SEC Cybersecurity の開示昨年からの比較...: まるちゃんの情報セキュリティ気まぐれ日記

December 2025
Sun	Mon	Tue	Wed	Thu	Fri	Sat
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

2025.07.30

SEC Cybersecurity の開示昨年からの比較...

こんにちは、丸山満彦です。

2023.07.26にSECのルールが改正され、Cybersecurityについての開示が強化され、2023.12.15以後に終了する事業年度から、その開示が求められることになりましたが、それから1年と半年以上がすぎ、Form10-Kに記載されている事例、Form20-Fに記載されている事例もあります。２年間比較ができるようになったので、ちょっと紹介...

米国企業の場合は、10-KのItem 1C. Cybersecurityに

Risk Management and Strategyとして、サイバーセキュリティの脅威から生じる重要性のあるリスクの評価、特定、管理についてのプロセスがある場合には、

そのプロセスが、全体的リスク管理システムまたはプロセスに統合されているか、またどのように統合されているか
そのプロセスに関連して、評価者、コンサルタント、監査人またはその他の第三者を従事させているか
第三者の利用に関連するサイバーセキュリティの脅威から生じるリスクを監視および特定するプロセスを有しているか

を記載することになります。

また、過去のサイバーセキュリティインシデントの結果を含むサイバーセキュリティの脅威から生じるリスクが、その企業の事業戦略、業績、財務状況を含め、重要な影響を与えたか、重要な影響を与える可能性が合理的に高いかどうか、どのように影響を与えた（または、与える可能性が合理的に高いか）を記載する必要があります。。。

そして、

Governanceとして、サイバーセキュリティリスクについての取締役会の監督、経営者の役割についての記載が必要となります。

取締役会としての監督については、

サイバーセキュリティの脅威から生じるリスクの監督に責任を負う、取締役委員会または小委員会の特定
そのようなリスクについて取締役会または委員会が情報提供を受けるプロセス

経営者としての役割としては、

経営委員会または役職がそのようなリスクの評価や管理の責任を負うか、責任を負う場合には
- どの経営委員会又は役職が負うのか、
- その担当者や委員が有する関連する専門知識
その担当者または委員会がサイバーセキュリティインシデントの防止、検出、軽減、是正についての情報を提供され、監視を行うプロセス
その担当者または委員会は、当該リスクに関する情報を取締役会または取締役会内の委員会や小委員会に報告するか

海外企業の場合は、20-FのItem 16K. Cybersecurityに

そのプロセスが、全体的リスク管理システムまたはプロセスに統合されているか、またどのように統合されているか
そのプロセスに関連して、評価者、コンサルタント、監査人またはその他の第三者を従事させているか
第三者の利用に関連するサイバーセキュリティの脅威から生じるリスクを監視および特定するプロセスを有しているか

を記載することになります。

そして、

Governanceとして、サイバーセキュリティリスクについての取締役会の監督、経営者の役割についての記載が必要となります。

取締役会としての監督については、

サイバーセキュリティの脅威から生じるリスクの監督に責任を負う、取締役委員会または小委員会の特定
そのようなリスクについて取締役会または委員会が情報提供を受けるプロセス

経営者としての役割としては、

経営委員会または役職がそのようなリスクの評価や管理の責任を負うか、責任を負う場合には
- どの経営委員会又は役職が負うのか、
- その担当者や委員が有する関連する専門知識
その担当者または委員会がサイバーセキュリティインシデントの防止、検出、軽減、是正についての情報を提供され、監視を行うプロセス
その担当者または委員会は、当該リスクに関する情報を取締役会または取締役会内の委員会や小委員会に報告するか

詳細のルールは[PDF] SEC 17 CFR Parts 229, 232, 239, 240, and 249 [Release Nos. 33-11216; 34-97989; File No. S7-09-22] RIN 3235-AM89 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

1_20240714072701

● SECURITIES AND EXCHANGE COMMISSION - EDGAR

ということで、まずは、昨年みた10-K企業の比較...

・IBM

・Intel

・Boeing

・American Express

・Johnson & Johnson

・Pfizer

・Coca-Cola

・McDonalds Corp.

McDonaldsを除くと大きな変更はないように思います。（もともと、毎年大きな変更するようなものではないですし...）

・ INTERNATIONAL BUSINESS MACHINES CORP (IBM)

・Intel

・2024.01.26 10-K (Annual report)	・2025.01.31 10-K (Annual report)
Cybersecurity	Cybersecurity
We face significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our customers; the substantial level of harm that could occur to us and our customers were we to suffer impacts of a material cybersecurity incident; and our use of third-party products, services and components. We are committed to maintaining robust governance and oversight of these risks and to implementing mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. Such incidents, whether or not successful, could result in our incurring significant costs related to, for example, rebuilding our internal systems, writing down inventory value, implementing additional threat protection measures, providing modifications or replacements to our products and services, defending against litigation, responding to regulatory inquiries or actions, paying damages, providing customers with incentives to maintain a business relationship with us, or taking other remedial steps with respect to third parties, as well as incurring significant reputational harm. In addition, these threats are constantly evolving, thereby increasing the difficulty of successfully defending against them or implementing adequate preventative measures. We have seen an increase in cyberattack volume, frequency, and sophistication. We seek to detect and investigate unauthorized attempts and attacks against our network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats. In some instances, we, our suppliers, our customers, and the users of our products and services can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm. See "Risk Factors" for more information on our cybersecurity risks and product vulnerability risks.	We face significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products, and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our customers; the substantial level of harm that could occur to us and our customers were we to suffer impacts of a material cybersecurity incident; and our use of third-party products, services, and components. We are committed to maintaining robust governance and oversight of cybersecurity risks and to implementing mechanisms, controls, technologies, and processes designed to help us assess, identify, and manage these risks. See "Risk Factors" for more information on our cybersecurity risks and product vulnerability risks. While we have not, as of the date of this Form 10-K, experienced a cybersecurity threat or incident that resulted in a material adverse impact to our business or operations, there can be no guarantee that we will not experience such an incident in the future. We have seen an increase in cyberattack volume, frequency, and sophistication. Our cybersecurity program and governance approach are designed to protect our network and information systems, and we have policies, procedures, processes, and controls in place to identify, manage, and respond to risks from cybersecurity threats. We seek to detect and investigate unauthorized attempts and attacks against our network, products, and services, and to prevent their occurrence and recurrence where practicable through changes or updates to our internal processes and tools and changes or updates to our products and services; however, we remain potentially vulnerable to known or unknown threats. In some instances, we, our suppliers, our customers, and the users of our products and services can be unaware of a threat or incident or its magnitude and effects. Further, there is increasing regulation regarding responses to cybersecurity incidents, including reporting to regulators, which could subject us to additional liability and reputational harm.
We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, and manage material cybersecurity risks. Our cybersecurity program is designed to be aligned with applicable industry standards and is assessed annually by independent third-party auditors. We have processes in place to assess, identify, manage, and address material cybersecurity threats and incidents. These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We actively engage with industry groups for benchmarking and awareness of best practices. We monitor issues that are internally discovered or externally reported that may affect our products, and have processes to assess those issues for potential cybersecurity impact or risk. We also have a process in place to manage cybersecurity risks associated with third-party service providers. We impose security requirements upon our suppliers, including: maintaining an effective security management program; abiding by information handling and asset management requirements; and notifying us in the event of any known or suspected cyber incident.	We aim to incorporate industry best practices throughout our cybersecurity program. Our cybersecurity program includes written policies, standards, and procedures for information security, product security, and data privacy; is designed to be aligned with applicable industry standards; and is assessed annually by independent third-party auditors. Our cybersecurity strategy focuses on implementing effective and efficient controls, technologies, and other processes to assess, identify, manage, and address material cybersecurity threats, risks, and incidents. These include, among other things: annual and ongoing security awareness training for employees; mechanisms to detect and monitor unusual network activity; and containment and incident response tools. We actively engage with industry groups for benchmarking and awareness of best practices. We monitor issues that are internally discovered or externally reported and have processes to assess those issues for potential cybersecurity impact or risk. We also have a process in place to manage cybersecurity risks associated with third-party service providers. We impose security requirements upon our suppliers, including: maintaining an effective security management program; abiding by information handling and asset management requirements; and notifying us in the event of any known or suspected cyber incident.
Our Board of Directors has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. That program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board of Directors is assisted by the Audit & Finance Committee, which regularly reviews our cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit & Finance Committee or the Board of Directors generally occur at least twice annually, or more frequently as determined to be necessary or advisable. A number of Intel directors have experience in assessing and managing cybersecurity risk.	Our Board of Directors has ultimate oversight of cybersecurity risk, which it manages as part of our enterprise risk management program. That program is utilized in making decisions with respect to company priorities, resource allocations, and oversight structures. The Board of Directors is assisted by the Audit & Finance Committee, which regularly reviews our cybersecurity program with management and reports to the Board of Directors. Cybersecurity reviews by the Audit & Finance Committee or the Board of Directors generally occur at least twice annually, or more frequently as determined to be necessary or advisable. A number of Intel directors have experience in assessing and managing cybersecurity risk.
Our cybersecurity program is run by our Chief Information Security Officer (CISO), who reports to our Executive Vice President and Chief Technology Officer (CTO). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team, many of whom hold cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager, and through the use of technological tools and software and results from third party audits. Our CISO and CTO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in that position since 2015 and, before Intel, was previously the Chief Security Officer at McAfee and the Chief Information Officer and CISO for the US House of Representatives. Our CTO joined Intel in 2021 and was previously Senior Vice President and CTO at VMware, with responsibility for product security. Our CISO and CTO regularly report directly to the Audit & Finance Committee or the Board of Directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material issues.	Our cybersecurity program is run by our Chief Information Security Officer (CISO), who reports to our Executive Vice President and Chief Technology Officer (CTO). Our CISO is informed about and monitors prevention, detection, mitigation, and remediation efforts through regular communication and reporting from professionals in the information security team—many of whom hold cybersecurity certifications such as a Certified Information Systems Security Professional or Certified Information Security Manager—and through the use of technological tools and software and results from third-party audits. Our CISO and CTO have extensive experience assessing and managing cybersecurity programs and cybersecurity risk. Our CISO has served in that position since 2015 and, before Intel, was the Chief Security Officer at McAfee and the Chief Information Officer and CISO for the US House of Representatives. Our CTO joined Intel in 2021 and was previously Senior Vice President and CTO at VMware, with responsibility for product security. Our CISO and CTO regularly report directly to the Audit & Finance Committee or the Board of Directors on our cybersecurity program and efforts to prevent, detect, mitigate, and remediate issues. In addition, we have an escalation process in place to inform senior management and the Board of Directors of material issues.

