Risk Management

In order to foster and instill a risk culture, the Group manages risk based on the following basic policies.

In the Group, subsidiaries (the Bank of Yokohama and Higashi-Nippon Bank) manage risk by establishing risk control departments and risk management departments for each risk type, while the Risk Management Department of the holding company oversees and integrates risk management for the entire group. The risk officer, distinct from the head of Audit, provides regular reports to the President, Representative Director, and the Board of Directors on the status of risk.

Specifically, subsidiaries appropriately manage risks in accordance with their risk profiles and reports the status of risks to the holding company, which provides necessary guidance to the subsidiary based on the reports.

The Board of Directors confirms the soundness and effectiveness of the Group's risk management, and periodically and continuously reviews risk management policies and procedures in light of the Group's strategic objectives and changes in the external environment. In addition, the Board of Directors and the ALM and Risk Management Conference (Top Management Conference) provide supervision by monitoring, discussing, and making decisions related to various types of risks and the overall risk for the Group.

The potential maximum loss (risk amount) for each risk is measured using value-at-risk (VaR) and other measures, and capital is allocated to each risk type in order to limit the amount of risk to the amount of equity capital available for risk-taking. For risk assets, the risk appetite is set so as not to exceed measured risk capacity.

The Company verifies the appropriateness of risk-taking by estimating losses for each type of risk and measuring the impact on capital, earnings, risk-weighted assets, and risk volume using group-wide stress scenarios to confirm the adequacy of capital in budgetary plans and to ensure that the profit level is acceptable to management in times of stress.The Company assesses stress tests based on capital adequacy regulations (Basel III) and other regulations.

In order to manage top risks, we set key risk indicators (KRI) as warning indicators in order to as much as possible detect the possibility of risks materializing in the future. We continuously monitor these KRIs to detect early signs of problems and we prepare to respond flexibly in the event that risks do materialize.

The items listed above are monitored, discussed, decided upon, and supervised by the Board of Directors.

The Group defines as “Top Risks” those risk events that are important to management and should be managed. We continuously monitor our top management risks and strive to perceive the signs and are prepared to respond flexibly in the event that a risk manifests.

The Group has a crisis management system in place to ensure the safety of its customers and employees, the smooth execution of financial operations, and the protection of customers' assets even in the event of an earthquake or other large-scale disaster, system failure, infectious disease epidemic, etc. In the event of a crisis, the Crisis Management Committee, which is chaired by the president and representative director, instructs companies within the Group to set up an emergency headquarters to centrally manage the response to the situation.

Furthermore, we prevent system problems that could have a serious impact on customers and have put in place a problem response system.

The Group places the highest priority on the health and safety of its customers and related parties, and will strive to maintain and continue its financial functions as part of the financial infrastructure essential to the maintenance of social functions.

The Group classifies and manages overall Group risks in the following categories: credit risk, market risk, liquidity risk, operational risk, and reputational risk. In addition, we ensure the soundness of management by identifying, evaluating, monitoring, and controlling risks in an integrated manner to the greatest extent possible, including risks related to the development, provision and revision of products and services, as well as risks related to outsourcing of operations. We are also prepared to secure stable earnings through the appropriate allocation of management resources, commensurate with the risks involved.

The Group measures the potential maximum loss (amount of risk) for each risk using VaR (value-at-risk) and other measures, and allocates capital by risk type in order to keep the amount of risk within the range of real equity capital (the risk tolerance limit, which is defined as Tier 1 common equity less deferred tax asset equivalents etc.) When allocating capital, we check the sufficiency of the buffer (unallocated capital) to ensure that our real equity capital is not exceeded in times of stress.

In order to assess the adequacy of the buffer (unallocated capital) and to confirm the appropriateness of risk-taking, the Group conducts stress tests in which stress scenarios are established and the amount of loss and risk in the event of the stress event is estimated across the risk categories.

Stress scenarios have been established for the Group taking into consideration past sharp economic downturns and future environmental changes.The Company assesses stress tests based on capital adequacy regulations (Basel III) and other regulations.

The Group has been strengthening its cybersecurity measures not only through external audits based on the Cybersecurity Framework international standard guidelines developed by the National Institute of Standards and Technology (NIST), but also through threatled penetration tests (TLPT), in which ethical hackers from a specialized security firm actually penetrate internal systems to assess vulnerabilities and identify issues. From FY2021, in addition to conducting the annual TLPT, we also began conducting external audits using the FFIEC (Federal Financial Institutions Examination Council) “Cybersecurity Assessment Tool”, which is widely used by financial institutions in the U.S., with the aim of achieving the security standards of global financial institutions, and we will continue to strengthen our efforts to address the issues identified.

To clarify that we implement management-driven cybersecurity measures, we formulated the "Cybersecurity Management Declaration" in April 2022. In terms of the system, our security policy stipulates that the director in charge of the ICT Management Department is the security officer in charge of security for the entire Group. In addition, at regular ALM and Risk Management Meetings and President Reporting and CSIRT Meetings, which are composed mainly of directors, reports are given on threats and regulatory trends, security measures based on these trends, and their current status as agenda items, and management provides appropriate guidance and checks concerning the contents of the reports. Furthermore, the contents of these reports are reported to the Board of Directors on a regular basis and as circumstances change, and the Board of Directors oversees the execution status.

