EBRC SPECIAL EDITION - IT NATION MAG (EN) by EBRC

THE MAGAZINE OF THE CIOS and IT DECISION MAKERS IN LUXEMBOURG â&#x20AC;&#x201C; EBRC SPECIAL EDITION

Fintech

Data Centre

business continuity

security

EBRC in numbers 19%

more than

57,5 M€

50%

100%

Growth in 2015

of Turnover in 2015

Reduction of the carbon footprint of EBRC clients through the innovative “Green IT” programme

100%

Green energy usage

300

Clients partially or fully entrusted us with their IT and security

Best WorkPlace Award 2014, 2015, 2016

Data Centre availability since 2000

Data Centres in Europe: England, France, Switzerland, Germany, Luxembourg

more than

Awards & Certifications

FinTech Clients

Tier IV certified Data Centres (two of which are “Tier IV Fault Tolerant Constructed Facility”)

more than Staff members

190

Latest distinctions We owe this recognition to the talent and commitment of our employees. Our teams of experts are always ready to listen to our Clients while focusing on innovation and excellence.

Sandrine Boucquey, Head of Human Resources & Legal

The award rewards the experience we accumulated over the years. Our teams support our Clients in their migration to the cloud using a pragmatic approach that is optimised for low cost and thorough planning.

Philippe Dann, Head of Risk & Business Advisory

As part of our “Energy Savings Programme” and our ISO 14001 and ISO 50001 certifications, we aim at continuous improvement of our operational management and our energy systems. This commitment to “Green IT” is part of our culture and our E.A.R.T.H. values: Excellence, Agility, Responsibility, Trust and Human. Bruno Fery, Head of Datacentre Services

ITnation Mag

is a MAKANA Magazine

éditoRIAL

153-155 B, rue du Kiem L-8030 Strassen Grand Duchy of Luxembourg T. +352 26 10 86 26, E. info@itnation.lu

Émilie Mounier Managing Director, T. +352 691 99 11 56

“THERE IS NOTHING PERMANENT EXCEPT CHANGE.”

Cyrielle Pinalie Team leader & Account Manager, T. +352 671 26 10 26

Heraclitus of Ephesus - 540 BC

PUBLICATION Eric Busch Publication Director T. +352 691 43 45 45

Lison Jacquinot Project & Events Manager, T. +352 671 26 10 27 Jenifer Matern Web & Digital Project Manager, T. +352 26 10 86 26-24 Sébastien Lambotte Journalist T. +352 621 255 897

DESIGN Photography Agence Blitz laurent@blitz.lu T. +352 691 652 003 Michel Brumat, T. +352 26 440 947 photo@brumat.com Luc Deflorenne T. +352 691 646 264 contact@lucphoto.lu Design Laurence Vagner Layout Nathalie Ludmann, T. +33 6 73 26 74 09

This quote from Heraclitus is certainly familiar. 540 years before the start of our era, it laid the foundation for innovation. No other philosopher has ever been considered to be such a strong model by entrepreneurs and initiators of innovative projects from Europe to Silicon Valley. As a “business enabler”, we focus on and promote this view in each of our projects with and for our Clients. This support aims to share in our Clients’ journey throughout the implementation of their projects, including digital transformation, start-up launches in the FinTech sector, highly secure architectures and highly available infrastructure. With the adoption of the new General Data Protection Regulation (GDPR), our “Experience Trust” motto has become even more relevant. Since its creation in 2000, EBRC’s mission has been built on “managing and protecting sensitive information”.

Experience Trust with EBRC

MAKANA

Today’s business thrives on data.

IBAN LU53 0030 7526 7288 1000 BIC BGL : BGLLLULL TVA LU 19730379 RC Luxembourg B 95210

Data holds the seeds of tomorrow.

PUBLISHING HOUSE

It deserves being protected. It deserves being leveraged. That is all we do. That is all others reward us for.

Establishment permit N°102739 © Any reproduction, even partial, is subject to the prior written approval of the publisher. All rights reserved. ITnation 2.0 is a member of Luxorr - Luxembourg Organization For Reproduction Rights - info@luxorr.lu

Jean-François Hugon, Head of Marketing, EBRC

Fintech/case study

How did a Luxembourg FinTech start-up seduced the CAC40 Olkypay developed a new transaction platform that transversally integrates a wide variety of payment methods: direct debit orders, interbank payment orders, wire transfers, bank cards... and facilitates payment collection by offering greater autonomy to companies. Olkypay already has about fifty clients. The platform is compatible with the SEPA system and has convinced Veolia Eau, which uses it to manage all payment receipts. Today, Olkypay relies on EBRC Managed Services to fuel its development.

“By now, Veolia Eau collects all payments via the Olkypay platform, for a total amount of more than five billion euros each year.”

