●Initiatives to promote and establish awareness of and sensitivity to risks
The Group provides education on risk management and compliance for all executives and employees when they join the company, and provides ongoing awareness-raising and regular education on risk management thereafter.
●Cybersecurity oversight system
The Group established a risk control system based on the “Basic Policy on Sompo Group ERM (Strategic Risk Management)” set out by the Board of Directors, and classifies risks that may have a significant impact on the Group as “material risks”. The Group Chief Risk Officer (CRO) carries out an exhaustive assessment of the risks of each business, regularly reports the risk management status to the Managerial Administrative Committee (MAC), the Board of Directors, etc., and verifies the efficacy of the countermeasures taken. The Chief Information Officer (CIO) is in charge of countermeasures for system failures, including cyberattacks, which are treated as a material risk at the Group ERM Committee.
To deliver the “security and health” that the Group values to customers, business partners, and shareholders, it is essential to address cyber risks, which increase with technological advances and changes in the environment. We have also established the “Basic Policy on Group Cybersecurity” and are building an efficient and effective cyber risk management system for the entire Group, based on the understanding that cybersecurity initiatives are a corporate social responsibility.
Moreover, we established a Cybersecurity Group as a specialized organization within the IT Strategy Planning Department to deal with cyber risks that are becoming more sophisticated and complex every day, and it is working on developing strategies and strengthening security across the Group. The major mission of this group of specialists is to jointly manage cyber risks with the persons responsible for cybersecurity at each Group company, in both normal times and emergencies, and to raise the level of maturity on a Group-wide basis, while also performing the function of the Computer Security Incident Response Team (CSIRT) of SOMPO Holdings.
We will closely align cybersecurity with business strategy and IT strategy, turn it into a competitive advantage in each business, and realize digital transformation in a secure and safe manner.
●Whistle-blowing and Consultation System
- With the aim of preventing misconduct, including violations of laws and regulations, as well as harassment and other problematic behavior, and maintaining and enhancing corporate value through self-regulation, the Sompo Group maintains a whistle-blowing system for internal reporting and consultation by establishing external hotlines in addition to internal hotlines at each Group company, and by continuously informing employees of these hotlines.
- Each Group company has a system in place in accordance with the relevant laws and regulations of each country. In Japan, we have a system in place in accordance with the revised Whistleblower Protection Act (effective June 2022), and overseas, we have a system in place based on both local laws and Group system development standards.
Flow of procedures after receiving reports or consultations
- Those eligible to use the system include persons who have resigned from their jobs within the past year, and persons who are employed by other companies and engaged in work for SOMPO in Japan (eligibility varies depending on circumstances in each country).
- Anonymous reporting is also accepted.
- Email, telephone, and other reporting and consultation methods are available (available methods vary depending on circumstances in each country).
- Consultations regarding how to use the system and how whistleblowers and those seeking consultation are protected are also available (the scope of consultation available varies depending on circumstances in each country).
- The supervisory department is responsible for leading investigations and corrective actions in cases, as well as analyzing trends and formulating countermeasures.
- Significant reports (including reports in which directors or executive officers are suspected to be involved) shall be reported to the Audit Committee, which is independent of management, and response policies shall be determined by the Audit Committee.
Examples of receiving reports and consultations
■Work environment ■Harassment ■Violation of human rights ■Violation of laws and rules etc.
Information on how to contact customers and stakeholders is available on each company's website.
●Number of whistle-blowing cases
●Customer privacy protection
Sompo Japan takes appropriate action within the organization, such as treating matters identified internally as complaints and reporting them to the relevant external parties. The table below shows the number of complaints, out of the total complaints about customer privacy violations received in FY2022, for which the facts could be confirmed.
Of the above, the number of complaints received from the regulatory authority was zero.