Information Security Risk

(1) Information security risk management system

SuMi TRUST Group considers information assets to be one of the most important management resources, and has set the protection of personal information and client data as one of the materiality themes. In addition, the Group also identifies information security risk as “Risk that the Group may incur losses due to the improper management or maintenance of information assets, including through information leaks, information errors and misuse of information, as well as an inability to use the information system,” and positions it as one of the risk sub-categories under operational risk. It has assigned an officer in charge and established a control department to properly manage client information and implement cybersecurity measures.

In addition, we have established and published the Sumitomo Mitsui Trust Group Privacy Policy, a set of policies designed to ensure the protection of the personal information of our clients and shareholders, and have declared that we will abide by it.

We have established internal rules and regulations regarding the management framework and handling of information in accordance with the Personal Information Protection Act, related laws and regulations, and the “Guidelines for Personal Information Protection in the Financial Field” established by the Financial Services Agency. Sumitomo Mitsui Trust Bank, Limited also holds regular training sessions for all employees twice a year. Through these efforts, we ensure that all employees are fully acquainted with the points to note when handling information in their daily operations, and promote a principles-based understanding of information security.

Rules and regulations related to information security risk management
Rules: Rules on Sumitomo Mitsui Trust Group Privacy Policy, Risk Management Rules
Regulations: Risk Management Regulations, Operational Risk Management Regulations, Information Security Risk Management Regulations, System Risk Management Regulations
Guidelines: Information Security Risk Management Guidelines, System Risk Management Guidelines, Personal Information Handling Guidelines, Personal Data Management Guidelines, CSIRT Guidelines, Internal OA Management Guidelines, Guidelines for Taking Client Information Outside the Company, etc.

(2) Organizational structure and others

Matters related to information security risk, as a risk sub-category within operational risk, are deliberated on comprehensively by the Risk Management Committee at Sumitomo Mitsui Trust Holdings and by the Operational Risk Management Committee at Sumitomo Mitsui Trust Bank, Limited, covering a series of processes such as the development of a management framework, formulation of plans, and the identification, evaluation, monitoring and control of risks. In addition, policies and plans are decided by the Board of Directors after deliberation by the Executive Committee.

Based on the rules regarding authority, the series of processes are executed by the Business Process Planning Department, the IT System Planning and Management Department, and other control departments responsible for information security risk management. The officer in charge of the Business Process Planning Department and the officer in charge of the IT System Planning and Management Department are responsible for overall information security risk management.

Organizational structure
Deliberative bodies: Board of Directors, Executive Committee, Risk Management Committee (Sumitomo Mitsui Trust Group, Inc.); Operational Risk Management Committee (Sumitomo Mitsui Trust Bank, Limited)
Officers in charge: Officer in charge of the Business Process Planning Department and Officer in charge of the IT System Planning and Management Department
Departments in charge: Business Process Planning Department and IT System Planning and Management Department

Cybersecurity Measures

(1) Cybersecurity management framework

The Group has designated addressing cyberattacks as one of its materiality themes as well as a top risk, and we plan and promote our cybersecurity measures at the initiative of management through the formulation of a Cyber Security Management Declaration.

  • We have appointed a Chief Information Security Officer (CISO), under whose leadership the strengthening of cybersecurity measures is promoted.
  • We have established SuMiTRUST-CSIRT*1 as a specialized organization for cybersecurity measures, and have built a management framework that collects and analyzes threat and vulnerability information from within and outside the Group, plans and implements security measures, and reports to management.
    We are also promoting the upgrading of security measures through security review meetings and our IT Council, as well as by utilizing outside expertise.
  • The Group has established internal rules and regulations based on U.S. cybersecurity standards, and has developed processes for responding to cyberattacks both in normal times and in emergency situations.
  • In addition to conducting cybersecurity risk assessments and system vulnerability assessments on a regular basis for SuMi TRUST Group, including its subsidiaries and affiliates, we are promoting the standardization of cybersecurity rules and regulations to enhance and standardize the cybersecurity framework for the Group as a whole.

*1 CSIRT (Computer Security Incident Response Team): In-house organization that collects, analyzes, and responds to early warning information about attacks

(2) Monitoring system

The Group has built a common infrastructure for internet communications. A Security Operations Center (SOC) monitors the common infrastructure network 24 hours a day, 365 days a year, and detects threats by performing correlation analysis across various types of data. This information is consolidated in SuMiTRUST-CSIRT, giving us a monitoring system centered on the CSIRT.

(3) Enhancing cybersecurity measures

We have established a multi-layered defense consisting of entry, exit and internal measures as a technical countermeasure against cyberattacks, and are working to reduce risk by implementing various measures, including countering DDoS attacks and attacks on vulnerabilities, and detecting and blocking phishing websites.

In addition, so that our clients can use our Internet banking services with confidence, as a countermeasure against phishing we have limited the maximum amounts for money transfers and strengthened the collection of information on threat trends. Further, as a technical countermeasure, we are working to strengthen the monitoring of unauthorized transactions.

We are also working to collect and analyze information on attacker trends and to improve our intelligence functions to enhance the Group’s vulnerability management.

Major technical countermeasures
Entry and exit measures
  • Detection and blocking of malicious communications (including countering DDoS attacks)
  • Prevention of the intrusion of viruses and malware (suspicious apps)
  • Restriction of suspicious communications through behavior detection
  • Assessment and improvement of Internet path vulnerabilities through vulnerability assessments
Internal measures
  • Detection of the behavior of malware entering endpoints (internal office automation terminals and servers)
Integrated monitoring
  • Integrated analysis of multiple communication logs obtained from firewalls, proxy servers and others to improve detection accuracy
  • Analysis of encrypted communications (HTTPS and others), combined with the log analysis above, to expand detection coverage
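
The SOC correlation analysis in section (2) and the "integrated analysis of multiple communication logs" above both rest on the same idea: an event that is only noise in one log becomes a high-confidence alert when it lines up with events in other logs. The following is an added example of that technique, not code from the Group or its SOC. It correlates three constructed log sources (proxy, DNS resolver, perimeter firewall) in a simplified, assumed key=value layout that is not any vendor's real format; hosts, IP addresses (RFC 5737 documentation ranges) and timestamps are all constructed. The rule it implements is a common proxy-bypass detection: the same client is denied a host by the proxy, resolves that host itself, and is then allowed by the firewall to connect directly to the resolved address.

```python
"""Correlate proxy, DNS and firewall logs (constructed samples) to raise one
high-confidence alert where each log on its own is only a weak signal."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. The key=value layout is an assumed, simplified format,
# not any vendor's real format; addresses come from RFC 5737 documentation ranges.
PROXY_LOG = """\
2024-05-01T09:00:01Z client=10.0.1.15 action=TCP_DENIED host=update-check.example-bad.net category=malware
2024-05-01T09:00:02Z client=10.0.1.15 action=TCP_MISS host=www.example.com category=business
2024-05-01T09:00:10Z client=10.0.2.20 action=TCP_DENIED host=ads.example-ads.net category=ads
"""
DNS_LOG = """\
2024-05-01T09:00:03Z client=10.0.1.15 query=update-check.example-bad.net answer=203.0.113.45
2024-05-01T09:00:11Z client=10.0.2.20 query=ads.example-ads.net answer=198.51.100.9
2024-05-01T09:00:12Z client=10.0.1.15 query=www.example.com answer=198.51.100.77
"""
FIREWALL_LOG = """\
2024-05-01T09:00:05Z src=10.0.1.15 dst=203.0.113.45 dport=443 action=ALLOW
2024-05-01T09:00:06Z src=10.0.3.7 dst=203.0.113.45 dport=443 action=ALLOW
2024-05-01T09:00:15Z src=10.0.2.20 dst=198.51.100.9 dport=443 action=DENY
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn 'timestamp k=v k=v ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def correlate(proxy_text, dns_text, fw_text, window=timedelta(minutes=5)):
    """Alert when, within `window`, the same client (1) is denied a host by the
    proxy, (2) resolves that host itself, and (3) is then allowed by the firewall
    to reach the resolved IP directly, i.e. it bypassed the proxy to a blocked site."""
    resolved = defaultdict(list)            # (client, host) -> [(ts, ip)]
    for d in parse_log(dns_text):
        resolved[(d["client"], d["query"])].append((d["ts"], d["answer"]))
    direct = defaultdict(list)              # (src, dst_ip) -> [(ts, dport)]
    for f in parse_log(fw_text):
        if f["action"] == "ALLOW":
            direct[(f["src"], f["dst"])].append((f["ts"], int(f["dport"])))

    alerts = []
    for p in parse_log(proxy_text):
        if p["action"] != "TCP_DENIED":
            continue
        deadline = p["ts"] + window
        for dns_ts, ip in resolved.get((p["client"], p["host"]), []):
            if not p["ts"] <= dns_ts <= deadline:
                continue
            for fw_ts, port in direct.get((p["client"], ip), []):
                if dns_ts <= fw_ts <= deadline:
                    alerts.append({
                        "rule": "proxy_bypass_to_blocked_destination",
                        "client": p["client"], "host": p["host"], "ip": ip,
                        "port": port, "category": p.get("category"),
                        "proxy_ts": p["ts"], "firewall_ts": fw_ts,
                    })
    return alerts


def single_source_counts(proxy_text, fw_text):
    """How many events each source would raise on its own (the noise that
    correlation removes): every proxy deny, every allowed outbound connection."""
    denies = sum(1 for p in parse_log(proxy_text) if p["action"] == "TCP_DENIED")
    outbound = sum(1 for f in parse_log(fw_text) if f["action"] == "ALLOW")
    return {"proxy_denies": denies, "firewall_allowed_outbound": outbound}


if __name__ == "__main__":
    print(single_source_counts(PROXY_LOG, FIREWALL_LOG))
    for alert in correlate(PROXY_LOG, DNS_LOG, FIREWALL_LOG):
        print(alert)
```

On the sample data the proxy log alone yields two denies and the firewall alone two allowed outbound connections, but only client 10.0.1.15 completes the whole chain (denied, self-resolved, then allowed directly to 203.0.113.45:443), so the correlation produces a single alert. Host 10.0.3.7 reached the same address without a prior proxy deny and is left as a lower-confidence lead; client 10.0.2.20 was stopped by the firewall and so never bypassed anything. The time window is the main tuning knob: too short misses slow clients, too long joins unrelated events.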

In addition, we regularly conduct self-analysis of our risk situation using cybersecurity heat maps, as well as third-party assessments using international cybersecurity assessment tools such as FFIEC-CAT*2. We also participate in cyber exercises hosted by the Information Sharing and Analysis Center (ISAC)*3 and the National Center of Incident Readiness and Strategy for Cybersecurity, conduct our Group’s own exercises for management and Group companies, and, through the PDCA cycle, work to enhance measures that strengthen cyber resilience. In addition, we have taken out cyber insurance to safeguard against emergencies.

*2 FFIEC-CAT: The Cybersecurity Assessment Tool, a risk assessment tool for financial institutions released by the Federal Financial Institutions Examination Council (FFIEC)

*3 Information Sharing and Analysis Center (ISAC): Information sharing organization for Japanese financial institutions

(4) Cybersecurity personnel development

To develop personnel with advanced expertise in cybersecurity, CSIRT collaborates with external experts in internal review meetings, participates in external communities such as ISAC and FS-ISAC*4, and provides external training and certification support.

Also, Sumitomo Mitsui Trust Bank, Limited is continuously engaged in employee education through information security training and phishing email training for all employees, and cyber exercises conducted in cooperation with external organizations.

In addition, the CSIRT and the application and infrastructure development departments have formed an organization called the Task Force to discuss and coordinate the challenges related to cybersecurity measures to improve effectiveness, complement each other's expertise, and pool human resources.

*4 FS-ISAC (Financial Services Information Sharing and Analysis Center): Information sharing organization for financial institutions, mainly in the United States

(5) System risk management framework

In order to minimize the impact of large-scale failures and disasters on information systems, and to prepare for early recovery and business continuity, we are working to strengthen resilience by clarifying the Group's communication and response systems, developing alternative measures and recovery procedures, and providing operational education and training. In addition, to address the risk of delays and cost increases arising from system development above a certain scale, we monitor the progress and quality control of large-scale system development projects, report to the IT Council, and consult with it in order to ensure proper management of system development.

(6) IT Council

The IT Council is an advisory body to the Executive Committee, and it consists of the officer in charge of the IT System Planning and Management Department, who serves as the chairperson, officers in charge and general managers of the respective corporate management departments, and external members with expertise. It deliberates on important system investments and system technology matters from a multifaceted perspective. In terms of risk management, the Council deliberates on risks arising from system development, cybersecurity, and system risks. In addition, as an advisory body, the Council actively utilizes the knowledge of external members with expertise to enrich discussions and enhance management.
