IT Governance/Cyber Security

Our Group continuously improves our maturity of IT processes and ability to respond to cyber-attacks, which are becoming more advanced and sophisticated every day, by practicing appropriate IT governance and fostering a corporate culture of cybersecurity. Through Group-wide IT and cybersecurity measures, we are working to realize SOMPO's purpose, "For a future of health, wellbeing and financial protection."

Basic approach to IT Governance

Monitoring KGIs to create PDCA cycles

Each entity's system implementation and operational processes are aligned with the regulations of its own country and industry. By continuously running the PDCA cycle through KGI monitoring and by aligning with international standards, we strive to optimize IT processes so that they support the Group-wide business and IT strategy.

Basic approach to cybersecurity

Promoting Group-wide cybersecurity measures

Recognizing that it is the social responsibility of enterprises to build a safe and secure society by devoting themselves to cybersecurity, the Sompo Group has established the “SOMPO Group Basic Policy on Cyber security” as the cornerstone to continuously improve the efficiency and effectiveness of its cyber risk management. Cybersecurity risks are classified as material risks by our Group ERM Committee. The Group CIO is responsible for countermeasures, driving unified cybersecurity initiatives across the entire Group.

SOMPO Group Basic Policy on Cyber security

Visualizing the status of cybersecurity measures

Recognizing that it is of the utmost importance to establish a corporate culture that respects cybersecurity and to continuously improve our ability to respond to cyberattacks, which are becoming increasingly sophisticated and ingenious every day, the Sompo Group is working together to improve and maintain its cybersecurity management system. We have formulated basic concepts and standards for cybersecurity based on global standard frameworks such as the NIST* CSF (Cyber Security Framework), and each Group company is working to strengthen its cybersecurity and resilience measures and systems under its respective roles and responsibilities. To ensure the continuous improvement of these initiatives in a PDCA cycle, we have built a “Cyber Metrics” tool to quantitatively monitor and visualize the status of cybersecurity measures at Group companies, and we use it to ascertain the status of measures at each company, as well as to formulate and manage KPIs. Through this series of ongoing initiatives, we aim to turn cybersecurity into a competitive advantage in Group management by linking it not only with Group defense and operational risk mitigation, but also with various strategies such as cyber insurance and the promotion of digital transformation.

  • * NIST: National Institute of Standards and Technology

Promotion structure

A team of cyber experts that transcends departmental boundaries

Cybersecurity is a domain in which the environment is constantly changing, and knowledge and application of cutting-edge technologies are required. We have therefore established a Cyber Center of Excellence (CoE) structure within Sompo Holdings, in which cybersecurity personnel with the relevant qualifications, such as Registered Information Security Specialists and Certified Information Systems Security Professionals (CISSP), play a central role in promoting effective enhancement of the structure based on a division of roles among the companies at a global level. The policy and direction are decided through discussions by relevant executives, led by the Group CIO. In particular, in addition to the IT departments, the Office of Group CEO, Risk Management Division, and other related departments are working together to increase resilience, which requires action that transcends departmental boundaries.
Furthermore, from the perspective of the effectiveness and efficiency of countermeasures, we strive to continuously enhance our management framework through internal audits focused on IT infrastructure, cybersecurity, and data privacy, as well as third-party assurances including Information Security Management Systems (ISO 27001) standard assessments.
HD-CSIRT (Computer Security Incident Response Team) also collaborates with other companies in the industry and security-related organizations to improve the level of maturity not only of the Sompo Group but also of the entire security community.

Global risk response framework

Cyber risk knows no borders. To address these global risks, our company responds to cyber threats not only with our domestic Group companies but also in collaboration with Group companies around the world. Security engineers belonging to the Cyber CoE support various security tests, train security personnel at each company, and conduct research on cyber technologies, all from a Group-wide perspective.

Emergency Response System

To prepare for security incidents, Sompo Holdings has established an HD-CSIRT (Computer Security Incident Response Team) within the organization. This ensures systematic readiness to promptly and efficiently execute the various responses required during emergencies, such as information sharing, decision-making, and forensic investigations. Furthermore, we have established crisis response manuals and incident response guidelines for business continuity. We also regularly conduct practical cyber incident exercises based on specific scenarios, such as malware infections, striving to enhance our resilience.

