IT / Cyber Security
IT and Digital Strategy
Amid the rapid changes in the environment surrounding companies, technological advancements continue to give rise to new businesses and services. As a result, IT and digital have become indispensable elements that are closely linked to management strategy. At our Group, we have developed and are advancing an IT and digital strategy that is aligned with the Group's management strategy, aiming to accurately respond to these changes and achieve both sustainable growth and business model transformation.
IT Governance
As IT and digital continue to have a growing impact on management strategy, our Group places strong emphasis on IT governance under the leadership of senior management. By appropriately controlling the use of IT, we aim to maximize the value it brings to our business while minimizing associated risks – ultimately contributing to enhanced corporate value.
Specifically, to stably support the Group's global management and realize sustainable value provision to customers around the world, we have established the “Group IT Governance Basic Policy” and are promoting the development of an IT governance structure – encompassing rules, personnel, and organizational readiness – based on COBIT*, an internationally recognized standard. In addition, we also hold regular meetings with IT leaders from Group companies both in Japan and overseas to share our IT and digital strategies and accelerate collaboration across the Group. Through these efforts, we strive to build IT and digital capabilities that drive Group-wide synergies and contribute to enhancing overall corporate value.
At the same time, we are thoroughly managing “system risk”, which includes system outages, malfunctions, or unauthorized use that could damage customer trust, disrupt operations, or result in financial loss. In accordance with the “Group System Risk Management Policy”, each Group company is required to establish policies, operational frameworks, and processes for managing system risk, and to continually evaluate and improve their effectiveness.
To address risks associated with the utilization of AI, we identify and assess risks according to the specific use cases and environments in which AI is deployed. By implementing appropriate controls, we promote initiatives that enhance the safe and reliable use of AI. These efforts are designed to improve customer convenience and operational efficiency, thereby advancing the responsible and effective utilization of AI technologies.
- *COBIT: A global standard framework for IT governance that is advocated by the Information Systems Audit and Control Association and the IT Governance Institute of the United States.
Cyber Security Measures
Our Group has established the position of Chief Information Security Officer (CISO), who is in charge of group-wide information security measures. We aim for further evolution in the areas of people and organizations, processes, and technologies, so as to protect the Group's information assets from cyberattacks, which grow more sophisticated by the day, and to continue delivering a sense of security, safety, and stability to our customers and other stakeholders.
We established the “Cybersecurity Policy for Daiichi Life Group”, under which Group companies share specific matters for promoting cyber security. For our information systems, we take action against new threats as needed, such as combining multiple systems to detect and protect against unauthorized access, viruses, and other threats. In addition, we cooperate closely with external organizations in an effort to share and utilize security information and optimize the cyber security measures for the overall Group, including overseas Group companies engaged in the life insurance business. We conduct vulnerability analysis to identify system vulnerabilities and verify whether or not they can actually be penetrated, and conduct penetration tests at key Group companies according to the results of these analyses.
We also established the “Rules on Handling of Cyber Incidents” in the Group to strengthen our cyber incident response system. We set up a Computer Security Incident Response Team (CSIRT), which consists mainly of full-time members with a high level of expertise. This team engages in activities for strengthening the cyber security of the Group, such as response training for all officers and employees based on an assumed attack scenario.
In addition, internal audits are conducted on a risk basis according to the results of annual risk assessments conducted by the Internal Audit Unit to verify the status of efforts to strengthen the cybersecurity management system of the company and its group companies. The results of the internal audits are reported to management, and if an event requiring improvement is identified, it is communicated to the audited organization and the status of improvement is subsequently followed up.