When using cloud services or entrusting our Group's information to contractors, we evaluate how the contractors and subcontractors comply with our Group's security standards not only at the time of contract, but also periodically after the contract is concluded. For highly important information, we verify compliance at least once a year. Specifically, we evaluate the security of the systems of contractors and subcontractors and such things as the state of their training of employees (including those of their contractors and subcontractors) about information management systems. When standards are not met, we request improvements or change the subcontractor.

As initiatives to protect personal information, we publish our purposes of use for personal information on our homepage and elsewhere in accordance with the relevant laws and regulations, manage this information appropriately, and in order to prevent information from being leaked outside the company or viewed by persons whose work does not require it, we control access physically and systematically, including by granting authorization according to role. We have also developed various rules and regulations, strictly classify and define information, and ensure that all executives and employees are fully aware of this.

During the planning and development stages, system specifications are reviewed for security by personnel specializing in security and system risk, and in order to enhance safety, we have an external security vendor carry out periodic vulnerability assessments before and after a new system is released to the public. When storing personal information such as customer information in our systems, we control access physically and systematically, including by granting authorization according to role, and encrypting the data using dedicated tools. We also encrypt communications when customers connect to our official website and Internet banking from their devices. The head of each department is responsible for these systems, for their security, and for managing them. The Audit Department conducts objective checks to ensure the appropriate and safe handling of customers' personal information. In addition, we run our credit card issuance operations in compliance with PCIDSS, the international security standard for the credit card industry.

In order to respond to the evolving threat of cyberattacks, from FY2023 we have formed a Cyber Security Office within the ICT Management Department and established a Cyber Defense Center within that office. The Cyber Defense Center consists of the Concordia Financial Group CSIRT, which comprises the CSIRT members from each group company, and a private SOC.

In addition to collecting and disseminating routine threat information and investigating and responding to attacks when they are detected, the Concordia Financial Group CSIRT prepares for emergencies by regularly participating in training organized by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the Financial Services Agency (FSA), and Financials ISAC Japan in order to verify cooperation among government agencies, industry organizations, and Group companies. In order to regularly exchange information, verify systems, and conduct joint training, We have also formed the MEJAR-CSIRT with the regional financial institutions that operate the MEJAR core system and with NTT DATA . From FY2023, the “CMS-CSIRT” will be established with banks participating in the NTT Data Regional Bank Joint Center in order to strengthen the security position of regional financial institutions, not only through joint training and study sessions, but also through joint procurement of products and resource sharing.

The private SOC utilizes the latest integrated log monitoring tools and automation tools for early detection of security incidents and to respond to them . In addition to establishing an organizational structure, we have formulated response plans for different types of incidents, such as ransomware infection, DDoS attacks, information leaks, etc., in case a security incident should occur. This response plan is continuously improved based on the results of the various drills mentioned above. In the event of an incident, we investigate the cause and take measures to correct the situation and to prevent recurrence (preventive actions) in cooperation with the relevant departments.

To improve cybersecurity literacy, the Group provides all officers and employees (including part-time and temporary employees) with training and education based on the Security Policy. For drills, we conduct suspicious e-mail drills and other drills multiple times a year in order that our response to any emergency situation that may arise will be quick and smooth. The training is conducted in an E-learning format and covers topics such as recent cyber-attack cases and content for ensuring the safety of information assets. We also provide level-specific training for new employees, newly appointed and existing managers, supervisors, etc. and hold seminars for management-level employees taught by outside experts. Through these efforts, we maintain our cybersecurity skills and further improve our response procedures for each particular type of incident (ransomware infection, DDoS attack, information leak, etc.)

Full-time employees of the Cyber Defense Center are encouraged to obtain CISSP and Registered Information Security Specialist certification. (All certification training, acquisition, and maintenance costs are covered by the company.)

We also work to improve the knowledge and skills of our full-time employees by providing training for more specialized international certifications such as the Global Information Assurance Certification (GIAC) and the Offensive Security Certified Professional (OSCP) certification, by sending them to security conferences, and by sending them to the Institute of Information Security (Master's Program). In addition to this, we have set targets for mid-career specialists and will continue to recruit and train them.

In response to the high frequency of fraudulent remittances caused by phishing and other scams, we have joined the Japan Cyber Crime Center (JC3) and are working to collect information on Internet-based financial crimes. When we obtain information on fraudulent remittance methods, suspicious e-mails that fraudulently use our name, SMS (text message) cases, or the launch of phishing sites, we post such information on our website to alert our customers.

In addition, the Bank of Yokohama has been working to improve and promote cybersecurity measures among enterprises in the prefecture. These efforts have included holding the March 2022 Kanagawa Cybersecurity Forum, a cybersecurity educational event for companies in Kanagawa Prefecture. In June 2022, the bank joined the Kanagawa Prefecture Enterprise Cybersecurity Public-Private Joint Project, which aims to raise cybersecurity levels among companies in the prefecture. By joining this project, the bank is working to improve its own technology through information sharing with companies that have cutting-edge technology and expertise and is supporting efforts to improve the level of cybersecurity at companies in the prefecture.