As a pioneer of Internet financial services in Japan, the SBI Group considers the enhancement of cybersecurity to be one of its most important management issues. The Company, which has built up a diversified range of businesses within the Group, with the financial sector (including securities, banking and insurance) at its core, has established the Group Information Security Regulations and the SBI Group Cybersecurity Standard to continuously maintain and improve the level of information security throughout the Group, with Group companies taking cybersecurity measures accordingly. The SBI Group Cybersecurity Standard is based on various cybersecurity frameworks, including the FISC Security Guidelines for the construction of information systems by financial institutions, the framework from the National Institute of Standards and Technology (NIST) in the U.S., and the international cybersecurity standards known as the CIS Controls. This Standard has bolstered our comprehensive cybersecurity policy.
In 2023, we also began to apply the “SBI Group Guidelines for the Use of Generative AI” as a framework for ensuring security and protecting confidential information whenever generative AI is used. The Guidelines are regularly assessed and reviewed.
Cybersecurity
SBI Group's Cybersecurity System
SBI Group’s cybersecurity system is overseen by the Officer in charge of information security at SBI Holdings, who serves as the Group Information Security Manager, with the IT Management Department at the core of implementing Group-wide information security measures. Furthermore, the SBI Group CSIRT (Computer Security Incident Response Team) is set up under the IT Management Department. The SBI Group CSIRT holds monthly liaison meetings with Group Information Security Managers and experts in the Group, collaborates with external experts in cybersecurity, communicates with internal departments and subsidiaries, and shares information with the Financial Information Sharing and Analysis Center (FISC), as well as the Japan Cybercrime Countermeasures Center (JC3). Through these measures, the SBI Group CSIRT works to enhance SBI Group’s resilience by preventing security incidents through analysis of the latest threat trends and by minimizing damage through rapid incident response.
The SBI Group holds four cybersecurity liaison meetings per year, attended by information security managers and persons responsible for information security among Group companies. These meetings are an opportunity to share information on cybersecurity measures, trends, and other matters across the Group. We recognize that these meetings are vital for raising the overall level of cybersecurity across the Group, as the size and scope of businesses vary from company to company.
The IT Management Department and the Group Risk Management Department work closely together on a regular basis. For example, they share information every other week, and in the event of an incident, they work together to implement a joint response plan. The IT Management Department, which specializes in IT security including countermeasures against cyberattacks, and the Group Risk Management Department, which manages general risks, collaborate to bolster security comprehensively and on multiple levels.
The SBI Group Cybersecurity Standard indicates security protection measures to be followed by each company, taking into account inherent risks, which are reviewed on an annual basis in light of the size and nature of the business. Furthermore, SBI Holdings conducts an external security audit of the systems we hold once a year, in line with the SBI Group Cybersecurity Standard.

Developing Human Resources for Enhanced Cybersecurity
We believe that cybersecurity policy is not just for specialist IT departments; rather, it is essential that all employees understand the importance of cybersecurity and take preemptive measures on a regular basis. Based on these beliefs, the Group has implemented a cybersecurity training program for the entire company, including the management team and individual managers; those engaged in development and operation of IT systems; those who plan, promote, or administer services; and employees involved in sales and operations. For those at the management level, external experts are invited to visit and conduct training, and the Board of Directors regularly discusses and deliberates on cybersecurity issues at its meetings. For those engaged in systems operation and management at Group subsidiaries, seminars with outside lecturers are held regularly. In addition, an information-sharing portal dedicated to cybersecurity is used to communicate calls for vigilance about vulnerabilities and the steps and countermeasures to be taken, which helps level out biases in knowledge regardless of a company's size and field of business. For employees, the Company offers training against phishing emails and raises awareness of the risks of cyberattacks, and makes e-learning on cybersecurity mandatory, which is essential for building a sense of ethics and sharing knowledge about the latest cybercrime, countermeasures, and how to deal with them.
Putting in Place Cybersecurity That Encompasses the Whole Group
For the SBI Group, which promotes advanced and diverse businesses and includes companies of various sizes and maturity levels, the presence of imbalances in cybersecurity frameworks among these companies, or in human resources and accumulated knowledge, is seen as a Group issue. Moreover, as digitalization progresses and geopolitical risks increase, cyberattacks are becoming more ingenious and sophisticated, making it difficult to provide complete protection against cyber-incidents using the existing arsenal of measures. As a measure to address these challenges, the Group has been constructing a common security platform that adopts the zero-trust security concept. By making use of this platform, individual companies are constructing an environment that enables a dynamic response to indications of an incident and their risks. Establishing a management framework like this is recognized as an effective method for putting in place a cybersecurity system at a Group characterized by the persistence of discontinuous growth. While conducting regular monitoring to detect signs of incidents, we are strengthening detection and monitoring so that we can respond quickly to DDoS attacks, ransomware attacks, information leaks and malware infections, and are working to ensure that these measures are thoroughly implemented by spreading these initiatives across the entire Group.
In recognition of these initiatives, SBI Holdings was also certified as a company with an excellent attitude and information disclosure in the Cyber Index Company Survey 2024*, published on January 9, 2025 by the Information Technology Federation of Japan.

* Reference: The Cyber Index Company Survey 2024 (The Information Technology Federation of Japan) (Japanese only)
Declaration of Cyber Security Management of the SBI Shinsei Bank Group