Since February 2016, the European Payment Services Directive (PSD) has been in force; and payment collection not meeting the SEPA procedures is no longer guaranteed (TIP, electronic payment orders, etc.). For many companies, managing this change is not without risks. This is especially true for companies collecting payments by direct debit order or via inter-bank payment vouchers (ie. “titre Interbancaire de Paiement (TIP)”), which are widespread in France. This change, however, was an opportunity for Olkypay. The Luxembourg company, which is a payment institution licensed by the CSSF, has developed a particularly innovative platform for the collection of payments. In this context, Olkypay eases the transition for its Clients, since it implements payment methods that meet the SEPA requirements, such as SEPA Direct Debit and SEPA Credit Transfer. This opportunity was a real advantage for the platform, which goes even further by bringing new solutions to companies that have difficulty with payment collection. “Our Clients can have a platform that can be directly integrated into their IT systems. Therefore, they can manage and verify Client receipts straight away, regardless of the payment mean” says Julien Rouayroux, the Head of the Back Office at Olkypay. To do this, you would usually have to ask your bank to confirm the payments have been made, by sending them a list, for example, of the Clients which chose direct debit, a bank domiciliation or which signed a TIP. This takes time and it often requires a lot of back and forth between the bank and the company to know whether the operation was successful or not... “With Olkypay, the

company has an account allowing it to collect all payments from Clients. Without the need for a third party, it is possible to check whether the expected payments have actually been made or not. It’s a real time saver”, adds Julien Rouayroux.

VEOLIA EAU, A CAC40 COMPANY, USES OLKYPAY SERVICE The other great advantage of the platform lays in transversally integrating all the available or upcoming payment means. “As a payment processing institution supervised by the CSSF, we have the opportunity to develop new means of payment, explains Julien Rouayroux. We have, for example, developed an alternative to the TIP, which is widely used in France but obsolete since 1st January 2016, by creating a similar mean of payment but legally meets the standards defined by SEPA.” This flexibility convinced Veolia Eau, a CAC40 company, which wanted to continue to offer its Clients a payment system similar to TIP. This aspect is not trivial, given that nearly one third of invoices sent by Veolia Eau to its Clients are accompanied by a TIP. By now, Veolia Eau collects all payments via the Olkypay platform, for a total amount of more than five billion euros each year.

ONE TRANSACTION, SEVERAL FORMS OF PAYMENT This is not the only innovation offered by Olkypay. With traditional banks, payment is usually vertically organised: one transaction for a single mean of payment. The platform developed by

Julien Rouayroux, Back Office Manager, Olkypay

Olkypay allows you to set up collection through various means of payment. “For a total due of EUR 100, 50 can be paid by direct debit, 25 via a bank card and 25 by wire transfer,” says Julien Rouayroux. The platform consolidates the transactions and gives a complete and straightforward set of information to the client. “A Client can allow its supplier to request several payment methods to collect the due amounts. If at the time of collection, a payment is rejected due to insufficient funds on the account, for example, our Client can take care of the collection via other means,” he says. The platform also incorporates innovative features that facilitate the collection of receivable payment. Automated processes allow the company to represent fully or partially the amount of unpaid invoices at the best time to maximise the chances of collection. Ultimately, the platform allows the Clients of Olkypay to secure payments and to reduce delays.

EBRC, A KEY PARTNER FOR OLKYPAY’S BUSINESS To meet the challenges of rapid development, Olkypay relies on EBRC’s infrastructure. “The Data Centres are nearby and we can benefit from the expertise of EBRC, which meets our requirements, explains Julien Rouayroux. With the status of a supporting PFS (Professional of the Financial Sector) offering high guarantees in terms of safety (ISO 27001) and service availability (ISO 20000), EBRC is an agile partner. It meets our requirements, those of the regulator (CSSF), those of our bank card partners (PCI DSS) and those of our Clients. The twin offer of Data Centres and services

was decisive for Olkypay in selecting our IT partner.” Moreover, with regards to financial issues, the management of Veolia Eau came to Luxembourg twice to visit the EBRC infrastructure and met with the management of the company in order to have all the necessary guarantees. “EBRC manages the IT infrastructure as Managed Services. This allows us to focus our efforts on improving the platform, which is distributed as SaaS to our Clients, and on the development of new means of payment,” adds Julien Rouayroux. In this context, EBRC also accompanies Olkypay so the company can meet the PCI DSS requirements. “Being able to offer payment methods via bank card requires to be PCI DSS certified. We are pleased therefore to be able to benefit from EBRC’s expertise to help us get it,” says Julien Rouayroux.

“With the status of supporting PFS, and with its strong guarantees in terms of security and service availability, EBRC is an agile partner. It responds to our needs, to those of the regulatory authorities, our bank card partners and our Clients.”

Fintech/EXPERT OPINION

“FinTech companies have to align with the solutions finance needs” The FinTech phenomenon is more complex than the simplistic contradiction between technological innovators talking about Bitcoin and financial institutions stuck in the spreadsheet era. But considering the large gap between the two, it is essential to think about how important and urgent it is to transform the sector. How? By first targeting those processes that can be improved with digital innovation as a support structure.