・Boeing

・2024.01.31 10-K (Annual report)	・2025.02.03 10-K (Annual report)
Item 1C.Cybersecurity	Item 1C.Cybersecurity
Risk Management and Strategy	Risk Management and Strategy
Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers, and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, other industry-recognized standards, and contractual requirements, as applicable. We also leverage government partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.	Our cybersecurity strategy prioritizes detection, analysis and response to known, anticipated or unexpected threats; effective management of security risks; and resiliency against incidents. Our cybersecurity risk management processes include technical security controls, policy enforcement mechanisms, monitoring systems, employee training, contractual arrangements, tools and related services from third-party providers, and management oversight to assess, identify and manage material risks from cybersecurity threats. We implement risk-based controls to protect our information, the information of our customers, suppliers, and other third parties, our information systems, our business operations, and our products and related services. We have adopted security-control principles based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, other industry-recognized standards, and contractual requirements, as applicable. We also leverage government partnerships, industry and government associations, third-party benchmarking, the results from regular internal and third-party audits, threat intelligence feeds, and other similar resources to inform our cybersecurity processes and allocate resources.
We maintain security programs that include physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and timely and effectively respond to cybersecurity threats or incidents. Through our cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors to company systems as well as our aerospace products and services, and we evaluate the potential operational and financial effects of any threat and of cybersecurity countermeasures made to defend against such threats. We continue to integrate our cyber practice into our Enterprise Risk Management program and our Compliance Risk Management program, both of which are overseen by our Board of Directors and provide central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Risks from cybersecurity threats to our products and services are also overseen by our Board of Directors. In addition, we periodically engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to any incidents.	We maintain security programs that include physical, administrative and technical safeguards, and we maintain plans and procedures whose objective is to help us prevent and timely and effectively respond to cybersecurity threats or incidents. Through our cybersecurity risk management process, we continuously monitor cybersecurity vulnerabilities and potential attack vectors to company systems as well as our aerospace products and services, and we evaluate the potential operational and financial effects of any threat and of cybersecurity countermeasures made to defend against such threats. We continue to integrate our cyber practice into our Enterprise Risk Management program and our Compliance Risk Management program, both of which are overseen by our Board of Directors and provide central, standardized frameworks for identifying and tracking cyber-related business and compliance risks across the Company. Risks from cybersecurity threats to our products and services are also overseen by our Board of Directors. In addition, we periodically engage third-party consultants to assist us in assessing, enhancing, implementing, and monitoring our cybersecurity risk management programs and responding to any incidents.
As part of our cybersecurity risk management process, we conduct “tabletop” exercises during which we simulate cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cyber incident preparedness. These exercises are conducted at both the technical level and senior management level, which has included participation by a member of our Board of Directors. In addition, all employees are required to pass a mandatory cybersecurity training course on an annual basis and receive monthly phishing simulations to provide “experiential learning” on how to recognize phishing attempts.	As part of our cybersecurity risk management process, we conduct “tabletop” exercises during which we simulate cybersecurity incidents to ensure that we are prepared to respond to such an incident and to highlight any areas for potential improvement in our cyber incident preparedness. In addition, all employees are required to complete a mandatory cybersecurity training course on an annual basis and receive monthly phishing simulations to provide “experiential learning” on how to recognize phishing attempts.
We have established a cybersecurity supply chain risk management program, which is a cross-functional program that forms part of our Enterprise Risk Management program and is supported by our security, compliance, and supply chain organizations. Through this evolving program, we assess the risks from cybersecurity threats that impact select suppliers and third-party service providers with whom we share personal identifying and confidential information. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the products or services we procure from such suppliers. We generally require our suppliers to adopt security-control principles based on industry-recognized standards.	We have established a cybersecurity supply chain risk management program, which is a cross-functional program that forms part of our Enterprise Risk Management program and is supported by our security, compliance, and supply chain organizations. Through this evolving program, we assess the risks from cybersecurity threats that impact select suppliers and third-party service providers with whom we share personal identifying and confidential information. We continue to evolve our oversight processes to mature how we identify and manage cybersecurity risks associated with the products or services we procure from such suppliers. We generally require our suppliers to adopt security-control principles based on industry-recognized standards.
We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See “Risks Related to Cybersecurity and Business Disruptions” in “Risk Factors” on page 14 of this Form 10-K.	We have experienced, and may in the future experience, whether directly or through our supply chain or other channels, cybersecurity incidents. While prior incidents have not materially affected our business strategy, results of operations or financial condition, and although our processes are designed to help prevent, detect, respond to, and mitigate the impact of such incidents, there is no guarantee that a future cyber incident would not materially affect our business strategy, results of operations or financial condition. See “Risks Related to Technology, Security and Business Disruptions” in “Risk Factors” on pages 14 - 15 of this Form 10-K.
Governance	Governance
Our Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board in performing this function based on their respective areas of expertise. Our Board of Directors has delegated oversight of risks related to cybersecurity to two Board committees, the Audit Committee and the Aerospace Safety Committee, and each committee reports on its activities and findings to the full Board after each meeting. The Audit Committee is charged with reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. Our Chief Information Officer and Senior Vice President, Information Technology & Data Analytics (CIO) and our Chief Security Officer (CSO) provide presentations to the Audit Committee on cybersecurity risks at each of its bimonthly meetings. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. In addition, the Audit Committee has designated one of its members with expertise in cyber risk management to meet regularly with management and review our cybersecurity strategy and key initiatives and progress toward our objectives. In the event of a potentially material cybersecurity event, the Chair of the Audit Committee is notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held, as appropriate. The Aerospace Safety Committee provides oversight of the risks from cybersecurity threats related to our aerospace products and services. The Aerospace Safety Committee receives regular updates and reports from senior management, including the Chief Engineer, the Chief Aerospace Safety Officer, and the Chief Product Security Engineer, who provide briefings on significant cybersecurity threats or incidents that may pose a risk to the safe operation of our aerospace products. Both committees brief the full Board on cybersecurity matters discussed during committee meetings, and the CIO provides annual briefings to the Board on information technology and data analytics related matters, including cybersecurity.	Our Board of Directors has overall responsibility for risk oversight, with its committees assisting the Board in performing this function based on their respective areas of expertise. Our Board of Directors has delegated oversight of risks related to cybersecurity to two Board committees, the Audit Committee and the Aerospace Safety Committee, and each committee reports on its activities and findings to the full Board after each meeting. The Audit Committee is charged with reviewing our cybersecurity processes for assessing key strategic, operational, and compliance risks. Our Chief Information Digital Officer and Senior Vice President, Information Technology & Data Analytics (CIDO) and our Chief Security Officer (CSO) provide presentations to the Audit Committee on cybersecurity risks at each of its bimonthly meetings. These briefings include assessments of cyber risks, the threat landscape, updates on incidents, and reports on our investments in cybersecurity risk mitigation and governance. In addition, the Audit Committee has designated one of its members with expertise in cyber risk management to meet regularly with management and review our cybersecurity strategy and key initiatives and progress toward our objectives. In the event of a potentially material cybersecurity event, the Chair of the Audit Committee is notified and briefed, and meetings of the Audit Committee and/or full Board of Directors would be held, as appropriate. The Aerospace Safety Committee provides oversight of the risks from cybersecurity threats related to our aerospace products and services. The Aerospace Safety Committee receives regular updates and reports from senior management, including the Chief Engineer, the Chief Aerospace Safety Officer, and the Chief Product Security Engineer, who provide briefings on significant cybersecurity threats or incidents that may pose a risk to the safe operation of our aerospace products. Both committees brief the full Board on cybersecurity matters discussed during committee meetings, and the CIDO provides annual briefings to the Board on information technology and data analytics related matters, including cybersecurity.
At the management level, we have established a Global Security Governance Council (the Council) to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Council is responsible for developing and coordinating enterprise cybersecurity policy and strategy, and for providing guidance to key management and oversight bodies.	At the management level, we have established a Global Security Governance Council (the Council) to further strengthen our cybersecurity risk management activities across the Company, including the prevention, detection, mitigation, and remediation of cybersecurity incidents. The Council is responsible for developing and coordinating enterprise cybersecurity policy and strategy, and for providing guidance to key management and oversight bodies.
Richard Puckett, as our CSO, serves as the chair of the Council. He is responsible for overseeing a unified security program that provides cybersecurity, fire and protection operations, physical security, insider threat, and classified security. Mr. Puckett has nearly 30 years of experience in the cybersecurity industry, including, prior to joining Boeing in 2022, as Chief Information Security Officer of SAP SE and Thomson Reuters Corporation, Vice President, Product and Commercial Security of General Electric, Inc., and Senior Security Architect at Cisco Systems, Inc. He reports directly to the CIO and meets regularly with other members of senior management and the Audit Committee.	Trent Cox, Vice President of Product and Business Operations, is serving as our interim CSO. In that role, he chairs the Council and is responsible for overseeing a unified security program that provides cybersecurity, fire and protection operations, physical security, insider threat, and classified security. Mr. Cox has over 25 years of experience in the aerospace and defense industry, including, prior to joining Boeing in 2024, Chief Information Officer of Raytheon UK, Deputy CIO and Executive Director of Collins Aerospace and Raytheon Intelligence and Space, and Executive Director for Program Execution for the Raytheon Missile Systems businesses. He reports directly to the CIDO and meets regularly with other members of senior management and the Audit Committee.
The Council also includes, among other senior executives, our Chief Engineer, Chief Information Officer, Chief Aerospace Safety Officer and Chief Product Security Engineer, who each have several decades of business and senior leadership experience managing risks in their respective fields, collectively covering all aspects of cybersecurity, data and analytics, product security engineering, enterprise engineering, safety and the technical integrity of our products and services.	The Council also includes, among other senior executives, our CIDO, Chief Engineer, Chief Information Officer, Chief Aerospace Safety Officer and Chief Product Security Engineer, who each have several decades of business and senior leadership experience managing risks in their respective fields, collectively covering all aspects of cybersecurity, data and analytics, product security engineering, enterprise engineering, safety and the technical integrity of our products and services.
The Council meets monthly and updates key members of the Company’s Executive Council on progress towards specific cybersecurity objectives. A strong partnership exists between Information Technology, Enterprise Security, Corporate Audit, and Legal so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.	The Council meets monthly and updates key members of the Company’s Executive Council on progress towards specific cybersecurity objectives. A strong partnership exists between Information Technology, Enterprise Security, Corporate Audit, and Law so that identified issues are addressed in a timely manner and incidents are reported to the appropriate regulatory bodies as required.

・American Express

・2024.02.09 10-K (Annual report)	・2025.02.07 10-K (Annual report)
ITEM 1C CYBERSECURITY	ITEM 1C CYBERSECURITY
We maintain an information security and cybersecurity program and a cybersecurity governance framework that are designed to protect our information systems against operational risks related to cybersecurity./span>	We maintain an information security and cybersecurity program and a cybersecurity governance framework that are designed to protect our information systems against operational risks related to cybersecurity.
Cybersecurity Risk Management and Strategy	Cybersecurity Risk Management and Strategy
We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (ERM) program, which we use to identify, aggregate, monitor, report and manage risks. For more information on our ERM program, see “Risk Management” under “MD&A.”	We define information security and cybersecurity risk as the risk that the confidentiality, integrity or availability of our information and information systems are impacted by unauthorized or unintended access, use, disclosure, disruption, modification or destruction. Information security and cybersecurity risk is an operational risk that is measured and managed as part of our operational risk framework. Operational risk is incorporated into our comprehensive Enterprise Risk Management (ERM) program, which we use to identify, aggregate, monitor, report and manage risks. For more information on our ERM program, see “Risk Management” under “MD&A.”
Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling high-severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.	Our Technology Risk and Information Security (TRIS) program, which is our enterprise information security and cybersecurity program incorporated in our ERM program and led by our Chief Information Security Officer (CISO), is designed to (i) ensure the security, confidentiality, integrity and availability of our information and information systems; (ii) protect against any anticipated threats or hazards to the security, confidentiality, integrity or availability of such information and information systems; and (iii) protect against unauthorized access to or use of such information or information systems that could result in substantial harm or inconvenience to us, our colleagues or our customers. The TRIS program is built upon a foundation of advanced security technology, employs a highly trained team of experts and is designed to operate in alignment with global regulatory requirements. The program deploys multiple layers of controls, including embedding security into our technology investments, designed to identify, protect, detect, respond to and recover from information security and cybersecurity incidents. Those controls are measured and monitored by a combination of subject matter experts and a security operations center with integrated cyber detection, response and recovery capabilities. The TRIS program includes our Enterprise Incident Response Program, which manages information security incidents involving compromises of sensitive information, and our Cyber Crisis Response Plan, which provides a documented framework for handling high-severity security incidents and facilitates coordination across multiple parts of the Company to manage response efforts. We also routinely perform simulations and drills at both a technical and management level, and our colleagues receive annual cybersecurity awareness training.
In addition, we incorporate reviews by our Internal Audit Group and external expertise in our TRIS program, including an independent third-party assessment of our cybersecurity measures and controls and a third-party cyber maturity assessment of our TRIS program against the Cyber Risk Institute Profile standards for the financial sector. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums.	In addition, we incorporate reviews by our Internal Audit Group and external expertise in our TRIS program, including an independent third-party assessment of our cybersecurity measures and controls and a third-party cyber maturity assessment of our TRIS program against the Cyber Risk Institute Profile standards for the financial sector. We also invest in threat intelligence, collaborate with our peers in areas of threat intelligence, vulnerability management, incident response and drills, and are active participants in industry and government forums.
Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy, which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.	Cybersecurity risks related to third parties are managed as part of our Third Party Management Policy, which sets forth the procurement, risk management and contracting framework for managing third-party relationships commensurate with their risk and complexity. Our Third Party Lifecycle Management (TLM) program sets guidelines for identifying, measuring, monitoring, and reporting the risks associated with third parties through the life cycle of the relationships, which includes planning, due diligence and third-party selection, contracting, ongoing monitoring and termination. Our TLM program includes the identification of third parties with risks related to information security. Third parties that access, process, collect, share, create, store, transmit or destroy our information or have access to our systems may have additional security requirements depending on the levels of risk, such as enhanced risk assessments and monitoring, and additional contractual controls.
While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our customers, colleagues, regulators, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyber attacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see “A major information or cybersecurity incident or an increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.” under “Risk Factors.”	While we do not believe that our business strategy, results of operations or financial condition have been materially adversely affected by any cybersecurity incidents, cybersecurity threats are pervasive and, similar to other global financial institutions, we, as well as our customers, colleagues, regulators, service providers and other third parties, have experienced a significant increase in information security and cybersecurity risk in recent years and will likely continue to be the target of cyberattacks. We continue to assess the risks and changes in the cyber environment, invest in enhancements to our cybersecurity capabilities, and engage in industry and government forums to promote advancements in our cybersecurity capabilities, as well as the broader financial services cybersecurity ecosystem. For more information on risks to us from cybersecurity threats, see “A major information or cybersecurity incident or an increase in fraudulent activity could lead to reputational damage to our brand and material legal, regulatory and financial exposure, and could reduce the use and acceptance of our products and services.” under “Risk Factors.”
Cybersecurity Governance	Cybersecurity Governance
Under our cybersecurity governance framework, our Board and our Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with the Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program.	Under our cybersecurity governance framework, our Board and Risk Committee are primarily responsible for overseeing and governing the development, implementation and maintenance of our TRIS program, with our Board designating our Risk Committee to provide oversight and governance of technology and cybersecurity risks. Our Board receives an update on cybersecurity at least once a year from our CISO or their designee. Our Risk Committee receives reports on cybersecurity at least twice a year, including in at least one joint meeting with our Audit and Compliance Committee, and our Board and these committees all receive ad hoc updates as needed. In addition, our Risk Committee annually approves our TRIS program.
We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity.This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC.	We have multiple internal management committees that are responsible for the oversight of cybersecurity risk. Our Operational Risk Management Committee (ORMC), chaired by our Chief Operational Risk Officer, provides oversight and governance for our information security risk management activities, including those related to cybersecurity. This includes efforts to identify, measure, manage, monitor and report information security risks associated with our information and information systems and potential impacts to the American Express brand. The ORMC escalates risks to our Enterprise Risk Management Committee (ERMC), chaired by our Chief Risk Officer, or our Board based on the escalation criteria provided in our enterprise-wide risk appetite framework. Members of management with cybersecurity oversight responsibilities are informed about cybersecurity risks and incidents through a number of channels, including periodic and annual reports, with the annual report also provided to our Risk Committee, the ORMC and ERMC.
Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters. Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013 and the addition of responsibility for technology risk management in 2023. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”	Our CISO leads the strategy, engineering and operations of cybersecurity across the Company and is responsible for providing annual updates to our Board, the ERMC and the ORMC on our TRIS program, as well as ad hoc updates on information security and cybersecurity matters. Our current CISO has held a series of roles in telecommunications, networking and information security at American Express, including promotion to the CISO role in 2013, and is also responsible for technology risk management. Prior to joining American Express, our current CISO served in a variety of technology leadership roles at a public pharmaceutical and biotechnology company for 14 years. Our CISO reports to the Chief Information Officer, information about whom is included in “Information About Our Executive Officers” under “Business.”
For more information on our risk governance structure, see “Risk Management — Governance” and “Risk Management —Operational Risk Management Process” under “MD&A.”	For more information on our risk governance structure, see “Risk Management — Governance” and “Risk Management —Operational Risk Management Process” under “MD&A.”