Initiatives

Implementing protection measures

The Sompo Group implements comprehensive technical measures based on a multi-layered defense approach, focusing on ensuring the confidentiality, integrity, and availability of systems and data, in addition to administrative measures such as organizational structures and rules. For networks in particular, we are striving to ensure security by introducing a Secure Access Service Edge (SASE) platform, an integrated security model, and by conducting monitoring activities at our Security Operation Center (SOC). These efforts are made to respond flexibly to changes in work style and system configurations, based on the concept of “zero trust security,” under which every communication is authenticated rather than trusted by default.
Moreover, we implement various measures, including the application of security guardrails to prevent errors in cloud configurations, cyber patrol activities to monitor and protect Internet assets regardless of country or region, and vulnerability assessment and penetration tests for the IT assets of domestic and overseas Group companies.
We monitor the safety of assets within the Group under normal conditions, and issue Group-wide warnings and provide technical support when we identify urgent vulnerabilities in our assets, suspected information leaks, or attacker activities.

Nurturing cybersecurity personnel

Cybersecurity measures sometimes require expertise. For this reason, we have established the Cyber Lab, a cybersecurity R&D center, within Sompo Holdings to support and train each company’s cybersecurity personnel through cybersecurity-related technical research and hands-on training. The Cyber Lab regularly hosts online and in-person events titled “Cyber Tech Talk” and “Global Cyber Tech Forum” to enhance cybersecurity knowledge.
These gatherings enable cybersecurity professionals worldwide to share their expertise, sharpen their skills through mutual learning, and foster the development of future talent. These initiatives are based on the idea that in order to respond to cyber risks that are spreading on a global scale, it is necessary to have a network where our Group’s cybersecurity personnel can connect and interact with each other. The goal is to create an environment where information can be exchanged beyond the boundaries of one’s organization, country, region, or language.

Adapting to new technologies

The Sompo Group is actively conducting research and investigations to incorporate and utilize new technologies such as AI and quantum-resistant cryptography. Similarly, with regard to security, we work with the relevant departments to formulate procedures, rules, and guidelines for the safe use of new technologies and take the necessary measures to introduce innovations in a safe manner.
New technologies can be applied not only to business applications but also to security. In addition to researching how new technologies can be used in cyberattacks and other threats, we conduct research and investigation on a daily basis so that we can stay alert to changes in various IT environments and always adopt the latest security measures. The Cyber Lab is also used as a base for this research and investigation. The Cyber Lab has a dedicated network environment that is isolated from the normal business environment, making it possible to conduct technical verification and similar activities safely.

Fostering a culture of security and security education

To ensure cybersecurity, it is essential to foster a “security culture” in which each employee understands the importance of cybersecurity and is aware of how to use IT assets safely.
The Sompo Group implements educational programs at multiple levels, from employees to management. We are also working to acquire knowledge related to cyberattacks and raise awareness at Group companies through e-learning, phishing email training, cyber incident drills, and newsletters. In recent years, we have been focusing on increasing resilience across the entire business and in management; for example, in our cyber incident exercises, we have introduced ransomware attack scenarios that incorporate more hands-on elements.

Promoting cloud migration

The Sompo Group has established a Cloud Center of Excellence (CoE) system within Sompo Holdings to promote cloud migration as a means of responding flexibly to the constantly evolving business environment while remaining competitive. The Cloud CoE establishes guidelines for the safe and secure use of public cloud systems, and provides personnel and knowledge support to enable the promotion of cloud migration and AI utilization among Group companies. Cloud migration enables us to reduce costs and to ensure scalability and service availability, as well as security through common security functions, among other benefits. It also helps us to contribute to reducing carbon emissions by actively adopting public cloud systems that are committed to and invest in clean energy.

Addressing Third-Party Risks

Modern business relies on collaboration with various external providers (third parties) and operates within complex supply chains.
In recent years, cyberattacks targeting these supply chains have increased. If one company is attacked, the impact can ripple through the entire network of business partners. Since cybersecurity measures are essential not only within the Sompo Group but also among our business partners, such as agents/agencies and contractors, the Sompo Group implements security checks during contract formation and conducts regular monitoring.
By implementing supply chain-aware initiatives, we strive to minimize security risks, protect valuable information assets such as customer data, and pursue stable business operations.

External recognition and Event/Media appearance

Through cybersecurity, Sompo Holdings fulfills its social responsibility as a company and actively engages in cybersecurity initiatives and information disclosure in order to gain the trust of stakeholders.
We disclose our efforts and information through securities reports and sustainability reports, appearances at events sponsored by external IT companies both domestically and internationally, and media interviews.

【Main achievements from 2024 onwards】

  • Awards
    Sompo Holdings was awarded a one-star rating as an outstanding company in the Information Technology Federation of Japan (IT-renmei)'s survey on corporate cybersecurity initiatives and information disclosure.
    This is the second consecutive year we have received this award. (January 2025)
  • Event appearances
    Bengo4.com, Inc. UNITIS Editorial Department, “Security Innovation Conference 2024 Summer” (July 2024)
    ISC2, “ISC2 SECURE Asia Pacific” (August 2024)
  • Media coverage
    Kinzai Institute for Financial Affairs, Inc. (July 2024)