Cyber security

Our Group fosters a corporate culture of cybersecurity and continuously improves our ability to respond to cyber-attacks, which are becoming more advanced and sophisticated every day. Through Group-wide cybersecurity measures, we are working to realize SOMPO's purpose, which is to create a society in which everyone can live a healthy, prosperous and happy life in their own way with "A Theme Park for Security, Health & Wellbeing" together with stakeholders.

Basic approach to cyber security

Recognizing that it is the social responsibility of enterprises to build a safe and secure society by devoting themselves to cybersecurity, the Sompo Group has established the “SOMPO Group Basic Policy on Cyber security” as the cornerstone to continuously improve the efficiency and effectiveness of its cyber risk management.
The risk related to cyberattacks is positioned as an important risk to be managed in the Group, and under the leadership of management, we are promoting Group-wide cybersecurity measures.

SOMPO Group Basic Policy on Cyber security

Visualizing the status of cybersecurity measures

Recognizing that it is of the utmost importance to establish a corporate culture that respects cybersecurity and to continuously improve our ability to respond to cyberattacks, which are becoming increasingly sophisticated and ingenious every day, the Group is working together to improve and maintain its cybersecurity management system. We have formulated basic concepts and standards for cybersecurity based on global standard frameworks such as the NIST* CSF (Cyber Security Framework), and each Group company is working to strengthen its cybersecurity and resilience measures and systems under their respective roles and responsibilities. To ensure the continuous improvement of these initiatives in a PDCA cycle, we have built a “Cyber Metrics” tool to quantitatively monitor and visualize the status of cybersecurity measures at Group companies, and we use it to ascertain and manage the status of measures at each company.
Through a series of these ongoing initiatives, we aim to turn security into a competitive advantage in Group management by linking it not only with Group defense and operational risk mitigation, but also with various strategies such as cyber insurance and the promotion of digital transformation.

  * NIST: National Institute of Standards and Technology

Promotion structure

A team of cyber experts that transcends departmental boundaries

Cybersecurity is a domain in which the environment is constantly changing, and knowledge and application of cutting-edge technologies are required. We have therefore established a Cyber Center of Excellence (COE) structure within SOMPO Holdings, and this specialized team is playing a central role in promoting effective enhancement of the structure based on a division of roles among the companies. The policy and direction have been decided based on discussions by relevant executives, led by the Group CIO. In particular, in addition to the IT departments, the Office of Group CEO, Risk Management Department, and other related departments are working together to strengthen resilience, which requires action that transcends departmental boundaries. Similarly, in preparation for the occurrence of security incidents, we have established HD-CSIRT (Computer Security Incident Response Team) within Sompo Holdings. In this way, we have an organizational structure in place that enables quick and timely actions, including information sharing, decision-making, and forensic investigations, in response to a variety of emergencies. HD-CSIRT also collaborates with other companies in the industry and security-related organizations to improve the level of maturity not only of the Group but also of the entire security community.

Global risk response framework

Cyber risk knows no borders. To address this global risk, we have established cybersecurity response centers overseas as well as in Tokyo. These cyber units at overseas bases are staffed by highly knowledgeable and skilled “white hat hackers” who conduct various security tests, train each company’s security personnel, and conduct research and investigations of cyber technology. We also conduct cyber patrol activities to monitor Internet assets regardless of country or region. During normal (non-emergency) times, security personnel monitor the safety of assets within the Group to find urgent vulnerabilities and identify suspected information leaks, monitor the behavior of attackers, and raise awareness and provide technical support to the entire Group.

Initiatives

Nurturing cybersecurity personnel

Cybersecurity measures sometimes require expertise. For this reason, we have established the Cyber Lab, a cybersecurity R&D center, within Sompo Holdings to support and train each company’s cybersecurity personnel through cybersecurity-related technical research and hands-on training. The Cyber Lab hosts regular “Cyber Tech Talks” to share knowledge about cybersecurity. At these events, our global network of cybersecurity personnel shares its knowledge and expertise and promotes the cultivation of future talent while learning from each other in a spirit of mutual encouragement. This Cyber Tech Talk initiative is based on the idea that in order to respond to cyber risks that are spreading on a global scale, it is necessary to have a network where the Group’s cybersecurity personnel can connect and interact with each other. The goal is to create an environment where information can be exchanged beyond the boundaries of one’s organization, country, region, or language.

Adapting to new technology

The Group is also actively researching new technologies, such as AI and Web 3.0, in order to incorporate and utilize them. Similarly, with regard to security, we work with the relevant departments to formulate procedures, rules, and guidelines for the safe use of new technologies and take the necessary measures to introduce innovations in a safe manner. New technologies can be applied not only to business applications but also to security. In addition to researching how new technologies can be used in cyberattacks and other threats, we conduct research and investigation on a daily basis so that we can stay alert to changes in various IT environments and always adopt the latest security measures. The Cyber Lab is also used as a base for this research and investigation. The Cyber Lab has a dedicated network environment that is isolated from the normal business environment, making it possible to conduct technical verification and similar activities safely.

Fostering a culture of security and security education

To ensure cybersecurity, it is essential to foster a “security culture” in which each employee understands the importance of cybersecurity and is aware of how to use IT assets safely. The Group implements educational programs at multiple levels, from employees to management. We are also working to acquire knowledge related to cyberattacks and raise awareness at Group companies through e-learning, phishing email training, cyber incident drills, and newsletters. In recent years, we have been focusing on strengthening resilience across the entire business and in management; for example, in our cyber incident exercises, we have introduced ransomware attack scenarios that incorporate more hands-on elements.

External recognition and Event/Media appearance

Through cybersecurity, Sompo Holdings fulfills its social responsibility as a company and actively engages in cybersecurity initiatives and information disclosure in order to gain the trust of stakeholders.
We disclose our efforts and information through securities reports and sustainability reports, appearances at events sponsored by external IT companies both domestically and internationally, and media interviews.

【Main achievements from 2023 onwards】

  • Awards
    Sompo Holdings was awarded a one-star rating as an outstanding company in the Information Technology Federation of Japan (IT-renmei)'s survey on corporate cybersecurity initiatives and information disclosure. (December 2023)
  • Event appearance
    Nikkei Inc.「NIKKEI MESSE PREMIUM CONFERENCE SERIES」(May 2023)
    ISC2「ISC2 Modernizing Security Operations」(September 2023)
    ISC2「ISC2 SECURE Asia Pacific」(December 2023)
  • Media coverage
    Bengo4.com, Inc. UNITIS Editorial department (January 2024)
    Kotora Co., Ltd. (March 2024)