At a recent conference on FinTech, I was able to clearly see the discrepancy between the ambitions of FinTech players, whose speeches revolved largely around Bitcoin, and the basic expectations that financial institutions have of the technology partners supposed to support them in their transformation. A representative of one of the largest banks in the world talked about the extensive use of the Microsoft Excel spreadsheet within the bank, much more than about other technological considerations right now. It seems that the two sides do not look at the same reality in the field. The impact of digital technologies on everyday life proves that it is essential to support innovation, to follow digital developments and, if possible, to be the initiators of new developments. However, we have to remember that behind the concept of FinTech, we cannot ignore the reality of financial professions themselves. One of the ambitions of the FinTech sector’s development strategy is to better withstand the inevitable transformation of the financial sector through the practical application of digital solutions in the everyday business of this sector. According to some testimonies, before even considering a revolution based on evolving technologies, companies are hard-pressed to rethink their internal organisation, the value chain and their ecosystem.

First challenge: to protect the bank’s income It is useful to remember that Bitcoin and the blockchain technology that underlies it have undeniable benefits, but they also pose a threat to the bank. All of these technologies, some more and others less, would jeopardise 30-60% of banking sector earnings today. Banks have understood this and, while not yet integrating these innovations, they are acquiring them through dedicated subsidiaries. How can you deal with this paradox in an economy that depends on the financial sector even though almost all of the technological players in the market have these financial institutions as their main Clients? In my view, the FinTech players cannot simply look at these issues through the lens of technology alone and somehow force financial companies, which are themselves focused on their business, to go along. Considering the processes currently used, those underpinning their very existence, the optimisation potential and thus the need for technology is considerable. It is essential that FinTech companies be able to better understand the business, processes, challenges and problems that the sector faces in order to contribute to the transformation of finance. The optimisation of current processes will generate new investment capabilities which, in turn, will enable the implementation of technological innovations.

Michel Rodriguez, Business Development Manager, EBRC

Second challenge: to integrate the technology as a performance driver for the financial sector While it is true that finance is forced to transform in the digital age, FinTech companies working for the finance sector also have to adapt to accompany this process. Starting out as IT service providers and technology watch services, they have to become partners accompanying the banking transformation. It is their responsibility to implement business solutions to better help their Clients evolve. Today, some processes, endlessly repeated in all banks, could be simplified, automated and pooled. In this context, our role as “FinTech facilitator” is to support the sector to enable it to increase its performance by an appropriate use of technology. A great effort has to be made to improve, automate and pool existing processes rather than to revolutionise finance. This is a lever of rationalisation and cost reduction which should enable the banks to enjoy better margins and develop new investment capabilities.

Third challenge: to help companies from within using a business-centric approach As a technology integrator, EBRC wants to place the opportunities of the digital world at the service of the bank’s business. We want to help them transform from the inside, and for that, we are working hard to adapt and understand their needs and problems. And we want to do this in all areas, whether it is sending bank statements and archiving them or facilitating payment flows and processes around specific solutions

such as SEPA or Swift. Being able to meet these needs involves understanding the Clients’ business, being able to talk to them about their everyday work and possible optimisation levers. EBRC serves many financial players and many of them are faced with similar problems or deploy the same processes. We are able to allow them to develop their business by providing common solutions based on our accumulated experiences in the field. We want to be a vector for technology distribution but also a motor for the improvement of business processes.

Fourth challenge: to remain an engine and a facilitator of innovation The core business of many FinTech companies is certainly not the direct development of technology. However, as integrators, there are many opportunities for us to suggest and apply technological solutions in particular contexts. At EBRC for example, we welcome innovative start-ups through our hosting business coupled with sophisticated and varied managed services. The attractiveness of the country and the local high-level ICT skills put us in an ideal position to remain at the forefront of innovation. In parallel, we are working with many financial institutions and therefore are in fact a facilitator positioned between the two worlds.

Fintech/case study

A unique platform to manage all cash flows The London FinTech company “Bankable” relies on Luxembourg IT infrastructure. Its innovative transactional platform operates out of EBRC Data Centres. The platform, used by banks and other international players who need to handle a very large amount of transactions, is a tool to improve efficiency, but also a source of innovation.

Eric Mouilleron, Founder and CEO, Bankable

“With EBRC, we benefit from an exceptional level of service, with secure processes and strong guarantees that can convince our new Clients and even the most demanding partners.”

