Business and other risks

1. Management system and framework for major risks

(1) Overview of risk management system

Sompo Group operates an Enterprise Risk Management (ERM) framework to manage risk across the Group, serving as a sophisticated ‘compass’ that points the business towards the optimal direction. This embraces not just the avoidance of losses, but also the avoidance of opportunity losses for profitable risk-taking. These include, for example, potential new business investments in response to risks identified. The ERM system seeks to achieve these goals by providing and strengthening the following "three capabilities":

a. Correct understanding of the Group’s current position

b. Sensitive detection of potential risks

c. Clear indication of the routes the Group should take

ERM is effected through a series of business management processes that look to maximize corporate value by achieving a balance of capital, risk, and profit through management of the two objectives: "risk-taking for business strategies" and "risk control for a stable business foundation". In the risk-taking context, we make use of analyses on capital, risk, and profit within the Risk Appetite Framework for important management decisions, corresponding to (c) in the above diagram. For risk control, we use a framework – the Risk Control System – to identify, analyze, and assess various types of risks surrounding the Group, aiming to minimize unexpected losses and to increase the stability of profit. This corresponds to (a) and (b) in the diagram above.

<Overview of the Sompo Group's Enterprise Risk Management>

2. Risk Management Governance Structure

In order to ensure the effectiveness of "ERM" based on the "Sompo Group Basic Policy on ERM" established by the Board of Directors, "Sompo Group’s Risk Appetite Statement" – consisting of the Risk Appetite Principles, the Medium-term Risk-taking Strategy, and the Risk Appetite Indicator – is used as a guideline for risk-taking, in alignment with the Group’s strategies and business management plans.

The Group Executive Committee, an advisory body to the Group CEO, regularly holds management discussions on matters related to risk management, including the Group's risk appetite statement, medium-term Group ERM promotion policy, and risk tolerance policies and measures.

The Group ERM Committee, chaired by the Group CRO, has been established as a subordinate body of the Group Executive Committee to conduct cross-sectional management discussions on important Group ERM issues, such as risk-taking strategies, and the status of control of material risks by the department with primary responsibility and risk management department.

The results are reported to the Board of Directors through the Group Executive Committee, and we have established a framework to continuously enhance governance pertaining to group risk management, incorporating advice and recommendations from the Board.

The Group CRO ensures that the "Sompo Group Basic Policy on ERM" and the "Medium-term Group ERM Promotion Policy" are known to all Group companies, and works to improve the effectiveness of ERM for the entire Group through regular monitoring and discussions with the CROs of each company.

Group companies have established risk management systems in line with Group policies and manage risk autonomously.
The Company and its major subsidiaries have adopted a “three lines” model:
First line: Each department or business unit responsible for developing and implementing policies and measures within our company and its key subsidiaries autonomously manages its own risks.
Second line: The risk management department, along with the department in charge of the relevant business duties, oversees and supports the first line’s risk management activities.
Third line: The internal audit section independently evaluates the validity and effectiveness of the overall risk governance framework.
These measures collectively ensure and enhance the effectiveness of the Group’s risk management system.

Risk Management Governance Structure

The Risk Control System and the status of risk and capital

Under the Risk Control System, we conduct risk assessment using "the Material Risk Management" framework – firstly identifying all the material risks we face, then evaluating them from both a qualitative and quantitative perspective. For risks that can be quantified, their impacts on capital adequacy and liquidity are analyzed and assessed based on various quantitative indicators in "Capital adequacy management", "Stress testing", "Limit management", and "Liquidity risk management" frameworks. Based on these analyses, the management decides necessary risk control measures to secure and improve the Group’s financial soundness.

A. Material Risk Management

We define "risks that could have significant impacts on the business" as "material risks" and comprehensively capture and evaluate the risks faced by our business through bottom-up risk assessment and top-down confirmation and discussion by the Board of Directors and others. In conducting risk assessment, we have clarified the criteria so as to emphasize the reputational impact from the viewpoints of customers, society, and other stakeholders, in addition to economic loss and business continuity.

Material risks are comprehensively identified by the Group CRO based on risk assessments and the views of experts, etc. Risks are evaluated both qualitatively and quantitatively in terms of likelihood of occurrence and impact, based on specific scenarios of the impact of risks on the Group. The management status is discussed in the Group ERM Committee and then reported to the Group Executive Committee and the Board of Directors at least twice a year.

Risks for which the risk management structure should be reinforced are raised at the Group Executive Committee. Further, we define “emerging risks” as risks that are difficult to evaluate at this time based on specific impact scenarios but that have the potential to emerge or change due to changes in the environment and to have a significant impact on our Group in the future. We manage them appropriately by associating them with individual material risks. In selecting emerging risks, the Group gathers information from various public and private sources, identifies potential candidates based on their possible future impact, and then designates them as emerging risks based on their materiality.

B. Capital Adequacy Management

We quantify the insurance underwriting risks, asset management risks, nursing risks, and operational risks we are exposed to in order to maintain a sufficient level of capital relative to risks. A system has been established so that countermeasures are properly implemented if necessary.

C. Stress Testing

We conduct "scenario stress testing", "reverse stress testing", and "sensitivity analyses" on a Group-wide basis to accurately identify and manage events that could significantly affect the Group's business management. We analyze the impact on both capital and risk and take countermeasures as required. As at the end of March 2025, we confirmed that the Group retains sufficient capital even under any of the assumed stress scenarios.

Scenario Stress Testing: We evaluate how significantly large-scale natural catastrophes, financial market disruptions, and other stress scenarios could affect business, verifying capital adequacy and the effectiveness of risk mitigation measures. We regularly verify the validity of stress scenarios to ensure that we can respond appropriately to environmental changes.
Reverse Stress Testing: We identify vulnerability by exploring specific events that breach risk tolerance levels and consider appropriate countermeasures for specific stress events in advance.
Sensitivity Analyses: We identify the impact on capital and risk from fluctuations in key risk factors. Also, we validate in-house models by comparing theoretical figures calculated by the models with the figures of actual results.

D. Risk Limit Management

We have established the maximum limit for each risk on a Group-wide basis such as credit risk, reinsurance counterparty risk, and natural catastrophe risk to avoid outsize losses arising from the occurrence of specific events. The Group sets the limits within the maximum limits based on risk characteristics and has established a system to take appropriate measures when those limits are exceeded. As at the end of March 2025, we have confirmed that each risk was appropriately controlled.

E. Liquidity Risk Management

In addition to projecting cash requirements for day-to-day operations, we project the maximum cash outflows that could result from events such as a large-scale natural catastrophe. We then manage liquidity to ensure we have sufficient liquid assets to meet cash requirements in these scenarios. As at the end of March 2025, we have confirmed that the Group has adequate liquid assets to meet such outflows.

3. Major risks

(1) Material risks and the assessment of their likelihood and impact

Material risks and their probability of occurrence and impact are evaluated as follows.

<List of Material Risks>
Category / No. / Material Risks
A. Strategic risk
  External environment
    1 Deterioration/transformation of competitive environment
    2 Significant change in macroeconomic environment
    3 Geopolitical risk
    4 Pandemic
    5 Changes in regulatory systems
  Business strategy
    6 Insufficient governance
    7 Misjudgment of risks associated with new business and strategic investment
    8 IT strategy risk
    9 Climate change (Physical risks)
    10 Sustainability risk
  Human resources and personnel
    11 Risks related to human capital
B. Market risk
  Market risk
    12 Significant market deterioration
  Credit concentration risk
    13 Reinsurance and investment credit risk
  Liquidity risk
    14 Liquidity in the event of a major disaster
C. Operational and compliance risk
  Administrative risk
    15 Risks related to outsourcing and partnerships
  IT risk
    16 IT failures
    17 Cyber security breach
  Compliance risk
    18 Labor risk
    19 Leakage of confidential and customer information (excluding cyber attacks)
    20 Compliance risk
    21 Conduct risk
D. Business risk
  Insurance underwriting risk
    Cat risk
      22 Mega earthquake in Japan
      23 Huge wind and flood disaster in Japan
      24 Mega natural disasters overseas
    Other
      25 Cyber aggregation risk
      26 Conventional terrorist attack
  Nursing care business risk
    Nursing care business risk
      27 Misjudging the long-term nursing care business environment
      28 Serious misconduct in the nursing care business
E. Other risks
    29 Business Interruption
    30 Reputational risk

<Material Risk Heat Map>

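The degree of Impact (Financial Loss, Business continuity, Reputation) and Probability of Occurrence
Very Large: Financial Loss: ≧ 500 bill. JPY; Business continuity: License cancellation; Reputation: Brink of corporate failure; Probability of Occurrence: ≧ once a year
Large: Financial Loss: ≧ 200 bill. JPY; Business continuity: Disruption of core business; Reputation: ≧ 5 years damage; Probability of Occurrence: ≧ once in 10 years
Medium: Financial Loss: ≧ 10 bill. JPY; Business continuity: Partial disruption; Reputation: ≧ 2 to 3 years damage; Probability of Occurrence: ≧ once in 100 years
Small: Financial Loss: < 10 bill. JPY; Reputation: < 2 years damage; Probability of Occurrence: < once in 100 years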

The status of emerging risks is as follows.

<List of Emerging Risks>
Innovative medical technology
Overview of risks
  • The possibility of changes in insurance needs due to changes in treatment methods for diseases and injuries caused by innovative medical technologies
  • Possibility of significant fluctuations in projected benefit payments due to the large number of third-sector insurance holdings in the life insurance business and the spread of innovative diagnostic and treatment technologies in the market, leading to earlier detection of diseases, higher survival rates, and longer treatment periods
Examples of countermeasures
Investigating the landscape and impact of innovative medical technologies. Analyzing the implications of the research findings on future insurance businesses, and considering future responses, such as utilizing the findings for the development of products and services.
Biodiversity
Overview of risks
  • Reputational risks associated with biodiversity loss, stemming from stricter regulations, business impacts, changes in government policies, and shifting consumer preferences.
  • In terms of physical risks, more intense and frequent typhoons and hurricanes; reduced capacity for disaster mitigation from ecosystems; increased insurance payouts (e.g., fire) because of escalating damage; higher reinsurance costs; reduced insurance income due to underperformance in sectors highly dependent on nature following the degradation of ecosystem services; and a drop in investment returns.
  • In terms of transition risks, increased liability insurance payouts due to nature-related lawsuits, and reputational/valuation risks stemming from variations in biodiversity/natural capital initiatives and disclosures in products and services.
Examples of countermeasures
Continuously monitoring trends in biodiversity and natural capital disclosure standards and assessing their impact on our company. In addition, analyzing our insurance business value chains, both domestically and internationally, to understand our dependence on and impact on biodiversity and natural capital.
New risks posed by generative AI, etc.
Overview of risks
  • Inability to adapt to social changes resulting from the rapid spread of AI, or lost opportunities and reduced competitiveness due to delays in AI adoption.
  • Providing misinformation to customers, infringing on intellectual property rights, data breaches, etc., through the business use of AI, and the resulting loss of social trust.
Examples of countermeasures
Promoting the use of AI in internal operations, etc. Establishing a governance structure, including risk assessments during AI system development and monitoring after implementation. Providing internal training and awareness through guidelines for internal users.
Critical infrastructure outages due to highly uncertain factors
Overview of risks
Business interruption and unexpected large insurance payouts resulting from a large-scale, long-term outage of critical physical or digital infrastructure due to inadequate security.
Examples of countermeasures
Conducting research and analysis on the likelihood of disasters caused by various highly uncertain factors, including solar storms, and their potential impact on critical infrastructure.
Changes in global laws, regulations, and guidelines related to human rights
Overview of risks
  • Changes in global human rights laws, regulations, and guidelines increase societal sensitivity to human rights, leading to more human rights lawsuits and reputational damage from stakeholders.
  • Human rights lawsuits from stakeholders can result in litigation costs. Furthermore, if our group's human rights efforts are deemed inadequate, we could suffer reputational damage, brand erosion, and a decline in corporate value and trust.
Examples of countermeasures
Publishing policies aligned with the requirements of business and human rights regulations and guidelines, enhancing human rights risk assessments, and engaging in dialogue with stakeholders. Establishing a system for implementing human rights due diligence across the entire group.

(2) Material Risks - Assessments, and Countermeasures

Strategic risk
1. Deterioration/transformation of competitive environment
<Risk overview>
Impact on our group's financial performance due to: deterioration or damage to competitiveness and revenue base from insufficient response to new entrants from digital and other industries and the advancement of digital technologies including generative AI; shrinking market size due to the expansion of the sharing economy and domestic population decline/aging; and reduced insurance needs from fewer accidents resulting from technological innovation.
<The status of countermeasures>
We are executing our digital strategy and M&A activities to advance our transformation toward realizing the "SOMPO’s Purpose." This includes enhancing productivity in existing businesses through the use of generative AI and data-driven decision-making workflows, creating new value through digital technology and new products and services addressing social issues in areas such as disaster prevention, mitigation, and mobility, and promoting digital transformation (DX) by hiring and developing specialized digital talent to support these efforts.
2. Significant change in macroeconomic environment
<Risk overview>
Significant revenue decline due to a global economic slowdown, the potential inability to pass on increased business costs and insurance payouts resulting from rapid inflation to our product and service prices, and the devaluation of financial assets.
<The status of countermeasures>
We are closely monitoring the impact of macroeconomic conditions, such as a global economic slowdown and rapid fluctuations in inflation rates, on our business, and are taking measures based on appropriate estimations of premium income, insurance payouts, etc. Furthermore, as changes in the macroeconomic environment can significantly impact our capital position through fluctuations in the value of investment assets, we are analyzing the impact on our group under multiple scenario settings and implementing countermeasures.
3. Geopolitical risk
<Risk overview>
Consequential effects on our group from heightened geopolitical tensions, such as retaliatory sanctions and the occurrence of significant events (including financial asset devaluation, increased insurance payouts, and business interruption).
<The status of countermeasures>
We are investigating scenarios that could significantly impact our group (including market effects), utilizing insights from external experts, assessing the financial implications, and closely monitoring the potential managerial impact. We are also maintaining an effective crisis response system by developing manuals and business continuity plans that outline actions for officers and employees during a crisis, and conducting training and self-assessments.
4. Pandemic
<Risk overview>
The impact on our group in the event of a global pandemic that restricts people's lives and industrial activities (including increased insurance payouts, unmet business plans due to a global economic slowdown, business interruption, and financial asset devaluation).
<The status of countermeasures>
Drawing on the experience gained during the COVID-19 pandemic, we have formulated business continuity plans to prepare for the occurrence of new infectious diseases and other pandemics. We conduct regular training exercises and validate the effectiveness of these plans. Furthermore, we continue to monitor environmental changes to flexibly adapt to the opportunities and threats arising from subsequent major shifts.
5. Changes in regulatory systems
<Risk overview>
The risk of inadequate response to significant changes in laws, regulations, supervisory frameworks, financial administrative policies, etc., pertaining to the insurance business (including administrative sanctions, lost innovation opportunities, increased business costs, payment of damages from litigation, and reputational damage).
<The status of countermeasures>
We strive to stay abreast of revisions to relevant laws and regulations and implement necessary responses. In addition, we are monitoring trends in structural reforms of the non-life insurance industry in a timely manner, including discussions at the "Expert Panel on Structural Issues and Competition in the Non-Life Insurance Sector" and the Financial System Council's "Working Group on Regulatory System Especially for Non-Life Insurance business".
6. Insufficient governance
<Risk overview>
The risk arising from inadequate functioning of group governance (including the establishment and operation of internal control systems), such as: failure of our company's supervisory function due to insufficient communication and information sharing between our company and group companies; and inability to achieve strategic goals, deviations from regulations, and reputational damage due to the malfunction of internal control systems relating to decision-making processes, etc.
<The status of countermeasures>
In order to ensure effective group governance, we are continuously reviewing and strengthening our management and monitoring system to appropriately assess the adequacy and effectiveness of internal controls at group companies on a risk-basis in a timely manner. Specifically, regarding Sompo Japan, we have increased the number of our company's executives serving concurrently as directors and strengthened oversight by having the Group CEO serve as Chairman of the Board of Directors. Furthermore, we are working to enhance communication between our company and group companies, including the reporting of negative information, and to promote the use of the internal whistleblowing system and foster a speak-up culture.
7. Misjudgment of risks associated with new business and strategic investment
<Risk overview>
Impairment of invested capital, reputational damage, and failure to achieve the expected return on investment from digital technologies and systems due to inadequate risk awareness regarding strategic investments and new businesses (including those related to digital technology).
<The status of countermeasures>
While we carefully discuss the validity of major investments, such as digital strategies, M&A, and large-scale system development at the Board of Directors level, etc., before execution, the anticipated results may not be achieved due to environmental changes or unforeseen difficulties. Therefore, even after execution, we regularly confirm that the validity remains and that withdrawal criteria are not triggered, based on pre-defined standards.
8. IT strategy risk
<Risk overview>
  • The risk of schedule extensions, budget overruns, and reduced quality in large-scale system development projects due to factors such as rapid changes in the external environment, deficiencies in project management, the complexity of system development, and talent shortages that significantly impact various businesses.
  • Impact on business opportunities, reduced ROI, damage to corporate reputation, and loss of competitiveness compared to other companies.
<The status of countermeasures>
In order to ensure appropriate IT governance, we have established management processes aligned with international standards. We have also established a system for monitoring of large-scale system development projects and are striving to ensure proper project execution.
9. Climate change (Physical risks)
<Risk overview>
  • Impact on underwriting income due to the occurrence or increased frequency of larger-than-expected wind and flood damage (including snow and hail damage, etc.) caused by climate change.
  • Accumulation of risk and reduced profit stability due to a hardening reinsurance market and a significant decrease in reinsurance capacity as a result of increased wind and flood damage.
<The status of countermeasures>
We are advancing our initiatives based on research findings from external organizations such as the IPCC (Intergovernmental Panel on Climate Change) and NGFS (Network for Greening the Financial System), as well as scientific knowledge obtained in collaboration with universities and other research institutions. Through large-scale analysis using meteorological and climate big data, we are working to understand the long-term effects of rising average temperatures on the average trend changes in typhoons, floods, and storm surges affected by sea-level changes, as well as the occurrence trends of extreme disasters. Furthermore, to control the impact of massive wind and flood damage on our group, we are revising products and reviewing underwriting conditions.
10. Sustainability risk
<Risk overview>
  • Increasing social pressure on corporations regarding sustainability, coupled with a slow or inadequate response in developing products and services that support the transition to a decarbonized society, can lead to reputational damage from stakeholders. Furthermore, the strengthening of regulations concerning climate change responses could result in a decline in the value of fossil fuel assets (stranded assets).
  • The occurrence of inappropriate actions or events that violate business and human rights norms, along with insufficient responses or failures to rectify such issues, can lead to reputational damage from stakeholders.
<The status of countermeasures>
Regarding transition risks, we are actively pursuing our Green Transition Plan, primarily focused on insurance underwriting and asset management. Concerning human rights risks, we identify and assess potential impacts and risks across the entire value chain of each business. These efforts are overseen by the Group Sustainable Management Committee, chaired by the Group Chief Sustainability Officer (CSuO), which monitors progress, facilitates discussions, and reports to the Board of Directors and other relevant bodies.
11. Risks related to human capital
<Risk overview>
  • Failure to foster a corporate culture that embraces diverse perspectives, leading to decreased employee engagement.
  • Inability to strengthen group talent and inadequate attention to DEI (Diversity, Equity, and Inclusion) initiatives, hindering talent acquisition and preventing the execution of strategic workforce planning.
<The status of countermeasures>
Regarding human capital risks, we are enhancing our HR systems to promote individual career development and improve talent competitiveness. This includes implementing a job-based HR system and policies supporting diverse work styles, enabling employees to build careers aligned with their 'MY Purpose' (individual life goals, purpose, or meaning of work). We are also providing employees with access to platforms designed to foster self-directed learning. Furthermore, we are committed to inclusive talent acquisition, regardless of gender, disability, nationality, age, or other attributes. We are increasing investment in employee development to enhance specialized skills. Finally, we are revising our Group Corporate Philosophy System, including establishing required ethical and behavioral principles, to transform and embed a shared understanding, mindset, values, and behaviors across our Group's officers and employees.
Market risk
12. Significant market deterioration
<Risk overview>
  • We invest broadly in domestic and international securities. Fluctuations in stock, foreign exchange, and interest rate markets could lead to realized investment losses, mark-to-market losses, or declines in fair value, which could negatively impact our Group's financial performance.
  • We sell long-term insurance products with guaranteed interest rates (the rate of return promised to customers at the time of contract). In periods of declining interest rates, there is a risk that actual investment returns may fall below the guaranteed interest rates.
  • Conversely, in periods of rising interest rates, there is a risk of increased policy surrenders, primarily in savings-type products, as customers may switch to products with higher guaranteed interest rates.
  • In our domestic life insurance business, the long-term nature of insurance products leads to a high interest rate sensitivity of insurance liabilities. A mismatch between the interest rate sensitivity of assets and liabilities could significantly increase the risk of a decline in adjusted net worth during periods of interest rate volatility.
<The status of countermeasures>
The Group has established a plan to reduce our holdings of shares that could potentially hinder fair competition in insurance transactions to zero by the end of fiscal year 2030. We are accelerating the pace of reduction, especially from fiscal year 2024 onwards, and are steadily decreasing our remaining balance. We are also working to mitigate the impact of stock market declines. Regarding the impact of exchange rate fluctuations, we monitor currency risk exposure on a Group-wide basis and manage the risk of a significant reduction in equity capital due to a stronger yen.
To address the interest rate sensitivity of long-term insurance liabilities, such as maturity refunds for endowment insurance and our domestic life insurance business, we execute long-term investments and financing activities, balancing economic value-based perspectives with accounting perspectives under the Insurance Business Act. This reduces the overall interest rate sensitivity of our assets and liabilities, mitigating the impact of interest rate fluctuations on adjusted net worth. Furthermore, in our domestic life insurance business, we are working to increase the proportion of products less sensitive to interest rates, such as protection-type products. We regularly assess the impact of stress scenarios that could have a material impact on our business, such as significant market deterioration.
13. Reinsurance and investment credit risk
<Risk overview>
The impact on our Group's financial performance from declines in the value of financial assets or increased insurance payouts due to bankruptcies or creditworthiness deterioration of investees, borrowers under guarantee insurance, or failures of reinsurance companies, leading to unrecoverable reinsurance claims.
<The status of countermeasures>
To avoid concentration risk in our investments, lending, and reinsurance placements, we set limits based on internal credit ratings for individual counterparties. We regularly monitor compliance with these limits and manage our exposures to ensure they are not exceeded.
14. Liquidity in the event of a major disaster
<Risk overview>
The impact on our Group's financial performance from the need to secure financing through substantial borrowing or asset sales during large-scale disasters or similar events.
<The status of countermeasures>
Liquidity is managed separately for each insurance subsidiary. We ensure that sufficient liquid assets are maintained to meet financing needs in the event of catastrophic disasters or increased policy surrenders due to rising interest rates.
Operational and compliance risk
15. Risks related to outsourcing and partnerships
<Risk overview>
The occurrence of circumstances that make it difficult to continue outsourced operations due to insufficient operational capabilities, bankruptcy, legal or regulatory violations, misconduct, or service withdrawal by key external vendors, including agencies, as well as the resulting payment of compensation and reputational damage.
<The status of countermeasures>
Following the administrative actions levied against our company and Sompo Japan, our Group is actively implementing measures to prevent recurrence. A central element of this effort is cultivating a robust corporate culture that prioritizes compliance and customer protection. To fundamentally reshape the understanding, mindset, values, and actions of our Group officers and employees, we have undertaken a revision of the Group Corporate Philosophy System, which includes establishing the mandatory code of conduct. We are committed to further embedding these principles through comprehensive communication, training, and other initiatives. Beyond simply establishing a system to ensure proper corporate conduct aligned with legal regulations, social norms, and corporate ethics, we are diligently working to enhance the effectiveness of our Group-wide internal control system. This includes a thorough analysis of incidents across our Group companies to implement targeted solutions addressing common vulnerabilities.
16. IT failures
<Risk overview>
  • The risk of system failures, including information system outages and malfunctions, due to internal factors such as equipment failure, human error, and information system deficiencies, as well as external factors such as natural disasters.
  • The potential for recovery costs, lost revenue due to service disruptions, and negative impacts on business operations and relationships due to reputational damage.
<The status of countermeasures>
To ensure appropriate IT governance, we have established management processes aligned with international standards. We aim to prevent system failures by defining various procedures and standards. Furthermore, we continuously strive to mitigate system risks by implementing various measures, including regular analysis of system failures, development of a Business Continuity Plan (BCP), and conducting routine training exercises.
17. Cyber security breach
<Risk overview>
  • The risk of cyberattacks causing security breaches within our Group or at our agencies and vendors, leading to information system outages, malfunctions, unauthorized access, data destruction or alteration, significant data breaches, or supply chain disruptions.
  • Potential consequences including investigation and recovery costs, lost revenue due to service disruptions, and negative impacts on business operations and relationships due to reputational damage, as well as violations of data protection laws such as the Personal Information Protection Act and the EU General Data Protection Regulation (GDPR).
<The status of countermeasures>
We recognize that continuously improving our response capabilities is paramount in the face of increasingly sophisticated and complex cyberattacks. As a Group, we are strengthening our cyberattack management framework and enhancing our cybersecurity measures accordingly. On April 21, 2025, we discovered unauthorized third-party access to Sompo Japan's web systems, and we acknowledge the potential breach of some customer information. We are assessing the impact of this incident and taking appropriate measures, and we are also reviewing our management framework based on the lessons learned from this event.
18. Labor risk
<Risk overview>
  • Violations of domestic and international labor laws, litigation related to excessive workloads, and increased employee attrition, potentially leading to business disruption, reputational damage, and inadequate health and well-being initiatives.
  • The occurrence of employee physical and mental health issues, decreased productivity leading to increased costs, and increased employee turnover primarily due to various forms of harassment, including power harassment, potentially resulting in difficulties in talent acquisition and staffing.
<The status of countermeasures>
To address labor-related risks associated with excessive working hours and other issues, we are committed to: ensuring strict adherence to proper time and attendance management; eradicating harassment; promoting mental health initiatives; advancing health and well-being programs; and fostering an inclusive culture through initiatives such as expanding career recruitment.
19. Leakage of confidential and customer information (excluding cyber-attacks)
<Risk overview>
The risk of significant payouts and reputational damage resulting from major data breaches caused by officers or employees across Group companies.
<The status of countermeasures>
We have established the 'SOMPO Group Basic Policy on Customer Information Management,' among other policies, and have implemented various security control measures to prevent major data breaches.
20. Compliance risk
<Risk overview>
  • Violations of laws and regulations applicable to each of our Group's businesses, as well as those applicable in the countries and regions where we operate internationally, potentially leading to the payment of fines, penalties, and other sanctions. Also, misconduct by officers and employees, criminal acts by external parties, and the payment of damages resulting from litigation.
  • The erosion of our Group's social trust and credibility due to legal violations, scandals, or other misconduct.
<The status of countermeasures>
Beyond simply establishing a framework to ensure proper corporate activities in accordance with legal regulations, social norms, and corporate ethics, we are actively working to enhance the effectiveness of our Group-wide internal control system. This includes analyzing specific examples of misconduct and other incidents occurring within Group companies and implementing targeted solutions to address common, Group-wide vulnerabilities. To promote a culture of compliance among our officers and employees, we provide training on the 'SOMPO Group Compliance Code of Conduct' and 'SOMPO's Yes,' a decision-making framework designed to guide employees toward ethical judgments and actions in their work. We are committed to embedding and reinforcing a strong compliance mindset throughout the organization. Furthermore, to facilitate the early detection of misconduct and other incidents, we have established a common Group-wide consultation and reporting channel for our whistleblower program and are continuously evaluating and refining its effectiveness.
21. Conduct risk
<Risk overview>
  • The erosion of corporate value due to a gap between the products, services, and business practices offered by our Group and the expectations of society and our stakeholders, including customers.
  • The potential for our Group's governance regarding products and services, personal information collection, AI utilization, and other areas to fall short of stakeholder expectations and/or negatively impact market integrity.
<The status of countermeasures>
To foster a sound corporate culture that prioritizes compliance and customer protection, we have updated the 'SOMPO Group Compliance Code of Conduct' for all Group officers and employees and have established 'SOMPO's Yes,' a decision-making framework. We are committed to ongoing communication, training, and other initiatives to promote widespread understanding and adoption of these principles.
Business risk
22. Mega earthquake in Japan, 23. Huge wind and flood disaster in Japan, 24. Mega natural disasters overseas
<Risk overview>
  • The impact on underwriting income due to substantial insurance payouts resulting from large-scale natural disasters.
  • The difficulty in managing risk in accordance with our risk appetite due to challenges in securing reinsurance arrangements and other related factors.
<The status of countermeasures>
To manage natural catastrophe risk and prevent excessive concentration, we establish limits by region and type of natural disaster based on the Group's capital levels. We regularly monitor compliance with these limits and manage our exposures to ensure they are not exceeded. We also conduct regular stress tests to confirm capital adequacy, while stabilizing our business through reinsurance and capital enhancement. Furthermore, we quantitatively assess the risk of insurance payouts due to natural disasters to ensure appropriate premium rates and product design.
25. Cyber aggregation risk
<Risk overview>
The impact on underwriting income due to substantial insurance payouts resulting from large-scale cyberattacks.
<The status of countermeasures>
Within our major insurance subsidiaries, we calculate the probable maximum loss (PML) for cyber insurance based on quantitative risk modeling and regularly monitor our position against pre-defined limits or guidelines.
26. Conventional terrorist attack
<Risk overview>
The extensive damage resulting from large-scale terrorist attacks, including human, physical, and economic disruption.
<The status of countermeasures>
We calculate the probable maximum loss (PML) for conventional bomb terrorism and regularly monitor our position against pre-defined limits.
27. Misjudging the long-term nursing care business environment
<Risk overview>
  • The risk of misjudging the long-term care business environment stemming from our full-line provision of care services, ranging from in-home care to facility-based care.
  • The potential for difficulties in securing staff due to revisions to the Long-Term Care Insurance Act and long-term care service fees, increased competition in the long-term care market, and a widening gap between the supply and demand of long-term care personnel.
<The status of countermeasures>
Recognizing the growing gap between the supply and demand of long-term care personnel, SOMPO Care Inc. aims for the sustainable growth of its long-term care business by pursuing 'The Future of Care.' This involves leveraging data and technology to streamline operations in care facilities, creating time for personnel to focus on tasks that only humans can perform, and achieving productivity gains with enhanced quality. Furthermore, we intend to transform the future of long-term care by extending this approach across the entire long-term care industry.
28. Serious misconduct in the nursing care business
<Risk overview>
  • The risk of serious misconduct damaging our brand value.
  • The occurrence of food poisoning, outbreaks of infectious diseases, and accidents specific to elderly care, leading to damage to social trust, credibility, and reputation.
<The status of countermeasures>
To build trust with our clients, SOMPO Care Inc. is committed to establishing robust corporate governance and operational management systems. The Governance, Risk, Quality, and Compliance Committee has been established as an advisory body to the Management Committee to deliberate on matters related to internal controls, including responses to significant risk management and quality events, as well as internal audit results. Furthermore, the Head Office Risk Management Department aggregates accident information and works to disseminate and ensure the thorough implementation of preventative measures.
Other risks
29. Business Interruption
<Risk overview>
A situation in which the smooth operation of essential functions, such as head office operations, insurance claims payments, and the provision of long-term care services, is hindered by events such as: large-scale natural disasters (including major earthquakes), large-scale terrorist attacks, pandemics (including novel infectious diseases), and major system failures caused by cyberattacks.
<The status of countermeasures>
Our Group has long maintained Business Continuity Plans (BCPs) to prepare for emergencies such as large-scale natural disasters (including major earthquakes), pandemics (including novel infectious diseases), and major system failures caused by cyberattacks. We conduct regular training exercises and continuously strive to validate and improve the effectiveness of these BCPs. More recently, we have been working to further enhance our crisis response capabilities and ensure the continuity of critical operations across our Group companies. This includes: reviewing the BCPs of each Group company based on damage scenarios for a major Tokyo earthquake and a Nankai Trough earthquake; deploying the latest communication tools and power facilities; and clarifying our cyber response emergency structure and intra-group collaboration workflows.
30. Reputational risk
<Risk overview>
Damage to brand value resulting from the dissemination of negative information in mass media reports and online articles.
<The status of countermeasures>
Regarding reputational risk, our established policies clearly define methods for controlling the risk of damage to our reputation due to negative information. We strive to mitigate the impact through prompt and appropriate responses. We have also developed criteria for determining when information disclosure is necessary during a crisis to ensure timely and accurate communication. Furthermore, we have established a system for the early detection of reputational issues within the Group based on established reporting procedures for adverse information.