Cybersecurity

Cybersecurity Initiatives

Environmental Awareness and Risk Awareness

Cybersecurity is one of Aozora’s main focuses as a bank that has a responsibility for its customers’ important assets and information. Security-related incidents such as information leaks or service outages caused by cyberattacks would not only have an adverse impact on the Aozora Group’s management, including damage to our customers and disruption to business continuity, but may also have a material impact on society as a whole. In order to provide reliable financial services, Aozora considers the stable operation of information systems to be one of its most important management issues. We work to maintain the cybersecurity framework and reduce risks across the Aozora Group.

Cybersecurity Management

Aozora has a security policy, a systems risk management policy and cybersecurity management with the active engagement of senior management based on a risk appetite framework approved by the Board of Directors. The Chief Technology Officer (CTO) has responsibility for cybersecurity, regularly reports to the Board of Directors and management meetings regarding the status and evaluation of risks as well as the progress of risk reduction plans, and receives appropriate direction. In addition, we periodically conduct cybersecurity drills that include management to ensure effective and immediate responses to major incidents.

Aozora Computer Security Incident Response Team (CSIRT)

Aozora has established a framework in which the IT Control Division headed by the CTO is designated as the control division for overall system risks, and the Cyber Security Office established within the IT Control Division is designated as the cybersecurity department. The Cyber Security Office is staffed with specially trained personnel and manages systems development, monitoring and emergency responses. Aozora has also established a Computer Security Incident Response Team (CSIRT), which spans Aozora Bank’s related divisions and Group companies with the CTO as the chairperson and the IT Control Division’s Cyber Security Office as the supervising department. By sharing risks inherent in the Bank and other companies’ cybersecurity incidents within the Aozora Group and conducting ongoing cybersecurity training, we can prepare more effective emergency responses for the entire Aozora Group.

Cybersecurity Management System

[Figure: Cybersecurity Management System]

Ongoing Enhancement of Security

Aozora Bank has implemented multi-layered technical countermeasures, including entrance measures that prevent unauthorized network intrusions, internal measures such as a detection system that presumes internal network attacks, and exit measures to prevent the leakage of information. The effectiveness of those measures is verified by penetration testing and other security assessments conducted by external experts. In addition, we continue working to raise security awareness mainly by conducting e-learning education for all officers and employees, online seminar-style training based on employees’ job duties and targeted email training. We are committed to strengthening the cyber-resilience of the entire Aozora Group in order to respond flexibly in the event of an incident by conducting system recovery training that presumes damage from ransomware attacks.
When system vulnerability information is released or an incident that has a significant effect on society occurs at other companies, we promptly investigate its impact on Aozora, incorporate the details into our plan as appropriate, and report findings to management. We also conduct cybersecurity exercises which include members of our management team.
We plan to undergo periodic third-party evaluations of the maturity of our management system to confirm its appropriateness, and take necessary actions.
In addition to prompt reporting to the FSA and police in the event of an incident, we cooperate with government offices and related organizations, such as Financials ISAC Japan, JPCERT/CC (Japan Computer Emergency Response Team Coordination Center) and JC3, while proactively transmitting and sharing incident information in order to improve the security of Aozora Bank as well as society as a whole.