Located in the heart of Europe, Bankable is a London FinTech company created by a French entrepreneur. It caters to large transactional banks, but also to multinational corporations, insurance companies, large telecom groups and global marketplaces that need to manage a massive amount of payments every day... “To meet these needs, we have created a unique transactional platform from which we facilitate the management of payments. Compatible with any technology, the platform can interface with all incoming and outgoing payment methods that exist today. Whether they are B2B payments by card, bank transfer or direct debit, or B2C, such as mobile payments and peer-to-peer transfers, our platform is flexible and fully adaptable,” says Eric Mouilleron, founder and CEO of Bankable. “We are partnering with banks, which can benefit from all the services of our platform as a white-label product, which they may offer to their own clients,” says the CEO. Bankable supports its Clients beyond the provision of this unique platform, by also offering various payment solutions.

Deploying innovative new services more quickly The platform targets both banks and international companies, for which the platform is a tool to quickly and radically improve the Client experience. For example, this is what an insurance company did while offering “delayed flight” insurance to Clients ordering flight tickets online. The subscription is made online and each payment, which is associated with useful data on the traveller, passes directly through the platform. “In this specific context, the platform incorporates a monitoring tool

for flight delays. As soon as a 2-hour-delay is detected - which gives the Client the right to compensation - a notification is automatically sent to the passenger. He is prompted for his IBAN to instantly receive the amount due by the insurer, says Eric Mouilleron. For the insurer, this automated process eliminates manual tasks on a large scale. By late afternoon, the platform allows you to initiate a single transfer operation to all the known account numbers. Policy holders thus benefit from immediate and simple processing of their case.”

A platform operated by EBRC teams Bankable is a company established in London, yet its IT platform is operated from Luxembourg. “To ensure greater peace of mind, we looked for the best partner. We found it in Luxembourg. All our servers have been entrusted to EBRC teams. We enjoy an exceptional level of service, with secure procedures and strong guarantees that allow us to convince our new Clients and our most demanding partners. In such an environment, we can consider scaling our operations without worrying, while ensuring a high quality of service to our Clients worldwide,” adds Eric Mouilleron.

Fintech/case study

Limonetik reconciles alternative payment methods Limonetik has developed a platform giving online retailers access to over 80 payment methods. To ensure the availability of its systems and the security of the cash flows, Limonetik has chosen to host its technology within EBRC Data Centres in Luxembourg.

Christophe Bourbier, CEO and Co-Founder, Limonetik

The use of credit cards for online payments is slowing. New payment methods, providing greater ease of use, among other benefits, are more and more requested. “Worldwide, there are between 200 and 300 alternative payment methods, which use is increasing. In 2015, the amounts paid by using these alternatives exceeded those paid with a credit card,” says Christophe Bourbier, CEO and cofounder of Limonetik. The French FinTech company offers a platform that combines more than 80 different payment methods. “With it, e-commerce websites but also international payment platforms can easily offer a solution meeting their Clients’ expectations.”

Serving the biggest players The Limonetik platform connects payment methods, and it manages and reconciles all flows securely passing through the platform. “We can be proud to serve the top 100 French e-commerce websites, like vente-privée.com and La Redoute. All of them use Limonetik to access all or part of the payment methods that we offer. “

Security in Luxembourg Limonetik, with its team of more than 25 people, continues its international expansion. To support its growth while ensuring the continuous availability of its services and optimal transaction security, the company trusts EBRC in Luxembourg where its IT systems are hosted. “We have no room for error. In the field of payments, data security and availability of the payment solution are critical. It is therefore necessary to

carefully manage the growth of the monetary flows related to our development, but also due to the seasonality of the commercial sector,” says Christophe Bourbier. Computer resources therefore have to evolve with the demands. “In EBRC, we found an experienced partner specialized in the management of sensitive data, and which understands the financial sector issues in terms of security and regulation while helping us grow.”

“We do not have a margin for error. In the world of payments, data security and the availability of payment solutions are critical. We have to be able to manage increasing flows of payments due to our own growth but also due to the seasonal nature of commerce.”

Data centre/case study

Big Data takes flight EarthLab wants to combine geo-spatial observation data with many others to create value-added information that meets business needs. In Luxembourg, the start-up can draw on the expertise of EBRC to preserve this valuable data and enable its Clients to make better use of it.

“EBRC is an essential support for data hosting needs. We work with international insurance players worldwide for which the confidentiality and integrity of information are crucial.”

It is always good to take a step back to look at things. The exploitation of data via analytical tools seems to offer infinite potential nowadays, but EarthLab Luxembourg intends to give it more depth. The start-up is the third member of the EarthLab galaxy, an initiative of the Telespazio group, which among other goals, intends to make better use of data extracted from geo-spatial observation. “For years, those who have mastered the techniques for Earth observation via satellites have been wondering how to better use the data. Having first pushed the technology, they have a lot of difficulty defining actual business applications based on this data, says Florian Karner, CEO of EarthLab Luxembourg. We decided to start with actual business needs that then pull the technology in their direction. We start with what the business tells us and envision the technological possibilities based on that.”

