Information Security

Cybersecurity

Cybersecurity Response

Cybersecurity is one of Aozora’s main focuses as a bank that is responsible for its customers’ important assets and information. Cybersecurity threats are increasing year after year and the attacks are becoming more sophisticated. The latest targets for cyber-attacks have been electronic payment services as well as the IT infrastructure supporting work-from-home, which has recently become widespread as a result of new working style reforms and the COVID-19 pandemic. In order to provide reliable financial services, the Bank considers the stable operation of information systems an important management issue and is committed to further strengthening its cybersecurity measures.
Security-related incidents such as information leaks or service outages caused by cyber-attacks would not only have a significant impact on the Bank's operations, including financial losses for our customers and affecting business continuity, but may also have an impact on society as a whole. Aozora has established a security policy and system risk management policy, and with the active engagement of senior management, we will work to maintain the cybersecurity framework of the entire Aozora Group while reducing risks.

Cybersecurity Management

Aozora’s Chief Technology Officer (CTO) is the Bank’s designated senior executive with responsibility for cybersecurity. The CTO regularly reports to the Board of Directors and regular management meetings on the status and evaluation of risks as well as the progress of risk reduction plans, and establishes a framework that enables appropriate management decisions.
System vulnerability information is released on a daily basis. When such information is released, or when an incident that has a significant effect on society occurs at another company, we promptly investigate its impact on the Bank, incorporate the details into our plan as appropriate, and report it to management. In addition, we conduct cybersecurity exercises which include members of our management team.

Aozora Computer Security Incident Response Team (CSIRT)

Aozora has established a framework in which the IT Control Division is designated as the control division for overall system risks, and the Cyber Security Office established within the IT Control Division is designated as the cybersecurity department. The Cyber Security Office is staffed with specially trained personnel and manages systems development, monitoring and emergency responses. Aozora has also established a Cyber Security Incident Response Team (Aozora CSIRT), which spans Aozora’s related divisions and Group companies, with the CTO as the chairperson and the Cyber Security Office as the supervising department. By sharing within the Bank both the risks inherent in the Bank and cybersecurity cases from other companies, and by conducting ongoing cybersecurity training, we can prepare more effective emergency responses for the entire Aozora Group.

Cybersecurity Management System

[Figure: Cybersecurity Management System]

Ongoing Enhancement of Security

Aozora has implemented multi-layered technical countermeasures, including entrance systems that prevent unauthorized entry, internal measures such as a detection system that presumes internal network attacks, and exit measures to prevent information leakage. In addition, we continue to raise security awareness by conducting e-learning education for all officers and employees, online seminar-style training classes based on employees’ job duties, and targeted email training. We are committed to strengthening the cyber-resilience of the entire Aozora Group in order to flexibly respond to incidents by conducting scenario-based exercises for Aozora CSIRT and system recovery training regarding damage from ransomware attacks.
We have been actively engaged in promoting work-from-home since before the COVID-19 pandemic, and have implemented the necessary authentication systems in consideration of the balance between security and convenience.
We have also adopted a high-level authentication method in cooperation with the related business divisions of the Bank in order to prepare for fraudulent transactions through the Bank’s own services, such as Internet banking, or services provided by third-party organizations that connect with Aozora, such as fund transfer service providers. At the same time, we also require high-level connection standards set by the Bank for our connection partners, and check their status annually in order to maintain Aozora’s security strength in response to changes in the operating environment.

Cooperation with Outside Parties

In addition to prompt reporting to the FSA and police in the event of an incident, we cooperate with government offices and related organizations, such as Financials ISAC Japan and JPCERT/CC, while proactively transmitting and sharing incident information in order to improve the security of the Bank as well as society as a whole.

Preparing for Potential Large-scale System Failures

We regard the proper management of customer and confidential information and the stable operation of information systems as important management issues, so that the provision of financial services is not disrupted by system issues such as information system breakdowns or malfunctions, or by information leaks due to unauthorized access to our systems. We will continue to develop necessary countermeasures in order to properly protect information assets and ensure the stable operation of information systems within the Bank.
As a general rule, we conduct load tests in a systems environment equivalent to our actual IT infrastructure in order to prevent large-scale system failures, especially when executing large system changes such as introducing new services and functions, as well as processing method and system updates. We also determine operational rules to ensure a schedule with sufficient time for system updates.
In order to detect potential system problems at an early stage, we conduct provisional initial operational checks immediately after the start of services when updating them for customers. When these services are affected by system failures, the business divisions, IT divisions, and other related divisions recognize the importance of providing appropriate responses for customers and work closely to promptly disclose information and work on early system recovery. We are committed to improving Aozora’s systems in order to provide appropriate guidance and responses to our customers.