・Johnson & Johnson

・2024.02.16 10-K (Annual report)	・2025.02.13 (Annual report)
Item 1C.Cybersecurity	Item 1C.Cybersecurity
Risk management and strategy	Risk management and strategy
The Company has documented cybersecurity policies and standards, assesses risks from cybersecurity threats, and monitors information systems for potential cybersecurity issues. To protect the Company’s information systems from cybersecurity threats, the Company uses various security tools supporting protection, detection, and response capabilities. The Company maintains a cybersecurity incident response plan to help ensure a timely, consistent response to actual or attempted cybersecurity incidents impacting the Company.	The Company has documented cybersecurity policies and standards, assesses risks from cybersecurity threats, and monitors information systems for potential cybersecurity issues. To protect the Company’s information systems from cybersecurity threats, the Company uses various security tools supporting protection, detection, and response capabilities. The Company maintains a cybersecurity incident response plan to help ensure a timely, consistent response to actual or attempted cybersecurity incidents impacting the Company.
The Company also identifies and assesses third-party risks within the enterprise, and through the Company's use of third-party service providers, across a range of areas including data security and supply chain through a structured third-party risk management program.	The Company also identifies and assesses third-party risks within the enterprise, and through the Company's use of third-party service providers, across a range of areas including data security and supply chain through a structured third-party risk management program.
The Company maintains a formal information security training program for all employees that includes training on matters such as phishing and email security best practices. Employees are also required to complete mandatory training on data privacy.	The Company maintains a formal information security training program for all employees that includes training on matters such as phishing and email security best practices. Employees are also required to complete mandatory training on data privacy.
To evaluate and enhance its cybersecurity program, the Company periodically utilizes third-party experts to undertake maturity assessments of the Company’s information security program.	To evaluate and enhance its cybersecurity program, the Company periodically utilizes third-party experts to undertake maturity assessments of the Company’s information security program.
To date, the Company is not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on the Company’s business or operations; however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for the Company to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm as well as financial costs and regulatory action. Refer to the risk factor captioned An information security incident, including a cybersecurity breach, could have a negative impact to the Company’s business or reputation in Part I, Item 1A. Risk factors for additional description of cybersecurity risks and potential related impacts on the Company.	To date, the Company is not aware of any cybersecurity incident that has had or is reasonably likely to have a material impact on the Company’s business or operations; however, because of the frequently changing attack techniques, along with the increased volume and sophistication of the attacks, there is the potential for the Company to be adversely impacted. This impact could result in reputational, competitive, operational or other business harm as well as financial costs and regulatory action. Refer to the risk factor captioned An information security incident, including a cybersecurity breach, could have a negative impact to the Company’s business or reputation in Part I, Item 1A. Risk factors for additional description of cybersecurity risks and potential related impacts on the Company.
Governance - management’s responsibility	Governance - management’s responsibility
The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity controls designed to address cybersecurity threats and risks. The Chief Information Officer (CIO), who is a member of the Company’s Executive Committee, and the Chief Information Security Officer (CISO) are responsible for assessing and managing cybersecurity risks, including the prevention, mitigation, detection, and remediation of cybersecurity incidents.	The Company takes a risk-based approach to cybersecurity and has implemented cybersecurity controls designed to address cybersecurity threats and risks. The Chief Information Officer (CIO), who is a member of the Company’s Executive Committee, and the Chief Information Security Officer (CISO) are responsible for assessing and managing cybersecurity risks, including security incident detection, response, and recovery.
The Company’s CISO, in coordination with the CIO, is responsible for leading the Company’s cybersecurity program and management of cybersecurity risk. The current CISO has over twenty-five years of experience in information security, and his background includes technical experience, strategy and architecture focused roles, cyber and threat experience, and various leadership roles.	The Company’s CISO, in coordination with the CIO, is responsible for leading the Company’s cybersecurity program and management of cybersecurity risk. The current CISO has over twenty-five years of experience in information security, and his background includes technical experience, strategy and architecture focused roles, cyber and threat experience, and various leadership roles.
Governance - board oversight	Governance - board oversight
The Company’s Board of Directors oversees the overall risk management process, including cybersecurity risks, directly and through its committees. The Regulatory Compliance & Sustainability Committee (RCSC) of the board is primarily responsible for oversight of risk from cybersecurity threats and oversees compliance with applicable laws, regulations and Company policies related to, among others, privacy and cybersecurity.	The Company’s Board of Directors oversees the overall risk management process, including cybersecurity risks, directly and through its committees. The Regulatory Compliance & Sustainability Committee (RCSC) of the board is primarily responsible for oversight of risk from cybersecurity threats and oversees compliance with applicable laws, regulations and Company policies related to, among others, privacy and cybersecurity.
RCSC meetings include discussions of specific risk areas throughout the year including, among others, those relating to cybersecurity.The CISO provides at least two updates each year to RCSC on cybersecurity matters. These reports include an overview of the cybersecurity threat landscape, key cybersecurity initiatives to improve the Company’s risk posture, changes in the legal and regulatory landscape relative to cybersecurity, and overviews of certain cybersecurity incidents that have occurred within the Company and within the industry.	RCSC meetings include discussions of specific risk areas throughout the year including, among others, those relating to cybersecurity. The CISO provides quarterly updates each year to RCSC on cybersecurity matters. These reports include an overview of the cybersecurity threat landscape, key cybersecurity initiatives to improve the Company’s risk posture, changes in the legal and regulatory landscape relative to cybersecurity, and overviews of certain cybersecurity incidents that have occurred within the Company and within the industry.

・Pfizer

・Coca-Cola

・McDonalds Corp.

・2024.02.22 10-K (Annual report)	・2025.02.25 10-K (Annual report)
CYBERSECURITY	CYBERSECURITY
	Cybersecurity risk is an important and evolving focus for McDonald’s. Significant resources are devoted to protecting and enhancing the security of computer systems, software, networks, storage devices, and other technology. The Company’s security efforts are designed to protect against, among other things, cybersecurity attacks that can result in unauthorized access to confidential information, the destruction of data, disruptions to or degradations of service, the sabotaging of systems or other damage. McDonald’s has implemented measures and controls that it believes are reasonably designed to address the evolving cybersecurity risk environment, including enhanced threat monitoring. In addition, McDonald’s continues to regularly review its capabilities to address associated risks, such as those relating to the management of administrative access to systems.
	Third parties that help to facilitate the Company’s business activities (e.g., franchisees, vendors, suppliers, service providers, etc.) are also sources of cybersecurity risk to McDonald’s, and we have various processes and programs to manage cybersecurity risks associated with our third parties. Despite these risk-mitigation measures, a cybersecurity event impacting a third party may compromise Company data or negatively impact the Company’s ability to conduct business, which could have a material adverse effect on our business.
	Risks from cybersecurity threats, including as a result of any previous cybersecurity events, did not materially affect McDonald’s or its business strategy, results of operations or financial condition in 2024. Notwithstanding having what McDonald’s believes to be a comprehensive approach to address cybersecurity risk, no company is immune to cybersecurity threats, and McDonald’s may not be successful in preventing or mitigating a future cybersecurity incident that could have a material adverse effect on McDonald’s or its business strategy, results of operations or financial condition. In evaluating cybersecurity incidents, management considers the potential impact to the Company’s results of operations, control framework, and financial condition, as well as the potential impact, if any, to our business strategy and/or reputation.
	For additional information on risks from cybersecurity threats, please see our Risk Factors beginning on page 28.
Governance	Governance
Management has primary responsibility for enterprise-wide risk management (“ERM”), including cybersecurity risk, within our Company, as detailed below. Our Board of Directors is responsible for overseeing our ERM framework and exercises this oversight both as a full Board and through its standing committees. Our Board’s Public Policy & Strategy Committee (“PPS Committee”) has oversight responsibility for our strategy and processes relating to cybersecurity risk management. Our PPS Committee receives updates at regular intervals on cybersecurity matters from management, including our Global Chief Information Officer (“CIO”) and Chief Information Security Officer (“CISO”) who, as discussed below, are responsible for assessing and managing material cybersecurity risks. Such updates include a discussion of the status of our cybersecurity landscape and our cybersecurity strategies, including potential risks and mitigation efforts. If a cybersecurity incident meets our established internal escalation threshold, accelerated reporting of the incident is provided to the applicable members of the Board. The PPS Committee also considers potential remedies to any strategic or process gaps that may be identified during the Company’s review of specific cybersecurity incidents.	Management has primary responsibility for enterprise-wide risk management (“ERM”), including cybersecurity risk, within our Company, as detailed below. Our Board of Directors (the “Board”) is responsible for overseeing our ERM framework and exercises this oversight both as a full Board and through its standing committees. Our Board’s Audit & Finance Committee (“A&F Committee”) has oversight responsibility for our strategy and processes relating to cybersecurity risk management. Our A&F Committee receives updates at regular intervals on cybersecurity matters from management, including our Global Chief Information Officer (“CIO”) and Global Chief Information Security Officer (“CISO”) who, as discussed below, are responsible for assessing and managing material cybersecurity risks. Such updates include discussion of the status of our cybersecurity landscape and our cybersecurity strategies, including potential risks and mitigation efforts. For certain significant cybersecurity incidents, our procedures contemplate accelerated reporting of the incident to the applicable members of the Board. The A&F Committee also considers potential remedies to any strategic or process gaps that may be identified during the Company’s review of specific cybersecurity incidents.
Our Board of Directors recognizes the importance to the Company of effectively identifying, assessing and managing risks that could have a significant impact on our business strategy. The ERM framework leverages internal risk committees comprised of cross-functional leadership who meet regularly to evaluate and prioritize risks, including cybersecurity risk, in the context of our strategy, with further escalation to our CEO, Board and/or Committees, as appropriate. Effective management of cybersecurity risks is critical to the successful execution of our business strategy.	Our Board recognizes the importance to the Company of effectively identifying, assessing and managing risks that could have a significant impact on our business strategy. The ERM framework leverages internal risk committees comprised of cross-functional leadership who meet regularly to evaluate and prioritize risks, including cybersecurity risk, in the context of our strategy, with further escalation to our CEO, Board and/or Committees, as appropriate. Effective management of cybersecurity risks is critical to the successful execution of our business strategy.
Risk Management and Strategy	Risk Management and Strategy
Our CIO and CISO are responsible for assessing and implementing our cybersecurity risk management programs, which are informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. These leaders and their teams have significant relevant experience in various fields, such as incident response, application security, data protection, network security and identity and access management, and have implemented and executed security programs across multiple industries at Fortune 100 companies. Our programs are designed to create a comprehensive, cross-functional approach to identify and mitigate cybersecurity risks as well as to prevent cybersecurity incidents in an effort to support business continuity and achieve operational resiliency.	The CISO reports to the CIO. McDonald’s CIO and CISO are responsible for assessing and implementing our cybersecurity risk management programs, which are informed by the National Institute of Standards and Technology (NIST) Cybersecurity Framework. These leaders and their teams have significant relevant experience in various fields, such as incident response, application security, data security, network security and identity and access management, and have implemented and executed security programs across multiple industries at Fortune 100 companies. Our programs are designed to create a comprehensive, cross-functional approach to identify, assess, manage and mitigate cybersecurity risks as well as to mitigate cybersecurity incidents to support business continuity and achieve operational resiliency.
We leverage certain third-party providers and local technology support teams to help execute certain aspects of our cybersecurity risk management programs. We also engage third parties in assessments and testing of our policies, processes and standards that are designed to identify and remediate cybersecurity incidents. These efforts include a wide range of activities focused on evaluating the effectiveness of the program, including audits, modeling, tabletop exercises and vulnerability testing. We also periodically engage independent third parties to perform assessments and evaluations of certain aspects of our information security control environment and operation of our program. Further, we have various processes and programs to manage cybersecurity risks associated with our use of third-party vendors and suppliers.	The CISO leads the Global Cybersecurity organization, which is responsible for executing the Company’s Global Cybersecurity Program and initiatives. This global program is responsible for identifying technology and cybersecurity risks and for implementing and maintaining controls to manage cybersecurity threats. These controls are designed to mitigate, detect and respond to cybersecurity incidents to help safeguard the confidentiality, integrity and availability of McDonald’s infrastructure, resources and information.
We provide regular, mandatory training for employees regarding cybersecurity threats to bring awareness on how they can help prevent and report potential cybersecurity incidents. In addition, key stakeholders involved with our cybersecurity risk management programs receive additional training and regularly participate in scenario-based training exercises to support the effective administration of our programs.	McDonald’s Global Cybersecurity Program includes the following functions:
We have established and regularly tested incident response processes and controls that identify and risk-rank incidents through a centralized system to promote timely escalation of cybersecurity incidents that exceed a particular level of risk, including escalation of incidents of sufficient magnitude or severity to our CIO and CISO. In evaluating cybersecurity incidents, management considers the potential impact to our results of operations, control framework, and financial condition, as well as the potential impact, if any, to our business strategy or reputation.	• Cybersecurity Services, which is responsible for deploying and operating the frontline security controls that are designed to protect and defend McDonald’s against cyber-attacks. Cybersecurity teams are focused on specific areas of a layered defense, including Network Security, Endpoint Protection, Identity and Access Management, Data Protection, and others, to ensure that these controls are integrated into critical systems and processes throughout the McDonald’s environment and operating effectively.
Cybersecurity threats, including as a result of our previous cybersecurity incidents, have not materially affected our results of operations or financial condition, including our business strategy, in 2023. For additional information on risks from cybersecurity threats, please see our Risk Factors beginning on page 28.	• Cyber Defense, which is responsible for implementing and maintaining controls designed to detect and respond to cybersecurity incidents against McDonald’s and includes a dedicated function for incident response and regular monitoring for cybersecurity threats and vulnerabilities, including those among McDonald’s third-party suppliers. The Company has established and regularly tested incident response processes and controls that identify and risk-rank incidents through a centralized system to promote timely escalation of cybersecurity incidents that exceed a particular level of risk, including escalation of incidents of sufficient magnitude or severity to the CIO and CISO.
	• Cyber Governance, Risk & Compliance, which is responsible for operationalizing technology risk and control frameworks, analyzing regulatory developments that may impact McDonald’s, and developing control catalogs and assessments of controls, as well as overseeing governance and reporting of technology and cybersecurity risk. The team provides awareness and training that reinforces information risk and security management practices and compliance with McDonald’s policies, standards and practices. The training is mandatory for all employees globally on a periodic basis, and it is supplemented by Company-wide testing initiatives, including periodic phishing tests.
	• Cyber Market Engagement, which is responsible for working with our market teams, International Developmental Licensee partners, and other entities to ensure a consistent approach for cybersecurity across the McDonald’s system.
	The governance structure for the Global Cybersecurity organization is designed to appropriately identify, escalate, and mitigate cybersecurity risks. Cybersecurity risk management and its governance and oversight are integrated into McDonald’s operational risk management framework, including through the escalation of key risk and control issues to management and the development of risk mitigation plans for heightened risk and control issues.
	As needed, McDonald’s engages third-party assessors or auditing firms with industry-recognized expertise on cybersecurity matters to review specific aspects of McDonald’s cybersecurity risk management framework, processes and controls. These efforts include a wide range of activities focused on evaluating the effectiveness of the program, including audits, modeling, tabletop exercises and vulnerability testing.

