880
In fact, I'm sure there's a slide I haven't had time to present to you on the subject, but it must be the subject of technical measures framed in the same way as a business application.

01:43:53.620 --> 01:44:06.360
Of course, we have to be very careful about the access we give our employees and the opportunities they have to use AI in particular.

01:44:06.360 --> 01:44:15.920
It must be a controlled use because typically today, me at BDO, if this afternoon, after our exchange,

01:44:15.920 --> 01:44:18.200
I had fun copying and

01:44:18.200 --> 01:44:20.040
pasting into or uploading to

01:44:20.040 --> 01:44:21.680
a customer file

01:44:21.680 --> 01:44:24.680
I would immediately

01:44:24.680 --> 01:44:25.380
I retouched

01:44:25.380 --> 01:44:27.880
by my

01:44:27.880 --> 01:44:30.100
CISO, by BDO's CISO

01:44:30.100 --> 01:44:32.080
Switzerland, why?

01:44:32.080 --> 01:44:32.900
because

01:44:32.900 --> 01:44:36.140
BDO, for example, but this is the case of

01:44:36.140 --> 01:44:38.460
other customers of mine, have implemented

01:44:38.460 --> 01:44:39.760
tools that enable

01:44:39.760 --> 01:44:41.980
they're not necessarily going to

01:44:41.980 --> 01:44:44.300
to dissecting the contents of the

01:44:44.300 --> 01:44:57.780
But if I put in a file with a customer's name or keywords that would be very sensitive, immediately or within two days, I'll get an email and I've done the test, to be very honest.

01:44:57.780 --> 01:45:05.560
I get an e-mail from the CISO telling me why you uploaded this file to ChatGPT, for example.

01:45:05.560 --> 01:45:13.680
Obviously, we're going to have to regulate the use of artificial intelligence.

01:45:13.680 --> 01:45:27.119
I'll take the example of using artificial intelligence, I don't know, to build a work program, a presentation, but in the same way, we, as auditors, are going to have to change

01:45:27.043 --> 01:45:40.104
our way of auditing a little because I have a number of customers who are starting to implement artificial intelligence in their systems, particularly in the banking sector.

01:45:40.180 --> 01:45:52.881
And so, as an auditor, I'm going to have to take a look at the algorithm. I don't know if I'll go that far, but in the end, how the AI is

01:45:52.789 --> 01:45:58.088
trained, how it's all framed to make sure there's no bias.

01:45:58.180 --> 01:46:08.519
So we're working on it. I don't think I'm the only one at BDO, but I think audit firms like ours are working on how, in the long term, we're going to

01:46:08.451 --> 01:46:13.792
have to audit these AI models, because quite clearly, they're taking up space.

01:46:13.860 --> 01:46:21.800
So, as I say, this has to be one of our concerns.

01:46:21.800 --> 01:46:27.920
I'm just going to ask a few more questions, because there are a lot of them. One thing that comes up a lot is the question of responsibility.

01:46:28.180 --> 01:46:31.840
who is responsible for data storage?

01:46:31.840 --> 01:46:34.240
I know you've presented it a lot, but I see that it comes up a lot.

01:46:34.240 --> 01:46:38.400
So, someone asks, does this responsibility lie with a board of directors or with management?

01:46:38.400 --> 01:46:41.420
We were talking earlier about data owners in the company.

01:46:41.420 --> 01:46:51.080
Finally, who is deemed responsible for this conservation?

01:46:51.080 --> 01:46:57.780
In fact, the person responsible will be the one collecting the data.

01:46:57.960 --> 01:47:00.680
So it's the data controller.

01:47:00.680 --> 01:47:10.920
And then, internally, within your company, it's usually the administrators.

01:47:10.920 --> 01:47:16.940
After that, some large companies may appoint a data protection advisor,

01:47:16.940 --> 01:47:21.980
at GDPR level, he's known as the DPO, Data Protection Officer.

01:47:21.980 --> 01:47:25.180
But that remains an internal function.

01:47:25.300 --> 01:47:29.620
So this could create internal responsibilities in terms of this person's duties.

01:47:29.620 --> 01:47:34.700
But the ultimate responsibility remains with the company's management.

01:47:34.700 --> 01:47:40.180
After the legal entity, we'll be looking for natural persons.

01:47:40.180 --> 01:47:46.840
Someone asked us whether, in the question, for example, of document alteration or conservation archiving,

01:47:46.840 --> 01:47:49.960
it's an email exchange with a legal document attached.

01:47:53.620 --> 01:47:58.120
Legal value is a somewhat abstract concept in itself.

01:47:58.120 --> 01:48:02.500
So, indeed, if it's part of a dispute, it can always be produced.

01:48:02.500 --> 01:48:08.480
Then there's the question of the probative value of an email,

01:48:08.480 --> 01:48:12.260
it all depends on what you're trying to prove.

01:48:12.260 --> 01:48:16.880
The attachment, then we switch back to what the attachment is.

01:48:16.880 --> 01:48:26.560
If it's a contract, for example, signed electronically, yes, in that case it's the document itself.

01:48:26.560 --> 01:48:34.000
As mentioned above, if it has been properly archived electronically, it has full probative value.

01:48:34.000 --> 01:48:41.600
We're coming to the end. There are a lot of questions that are very... In fact, we're looking for solution listings.

01:48:41.600 --> 01:48:46.560
I encourage you to discuss it. There were a few proposals on the table.

01:48:46.880 --> 01:48:56.320
I deliberately left that out, because I didn't think it was the point of this discussion. But I understand that a concrete solution is what you're all looking for.

01:48:56.320 --> 01:49:07.500
So I encourage you to continue. We're coming to the end of these debates. I'd like to thank you for your participation. I can see that this is a lively debate.

01:49:07.500 --> 01:49:13.500
but honestly, at the end, I didn't raise them again because there were still some left, but we can talk about that.

01:49:13.500 --> 01:49:19.280
The question of whether the cloud can really remove this data, I'll leave you to debate afterwards.

01:49:19.280 --> 01:49:26.420
In any case, I'd like to thank you for everything, for your questions, for your participation, and I'd like to thank all those who took part.

01:49:26.420 --> 01:49:31.480
As you can see, we've got another slide coming up, and that's for today's session.

01:49:33.160 --> 01:49:43.720
You will then have access to these sessions, these mornings are recorded, so you can relive them on video on the site mentioned here.

01:49:43.720 --> 01:49:50.380
I'd like to thank all the partners who make these breakfasts possible.

01:49:50.380 --> 01:50:00.254
I'll just finish this. So, the CCIG, FER Genève, BDO, Deloitte, EY, KPMG, PwC, Entreprises Romandes and Bilan, which we are delighted to join in

01:50:00.187 --> 01:50:10.062
this initiative. I would like to thank all the participants, the OCEI for organizing these breakfasts, and I would also like to remind you that the

01:50:10.062 --> 01:50:15.033
next one will take place on November 28, on the subject of customs duties.

01:50:15.100 --> 01:50:18.180
Here too, I imagine, we can have lively debates.

01:50:18.180 --> 01:50:20.760
So there you have it, thank you.

01:50:20.760 --> 01:50:26.380
I invite you to continue the conversation next door for those who would like to continue the debate.

01:50:26.380 --> 01:50:26.940
Thank you very much.

