SuMi Trust Holdings has set systems maintenance and combatting cyber attacks as one of its management foundation materialities, and considers it an important management issue. Information assets are one of the most important management resources and pose risks that may undermine the foundation of corporate management. The Group, therefore, appropriately maintains and manages all information assets it holds.

Information Security Responsibilities

SuMi TRUST Holdings clearly states, in the Information Security Management Rules under the Risk Management Rules on which directors have the authority to amend and approve, that the head of overall information security risk management is the officer in charge of the IT & Business Process Planning Department, and that the supervising department conducting overall information security risk management is the IT & Business Process Planning Department.

Response to Threat of Cyberattack

The threat of cyberattacks and the damage they can inflict are growing both in Japan and overseas. Under such circumstances, SuMi TRUST Holdings is engaged in the following activities to protect the precious assets of its clients from the attacks.

Improvement of Internal Response Systems in Preparation for Cyberattacks

The Group has formulated its Cyber Security Management Declaration against cyberattacks, working to strengthen security measures led by management.

To respond to cyberattacks, SuMi TRUST Holdings monitors computer systems of SuMi TRUST Bank around the clock. In addition, SuMi TRUST Holdings has established SuMiTRUST-CSIRT as an internal organization for gathering information, conducting analysis, and implementing measures relating to cyberattacks, and coordinates with outside expert organizations to strengthen its management system.

Enhancement of Internet Banking Transaction Security

In terms of internet banking, SuMi TRUST Bank offers "Rapport," a type of security software specifically for internet banking, free of charge to help shield clients' precious deposits and other assets from fraudulent transactions. Furthermore, the Bank has introduced a telephone authentication service*1. It is strongly recommended that all internet banking clients register for telephone authentication in order to prevent any unauthorized payments.

In addition, to combat DDoS attacks*2 in the internet banking service, the Bank has introduced an attack mitigation service designed to handle large-scale attacks, thereby reducing the risk of service interruptions caused by DDoS attacks.

SuMi TRUST Holdings will continue to keep abreast of other companies' moves and new technologies and implement thoroughgoing security measures so that clients' transactions remain safe. The measures include the early detection and prevention of unauthorized remittances.

  • *1An authentication service using a client's mobile phone, smart phone, or home phone number in addition to the Sumitomo Mitsui Trust Direct card's confirmation number when making first transfer to a new account.
  • *2A Distributed Denial of Service (DDoS) attack is a type of cyber attack that causes system disruption through malicious, high-volume communication traffic.

Risk Assessment

For the Group's overall systems, self-evaluations are carried out every year using the System Risk Evaluation Table of the System Risk Management Guidelines established in line with the Center for Financial Industry Information Systems' (FISC) security measures, and the results are reported to the officer in charge. Furthermore, with regard to cyber security, we conduct regular assessments in Japan and overseas.

Security Training

The Group conducts the following training every year to train management, disseminate knowledge of information security risk management, strengthen the cyber security response department, and raise awareness within the Group.

Training Cyber security training for management (once a year)
e-learning* Information security training, including data privacy management (once every six months)
Countermeasures training on e-mail cyberattacks (targeted attacks) (twice a year)
Training Response to suspicious e-mails that simulate targeted e-mail attacks on random people (monthly)
Exercise Participation in external exercises involving cyber attack scenarios (twice a year)

*Training is available not only for full-time employees but also for some employees of outsourcing contractors.

Page Top