日本企業...昨年と順番かえてます...

・三菱UFJファイナンシャルグループ

・三井住友ファイナンシャル

・みずほファイナンシャル

・ORIX

・野村ホールディングス

・タケダ

・ソニー

・トヨタ

・ホンダ

みずほファインシャルサービスは、開示がより詳細になっていますね...

・三菱UFJファイナンシャルグループ

・2024.07.30 20-F (Annual report - foreign issuer)	・2025.07.07 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity	Item 16K. Cybersecurity
Overview	Overview
As a financial institution operating globally, we are exposed to various cybersecurity risks, including ransomware, phishing, and distributed denial of service attacks. These risks are often influenced by criminal activity, international conflicts and other threat environments but are becoming increasingly more sophisticated and complex to deal with. We take seriously our responsibilities for securing the assets entrusted to us by our customers against cybersecurity threats and our obligation to provide secure and stable financial services. We have identified risks and threats posed by cyber-attacks and other relevant events as one of our top risks and have been developing and implementing cybersecurity measures under management leadership. During the fiscal year ended March 31, 2024, we did not identify any cybersecurity threats that have materially affected, or were reasonably likely to materially affect, our business strategy, results of operations or financial condition.	As a financial institution operating globally, we are exposed to various cybersecurity risks, including ransomware, phishing, and distributed denial of service attacks. These risks are often influenced by criminal activity, international conflicts and other threat environments but are becoming increasingly more sophisticated and complex to deal with. We take seriously our responsibilities for securing the assets entrusted to us by our customers against cybersecurity threats and our obligation to provide secure and stable financial services. We have identified risks and threats posed by cyber-attacks and other relevant events as one of our top risks and have been developing and implementing cybersecurity measures under management leadership. During the fiscal year ended March 31, 2025, we did not identify any cybersecurity threats that have materially affected, or were reasonably likely to materially affect, our business strategy, results of operations or financial condition.
While we endeavor to remain vigilant for, and continue to develop and implement measures to address, cybersecurity risk, we may not be able to prevent or mitigate a future cybersecurity incident that could have a material adverse impact on our business strategy, performance, and financial stability. See “Item 3.D. Key Information—Risk Factors—Operational Risk—Our operations are highly dependent on our information, communications and transaction management systems and are subject to an increasing risk of cyber-attacks and other information security threats and to changes in the business and regulatory environment.”	While we endeavor to remain vigilant for, and continue to develop and implement measures to address, cybersecurity risk, we may not be able to prevent or mitigate a future cybersecurity incident that could have a material adverse impact on our business strategy, performance, and financial stability. See “Item 3.D. Key Information—Risk Factors—Operational Risk—Our operations are highly dependent on our information, communications and transaction management systems and are subject to an increasing risk of cyber-attacks and other information security threats and to changes in the business and regulatory environment.”
Cybersecurity Risk Management Process	Cybersecurity Risk Management Process
We manage cybersecurity risk as a subset of IT risk, which is included in the broader risk category of operational risk. Operational risk is defined as the risk of potential loss resulting from inadequate or ineffective internal processes, people and systems, or due to external events. Cybersecurity risk management is integrated into our comprehensive risk management framework where we have adopted a three lines of defense approach. The first line of defense is the Cyber Security Division, which is the team primarily responsible for identifying and mitigating risks as well as designing and executing controls to manage cybersecurity risk. The second line of defense is the Corporate Risk Management Division, which is responsible for assessing and monitoring cybersecurity risk as well as testing the effectiveness of cybersecurity risk controls independently from the first line. The third line of defense is the Internal Audit Division, which audits the effectiveness of first-line and second-line cybersecurity risk management.	We manage cybersecurity risk as a subset of IT risk, which is included in the broader risk category of operational risk. Operational risk is defined as the risk of potential loss resulting from inadequate or ineffective internal processes, people and systems, or due to external events. Cybersecurity risk management is integrated into our comprehensive risk management framework where we have adopted a three lines of defense approach. The first line of defense is the Cyber Security Division, which is the team primarily responsible for identifying and mitigating risks as well as designing and executing controls to manage cybersecurity risk. The second line of defense is the Corporate Risk Management Division, which reports to the Group Chief Risk Officer (CRO) and which is responsible for assessing and monitoring cybersecurity risk as well as testing the effectiveness of cybersecurity risk controls independently from the first line. The third line of defense is the Internal Audit Division, which audits the effectiveness of first-line and second-line cybersecurity risk management.
Our cybersecurity risk management program incorporates features based on globally recognized standards such as those issued by the National Institute of Standards and Technology (NIST). Based on such globally recognized standards, the Cyber Security Division, which is supervised by the Group Chief Information Security Officer (CISO), establishes policies and standards to protect our information systems and conducts cybersecurity risk assessments. Among its other responsibilities, the Division also focuses on threat intelligence, including centralized information collection and impact analysis on newly discovered vulnerabilities and past experience, and prevention and remediation of such impacts on a global group-wide basis. Additionally, the Division conducts daily monitoring of our external-facing systems to identify and prevent any flaws in security updates or configuration settings. In an effort to enhance our round-the-clock monitoring and incident response capabilities on a global group-wide basis, we have established the MUFG Cyber Security Fusion Center (MUFG CSFC), which specializes in cybersecurity threat analysis and information security solutions. At the subsidiary level, the Computer Security Incident Response Teams (CSIRTs) have been established within subsidiaries to receive, investigate and implement measures in response to reports of cybersecurity incidents from within such respective subsidiaries in coordination with the MUFG Computer Security Incident Response Team (MUFG-CERT), a team established within the Cyber Security Division for centralizing our cybersecurity incident responses.	Our cybersecurity risk management program incorporates features based on globally recognized standards such as those issued by the National Institute of Standards and Technology (NIST). Based on such globally recognized standards, the Cyber Security Division, which is supervised by the Group Chief Information Security Officer (CISO), establishes policies and standards to protect our information systems and conducts cybersecurity risk assessments. Among its other responsibilities, the Division also focuses on threat intelligence, including centralized information collection and impact analysis on newly discovered vulnerabilities and past experience, and prevention and remediation of such impacts on a global group-wide basis. Additionally, the Division conducts daily monitoring of our external-facing systems to identify and prevent any flaws in security updates or configuration settings. In an effort to enhance our round-the-clock monitoring and incident response capabilities on a global group-wide basis, we have established the MUFG Cyber Security Fusion Center (MUFG CSFC), which specializes in cybersecurity threat analysis and information security solutions. At the subsidiary level, the Computer Security Incident Response Teams (CSIRTs) have been established within subsidiaries to receive, investigate and implement measures in response to reports of cybersecurity incidents from within such respective subsidiaries in coordination with the MUFG Computer Security Incident Response Team (MUFG-CERT), a team established within the Cyber Security Division for centralizing our cybersecurity incident responses.
We regularly conduct exercises and drills designed to ensure our ability to effectively perform cybersecurity incident response functions. We have also expanded our collaborative activities with government agencies, other companies in the financial industry and other information security communities, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financials Information Sharing and Analysis Center Japan (F-ISAC), the Forum of Incident Response and Security Teams (FIRST) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). Furthermore, in order to minimize third-party risks, we conduct risk assessments on third-party vendor contracts prior to contract initiation and subsequently conduct annual reviews to identify any significant changes in the risk environment. We also require our vendors to adhere to the standards set by us in order to ensure that our risk management protocols are consistently maintained. Along with regularly conducted internal reviews of our cybersecurity risk management program against market trends and best practices, we engage audit firms and external consultants as needed, receive evaluations, and utilize the results of these evaluations to continuously ensure and enhance the effectiveness of our program.	We regularly conduct exercises and drills designed to ensure our ability to effectively perform cybersecurity incident response functions. We have also expanded our collaborative activities with government agencies, other companies in the financial industry and other information security communities, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financials Information Sharing and Analysis Center Japan (F-ISAC), the Forum of Incident Response and Security Teams (FIRST) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). Furthermore, in order to minimize third-party risks, we conduct risk assessments on third-party vendor contracts prior to contract initiation and subsequently conduct annual reviews to identify any significant changes in the risk environment. We also require our vendors to adhere to the standards set by us in order to ensure that our risk management protocols are consistently maintained. Along with regularly conducted internal reviews of our cybersecurity risk management program against market trends and best practices, we engage audit firms and external consultants as needed, receive evaluations, and utilize the results of these evaluations to continuously ensure and enhance the effectiveness of our program.
Governance	Governance
The Group Chief Information Officer (CIO) is responsible for operating and maintaining our cybersecurity risk management program and regularly reports on significant cybersecurity-related matters to the Board of Directors as well as the Executive Committee. In the fiscal year ended March 31, 2024, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included the progress and future policy directions of various key measures, such as those designed to protect public internet assets with subject to significant attack risk, to strengthen the security posture of our internal information security environment, and to improve the security posture of our overseas facilities. As the most senior manager responsible for cybersecurity risk, the Group CISO supervises the Cyber Security Division and directly reports to the Group CIO. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and coordinates incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members. Our current Group CIO has over twenty years of experience in IT management, including cybersecurity risk management, and has experience as a member of a government information security organization. Similarly, the current Group CISO and senior members of the Cyber Security Division have extensive cybersecurity management experience and expertise, with many members participating in financial industry information security organizations, including the F-ISAC.	The Group Chief Information Officer (CIO) is responsible for operating and maintaining our cybersecurity risk management program and regularly reports on significant cybersecurity-related matters to the Board of Directors as well as the Executive Committee. In the fiscal year ended March 31, 2025, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included a plan for enhancing our global group-wide cybersecurity governance program such as updating the global risk assessment framework and securing resources. The Group CIO receives direct reporting from the Group CISO, who, as the most senior manager responsible for cybersecurity risk, supervises the Cyber Security Division. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members. Our current Group CIO has over twenty years of experience in IT management, including cybersecurity risk management, and has experience as a member of a government information security organization. Similarly, the current Group CISO and senior members of the Cyber Security Division have extensive cybersecurity management experience and expertise, with many members participating in financial industry information security organizations, including the F-ISAC.
The Board of Directors decides key management policies and is responsible for management oversight. Decisions on particularly important matters, such as decisions on key management policies as cybersecurity risk management policy for the entire Group, and oversight of the execution of duties related to cybersecurity by directors and corporate executive officers are performed by the Board of Directors. In addition, the Risk Committee and the Audit Committee are established under the Board of Directors to assist the Board with oversight. The Risk Committee discusses and makes recommendations to the Board of Directors on material matters, including cybersecurity, relating to the risk management operations, matters relating to top risk matters and any other material matters that require discussion, and any other material matters that require discussion by the Risk Committee. The Audit Committee obtains reports from management, the Internal Audit Division and the external auditor on any cybersecurity risks and the risk management and corporate governance frameworks and the operation of such frameworks, and oversees them, and assists oversight of the Board of Directors.	The Board of Directors decides key cybersecurity risk management policies and oversees the execution of our cybersecurity risk management program on a global group-wide basis as part of its responsibility for deciding key management policies and overseeing management. The Board of Directors is informed by, and discusses with, the Group CIO, the Group CRO, who is responsible for assessing and overseeing management of material risks on a global group-wide basis, and other management members on important matters relating to risks from cybersecurity threats and management of such risks, while being assisted by board committees, including the Risk Committee and the Audit Committee, with the oversight of the execution of duties related to cybersecurity risk management carried out by directors and corporate executives. The Risk Committee receives reports from management and the Corporate Risk Management Division on, among other things, cybersecurity threats and incidents, risk trends in cybersecurity threat indicators, and the results of evaluations of the effectiveness of first-line controls in cybersecurity threat prevention and detection conducted by external consultants or audit firms, and discusses and makes recommendations to the Board of Directors on material cybersecurity risk-related matters. The Audit Committee obtains reports from management, the Internal Audit Division and external auditors on risks from cybersecurity threats, the management of such risks, and the design and operation of the corporate governance framework for cybersecurity risk management and, based on its analysis and expertise, assists the oversight of cybersecurity risk management by the Board of Directors.
Our cybersecurity risk management program is also operated and maintained under the supervision of the Board of Directors with the report on significant cybersecurity-related matters by the Group CIO and the assistance of the Risk Committee and the Audit Committee.

