Our Group continuously improves the maturity of its IT processes and its ability to respond to cyber-attacks, which are becoming more advanced and sophisticated every day, by practicing appropriate IT governance and fostering a corporate culture of cybersecurity. Through Group-wide IT and cybersecurity measures, we are working to realize SOMPO's purpose, "For a future of health, wellbeing and financial protection."
Basic approach to IT Governance
Monitoring KGIs to create PDCA cycles
Each entity's system implementation and operation processes are aligned with the regulations of its country and industry. By continuously improving the PDCA cycle through KGI monitoring and alignment with international standards, we strive to optimize IT processes so that they support the Group-wide business and IT strategy.
Basic approach to cybersecurity
Promoting Group-wide cybersecurity measures
Recognizing that it is the social responsibility of enterprises to build a safe and secure society by devoting themselves to cybersecurity, the Sompo Group has established the “SOMPO Group Basic Policy on Cyber security” as the cornerstone for continuously improving the efficiency and effectiveness of its cyber risk management. The risk related to cyberattacks is positioned as an important risk to be managed in the Group, and under the leadership of management, we are promoting Group-wide cybersecurity measures.
SOMPO Group Basic Policy on Cyber security
Visualizing the status of cybersecurity measures
Recognizing that it is of the utmost importance to establish a corporate culture that respects cybersecurity and to continuously improve our ability to respond to cyberattacks, which are becoming increasingly sophisticated and ingenious every day, the Group is working together to improve and maintain its cybersecurity management system. We have formulated basic concepts and standards for cybersecurity based on global standard frameworks such as the NIST* CSF (Cyber Security Framework), and each Group company is working to strengthen its cybersecurity and resilience measures and systems under its respective roles and responsibilities. To ensure the continuous improvement of these initiatives in a PDCA cycle, we have built a “Cyber Metrics” tool to quantitatively monitor and visualize the status of cybersecurity measures at Group companies, and we use it to ascertain the status of measures at each company, as well as to formulate and manage KPIs. Through this series of ongoing initiatives, we aim to turn cybersecurity into a competitive advantage in Group management by linking it not only with Group defense and operational risk mitigation, but also with various strategies such as cyber insurance and the promotion of digital transformation.
* NIST: National Institute of Standards and Technology
Promotion structure
A team of cyber experts that transcends departmental boundaries
Cybersecurity is a domain in which the environment is constantly changing, and knowledge and application of cutting-edge technologies are required. We have therefore established a Cyber Center of Excellence (COE) structure within SOMPO Holdings, in which cybersecurity personnel with the relevant qualifications, such as Registered Information Security Specialists and Certified Information Systems Security Professionals (CISSP), play a central role in promoting effective enhancement of the structure based on a division of roles among the companies at a global level. The policy and direction have been decided based on discussions by relevant executives, led by the Group CIO. In particular, in addition to the IT departments, the Office of Group CEO, Risk Management Department, and other related departments are working together to increase resilience, which requires action that transcends departmental boundaries. Similarly, in preparation for the occurrence of security incidents, we have established HD-CSIRT (Computer Security Incident Response Team) within Sompo Holdings. In this way, we have an organizational structure in place that enables quick and timely actions, including information sharing, decision-making, and forensic investigations, in response to a variety of emergencies.
HD-CSIRT also collaborates with other companies in the industry and security-related organizations to improve the level of maturity not only of the Group but also of the entire security community.
Global risk response framework
Cyber risk knows no borders. To address this global risk, we have established cybersecurity response centers overseas as well as in Tokyo. These cyber units at overseas bases are staffed by highly knowledgeable and skilled “white hat hackers” who conduct various security tests, train each company’s security personnel, and conduct research and investigations of cyber technology.
