Cybersecurity

Basic Policy

Cybersecurity is one of Aozora’s main focuses as a bank that is responsible for its customers’ important assets and information. Incidents such as information leaks and service outages caused by cyberattacks may have a material impact not only on Aozora’s management, including harm to our customers and disruption of business continuity, but also on society as a whole. In order to provide reliable financial services, Aozora considers the stable operation of information systems to be one of its most important management responsibilities. We work to maintain the cybersecurity system and reduce risks across the Aozora Group.

Management System

Aozora has established a security policy and a systems risk management policy, and conducts cybersecurity management with the active engagement of senior management based on a risk appetite framework approved by the Board of Directors.

Aozora has established a framework in which the IT Control Division, headed by the Chief Technology Officer (CTO), who is responsible for cybersecurity, is designated as the control division for overall system risks. The Cyber Security Office, a dedicated cybersecurity department formed within the IT Control Division and staffed with specially trained personnel, manages systems development, monitoring, and emergency responses. In addition, we have established a Cyber Security Incident Response Team (Aozora CSIRT), which spans Aozora’s related groups/divisions and Group companies. By sharing cybersecurity trends and risks inherent in the Bank as well as conducting ongoing cybersecurity training, the entire Group remains prepared for emergency situations.

Cybersecurity Management System

[Figure: Cybersecurity Management System]

Initiatives to Enhance Security

Multi-layered technical countermeasures and verification of effectiveness

  • Entrance measures to prevent unauthorized network intrusion
  • Exit measures to prevent the leakage of information
  • Internal measures that presume attacks on the internal network
  • Verification of effectiveness of technical countermeasures through penetration testing by external experts

Strengthening of cyber-resilience

  • Regular cybersecurity exercises involving members of the management team
  • Recovery tests using actual systems and equipment on the assumption that an incident has occurred

Analysis of threat trends

  • Gathering information on key issues including vulnerabilities, attack strategies, and instances of damage suffered by other companies
  • Systematic responses based on a study of potential impacts affecting Aozora and related risks

Security training for officers and employees

  • Improving the ability to identify suspicious emails, and to respond after opening one, through targeted email training
  • Training through e-learning, videos, and online seminars based on the results of targeted email training and threat trends

Note: The job title of Chief Technology Officer (CTO) has been changed to Chief Information Officer (CIO) due to the organizational change effective from April 1, 2025.