・三井住友ファイナンシャル

・2024.06.27 20-F (Annual report - foreign issuer)	・2025.06.27 (Annual report - foreign issuer)
Item 16K. Cybersecurity	Item 16K.Cybersecurity
The risk of cybersecurity threats is growing ever more serious as a result of the accelerated digitization of financial services and changes to the surrounding environment. We strengthen our security controls in order to achieve a society that is resilient to cybersecurity threats and provide more secure services to our customers.	The risk of cybersecurity threats is growing ever more serious as a result of the accelerated digitization of financial services and changes to the surrounding environment. We strengthen our security controls in order to achieve a society that is resilient to cybersecurity threats and provide more secure services to our customers.
SMFG and some of our group companies have established a “Declaration of Cybersecurity Management.” This declaration indicates that we acknowledge cybersecurity as a key management issue, and expresses a commitment to enhancing the security posture not just within our organization, but across society as a whole. Under this declaration, we promote the strengthening of cybersecurity controls led by management in order to counter the increasing severity and sophistication of cyber threats.	SMFG and some of our group companies have established a “Declaration of Cybersecurity Management.” This declaration indicates that we acknowledge cybersecurity as a key management issue, and expresses a commitment to enhancing the security posture not just within our organization, but across society as a whole. Under this declaration, we promote the strengthening of cybersecurity controls led by management in order to counter the increasing severity and sophistication of cyber threats.
Risk Management and Strategy	Risk Management and Strategy
We define cybersecurity threats as one of the top risks for our group. Under the concept of “three lines of defense,” we have integrated cybersecurity risk management, which assesses, identifies, and manages material risks from cybersecurity threats, into a company-wide framework and have established a structure with over 600 personnel. Cybersecurity risk management forms part of our cybersecurity operational plan, which is subject to approval by the Management Committee.	We define cybersecurity threats as one of the top risks for our group. Under the concept of “three lines of defense,” we have integrated cybersecurity risk management, which assesses, identifies, and manages material risks from cybersecurity threats, into a company-wide framework and have established a structure with over 700 personnel. Cybersecurity risk management forms part of our cybersecurity operational plan, which is subject to approval by the Management Committee.
We periodically engage third-party consultants to conduct maturity assessments based on global cybersecurity frameworks to test our cybersecurity controls. Using our threat intelligence function, we collect information such as the latest cybersecurity threats, vulnerabilities and geopolitical developments, and leverage them to detect and prevent those cybersecurity threats. To deter attacks exploiting vulnerabilities, we regularly conduct vulnerability assessments using various tools and also conduct threat-led penetration testing by entrusting external vendors to penetrate actual systems and evaluate vulnerabilities.	We periodically engage third-party consultants to conduct maturity assessments based on global cybersecurity frameworks to test our cybersecurity controls. Using our threat intelligence function, we collect information such as the latest cybersecurity threats, vulnerabilities and geopolitical developments, and leverage them to detect and prevent those cybersecurity threats. To deter attacks exploiting vulnerabilities, we regularly conduct vulnerability assessments using various tools and also conduct threat-led penetration testing by entrusting external vendors to penetrate actual systems and evaluate vulnerabilities.
We have designed a multilayered cyber defense system that includes detection and interception of suspicious communications from the outside, as well as operation and monitoring of various security programs and systems, to protect against various cyberattacks such as unauthorized access and mass access attacks. We have established a Security Operation Center (“SOC”) with a 24-hour, 365-day monitoring function and locate SOCs in various regions. Through coordination among SOCs in each region, we further strengthen security monitoring on a group-wide basis.	We have designed a multilayered cyber defense system that includes detection and interception of suspicious communications from the outside, as well as operation and monitoring of various security programs and systems, to protect against various cyberattacks such as unauthorized access and mass access attacks. We have established a Security Operation Center (“SOC”) with a 24-hour, 365-day monitoring function and locate SOCs in various regions. Through coordination among SOCs in each region, we further strengthen security monitoring on a group-wide basis.
In terms of preparedness for cyber incidents, we established a Computer Security Incident Response Team (“CSIRT”) to prepare for any incidents and have set up a response system. The CSIRT actively collects cyber information on attackers’ methods and vulnerabilities from both inside and outside of our organization and shares them with external organizations such as government authorities in relevant nations and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or other relevant organizations as necessary. In addition, we regularly participate in attack simulation exercises conducted by outside experts or the authorities to further strengthen our cyberattack response and resilience. We have established risk management processes including in relation to third parties such as outsourced vendors, and regularly monitor the actual situation.	In terms of preparedness for cyber incidents, we established a Computer Security Incident Response Team (“CSIRT”) to prepare for any incidents and have set up a response system. The CSIRT actively collects cyber information on attackers’ methods and vulnerabilities from both inside and outside of our organization and shares them with external organizations such as government authorities in relevant nations and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or other relevant organizations as necessary. In addition, we regularly participate in attack simulation exercises conducted by outside experts or the authorities to further strengthen our cyberattack response and resilience. We have established risk management processes including in relation to third parties such as outsourced vendors, and regularly monitor the actual situation.
For the fiscal year ended March 31, 2024, there were no cybersecurity incidents that had a material impact on our results of operations or financial condition.	For the fiscal year ended March 31, 2025, there were no cybersecurity incidents that had a material impact on our results of operations or financial condition.
Governance	Governance
The Management Committee regularly discusses cybersecurity risk management in order to further strengthen our security posture based on our cybersecurity operational plan.	The Management Committee regularly discusses cybersecurity risk management in order to further strengthen our security posture based on our cybersecurity operational plan.
In order to clarify the roles and responsibilities for promoting the effectiveness of security controls, the position of Group Chief Information Security Officer (“CISO”) has been assigned under the Group Chief Information Officer (“CIO”) and the Group Chief Risk Officer (“CRO”). The Group CISO is responsible for supervision and direction of controls to manage cybersecurity threats on a group-wide basis. The current Group CISO has been working in the systems sector for many years and has extensive experience in cybersecurity, technology risk management and information security. Group Vice CISOs and regional CISOs are stationed under the Group CISO to help secure cybersecurity controls.	In order to clarify the roles and responsibilities for promoting the effectiveness of security controls, the position of Group Chief Information Security Officer (“CISO”) has been assigned under the Group Chief Information Officer (“CIO”) and the Group Chief Risk Officer (“CRO”). The Group CISO is responsible for supervision and direction of controls to manage cybersecurity threats on a group-wide basis. The current Group CISO has been working in the systems sector for many years and has extensive experience in cybersecurity, technology risk management and information security. Group Vice CISOs and regional CISOs are stationed under the Group CISO to help secure cybersecurity controls.
Our directors, in their capacities serving on the full board of directors as well as on the risk committee and audit committee, obtain information and oversee the status of the cybersecurity risk management. Based on reports from the Group CIO regarding the status of cybersecurity risk management, the board supervises the cybersecurity operational plan and its implementation on risk management related to systems, including cybersecurity. The risk committee oversees the implementation of the cybersecurity operational plan on comprehensive risk management, which includes cybersecurity risk, based on regular reports from the Group CRO. The audit committee supervises the implementation status based on regular reports from the Group CISO on the status of cybersecurity controls. Additionally, members of our board of directors periodically receive reports on cybersecurity information including external threat trends and our cybersecurity control measures from the Group CISO.	Our directors, in their capacities serving on the full board of directors as well as on the risk committee and audit committee, obtain information and oversee the status of the cybersecurity risk management. Based on reports from the Group CIO regarding the status of cybersecurity risk management, the board supervises the cybersecurity operational plan and its implementation on risk management related to systems, including cybersecurity. The risk committee oversees the implementation of the cybersecurity operational plan on comprehensive risk management, which includes cybersecurity risk, based on regular reports from the Group CRO. The audit committee supervises the implementation status based on regular reports from the Group CISO on the status of cybersecurity controls. Additionally, members of our board of directors periodically receive reports on cybersecurity information including external threat trends and our cybersecurity control measures from the Group CISO.

