The Group regards the information it holds, and the information systems such as computers and networks that it uses to carry out business operations, as its information assets, and pursues information security initiatives to handle them safely.
For details, please refer to “Basic Information Security Policy” and “Certifications.”
The Group broadly classifies security into two aspects, Information Security and System Security. The potential risks and countermeasures for each aspect are as follows:
1. Information Security
(1) Information Security Promotion System
The President Executive Officer and the directors in charge of information security shall appoint a chief information security officer (CISO), who serves as the central information hub for Group-wide security management.
Since each segment of the Group has a different business model with varying security risks to be addressed, each group company implements the required security measures and has received external certifications. In addition, the CISO conducts reviews to provide multifaceted checks of the security system. The Group has also established a system in which the CISO plays a central role in promptly collaborating with the company’s management and responding appropriately to major security incidents when they occur in the Group.
To promote information security in daily business operations, the Information Security Promotion Committee, composed of members selected from each segment, plays a central role based on the framework of ISMS (JIS Q 27001: ISO/IEC 27001), an information security certification standard. The committee also conducts awareness-building and educational activities based on information security threat trends, thereby enabling information security to be maintained in an ever-changing threat environment.
In addition, with the establishment of the Information Security Office in April 2022 as a structure specializing in information security, the Group organizes a system for planning and executing responses to the Group's overall information-related challenges.
(2) Personal Information Management
The Group has established a system to ensure safe personal information management, with Privacy Mark (JIS Q 15001) certification in each company.
The Group posts the personal information protection policies of each Group company on its website and discloses the response policies regarding the purposes of use of personal information, provision of personal information to third parties, outsourcing to handle personal information, complaints and consultations about personal information, and various safety control measures.
(3) Awareness Building for Employees
Based on the operation of ISMS (ISO27001), the company conducts information security training for all employees of the Group as needed.
2. System Security
(1) Internal IT Environment
Regarding the IT environment used for business operations, the company has been strengthening its countermeasures against malware and ransomware, reflecting recent trends in cyberattacks. The company has installed endpoint security products powered by AI engines and is expediting the organization of a security operation center where unknown malware can be detected and eliminated. For storing critical information, the company regularly takes multiple generations of backups against potential infection by ransomware and implements countermeasures to prevent the information required for business operations from being deleted or lost.
(2) Payment System
The Group's payment business has been designated by the government as a company operating critical infrastructure. Aiming for non-disruptive system operations (excluding downtime for maintenance), the Group implements a redundant database configuration with real-time replication between multiple geographically distant center areas, a disaster recovery system, and thorough BCP measures through decentralization of data center operating bases and expansion of the system.
These initiatives reflect the viewpoints of sustainability as well as risk management: by building a highly secure environment and management system, the Group continuously provides a safe and secure system in which credit card information is not stored at EC merchants when the payment services are used. Information management in the Group complies with PCI-DSS, the credit card industry’s security standard. In addition, the Group has a dedicated operations room for handling credit card information and enforces strict security management.
To ensure that all executive directors and employees are aware of its importance and that information security is continuously maintained, the Group regularly provides training on information security to all employees as required by their duties.
(3) Crypto Asset Exchange System
The Group implements and operates safety measures for crypto asset management based on the checklist for crypto asset safety management formulated by the Japan Virtual and Crypto Assets Exchange Association. As for risk management of the system handling crypto assets, the company discloses the system risk management policy on the website of the subsidiary that deals in crypto assets, and that subsidiary carries out its business operations based on the policy.
Regarding crypto asset management as a crypto asset exchange dealer, all assets are managed in a cold wallet. Other security management systems related to crypto asset management comply with the security standards for crypto asset management, and the Group has established its in-house operations based on a risk assessment of the crypto asset management system.