In recent years, cyber threats have become ever more serious and sophisticated. To respond to the risks of such threats, SMBC Group continually assesses and strengthens its cybersecurity measures, having defined cyber risk as one of its Top Risks and established a Declaration of Cyber Security Management. Please refer to the bottom of the page for the Declaration of Cyber Security Management.

Seeking to facilitate management-led measures for fortifying response frameworks, the general manager of the System Security Planning Department has been appointed Chief Information Security Officer (CISO), positioned under the Group Chief Information Officer (CIO) and the Group Chief Risk Officer (CRO), with clear roles and responsibilities. The CISO spearheads the implementation of our strategy on cyber risks. Furthermore, we have a well-established computer security incident response team (CSIRT) and a security operation center (SOC), and there is constant collaboration between these teams.
In addition to the three components of information security (confidentiality, integrity and availability), we also aim to ensure the four additional factors of authenticity, accountability, non-repudiation, and reliability in our Security Policy.
We consider cyber-attacks (including unauthorized access and DDoS attacks) and any potential data fraud (including data alteration, encryption and deletion) as major risks, and perform analysis on threat information proactively collected from both inside and outside our Group. The results of these analyses, along with information on the assessments of security measures currently being implemented, are discussed regularly at meetings of the Board of Directors and the Management Committee to drive ongoing improvements to our cybersecurity measures in order to keep pace with evolving cyber threats.

SMBC Group’s Cybersecurity Governance System

The CSIRT is centered on the System Security Planning Department, which possesses dedicated cybersecurity functions. To ensure preparedness for cyber incidents, the CSIRT coordinates with national government agencies as well as with external institutions to share information on pertinent topics such as cyberattack methods and vulnerabilities. Utilizing such information, SMBC Group develops action plans to address the latest threats, both internally and externally. Also, when actual cyber incidents occur at SMBC Group companies, the System Security Planning Department supports them in incident countermeasures. In addition, we regularly exercise our cyberattack response plans.

The SOC, which is centered on The Japan Research Institute, is dedicated to continuously fortifying cybersecurity monitoring systems to mitigate the ever-rising threat of cyberattacks. Measures taken by the SOC include the integration of the monitoring systems of Group companies and the development of global systems for conducting monitoring on a 24-hours-a-day, 365-days-a-year basis. In particular, we operate SOCs in the EMEA, Americas and APAC Divisions, and have structured a monitoring capability including collaboration with these global offices.

System Risk Management

As SMBC Group’s scope expands to include areas other than finance, we take steps to identify risks from new perspectives and to implement management systems that match the extent of risks in a given area of business. SMBC Group is enhancing its risk management support efforts, beginning with high-risk areas, to assist in strengthening the risk management structure at companies requiring sophisticated risk management, regardless of their size, as well as at business partners and other areas of the supply chain. In addition, we actively and openly incorporate technological progress to improve convenience for customers. We also strengthen our risk management structure on an ongoing basis in response to environmental changes, to deal with projected risks arising from promoting digitalization in a wide range of fields, such as the creation of new businesses and boosting productivity and efficiency. As SMBC Group adopts artificial intelligence, cloud, robotic process automation, application programming interfaces, and other technologies, manuals have been prepared with regard to items requiring compliance at the time of implementation and items for periodic monitoring, as part of efforts to reinforce group-wide IT governance.

SMBC, which is one of the core subsidiaries of the Group, operates its risk management system by conducting risk assessments based on the Security Guidelines published by the Center for Financial Industry Information Systems (FISC) and by enhancing security measures based on the results of these assessments. System failures at banks have the potential to heavily impact society. In addition, system risks are diversifying due to advances in IT and the expansion of business fields. Recognizing these facts, we have numerous measures in place for system failure prevention, including maintenance to ensure stable and uninterrupted operation, duplication of various systems and infrastructure, and a disaster prevention system consisting of data centers in eastern and western Japan. In addition, we are preparing for unforeseeable circumstances through the creation of contingency plans and the implementation of system failure drills. To maintain the confidentiality of customer data and prevent leaks of information, sensitive information is encrypted, unauthorized external access is blocked, and all other possible measures are taken to secure data.

Measures and structures concerning cybersecurity and system risk management are subjected several times a year to internal/external audits and third-party vulnerability analyses.

Employee Training and Education Concerning Cybersecurity

SMBC Group regularly provides education to employees, including employees without specialist knowledge or a business background in cybersecurity, to help them develop the appropriate mindset and acquire the knowledge needed to prepare for increased digitalization in business. More specifically, we provide the following training several times a year.