Combining the data of heaven and earth Before becoming the head of EarthLab, Florian Karner worked in insurance. In his new role, he aims at creating products and services based in particular on geoinformation. “We realised that to create information that is useful to the Client, the data retrieved from satellite observations has to be cross-referenced with other structured and unstructured data from many diverse sources, extracted from ground sensors, observations made by aircraft or drones, and mixed with data from social networks, adds the CEO. The most important thing is to combine this data to provide useful

information to the Client, allowing it to evolve or become more efficient.” Based on this principle, each entity of the EarthLab galaxy endeavours to use data to answer specific concerns in a given sector. The first branch, in Aquitaine, provides information to the wine industry stakeholders. It aims at improving coastal surveillance and monitoring the Landes forest. Another entity, in Gabon, operates in maritime surveillance, including the fight against piracy and pollution. “The Luxembourg branch is the first to be an entirely private entity and intends to meet various needs in the world of insurance and industry,” says Florian Karner.

Towards new services in insurance and industry Starting with the need that is expressed, and by considering the available data, whether from satellite observation or not, EarthLab studies possible combinations through algorithms to offer added value to insurers or industrial companies. The insurance business, which relates to the fair assessment of risk, on which the amount of premiums and financial portfolio management strategies depend, could derive great benefits from this approach. “If the insurer is able to better predict risk, to anticipate incidents based on the data he has, he can develop a considerable competitive advantage, says Florian Karner. Obtaining useful information very quickly, he can ease the operations in terms of prevention and risk mitigation, with possible effects on margins or the premium levels. This also makes

Florian Karner, CEO, EarthLab Luxembourg

it possible to offer new products or facilitate the settlement of claims.” Such information should for example enable the emergence of parametric insurance. When offering a product, the compensation terms are set according to various parameters that are directly and objectively measurable. If the measurements made by satellite observation or via other means confirm that the conditions are met, there is no need to ask for specialist reports before initiating compensation. “In this field, we are positioning ourselves as experts in data processing, by mastering various data sources, but we are not necessarily flood or industrial risk specialists. To develop our models and algorithms, we rely on experts who support us based on the needs expressed by the Client,” says Benjamin Hourte, Chief Technology Officer of EarthLab Luxembourg.

The need to offer fast data processing, in a resilient manner, also requires relying on a partner offering real guarantees. EBRC’s Tier IV certified environment, with sensitive information management procedures that have been established and proven for over 15 years, allows us to reassure our Clients and focus on value creation.” As a start-up, EarthLab Luxembourg has found a framework in which it can quickly develop. “In the area of Big Data, we face giants. So we had to find a way to develop by using flexible infrastructure, while ensuring that the exploited data is protected. EBRC community cloud perfectly meets our needs,” says Benjamin Hourte. EarthLab therefore now has a hybrid architecture with dedicated infrastructure and the ability to access pooled IT resources when needed.

Benjamin Hourte, Chief Technology Officer, EarthLab Luxembourg

Flexibility and security guaranteed by EBRC Considering the available technology and the opportunities of better data analysis, EarthLab surely has a promising future. To support its development from Luxembourg, the start-up can count on the support of EBRC. “EBRC is an essential support for data hosting needs. We work with international insurance players worldwide for which the confidentiality and integrity of information are crucial. Furthermore, data is the core value in our approach. Providing high-quality services based on SaaS solutions means the data of our business partners is exposed, explains Benjamin Hourte.

Data Centre/case study

EURid, the manager of “.eu” domain names, chooses EBRC “Trusted Services Europe” EURid, the manager of the European “.eu” domain name registry, has chosen to setup its servers in Luxembourg. With nearly 4 million registered domain names so far, EURid benefits from the most advanced ICT services in terms of security, availability and eco-efficiency at EBRC.

Marc Van Wesemael, CEO, EURid

Based in Brussels, the non-profit EURid has a mandate from the European Commission to manage domain names ending in “.eu” and it is therefore an essential node in the European Internet. “Since 2013, we have been managing the registry of domain names ending in “.eu” for any company, organisation or individual residing in the European Union, Iceland, Liechtenstein or Norway”, explains Marc Van Wesemael, the CEO of EURid. “We now have more than 4 million domain names on record and have thus become the 4th most popular domain extension in Europe. 500 million citizens in 31 countries already connect to a website with an .eu domain name, confirming its status as a key extension especially for SMEs wishing to expand their activities beyond national borders.” To ensure the proper development of its business, EURid was looking for a new Data Centre and a partner who could meet specific criteria in terms of security, availability and eco-efficiency. “Our aging Data Centre in Brussels was not able to support our continued development. Part of our servers are already hosted in Amsterdam, and we conducted a competitiveness analysis in Belgium, France, Germany and Luxembourg. In the end, we chose EBRC.” Through this new partnership, the infrastructure has been significantly strengthened. EURid says it is now ready to cross the symbolic threshold of 5 million extensions.