・みずほファイナンシャル

・2024.06.26 20-F (Annual report - foreign issuer)	・2025.06.25 20-F (Annual report - foreign issuer)
ITEM 16K. Cybersecurity	ITEM 16K. Cybersecurity
Cybersecurity Strategy	Cybersecurity Strategy
Many of our systems are connected to our domestic and overseas locations, and the systems of our customers and various payment institutions, through a global network. In light of the growing sophistication and scope of cyber-attacks, we recognize cybersecurity as an important management issue and continuously promote cybersecurity measures under management leadership.	Many of our systems are connected to our domestic and overseas locations, and the systems of our customers and various payment institutions, through a global network. As cyber attacks become more sophisticated, we recognize cybersecurity as an important management issue and continuously promote cybersecurity measures under management leadership.
We define cybersecurity risk as the risk that the group may incur tangible or intangible losses due to cybersecurity-related problems that occur at the group and/or at its clients, along with organizations, etc., that have a business relationship with the group, such as outside vendors and goods/services suppliers and view it as one of our top risks. Accordingly, we have established a system to centrally manage cybersecurity risk through the Risk Appetite Framework and the Comprehensive Risk Management Framework.	We define cybersecurity risk as the risk that the group may incur tangible or intangible losses due to cybersecurity-related problems that occur at the group and/or at its clients, along with organizations, etc., that have a business relationship with the group, such as outside vendors and goods/services suppliers and view it as one of our top risks. Accordingly, we have established a system to centrally manage cybersecurity risk through the Risk Appetite Framework and the Comprehensive Risk Management Framework.
Governance System	Governance System
At Mizuho Financial Group, the Board of Directors deliberates and resolves fundamental issues related to cybersecurity risk management. The Board of Directors receives reports from the Group Chief Information Security Officer (“CISO”) *1 on cybersecurity risks that may have an impact on management policies and strategies, annual business plans, medium- to long-term business plans, etc., other cybersecurity risks that the Board of Directors should be aware of from a medium- to long-term perspective, and important matters such as the status of risk control.	At Mizuho Financial Group, the Board of Directors deliberates and resolves fundamental issues related to cybersecurity risk management. The Board of Directors receives reports from the Group Chief Information Security Officer (“CISO”) on cybersecurity risks that may have an impact on management policies and strategies, annual business plans, medium- to long-term business plans, etc., other cybersecurity risks that the Board of Directors should be aware of from a medium- to long-term perspective, and important matters such as the status of risk control.
The Risk Committee and the IT/Digital Transformation Committee 2, both of which are advisory bodies to the Board of Directors, each receive reports from the Group CRO on the status of comprehensive risk management and from the Group CISO on basic matters related to cybersecurity risk management, evaluate conformity with our basic management policies and the appropriateness of our cyber initiatives, and present recommendations or opinions to the Board of Directors. In addition, the independent third line in the three lines of defense 3 conducts audits on the initiatives of the first and second lines, and reports the results to the Operational Audit Committee, etc.	The Risk Committee and the IT/Digital Transformation Committee 1, both of which are advisory bodies to the Board of Directors, each receive reports from the Group CRO on the status of comprehensive risk management and from the Group CISO on basic matters related to cybersecurity risk management, evaluate conformity with our basic management policies and the appropriateness of our cyber initiatives, and present recommendations or opinions to the Board of Directors. In addition, the independent third line in the three lines of defense 2 conducts audits on the initiatives of the first and second lines, and reports the results to the Operational Audit Committee, etc.
Under such supervision by the Board of Directors, the President and Chief Executive Officer oversees the cybersecurity risk management of Mizuho Financial Group, and the Group CISO, in accordance with the instructions of the Group CIO and the Group CRO, establishes measures for risk management through autonomous control activities by the first line, and monitoring, measurement, and evaluation by the second line of such autonomous control activities by the first line and give instructions to prevent cybersecurity risks that may arise from fraud or outsourcing, and to respond appropriately to cyber incidents.	Under such supervision by the Board of Directors, the President and Chief Executive Officer oversees the cybersecurity risk management of Mizuho Financial Group, and the Group CISO, in accordance with the instructions of the Group CIO and the Group CRO, establishes measures for risk management through autonomous control activities by the first line, and monitoring, measurement, and evaluation by the second line of such autonomous control activities by the first line and give instructions to prevent cybersecurity risks that may arise from fraud or outsourcing, and to respond appropriately to cyber incidents.
The Group CISO has been engaged in the IT and systems industry for more than 30 years and, with extensive knowledge and experience, is responsible for the planning and operation of cybersecurity risk management.	The Group CISO has been engaged in the IT and systems industry for more than 30 years and, with extensive knowledge and experience, is responsible for the planning and operation of cybersecurity risk management.
Based on the instructions of the Group CISO, the Cybersecurity Management Department identifies possible cybersecurity risks to our business and systems, evaluates our preparedness, assesses risks identified by analyzing the location and magnitude of cybersecurity risks, and then reviews and formulates additional measures to strengthen risk control, such as preventive measures and reactive responses, and strengthens risk control and governance through reflection in business plans.	Based on the instructions of the Group CISO, the Cybersecurity Management Department identifies possible cybersecurity risks to our business and systems, evaluates our preparedness, assesses risks identified by analyzing the location and magnitude of cybersecurity risks, and then reviews and formulates additional measures to strengthen risk control, such as preventive measures and reactive responses, and strengthens risk control and governance through reflection in business plans.
The Cybersecurity Management Department reports to the Group CISO on the status of cybersecurity risk management, and the Group CISO reports, and if applicable, submits proposals for deliberation, to the Management Committee via the IT Strategy Promotion Committee and to the Board of Directors, each on the status of our cybersecurity measures, etc., with the aim of developing and strengthening a system for ensuring cybersecurity.	The Cybersecurity Management Department reports to the Group CISO on the status of cybersecurity risk management, and the Group CISO regularly reports, and if applicable, submits proposals for deliberation, to the Management Committee via the IT Strategy Promotion Committee and to the Board of Directors, each on the status of our cybersecurity measures, etc., with the aim of developing and strengthening a system for ensuring cybersecurity.
We have appointed a person in charge of cybersecurity and have established a communication system at group companies, to monitor the status of our cybersecurity measures and to quickly gather information when an incident occurs.	We have appointed a person in charge of cybersecurity and have established a communication system at group companies, to monitor the status of our cybersecurity measures and to quickly gather information when an incident occurs.
Initiatives for Cybersecurity Measures	Initiatives for Cybersecurity Measures
Based on the cybersecurity risks identified and assessed by the Cybersecurity Management Department, Mizuho Financial Group promotes cybersecurity risk management measures across the group, globally and in our supply chains. Specifically, the Mizuho-Cyber Incident Response Team 4 and other highly qualified professionals are deployed, and a 24-hour, 365-day a year monitoring system is in place using an integrated Security Operation Center 5, etc., while making full use of intelligence and advanced technologies in cooperation with external specialized agencies.	To identify and prevent the manifestation of cybersecurity risks, we collaborate with external organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other financial institutions. We collect threat intelligence and implement prioritized measures based on the potential impact on us.
Our systems have a virus analysis and a multi-layered defense mechanism, and we are working to strengthen our resilience by implementing Threat-Led Penetration Testing *6 to test the effectiveness of these technical measures and the effectiveness of the response process.	Specifically, we take measures to ensure consistent security throughout the entire system development lifecycle, from the planning phase to the development and operation phases.
We are also focusing on human resources development, such as conducting study groups for directors including outside directors, cybersecurity training for each executive layer, and phishing email training for all executives and employees at least once every six months.	After the release of systems, we promptly identify and address the impact of disclosed vulnerability information on our group’s system by introducing configuration management database, and vulnerability scanner systems.
We confirm in advance and on a regular basis the security management preparedness, including responses in the event of a cyber-incident, of third parties such as cloud service providers that provide outsourcing and cloud services. When we receive reports of cyber-incidents from third parties, in addition to identifying and analyzing the impact on the group, we also strive to respond appropriately to risks when there is concern about the impact on the group.	To evaluate the effectiveness of these technical measures against cyber attacks on our systems, we also regularly conduct vulnerability assessments and Threat-Led Penetration Testing *3.
In order to evaluate the maturity of these cybersecurity measures, we refer to third party assessment by the Cybersecurity Assessment Tool of the Federal Financial Institutions Examination Council and the Cybersecurity Framework of the National Institute of Standards and Technology.	As part of our preparedness measures, the Mizuho-Cyber Incident Response Team 4 and other highly qualified professionals are deployed, and a 24-hour, 365-day a year monitoring system is in place using an integrated Security Operation Center 5, etc.
	We are also focusing on human resources development, such as conducting study groups for directors including outside directors, cybersecurity training for each executive and employee layer, and phishing email training for all executives and employees at least once every six months.
	Additionally, we confirm in advance before, and on a regular basis after entering into a contract with a third party, the security management preparedness, including responses in the event of a cyber incident, of third parties such as cloud service providers that provide outsourcing and cloud services. When we receive reports of cyber incidents from third parties, in addition to identifying and analyzing the impact on the group, we also strive to respond appropriately to risks when there is concern about the impact on the group.
	We verify the effectiveness of our cybersecurity posture by referring to external frameworks related to cybersecurity, such as the Cybersecurity Framework developed by the National Institute of Standards and Technology and guidelines on cybersecurity published by the Financial Services Agency. Additionally, we also undergo evaluations by third parties.
	Impact and Response When a Cyber-Incident Occurs
	As a result of our enhanced cybersecurity measures, we are not aware of any past cyber attacks that could have had a significant impact on investor decisions or could have materially affected our business operations, results of operations and financial condition, in the fiscal year ended March 31, 2025. However, in the event of a cyber attack due to a failure to strengthen cybersecurity measures, leaks or falsification of electronic data, suspension of business operations, information leaks, and unauthorized remittances may occur and cause inconvenience and disadvantage to our customers.
	In addition, our business operations, results of operations and financial condition may be materially affected by compensation for damages, administrative actions and damage to reputation.
	In the unlikely event that a cyber-incident is detected, or if it is determined on firm grounds that the likelihood of a cyber incident occurring is very high, the Cybersecurity Management Department will report the cyber incident to the Group CISO. The Group CISO reports to the Management Committee and the Board of Directors when particularly important incidents occur or are likely to occur.
Based on the instructions from the Group CISO, the Cybersecurity Management Department monitors the cause of the incident (including incidents for which the likelihood of occurrence is determined on firm grounds to be very high), the nature and extent of the damage or expected damage, supports the formulation of effective containment, eradication, and recovery measures, analyzes attack methods or expected attack methods based on cyber-incident information, and conducts incident response.	Based on the instructions from the Group CISO, the Cybersecurity Management Department monitors the cause of the incident (including incidents for which the likelihood of occurrence is determined on firm grounds to be very high), the nature and extent of the damage or expected damage, supports the formulation of effective containment, eradication, and recovery measures, analyzes attack methods or expected attack methods based on cyber incident information, and conducts incident response.
Even after incident recovery, the Cybersecurity Management Department monitors changes that could lead to cyber-incidents in the group and promptly reports to the Group CISO when a breach of the threshold is identified. In addition, the Cybersecurity Management Department analyzes and evaluates the status of causes and risks, and implements necessary measures after consulting with the Group CISO on the response policy.	Even after incident recovery, the Cybersecurity Management Department monitors changes that could lead to cyber incidents in the group and promptly reports to the Group CISO when a breach of the threshold is identified. In addition, the Cybersecurity Management Department analyzes and evaluates the status of causes and risks, and implements necessary measures after consulting with the Group CISO on the response policy.
*1 Chief Information Security Officer	*1 IT/Digital Transformation Committee (as described in “Item6.C. Board Practices”)
*2 IT/Digital Transformation Committee (as described in “Item6.C. Board Practices”)	*2 Three lines of defense (concept for defining and classifying organizational functions and responsibilities in risk management and compliance)
*3 Three lines of defense (concept for defining and classifying organizational functions and responsibilities in risk management and compliance)	*3 Threat-Led Penetration Testing (evaluation of systems and response processes by analyzing targeted threats and conducting attacks that mimic actual attacks)
*4 Cyber Incident Response Team (incident response teams within the Cybersecurity Management Department that specialize in information security issues within the organization)	*4 Cyber Incident Response Team (incident response teams within the Cybersecurity Management Department that specialize in information security issues within the organization)
*5 Security Operation Center (a specialized team within the Cybersecurity Management Department that monitors and analyzes threats to information systems in organizations such as enterprises)	*5 Security Operation Center (a specialized team within the Cybersecurity Management Department that monitors and analyzes threats to information systems in organizations such as enterprises)
*6 Threat-Led Penetration Testing (evaluation of systems and response processes by analyzing targeted threats and conducting attacks that mimic actual attacks)