  • New employee training to have new employees acquire basic knowledge on cybersecurity
  • Study booklets and e-learning content to have employees retain and utilize their acquired knowledge
  • Targeted e-mail training to increase awareness of spear phishing attacks
  • Senior Management training to increase executive knowledge of the latest cyber threats and of cybersecurity from a management perspective
  • Cyber drills to increase organization-wide incident management and decision-making capabilities
  • Red Team Drills (*1) to increase CSIRT/SOC incident response and technical monitoring capabilities

  (*1) A drill where teams are split into an attack side (red team) and a defense side (blue team), and the defense side detects, analyzes and responds to an attack by the attack side

In addition to employee training, we publish educational comics for customers.

Also, in order to deal with increasing cyber threats, we consider the development of specialist cybersecurity personnel a top priority, and utilize content from external and internal sources to develop skills on a daily basis. In addition, we have an external certification support program.

Also, when employees detect cybersecurity issues such as receiving suspicious emails, there is a concrete escalation process that all employees should follow, and an explanation of this process is included in the training above. Specifically, the SOC is contacted, and the PC affected by the malware is quarantined from the network. This process is also included in drills to check employee awareness and the usefulness of the process.

Cyber Security Management Statement

In response to the “Declaration of Cyber Security Management” published by the Japanese Business Federation in March 2018, Sumitomo Mitsui Financial Group and its group companies have established a “Cyber Security Management Statement” as below.

Cyber Security Management Statement

Sumitomo Mitsui Financial Group (“SMFG”) and its group companies understand the necessity of “Actively implementing cyber security measures from the dual viewpoints of value creation and risk management”, which is listed as an important issue in the Japanese Business Federation’s “Declaration of Cyber Security Management”, and have established a “Cyber Security Management Statement”. We will continually strengthen cyber security measures led by executive management to deal with increasingly serious and complex cyber threats.

  1. Placement of Cyber Security as a management-level issue
    We will take proactive measures regarding cyber security at the management level, and consider cyber security an investment in our company. In addition, senior management will continually take steps to understand the latest cyber security landscape, consider cyber threats one of the major risks facing our group, and manage risks by demonstrating leadership and being directly responsible for security measures.
    Specifically, we have defined cyber risk as one of the top risks of SMFG, periodically discuss and review cyber security measures at management committees, and assign appropriate resources for project implementation.
  2. Development of management policy and disclosure
    We will develop our management policy and incident response structure/business continuity plans by considering not only identification and defense, but also detection, incident management, and recovery. Our management will be proactive in communicating our policy to internal and external stakeholders, and we actively disclose our risk management measures and structure in our publicly available disclosure statements.
    Specifically, we have a dedicated department for cyber incident response (CSIRT), take appropriate measures to manage threats, and have dedicated policies and manuals in case of an incident. We establish a basic policy for risk management annually, periodically conduct drills, and assess contingency plans. We also disclose our security enhancement policies in disclosure statements.
  3. Establishment of internal/external structure and measures
    We allocate appropriate resources internally, implement appropriate physical/technological/personnel security measures, and train our employees across the various positions and levels of our group.
    In addition, we will take appropriate measures to secure our supply chain, including partners and outsourced companies.
    Specifically, we will place necessary personnel in specialized cyber security departments, utilize dedicated security education programs to educate employees, and implement the latest technologies to manage security. In addition, we will monitor security at our business partners and outsourcers, and appropriately monitor and manage any vulnerabilities in any assets we procure.
  4. Providing secure systems and services to society
    We will implement cyber security measures in business activities, including during system/service development and after release.
    In particular, we have implemented security measures in services such as our internet banking, through password cards and via our smartphone application, so that customers can use our services safely and with confidence. We also conduct fraudulent activity monitoring.
  5. Contribution to a safe business ecosystem
    Through cooperation and collaboration with related regulators, government agencies, and industry bodies, we will proactively share information and contribute to developing professional interpersonal networks within the industry. In addition, we will share information on threats and countermeasures with our customers, contributing to strengthening cyber security in society as a whole.
    Specifically, we will make timely and appropriate reports to government bodies such as the FSA, the Cyber Security Center of the Cabinet Secretariat, and the Information-technology Promotion Agency. In addition, we will share information with industry security information sharing bodies such as Financial ISAC and JPCERT, and aim to strengthen our cyber security structure globally.