A partnership based on trust EBRC, the only service provider in the world operating three Tier IV Design certified Data Centres, two of which also benefit from Tier IV Fault Tolerant Constructed Facility certification, offers EURid a unique ecosystem based on a fully certified offering to that complies with ISO 27001, ISO 20000 and ISO 9001. Yves Reding, the CEO of EBRC, emphasises its strong commitment to the environment. “EURid perfectly embodies one of our corporate values: Responsibility. We are aware of our social responsibility, and we are committed to sustainable governance, so we pay special attention to social matters and to our impact on the environment.” EBRC has therefore based its Green IT programme on international certifications and compliance with standards like ISO 14001 (environmental management) and ISO 50001 (energy management). “These last two years, the DNS (Domain Name System) environment has become increasingly competitive. This is why it is essential for EURid to have competent partners that are responsive and dynamic. That is necessary in order to continue to improve the services we offer to our Clients and partners, says Marc Van Wesemael. We believe EBRC will be a great ally for the challenges ahead. We chose

EBRC not only based on its guarantees in terms of security, but also for its social and environmental commitment that match our own constant search for excellence.”

Luxembourg, the world capital of domain name management The Prime Minister and Minister of Communications and Media, Xavier Bettel, welcomes this new establishment of European scale and importance. “Luxembourg is home to a large number of companies in the field of domain name management and can claim the title of world capital in that field. EURid’s decision to entrust the management of its technical platform to a Luxembourg company further confirms that. With its highly secure Tier IV Data Centres and its local expertise, Luxembourg is a trusted centre for the management of electronic data. With “Digital Lëtzebuerg”, we continue to consistently strengthen this position.”

Inauguration of the IT room of EURid. From l. to r.: Marc Van Wesemael, Xavier Bettel, Yves Reding

BUSINESS CONTINUITY/A first in Luxembourg

Arendt Services and EBRC obtain ISO 22301 certification Arendt Services, a specialised PFS (Professional of the Financial Sector) that offers a full range of business services to support Clients in their establishment and management in Luxembourg as well as EBRC (European Business Reliance Centre), the European specialist for ICT solutions since 2000 and a supporting PSF itself, are the first companies in Luxembourg to obtain ISO 22301 certification, a Business Continuity standard. The certification highlights the strengths of Arendt Services, including its reliability and a corporate culture centred on quality, and reinforces EBRC’s pioneering position in the management of sensitive information and Business Continuity.

"In addition to their pioneering role, these companies highlight the role of Luxembourg as a European hub in ICT that combines advanced infrastructure with a multidisciplinary and scientific approach to technology."

Ensuring Business Continuity in a crisis is one of the business main concerns. The partnership between Arendt Services and EBRC allows them to provide a comprehensive solution to this problem. The certification of both companies ensures 'end-to-end' service continuity for Clients, through the implementation of a Business Continuity Management System (BCMS) and a certified backup site, enabling guaranteed Business Continuity in a crisis. In order to obtain this certification, Arendt Services and EBRC have implemented and documented all processes to ensure the robustness and efficiency of their Business Continuity measures such as: • the Business Continuity Policy • a Business Impact Analysis (BIA) for all of their activities and interdependencies • a Risk Analysis (threats, vulnerabilities, impacts, recommendations for the management of risks) • the Business Continuity Strategy (human resources, data, applications, critical suppliers) • the plans for continuous operations, communication, IT recovery, crisis management... In this context, EBRC and Arendt Services have successfully demonstrated their ability to effectively trigger recovery plans for their Clients by conducting IT system

failover tests and deployment exercises for staff on the backup site. EBRC and Arendt Services have also setup performance indicators and continuous improvement procedures and a process to enable the effective management of any arising non-conformities. Étienne Schneider, the Deputy Prime Minister and Minister of Economy reacted by saying: "I congratulate EBRC and Arendt Services on their role as the first PFS in Luxembourg to adopt this ISO standard. In addition to their pioneering role, these companies highlight the role of Luxembourg as a European hub in ICT that combines advanced infrastructure with a multidisciplinary and scientific approach to technology." Olivier Hamou, CEO of Arendt Services, adds: "With this standard, we meet the needs of our Clients requiring integrated, solid and proven solutions. This certification perfectly matches Arendt Services philosophy, focused on contributing to the sustainability of its Clients business." The process initiated by Arendt Services, and which required a strong commitment from all professional teams in the company, was completed in just 12 months, thanks to the expertise of its partner EBRC. Arendt Services and EBRC thus contribute

Yves Reding, CEO, EBRC to the development of the digital policy of the Luxembourg government. "This recent certification corresponds exactly to the requirements of the 'Digital LĂŤtzebuerg' initiative, which aims to strengthen the position of the Grand Duchy in ICT." The ISO 22301 certification covers both EBRC 'Trusted Data Centre Services' and the 'Trusted Resilience Services'. EBRC is the only company in Luxembourg to control the entire value chain in the field of Business Continuity (Business and IT Process Analysis, Recovery solutions, preparation for Crisis Management). Through its 'Trusted Advisory Services' in the management of Business Continuity, EBRC accompanied Arendt Services in its own implementation of ISO 22301.

