Cybersecurity

As a pioneer of Internet financial services in Japan, the SBI Group considers the enhancement of cybersecurity to be one of its most important management issues. The Company, which has financial businesses within the Group – namely securities, banking, and insurance – has specified the SBI Group Cybersecurity Standard, which is a set of guidelines that apply to the entire Group. SBI Group Cybersecurity Standard is based on various cybersecurity frameworks including the FISC Security Guidelines for the construction of information systems by financial institutions, the framework from the National Institute of Standards and Technology (NIST) in the U.S., and the international cybersecurity standards known as the CIS Controls. This Standard has bolstered our comprehensive cybersecurity policy.

SBI Group’s cybersecurity system is overseen by the Executive Officer of SBI Holdings, who is the Group Information Security Manager with the IT Management Department as the core of its operation. Furthermore, the SBI Group CSIRT (Computer Security Incident Response Team) is also set up under the IT Management Department. The SBI Group CSIRT holds monthly meetings and also collaborates with external experts in cybersecurity, communicates with internal departments and subsidiaries, and shares information with the Financial Information Sharing and Analysis Center (FISC), as well as the Japan Cybercrime Countermeasures Center (JC3). Through these measures, the SBI Group CSIRT works to enhance SBI Group’s resilience by preventing security incidents by analyzing latest threat trends and minimizing damage through rapid incident response.
The SBI Group holds four cybersecurity liaison meetings per year, attended by information security managers and persons responsible for information security among Group companies. These meetings are an opportunity to share information on cybersecurity measures, trends, and other matters across the Group. We recognize that these meetings are vital for raising the overall level of cybersecurity across the Group, as the size and scope of businesses vary from company to company.

We believe that cybersecurity policy is not just for IT specialty departments, but rather, that it is essential that all employees understand the importance of cybersecurity and take preemptive measures on a regular basis. Based on these beliefs, the Group has implemented a cybersecurity training program for the entire company, including the management team and individual managers; those engaged in development and operation of IT systems; those who plan, promote, or administer services; and employees involved in sales and operations. For those in the management level, external experts are invited to visit and conduct training, and the Board of Directors regularly discusses and deliberates on cybersecurity issues at its meetings. For those engaged in systems operation and management at Group subsidiaries, seminars are regularly held inviting outside lecturers. In addition, an information-sharing portal dedicated to cybersecurity is used to communicate calls for vigilance about vulnerabilities and steps and countermeasures to be taken, which helps leveling out biases in knowledge regardless of a company's size and field of business. For employees, the Company offers training against phishing emails and raise awareness towards risks of cyberattacks, as well as making e-learning on cybersecurity mandatory, which is essential for building a sense of ethics and sharing knowledge about the latest cybercrime, countermeasures, and how to deal with them.

For the Company group, which promotes advanced and diverse businesses and includes companies of various sizes and maturity levels, the presence of imbalances in cybersecurity frameworks among these companies, or in human resources and accumulated knowledge, is seen as a Group issue. Also, as digitalization progresses, cyberattacks are becoming more ingenious and sophisticated, making it difficult to provide complete protection against cyber-incidents using the existing arsenal of measures. As a measure to address these challenges, the Group has been constructing a common security platform that adopts the zero-trust security concept. By making use of this platform, individual companies are constructing an environment that enables a dynamic response against indications of an incident and their risks. The erection of a management framework like this is recognized as an effective method for putting in place a cybersecurity system at a Group characterized by the persistence of discontinuous growth.
In recognition of these initiatives, SBI Holdings was also certified as one of 44 companies with an excellent attitude and information disclosure in the Cyber Index Company Survey 2023*, published on December 8, 2023 by the Information Technology Federation of Japan.

* Reference: The Cyber Index Company Survey 2023 (The Information Technology Federation of Japan) (japanese only)

Privacy Policy
Handling of personal information
Handling of personal Declaration of Cyber Security Management of the SBI Shinsei Bank Group