・ORIX

・野村ホールディングス

・2024.06.26 20-F (Annual report - foreign issuer)	・2025.06.23 20-F (Annual report - foreign issuer)
Item 16K.Cybersecurity	Item 16K.Cybersecurity
Risk Management and Strategy	Risk Management and Strategy
Nomura maintains a comprehensive cybersecurity strategy. Identifying, assessing and managing cybersecurity threats and risks are an integral component of Nomura’s Operational Risk Management (ORM) Framework. See Item 11. “Quantitative and Qualitative Disclosures about Market, Credit and Other Risk—Operational Risk Management Framework” for further information on the framework.	Nomura maintains a comprehensive cybersecurity strategy. Identifying, assessing and managing cybersecurity threats and risks are an integral component of Nomura’s Operational Risk Management (ORM) Framework. See Item 11. “Quantitative and Qualitative Disclosures about Market, Credit and Other Risk—Overview of Risk Management Policy and Procedures” for further information on the framework.
Nomura has invested and is continuing to invest in its cybersecurity strategy to address fast-evolving and sophisticated cybersecurity threats while at the same time complying with extensive global, legal and regulatory expectations. Our cybersecurity programs are designed to be in line with industry best practice standards and include core capabilities such as Security Governance, Security Awareness and Training, Threat Intelligence & Management, Security Operations Management, Vulnerability Management, Application Security, Data Security, and Identity and Access Management.	Nomura has invested and is continuing to invest in its cybersecurity strategy to address fast-evolving and sophisticated cybersecurity threats while at the same time complying with extensive global, legal and regulatory expectations. Our cybersecurity programs are designed to be in line with industry best practice standards and include core capabilities such as Security Governance, Security Awareness and Training, Threat Intelligence & Management, Security Operations Management, Vulnerability Management, Application Security, Data Security, and Identity and Access Management.
Nomura is regularly engaging various external service providers to perform independent assessments of our cybersecurity programs and controls. The results from these independent engagements are integrated into updates to our cybersecurity strategy as appropriate. We also conduct our own regular internal security assessments, such as penetration testing, vulnerability scanning, red teaming, and tabletop cyber attack simulations.	Nomura is regularly engaging various external service providers to perform independent assessments of our cybersecurity programs and controls. The results from these independent engagements are integrated into updates to our cybersecurity strategy as appropriate. We also conduct our own regular internal security assessments, such as penetration testing, vulnerability scanning, red teaming, and tabletop cyber attack simulations.
Nomura has developed a Third-Party Security Risk Management program that monitors and assesses the cybersecurity controls of our third-party vendors, which include, among others, service providers, SaaS providers, contractors, consultants, suppliers, etc. This program provides a consistent, controlled, cross-divisional approach to managing the services provided by third-party vendors. We perform various risk identification activities including security questionnaires, threat intel reports, SOC2 Type 2 attestation, and onsite reviews for critical suppliers. We also perform periodic reassessment of existing critical vendors. Security risks and exceptions observed are monitored per our global Operational Risk Management framework.	Nomura has developed a Third-Party Security Risk Management program that monitors and assesses the cybersecurity controls of our third-party vendors, which include, among others, service providers, SaaS providers, contractors, consultants, suppliers, etc. This program provides a consistent, controlled, cross-divisional approach to managing the services provided by third-party vendors. We perform various risk identification activities including security questionnaires, threat intel reports, SOC2 Type 2 attestation, and onsite reviews for critical suppliers. We also perform periodic reassessment of existing critical vendors. Security risks and exceptions observed are monitored per our global Operational Risk Management framework.
During the fiscal year ended March 31, 2024, we did not identify any risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, there is no guarantee that our business strategy, results of operations and financial condition will not be materially affected by a future cybersecurity incident, and we cannot provide assurances that we have not had occurrences of undetected cybersecurity incidents. See Item 3.D “ Risk Factors ” for further information on our cybersecurity-related risks.	During the year ended March 31, 2025, we did not identify any risks from cybersecurity threats, including as a result of previously identified cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations or financial condition. However, there is no guarantee that our business strategy, results of operations and financial condition will not be materially affected by a future cybersecurity incident, and we cannot provide assurances that we have not had occurrences of undetected cybersecurity incidents. See Item 3.D “Risk Factors” for further information on our cybersecurity-related risks.
Cybersecurity Risk Governance	Cybersecurity Risk Governance
Nomura’s cybersecurity strategy and programs are managed by senior officers: the Group Chief Information Officer (“CIO”), who is supported by the Group Chief Information Security Officer (“CISO”) and the Group Chief Data Officer (“CDO”).	Nomura’s cybersecurity strategy and programs are managed by senior officers: the Group Chief Information Officer (“CIO”), who is supported by the Group Chief Information Security Officer (“CISO”) and the Group Chief Data Officer (“CDO”).
These senior officers have extensive experience in technology, cybersecurity, information security, and data protection and privacy. The CIO has over 35 years of experience in various engineering, IT, Operations and information security roles. The CISO has over 20 years of experience leading cybersecurity teams at financial institutions, including in the areas of security engineering, risk and control management, data privacy, information security, and cybersecurity. The CDO has over 25 years of experience in data and analytics-led business transformation.	These senior officers have extensive experience in technology, cybersecurity, information security, and data protection and privacy. The CIO has over 35 years of experience in various engineering, IT, Operations and information security roles. The CISO has over 25 years of experience leading cybersecurity teams at financial institutions, including in the areas of security engineering, risk and control management, data privacy, information security, and cybersecurity. The CDO has over 25 years of experience in data and analytics-led business transformation.
Our Board of Directors (“BoD”) has overall responsibility for risk management, with its committees assisting the BoD in performing this function based on their respective areas of expertise. Our BoD delegates its authority to execute business to the Executive Officers led by Group CEO to the extent permitted by law. Among the matters delegated to the Executive Officers by the BoD, the most important matters of business are decided upon deliberation by the Executive Management Board (“EMB”) which consists of the Executive Officers. The EMB delegates responsibility for deliberation of matters concerning risk management including cybersecurity risks to the Group Risk Management Committee (“GRMC”). The CIO is an observer of the EMB and the GRMC, and provides cybersecurity updates to the EMB and the GRMC.	Our Board of Directors (“BoD”) has overall responsibility for risk management, with its committees assisting the BoD in performing this function based on their respective areas of expertise. Our BoD delegates its authority to execute business to the Executive Officers led by Group CEO to the extent permitted by law. Among the matters delegated to the Executive Officers by the BoD, the most important matters of business are decided upon deliberation by the Executive Management Board (“EMB”) which consists of the Executive Officers. The EMB delegates responsibility for deliberation of matters concerning risk management including cybersecurity risks to the Group Risk Management Committee (“GRMC”). The CIO is an observer of the EMB and the GRMC, and provides cybersecurity updates to the EMB and the GRMC.
The GRMC, based on a delegation from the EMB, meets regularly and reports on its activities and findings to the EMB. These meetings cover critical security topics such as resources and budget in cybersecurity risk mitigation and governance, cybersecurity risks, as well as security incidents and cyber tabletop simulations. In addition to these regular reporting activities to the GRMC, the EMB, and the BoD, potentially material cybersecurity events will be escalated to the same management bodies as well as key stakeholders according to Nomura’s security incident response process including crisis management perspectives.	The GRMC, based on a delegation from the EMB, meets regularly and reports on its activities and findings to the EMB. These meetings cover critical security topics such as resources and budget in cybersecurity risk mitigation and governance, cybersecurity risks, as well as security incidents and cyber tabletop simulations. In addition to these regular reporting activities to the GRMC, the EMB, and the BoD, potentially material cybersecurity events will be escalated to the same management bodies as well as key stakeholders according to Nomura’s security incident response process including crisis management perspectives.

・タケダ

・ソニー

・トヨタ

・ホンダ

⚫︎ まるちゃんの情報セキュリティ気まぐれ日記

・2024.10.25 米国 SEC Unisys、Checkpointほか、年次報告書における誤解を与えるセキュリティ開示で罰金を支払う...

・2024.07.19 SECのルールの改正によるサイバーセキュリティ開示 (20-F) 阿里巴巴 (Alibaba)、捜狐 (SOHU)、網易 (NETEASE) の場合

・2024.07.15 SECのルールの改正によるサイバーセキュリティ開示 (20-F) 三井住友ファイナンシャル、ORIX、みずほファイナンシャル、野村、タケダ、ソニー、トヨタ、ホンダの場合（MUFGも追加）

・2024.07.14 SECのルールの改正によるサイバーセキュリティ開示 (10-K) IBM, Intel, Boeing, AMEX, Jonson & Johnson, Pfizer, Coca-Cola. McDonaldsの場合

2025.07.30 00:00 in 情報セキュリティ / サイバーセキュリティ, in 法律 / 犯罪, in ESG/CSR, in 内部統制 / リスクマネジメント | Permalink
Tweet

まるちゃんの情報セキュリティ気まぐれ日記

サイト内検索

Archives

Categories

Recent Posts

Recent Comments

Recent Trackbacks

連載 (ITmedia)

ウェブページ

2025.07.30

SEC Cybersecurity の開示昨年からの比較...

Comments

Post a comment

ココログ

まるちゃん

関連団体

情報法関連Blog

情報法 Web

セキュリティ Blog

セキュリティ web

内部統制

・2024.02.26 10-K (Annual report)	・2025.02.25 10-K (Annual report)
Item 1C.Cybersecurity:	Item 1C.Cybersecurity:
Risk Management and Strategy	Risk Management and Strategy
Cybersecurity is a critical part of risk management at IBM and is integrated with the company’s overall enterprise risk management framework. The Board of Directors and the Audit Committee of the Board are responsible for overseeing management’s execution of cybersecurity risk management and for assessing IBM’s approach to risk management. Senior management is responsible for assessing and managing IBM’s exposure to cybersecurity risks on an ongoing basis.	Cybersecurity is a critical part of risk management at IBM and is integrated with the company’s overall enterprise risk management framework. The Board of Directors and the Audit Committee of the Board are responsible for overseeing management’s execution of cybersecurity risk management and for assessing IBM’s approach to risk management. Senior management is responsible for assessing and managing IBM’s exposure to cybersecurity risks on an ongoing basis.
From an enterprise perspective, we implement a multi-faceted risk management approach based on the National Institute of Standards and Technology Cybersecurity Framework. We have established policies and procedures that provide the foundation upon which IBM’s infrastructure and data are managed. We regularly assess and adjust our technical controls and methods to identify and mitigate emerging cybersecurity risks. We use a layered approach with overlapping controls to defend against cybersecurity attacks and threats on IBM networks, end-user devices, servers, applications, data, and cloud solutions.	From an enterprise perspective, we implement a multi-faceted risk management approach based on the National Institute of Standards and Technology Cybersecurity Framework. We have established policies and procedures that provide the foundation upon which IBM’s infrastructure and data are managed. We regularly assess and adjust our technical controls and methods to identify and mitigate emerging cybersecurity risks. We use a layered approach with overlapping controls to defend against cybersecurity attacks and threats on IBM networks, end-user devices, servers, applications, data, and cloud solutions.
We draw heavily on our own commercial security solutions and services to manage and mitigate cybersecurity risks. IBM maintains a Security Operations Center (“SOC”) that monitors for threats to IBM’s networks and systems, utilizing threat intelligence provided by a range of sources, including the IBM Security X-Force Exchange platform, which maintains one of the largest compilations of threat intelligence in the world. We also rely on tools licensed from third party security vendors to monitor and manage cybersecurity risks. We periodically engage third parties to supplement and review our cybersecurity practices and provide relevant certifications.	We draw heavily on our own commercial security solutions and services to manage and mitigate cybersecurity risks. IBM maintains a Security Operations Center (“SOC”) that monitors for threats to IBM’s networks and systems, utilizing threat intelligence provided by a range of sources, including the IBM Security X-Force Exchange platform, which maintains one of the largest compilations of threat intelligence in the world. We also rely on tools licensed from third party security vendors to monitor and manage cybersecurity risks. We periodically engage third parties to supplement and review our cybersecurity practices and provide relevant certifications.
We have a global incident response process, managed by IBM’s Computer Security Incident Response Team (“CSIRT”), that relies primarily on internal expertise to respond to cybersecurity threats and attacks. We utilize a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among our workforce, including responsibility for reporting suspicious activity.	We have a global incident response process, managed by IBM’s Computer Security Incident Response Team (“CSIRT”), that relies primarily on internal expertise to respond to cybersecurity threats and attacks. We utilize a combination of online training, educational tools, videos and other awareness initiatives to foster a culture of security awareness and responsibility among our workforce, including responsibility for reporting suspicious activity.
IBM has a third party supplier risk management program to oversee and identify risks from cybersecurity threats associated with its use of third party service providers and vendors. Risks are assessed and prioritized based, among other things, on the type of offering/engagement, supplier assessments, threat intelligence, and industry practices.	IBM has a third party supplier risk management program to oversee and identify risks from cybersecurity threats associated with its use of third party service providers and vendors. Risks are assessed and prioritized based, among other things, on the type of offering/engagement, supplier assessments, threat intelligence, and industry practices.
As discussed in greater detail in Item 1A., "Risk Factors," the company faces numerous and evolving cybersecurity threats, including risks originating from intentional acts of criminal hackers, hacktivists, nation states and competitors; from intentional and unintentional acts or omissions of customers, contractors, business partners, vendors, employees and other third parties; and from errors in processes or technologies, as well as the risks associated with an increase in the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. While the company continues to monitor for, identify, investigate, respond to and remediate cybersecurity risks, including incidents and vulnerabilities, there have not been any that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity risks that will have a material adverse effect in the future.	As discussed in greater detail in Item 1A., "Risk Factors," the company faces numerous and evolving cybersecurity threats, including risks originating from the increased use of AI, intentional acts of individual and groups of criminal hackers, hacktivists, state-sponsored organizations, nation states and competitors; from intentional and unintentional acts or omissions of customers, contractors, business partners, vendors, employees and other third parties; and from errors in processes or technologies, as well as the risks associated with the number of customers, contractors, business partners, vendors, employees and other third parties working remotely. While the company continues to monitor for, identify, investigate, respond to and remediate cybersecurity risks, including incidents and vulnerabilities, there have not been any that have had a material adverse effect on the company, though there is no assurance that there will not be cybersecurity risks that will have a material adverse effect in the future.
Governance	Governance
IBM’s Enterprise & Technology Security (“E&TS”) organization has oversight responsibility for the security of both IBM’s internal systems and external offerings and works across all of the organizations within the company to protect IBM, its brand, and its clients against cybersecurity risks. E&TS also addresses cybersecurity risks associated with third party suppliers. For these purposes, E&TS includes a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes for IBM’s internal systems. The CISO manages the CSIRT. The CISO also manages the Product Security Incident Response Team (“PSIRT”), which focuses on product vulnerabilities potentially affecting the security of offerings sold to customers. IBM also has Business Information Security Officers (“BISO”) who coordinate with the Office of the CISO on security issues specific to particular business segments.	IBM’s Enterprise & Technology Security (“E&TS”) organization has oversight responsibility for the security of both IBM’s internal systems and external offerings and works across all of the organizations within the company to protect IBM, its brand, and its clients against cybersecurity risks. E&TS also addresses cybersecurity risks associated with third party suppliers. For these purposes, E&TS includes a dedicated Chief Information Security Officer (“CISO”) whose team is responsible for leading enterprise-wide information security strategy, policy, standards, architecture, and processes for IBM’s internal systems. The CISO manages the CSIRT. The CISO also manages the Product Security Incident Response Team (“PSIRT”), which focuses on product vulnerabilities potentially affecting the security of offerings sold to customers. IBM also has Business Information Security Officers (“BISO”) who are coordinated by the Office of the CISO on security issues specific to particular business segments.
The CSIRT team, together with the Office of the Chief Information Officer (“CIO”), Cyber Legal, Corporate Security, and BISOs, engages in on-going reviews of incidents, threat intelligence, detections, and vulnerabilities, including to assess client and regulatory impact. Events of interest are promptly reported to the Senior Vice President (“SVP”) for Legal & Regulatory Affairs and General Counsel (“GC”) and the SVP overseeing cybersecurity (“SVP Sponsor”).	The CSIRT team, together with the Office of the Chief Information Officer (“CIO”), Cyber Legal, Corporate Security, and BISOs, engages in on-going reviews of incidents, threat intelligence, detections, and vulnerabilities, including to assess client and regulatory impact. Events of interest are promptly reported to the Senior Vice President (“SVP”) and Chief Legal Officer ("CLO"), and the SVP overseeing cybersecurity (“SVP Sponsor”).
Incidents are delegated to an appropriate incident response team for assessment, investigation, and remediation. Depending on the nature of the matter, the incident response team may include individuals from E&TS, the Office of the CISO, the Office of the CIO, Cyber Legal, Business Units, the Chief Privacy Office, Human Resources, Procurement, Finance and Operations, and Corporate Security. The incident response teams advise and consult with the GC and the SVP Sponsor, as appropriate.	Incidents are delegated to an appropriate incident response team for assessment, investigation, and remediation. Depending on the nature of the matter, the incident response team may include individuals from E&TS, the Office of the CISO, the Office of the CIO, Cyber Legal, Business Units, the Office of Privacy and Responsible Technology, Human Resources, Procurement, Finance and Operations, and Corporate Security. The incident response teams advise and consult with the CLO and the SVP Sponsor, as appropriate.
The Cybersecurity Advisory Committee (“CAC”) meets regularly and is responsible for overseeing management of the Company’s cybersecurity risk. The CAC is composed of, among others, SVPs from the major business units, the SVP Sponsor, and the GC. The CAC is responsible for, among other things, setting the Company’s governance structure for managing cybersecurity risk and reviewing noteworthy cybersecurity incidents and strategies to prevent recurrence. IBM management responsible for managing cybersecurity risk reflects a cross-section of functions from across the organization with significant experience in managing such risk as well as the technologies underlying these risks. They also hold leadership positions outside of IBM in the field of cybersecurity, serving on governing and advisory boards of public and private institutions at the forefront of issues related to cybersecurity, including technology development, cybersecurity policy, and national security.	The Cybersecurity Advisory Committee (“CAC”) meets regularly and is responsible for overseeing management of the Company’s cybersecurity risk. The CAC is composed of, among others, SVPs from the major business units, the SVP Sponsor, and the CLO. The CAC is responsible for, among other things, setting the Company’s governance structure for managing cybersecurity risk and reviewing noteworthy cybersecurity incidents and strategies to prevent recurrence. IBM management responsible for managing cybersecurity risk reflects a cross-section of functions from across the organization with significant experience in managing such risk as well as the technologies underlying these risks. They also hold leadership positions outside of IBM in the field of cybersecurity, serving on governing and advisory boards of public and private institutions at the forefront of issues related to cybersecurity, including technology development, cybersecurity policy, and national security.
The Board of Directors and the Audit Committee oversees the cyber governance process. Leadership from E&TS, including the CISO, make regular presentations to the Audit Committee and the full Board on identification, management, and remediation of cybersecurity risks, both internal and external, as well as threat intelligence, emerging global policies and regulations, cybersecurity technologies, and best practices. In addition, senior management provides briefings as needed to the Audit Committee Chair, the Audit Committee, and, as appropriate, the full Board, on cybersecurity issues and incidents of potential interest.	The Board of Directors and the Audit Committee oversee the cyber governance process. Leadership from E&TS, including the CISO, make regular presentations to the Audit Committee and the full Board on identification, management, and remediation of cybersecurity risks, both internal and external, as well as threat intelligence, emerging global policies and regulations, cybersecurity technologies, and best practices. In addition, senior management provides briefings as needed to the Audit Committee Chair, the Audit Committee, and, as appropriate, the full Board, on cybersecurity issues and incidents of potential interest.