Olivier Hamou, CEO, Arendt Services

About ISO 22301 ISO 22301 is an international standard for the management of Business Continuity designed to protect potential companies against potential disruptions to their business by implementing the measures necessary to ensure their survival and sustainability. Since its creation in 2012, it enables the identification of both internal and external threats that may affect crucial operational functions. To date, few companies have obtained this certification. Specifically, the standard enables companies to initiate a predictable and appropriate response to crisis, to maintain vital activities and core functions of the business, to reduce costs thanks to a perfect understanding of the processes, to protect the organisation's reputation and to ensure Clientâ&#x20AC;&#x2122;s confidence, a true competitive advantage.

The companies of Luxembourgish and French origin that have certified Arendt Services and EBRC are, respectively, PECB Europe and Bureau Veritas.

SECURITY/Expert opinion

“Getting ready to respond to a cyberattack of international scale” EBRC is preparing and reinforcing its ability to understand the mechanisms of cyberattacks and respond to them. Enhanced cooperation with POST Luxembourg and national players in cybersecurity will allow for better coordination of resources and expertise to mitigate risk exposure and reduce the impact of a security incident. In an environment where the protection and management of data are increasingly critical, this is a prerequisite for confidence.

The cybercrime threat is constantly evolving. A few years ago, cybercriminals were attacking systems. Today, they directly target data itself. Recent cases of ransomware attacks based on locky or crypto-locker programs are important examples of this evolution in Luxembourg and abroad.

Testing the response to a major attack

“EBRC has the advantage of being able to handle even the most complex exercises.”

Because detection is not enough, we also have to think of the response in case of attacks. The response can be tested through simulations. We want to go further in this area and test a range of scenarios of increasing complexity by imagining, for example, an attack that could affect Luxembourg on a larger scale. How would we be affected? What are the interdependencies with the outside and how can we deal with them? How do we organise ourselves to restart our services and those of our Clients as quickly as possible if an attack was able to undermine our defenses? How does communication with Clients and the authorities work in case of an attack of a scale that is beyond the scope of EBRC? EBRC has the advantage of being able to simulate the most complex exercises. And we do it effectively and regularly, with actual large-scale exercises. We test our capabilities by testing the security of our systems and the continuity of operations in case of an attack. This year, we did it to test our organisation in such a situation. EBRC has participated in the CyberEurope 2016 program organised by ENISA. The program simulated massive attacks across the European continent and has

shown how the local stakeholders react. Furthermore, it has offered 'table top' exercises involving all countries in Europe. For EBRC, leading player in the management of sensitive data, this type of exercise is crucial. Although we strive to protect ourselves against most threats, complete elimination of risks is impossible. In case of a global attack - a scenario that is not impossible nowadays - we have to be able to return to normal operations in the shortest period of time. We have to be prepared for any eventuality.

Protecting systems is not enough Ensuring the safety of our Clients comes down to constantly adapting the way in which we understand the threat. This requires, among other things, the implementation of an information-centric approach. Protecting only systems is no longer adequate; we need to implement security measures centered on the data and design improved responses to attackers of a new type that are no longer satisfied with stealing data but also aim to locally corrupt it. We therefore have to strengthen our ability to detect and respond to incidents affecting data, while continuing to ensure a high level of system and infrastructure security: EBRC has decided to bring together security experts and IT operations managers within a structure dedicated to designing a response to any kind of IT security problem. In other words, EBRC has put together its CERT (Cyber Emergency Response Team). This internal multidisciplinary team is a unique combination of skills; it allows us to

Lionel Dupré, CISO and DPO, EBRC

become even more mature and efficient in our response to incidents and cyberattacks.

Better detection of malicious behaviour

A CERT to better prepare against threats

Securing data involves moving beyond traditional approaches to protection systems.

The approach is a coherent part of the strategy defined with our shareholder POST Luxembourg: having presented our common security offering, we are now strengthening the management and fight against cyberthreats through the CERT. We are implementing a systematic way to ensure our technology watch and the surveillance of threats. The CERT is involved in the community: the technological watch enables us to collect information on the modus operandi of the attacks, which are becoming increasingly sophisticated and complex. EBRC's CERT will therefore help to increase the available knowledge about attack methodologies in cooperation with the security teams of the POST Luxembourg group but also with the CIRCL of the larger CERT/CSIRT community. A better way to fight threats depends on a more intense exchange of information about attacks. The goal is simple: to understand how cybercriminals operate in order to protect ourselves better, and to better protect our Clients who have trusted us with their systems and data.

A major challenge is to develop and evolve processes and incident detection techniques by improving our understanding of malicious behaviour. In the past, protection revolved around well-established rules: if a deviation from these rules was observed, a warning was triggered and a reaction engaged. We now have to go further and build on behavioural models.

