In an era where digital technology is integral to business operations, the threat of cyberattacks has become a management risk no company can ignore. Attack methods are growing more sophisticated, and the resulting damage, from customer and confidential data leakage to system shutdowns, can seriously undermine a company’s business and credibility. Small and medium-sized enterprises (SMEs), which often struggle to secure specialized personnel and budgets, are particularly vulnerable. In fact, SMBC Group was fielding daily inquiries from customers whose business continuity had been disrupted by cyberattacks.
Against this backdrop, SMBC Group’s Digital Strategy Dept. began exploring the commercialization of cybersecurity support beyond the traditional boundaries of finance. Seeking specialist advice, they sought the cooperation of the Cybersecurity Management Dept., which oversees the Group’s overall countermeasures. Yasunori Aoki, who led those countermeasures, had also become increasingly aware that cyberattacks are both a social and management issue and was considering how he could apply his own knowledge and experience for the benefit of society as a whole. Through repeated discussions, the two departments began cementing plans to establish a specialized cybersecurity company, an unprecedented move for a Japanese bank.
Security Measures Co-created
from the Customer’s
Perspective,
Backed by the
Bank’s Extensive Defense
Expertise
In February 2025, SMBC Group established SMBC CyberFront Inc. as a joint venture with MS&AD Group and CHANGE Group. Under the leadership of Aoki, appointed President and Chief Executive Officer after an open recruitment process, the company offers a unique advisory service that does not sell specific security products.
Its biggest feature is neutrality. Drawing on the advanced defense expertise developed as a bank frequently targeted by cyberattacks because of the sensitivity of the information it holds, the company works with customers from their perspective to devise optimal countermeasures without selling specific security products. This business model emerged from a series of interviews Aoki and his team conducted with about 30 companies. Aoki summarizes the structural issues revealed by this research as follows:
“Against the backdrop of Japan’s declining birthrate, aging population, and overall population decrease, there is a shortage of security experts. Meanwhile, cyberattacks are becoming more advanced and frequent due to factors like the advances of AI. This supply-demand imbalance has led to a concentration of scarce expertise on high-priced services for large corporations, causing a polarization of security levels. SMEs, which have limited budgets, are lagging on countermeasures.”
The research revealed that many companies wanted not expensive, comprehensive consulting, but an objective assessment of their current situation and guidance on where to begin.
This led to the creation of the company’s current core offering: an advisory service. To encourage the first step in implementing countermeasures, it also provides free or low-cost security diagnostics. By presenting objective and quantitative assessments to management, the company has built a framework that supports concrete investment decisions.
However, the service did not take shape overnight. Director and General Manager Mayumi Kurita recalls, “Even for a standard contract, there was no existing template.”
The service was established and has been continuously refined through trial and error, incorporating customer feedback during delivery.
Raising the Security Level of
Society as a Whole: Delivering
Services That Combine
Business Viability and
Public Interest
The establishment of the first cybersecurity company by a Japanese banking group was unprecedented. As a result, internal discussions included concerns over business viability (“Can this be profitable as a business?”) and assertions of public interest (“We have a duty to protect our customers as a social infrastructure provider.”) Outside Director Takashi Hashimoto, one of the company’s founding members, reflects:
“As the threat of cyberattacks grew and inquiries from customers increased, a shared understanding emerged that we needed to address this issue. Protecting the security of a single customer contributes to the security of its business partners and, by extension, Japanese society as a whole. The idea that this contribution was a role SMBC Group should fulfill became the decisive push.”
Although established in this way, the company initially had no direct connections with customers. However, the strong relationships of trust that SMBC Group had built with its customers over many years proved to be a powerful asset. Hibiki Sakai of the company’s Sales Promotion Dept., who witnesses this value firsthand, explains:
“We benefit greatly from the relationships with management that SMBC’s sales representatives have cultivated over the years. Customers accept us, thinking, ‘If they are being introduced by our SMBC representative, we can trust them.’ The initial hurdle we would normally have to overcome is essentially eliminated.”
Customers who have used the service have expressed strong approval, with comments such as, “This is a unique initiative, different from what banks have done before,” and “We wish we had a service like this before we were attacked.” One customer added, “If there are companies that, like us in the past, have not yet recognized the importance of countermeasures, we would be willing to attend meetings ourselves to strongly recommend this service.” For the team, such feedback is an opportunity to reaffirm the value of their service.
A Strong Foundation Enables
Corporate Challenges:
Creating Value Supported
by Security
Going forward, the company plans to accumulate and systematize the knowledge gained through consulting to expand its services and reach more customers. The name “Front”
in SMBC CyberFront Inc., as envisioned by Aoki and his team, carries three meanings: a “front desk”
as a point of contact for inquiries, the “front line”
, standing before customers to protect them, and the “forefront”
in the pursuit of cutting-edge technology. The company’s mission is to realize this vision and raise Japan’s overall security level.
Furthermore, Hashimoto highlights a “spirit of mutual support”
as the philosophy that should underpin this business.
“In the world of cybersecurity, attackers are a common enemy, and there is a culture of collaborating and sharing threat intelligence across corporate and industry boundaries. We aim to place this ‘spirit of mutual support’ at the core of our business and ensure our activities strengthen Japan’s cybersecurity posture.”
Finally, Kurita positions security as the foundation for corporate growth and outlines a path toward Japan’s Regrowth.
“It is strong defenses that enable customers to proactively engage in their business. For example, challenges involving new technologies, such as the adoption of AI, invariably carry risks. Only when they have ‘defenses’ to properly manage these risks can companies confidently allocate resources to ‘offensive,’ growth-oriented business initiatives. Robust defenses support offensive business activities aimed at growth, which in turn create new value. We intend to expand this virtuous cycle throughout society.”