Initiatives
Implementing protection measures
In addition to management-side measures such as organizational systems and rules, the Sompo Group has put in place comprehensive technical measures premised on defense in depth. For networks, in particular, we are striving to ensure security by introducing the Secure Access Service Edge (SASE) platform, an integrated security model, and by conducting monitoring activities at our Security Operation Center (SOC). These efforts are made to respond flexibly to changes in work style and system configurations, based on the concept of "zero trust security," under which all communications are verified and authenticated. Moreover, we implement various measures, including the application of security guardrails to prevent errors in cloud configurations, cyber patrol activities to monitor and protect Internet assets regardless of country or region, and vulnerability assessments and penetration tests for the IT assets of domestic and overseas Group companies. We monitor the safety of assets within the Group under normal conditions, and issue Group-wide warnings and provide technical support when we identify urgent vulnerabilities in our assets, suspected information leaks, or attacker activities.
Nurturing cybersecurity personnel
Cybersecurity measures sometimes require expertise. For this reason, we have established the Cyber Lab, a cybersecurity R&D center, within Sompo Holdings to support and train each company’s cybersecurity personnel through cybersecurity-related technical research and hands-on training. The Cyber Lab hosts regular “Cyber Tech Talk” events to share knowledge about cybersecurity. At these events, our global network of cybersecurity personnel shares its knowledge and expertise and promotes the cultivation of future talent while learning from each other in a spirit of mutual encouragement. This Cyber Tech Talk initiative is based on the idea that in order to respond to cyber risks that are spreading on a global scale, it is necessary to have a network where the Group’s cybersecurity personnel can connect and interact with each other. The goal is to create an environment where information can be exchanged beyond the boundaries of one’s organization, country, region, or language.
Adapting to new technologies
The Group is also actively researching new technologies, such as AI and Web 3.0, in order to incorporate and utilize them. Similarly, with regard to security, we work with the relevant departments to formulate procedures, rules, and guidelines for the safe use of new technologies and take the necessary measures to introduce innovations in a safe manner. New technologies can be applied not only to business applications but also to security. In addition to researching how new technologies can be used in cyberattacks and other threats, we conduct research and investigation on a daily basis so that we can stay alert to changes in various IT environments and always adopt the latest security measures. The Cyber Lab is also used as a base for this research and investigation. The Cyber Lab has a dedicated network environment that is isolated from the normal business environment, making it possible to conduct technical verification and similar activities safely.
Fostering a culture of security and security education
To ensure cybersecurity, it is essential to foster a “security culture” in which each employee understands the importance of cybersecurity and is aware of how to use IT assets safely.
The Group implements educational programs at multiple levels, from employees to management. We are also working to acquire knowledge related to cyberattacks and raise awareness at Group companies through e-learning, phishing email training, cyber incident drills, and newsletters. In recent years, we have been focusing on increasing resilience across the entire business and in management; for example, in our cyber incident exercises, we have introduced ransomware attack scenarios that incorporate more hands-on elements.
Promoting cloud migration
The Group has established a Cloud Center of Excellence (COE) system within Sompo Holdings to promote cloud migration as a means of responding flexibly to the constantly evolving business environment while remaining competitive. The Cloud COE establishes guidelines for the safe and secure use of public cloud systems, and provides personnel and knowledge support to enable the promotion of cloud migration among Group companies. Cloud migration enables us to reduce costs and to ensure scalability and service availability, as well as security through common security functions, among other benefits. It also helps us to contribute to reducing carbon emissions by actively adopting public cloud systems that are committed to and invest in clean energy.
External recognition and event/media appearances
Through cybersecurity, Sompo Holdings fulfills its social responsibility as a company and actively engages in cybersecurity initiatives and information disclosure in order to gain the trust of stakeholders.
We disclose our efforts and information through securities reports and sustainability reports, appearances at events sponsored by external IT companies both domestically and internationally, and media interviews.
Main achievements from 2024 onwards
- Awards
Sompo Holdings was awarded a one-star rating as an outstanding company in the Information Technology Federation of Japan (IT-renmei)'s survey on corporate cybersecurity initiatives and information disclosure.
This is the second consecutive year we have received this award. (January 2025)
- Event appearance
Bengo4.com, Inc. UNITIS Editorial Department, “Security Innovation Conference 2024 Summer” (July 2024)
ISC2, “ISC2 SECURE Asia Pacific” (August 2024)
- Media coverage
Kinzai Institute for Financial Affairs, Inc. (July 2024)