Operational efficiency The CERT enhances operational efficiency: it incorporates the technological watch and a continuous evaluation of threats; it improves the technical and organisational aspects allowing us to create specific procedures to respond more quickly to incidents. With this new element, EBRC further increases its efficiency and enables the 'industrialisation' of the processes needed to systematically manage the security of infrastructures and data.

“Fighting these threats properly requires a more effective exchange of information relating to those attacks.”

This transversely integrated expertise in the CERT will strengthen the SOC (Security Operations Centre) offering developed by EBRC as well as our investigative solutions.

SECURITY/Cybersecurity forum 2016

“Act Now, Tomorrow will be too late” “Man and his safety must be the first concern of any technological adventure.” This quote attributed to Albert Einstein reflects the spirit of the first edition of the Cybersecurity Forum, which brought together more than 300 cybersecurity professionals.

Despite the recent results of a study conducted in advance of the conference that revealed that the confidence level in Luxembourg is very high regarding the degree of protection implemented in different organisations, participants were able to appreciate the magnitude of the cyber-threat: • 67% of companies have been victims of a breach in the last 12 months • €75.000: average cost of a breach • 21% of breaches are detected by a third party • 69% of breaches are detected after 1 to 6 months (source: PAC study) In this context, the following teaser quote by Marc Elsberg, author of the technological thriller “Black-Out”, seems as appropriate as ever: “Act Now, Tomorrow will be too late”. This principle was thus a natural fit for POST and EBRC as they unveiled their new offer.

POST and EBRC present their unique endto-end offering built on the principle of the pyramid of needs. It is designed with the help of the finest expert partners, serviced by a pool of 60 consultants, and supported by a SOC (Security Operations Centre) and a CERT (Cyber Emergency Response Team).

RESILIENCE The resilience and robustness of the infrastructure is the foundation of the pragmatic approach taken by POST and EBRC. Together, the two players can provide a unique environment based on: • a unique network of “Tier IV Design” and “Tier IV Fault Tolerant Constructed Facility” certified Data Centres • guarantees provided by the standards ISO 9001, ISO 27001, ISO 20000, ISO 27018, and ISO 22301 • a “high availability” backbone that integrates line encryption and DDoS protection services • international connectivity (Teralink) with exceptionally low latency. Above and beyond their own skills in cybersecurity, POST and EBRC have created an ecosystem of strategic partners enabling them to ensure better control and protection of the environment for the Client.

Claude Strasser and Peter Zimmer inaugurate the Cybersecurity Forum 2016

VISIBILITY Because the flow of information does not limit itself to the scope of a single business, it is crucial to analyse all flows to guard against threats and attacks that might be underway. The monitoring of information systems via a SOC (Security Operations Centre) allows for 24/24, 7/7 logging of events as well as thorough analysis and detection of any abnormalities to setup a response and an appropriate resolution strategy in case of an incident or attack.

DATA CENTRISM Big Data, Internet of Things, hyper connectivity… Data is at the heart of organisations and a powerful source of value creation for the economy. Leaks and data theft are an inherent part of this reality. In an environment where interactions are multiplying, with increasingly open and exposed systems, it is becoming more difficult to protect yourself, despite a whole array of means of protection that can be put in place. In this context, POST and EBRC propose solutions for surveillance and detection. Their aim is to detect whether data has leaked, is subject to malicious transactions, the source of blackmail, ransom demands, or if information for a future attempt at hacking a company has been traded.

guarantees to protect companies against the risks associated with the immaterial damage resulting from a cyberattack.

CLIENT CENTRISM With their “Advisory & Professional Services”, the experts in POST and EBRC’s teams are getting as close as possible to the Client's reality, his strategy, and his constraints to ensure a proper understanding of his business, the management of his operations and the continuity of his daily business activity. POST and EBRC work together as trusted teammates with high value-added services for the Client to enable him to devote himself entirely to the development of his business. The two companies are now offering this innovative approach to cybersecurity to their Clients after having tested and applied it to their own infrastructure.

“We do not just advocate solutions, we implement them for ourselves, to be able to offer them in the most pragmatic way possible.”

“We do not just advocate solutions, we implement them for ourselves, to be able to offer them in the most pragmatic way possible”, say Mohamed Ourdane (Head of Cybersecurity Department, POST) and Philippe Dann (Head of Risk & Business Advisory, EBRC). “Experiencing these solutions for ourselves is an additional guarantee for our Clients and proof that we do our utmost for them,” they add.

Moreover, POST and EBRC offer their Clients e-insurance services based on an offer that combines services and

Trusted Services Europe Innovate & Conquer the European Market Trusted Advisory Services

Trusted Managed Services

Trusted Cloud Europe

Trusted Security Europe

Cloud Provider of the Year

Experience Trust

Trusted Resilience Services

Trusted Data Centre Services

Cloud Service Provider Europe