MS&AD Insurance Group
Information Security Management Basic Policy
In light of the importance of protecting information assets, the MS&AD Insurance Group (hereinafter referred to as "the MS&AD Group") has established the "MS&AD Insurance Group Information Security Management Basic Policy."
1. Basic Concept
The MS&AD Group has set information security management as one of the top priorities for the group management in an effort to create one of the world's top insurance and finance groups that continues to seek sustainable growth and increased corporate value. The MS&AD Group aspires to proactively strengthen and continuously improve the information security management of the entire group in an attempt to provide high quality services and earn the trust of society, including customers.
2. Definitions of Information Assets and Information Security
(1) "Information assets" are defined as all information, including customer information, and all systems that process and manage that information. Risks that threaten information assets (information asset risk) consist of the following two types of risk.
- Risk resulting in loss due to information leakage, loss, damage, alteration, etc. (information risk)
- Risk resulting in loss due to problems with the information system, such as a breakdown, malfunction, or unauthorized use (system risk)
(2) "Information security," including cybersecurity, is defined as maintaining information assets' confidentiality (protecting them from unauthorized access), integrity (ensuring that information is accurate and consistent), and availability (keeping them so that they can be used at any time).
(3) "Cybersecurity" is defined as protection against cyberattacks; specifically, preventing cyberattacks from causing problems such as information leakage, loss, damage, or alteration, or the destruction of the security and credibility of the information system.
3. Building an Information Security Management Framework
(1) The Board of Directors of MS&AD Holdings appoints the Group Chief Information Security Officer (CISO) to build a framework and enhance information security management.
(2) The MS&AD Group builds a framework to detect threats to information assets and continuously monitors changes in the external environment, such as those related to cybersecurity, to ensure information security and respond to emergencies quickly. Notably, the MS&AD Group has set up a Computer Security Incident Response Team (MS&AD-CSIRT) specialized in cybersecurity, which not only responds to cybersecurity incidents but also prepares measures to prevent incidents, deals with the aftermath of incidents, and develops improvement plans thereafter.
4. Information Security Management Activities
(1) Each company of the MS&AD Group develops a plan-do-check-act (PDCA) cycle for continuous improvement in order to take appropriate measures in accordance with global information asset risks.
(2) Each company of the MS&AD Group sets up an information security management section and develops rules regarding the management of information to conduct appropriate information security management.
5. Participation and Education of All Officers and Employees
(1) All officers and employees of the MS&AD Group abide by the laws and regulations, this basic policy, and the various rules on information security management.
(2) Education is carried out periodically to ensure that all officers and employees observe the obligation to protect information assets and carry out and improve information security management activities.
6. Customer Information Management
The MS&AD Group abides by the related laws and regulations, handles customer information appropriately, and takes appropriate measures for security management in order to protect customer information.
7. Outsourcing Management
The MS&AD Group develops a framework to appropriately manage the contractors to which the operations are outsourced.