・2024.02.22 10-K (Annual report)	・2025.02.27 10-K (Annual report)
ITEM 1C CYBERSECURITY	ITEM 1C CYBERSECURITY
Managing cybersecurity risk is a crucial part of our overall strategy for safely operating our business. We incorporate cybersecurity practices into our Enterprise Risk Management (ERM) approach, which is subject to oversight by our BOD. Our cybersecurity policies and practices are aligned with relevant industry standards.	Managing cybersecurity risk is a crucial part of our overall strategy for safely operating our business. We incorporate cybersecurity practices into our Enterprise Risk Management (ERM) program. Management is responsible for assessing and managing risk, including through the ERM program, subject to oversight by our BOD. Our cybersecurity policies and practices are aligned with NIST (National Institute of Standards and Technology) industry standards.
Consistent with our overall ERM program and practices, our cybersecurity program includes:	Consistent with our overall ERM program and practices, our cybersecurity program includes:
• Vigilance: We maintain a global cybersecurity operation that endeavors to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing business disruptions. <	•Vigilance: We maintain a global cybersecurity operation that endeavors to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimizing business disruptions.
• External Collaboration: We collaborate with public and private entities, including intelligence and law enforcement agencies, industry groups and third-party service providers to identify, assess and mitigate cybersecurity risks.	•External Collaboration: We collaborate with public and private entities, including intelligence and law enforcement agencies, industry groups and third-party service providers to identify, assess and mitigate cybersecurity risks.
• Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems, products, operations and sensitive information from cybersecurity threats. These include firewalls, intrusion prevention and detection systems, disaster recovery capabilities, malware and ransomware prevention, access controls and data protection. We continuously conduct vulnerability assessments to identify new risks and periodically test the efficacy of our safeguards through both internal and external penetration tests.	•Systems Safeguards: We deploy technical safeguards that are designed to protect our information systems, products, operations and sensitive information from cybersecurity threats. These include firewalls, intrusion prevention and detection systems, disaster recovery capabilities, malware and ransomware prevention, access controls and data protection. We continuously conduct vulnerability assessments to identify new risks and periodically test the efficacy of our safeguards through both internal and external penetration tests.
• Education: We provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Our policies require all workers to report any real or suspected cybersecurity events.	•Education: We provide periodic training for all personnel regarding cybersecurity threats, with such training appropriate to the roles, responsibilities and access of the relevant Company personnel. Our policies require all workers to report any real or suspected cybersecurity events.
• Supplier Ecosystem Management: We extend our cybersecurity management control expectations to our supply chain ecosystem, as applicable. This includes identifying cybersecurity risks presented by third parties.	•Supplier Ecosystem Management: We extend our cybersecurity management control expectations to our supply chain ecosystem, as appropriate. This includes identifying cybersecurity risks presented by third parties.
• Incident Response Planning: We have established, and maintain and periodically test, incident response plans that direct our response to cybersecurity events and incidents. Such plans include the protocol by which material incidents would be communicated to executive management, our BOD, external regulators and shareholders.	•Incident Response Planning: We have established, and maintain and periodically test, incident response plans that direct our response to cybersecurity events and incidents. Such plans include the protocol by which certain significant or potentially material incidents would be communicated to executive management, our BOD, external regulators and shareholders, as appropriate.
• Enterprise-Wide Coordination: We engage experts from across the Company to identify emerging risks and respond to cybersecurity threats. This cross-functional approach includes personnel from our R&D, manufacturing, commercial, technology, legal, compliance, internal audit and other business functions.	•Enterprise-Wide Coordination: We engage relevant stakeholders from across the Company to identify emerging risks and respond to cybersecurity threats. This cross-functional approach includes personnel from our R&D, manufacturing, commercial, technology, legal, compliance, internal audit and other business functions.
• Governance: Our BOD’s oversight of cybersecurity risk management is led by the Audit Committee, which oversees our ERM program. Cybersecurity threats, risks and mitigation are periodically reviewed by the Audit Committee and such reviews include both internal and independent assessment of risks, controls and effectiveness.	•Governance: Our BOD’s oversight of cybersecurity risk management is led by the Audit Committee, which oversees our ERM program. Cybersecurity threats, risks and mitigation are periodically reviewed by the Audit Committee and such reviews include both internal and independent assessment of risks, controls and effectiveness.
Our risk assessment efforts have indicated that we are a target for theft of intellectual property, financial resources, personal information, and trade secrets from a wide range of actors including nation states, organized crime, malicious insiders and activists. The impacts of attacks, abuse and misuse of Pfizer’s systems and information include, without limitation, loss of assets, operational disruption and damage to Pfizer’s reputation.	Our risk assessment efforts have indicated that we are a target for theft of intellectual property, financial resources, personal information, and trade secrets from a wide range of actors including nation states, organized crime, malicious insiders and activists. The impacts of attacks, abuse and misuse of Pfizer’s systems and information could include, without limitation, loss of assets, operational disruption and damage to Pfizer’s reputation.
A key element of managing cybersecurity risk is the ongoing assessment and testing of our processes and practices through auditing, assessments, drills and other exercises focused on evaluating the sufficiency and effectiveness of our risk mitigation. We regularly engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. Certain results of such assessments and reviews are reported to the Audit Committee and the BOD, as appropriate, and we make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.	A key element of managing cybersecurity risk is the ongoing assessment and testing of our processes and practices through auditing, assessments, drills and other exercises focused on evaluating the sufficiency and effectiveness of our risk mitigation. We regularly engage third parties to perform assessments of our cybersecurity measures, including information security maturity assessments and independent reviews of our information security control environment and operating effectiveness. Certain results of such assessments and reviews are reported by the Chief Information Security Officer (CISO) to certain senior leaders, the Audit Committee and the BOD, as appropriate, and we make adjustments to our cybersecurity processes and practices as necessary based on the information provided by the third-party assessments and reviews.
The Audit Committee oversees cybersecurity risk management, including the policies, processes and practices that management implements to prevent, detect and address risks from cybersecurity threats. The Audit Committee receives regular briefings on cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and considerations arising from our supplier ecosystem. The Audit Committee may also promptly receive information regarding any material cybersecurity incident that may occur, including any ongoing updates regarding the same. The Audit Committee periodically discusses our approach to cybersecurity risk management with our Chief Information Security Officer (CISO).	The Audit Committee oversees cybersecurity risk management, including the policies, processes and practices that management implements to prevent, detect and address risks from cybersecurity threats. The Audit Committee receives periodic briefings on, and discusses with our CISO, cybersecurity risks and risk management practices, including, for example, recent developments in the external cybersecurity threat landscape, evolving standards, vulnerability assessments, third-party and independent reviews, technological trends and considerations arising from our supplier ecosystem. The Audit Committee may also promptly receive information regarding certain significant or potentially material cybersecurity incidents that may occur, including any ongoing updates regarding the same.
Our CISO is a member of our management team who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. The CISO works in coordination with other members of the management team, including, among others, the Chief Digital Officer, the Chief Financial Officer, the Chief Compliance and Risk Officer and the General Counsel and their designees. We believe our business leaders have the appropriate expertise, background and depth of experience to manage risks arising from cybersecurity threats.	Our CISO is a member of our management team who is principally responsible for overseeing our cybersecurity risk management program, in partnership with other business leaders across the Company. We believe our CISO and the information security organization have the appropriate expertise, background and depth of experience relating to monitoring the prevention, mitigation, detection and remediation of cybersecurity incidents to manage risks arising from cybersecurity threats. The CISO works in coordination with other members of the management team, including, among others, the Chief Digital Officer, the Chief Financial Officer and the Chief Legal Officer and their designees.
Our CISO, along with leaders from our privacy and corporate compliance functions, collaborate to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Prompt response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the CISO monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the Audit Committee and other Pfizer colleagues in accordance with our cybersecurity policies and procedures, as is appropriate.	Our CISO, along with leaders from our privacy and corporate compliance functions, collaborate to implement a program designed to manage our exposure to cybersecurity risks and to promptly respond to cybersecurity incidents. Prompt response to incidents is delivered by multi-disciplinary teams in accordance with our incident response plan. Through ongoing communications with these teams during incidents, the CISO monitors the triage, mitigation and remediation of cybersecurity incidents, and reports such incidents to executive management, the Audit Committee and other Pfizer colleagues in accordance with our cybersecurity policies and procedures, as is appropriate.
As of the date of this Form 10-K, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition at this time. For further discussion of the risks associated with cybersecurity incidents, see the Item 1A. Risk Factors—Information Technology and Security section in this Form 10-K.	For the fiscal year ended December 31, 2024, we are not aware of any cybersecurity incidents that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition. For further discussion of the risks associated with cybersecurity incidents, see the Item 1A. Risk Factors—Information Technology and Security section in this Form 10-K.

・2024.06.27 20-F (Annual report - foreign issuer)	・2025.06.24 20-F (Annual report - foreign issuer)
Item 16K.Cybersecurity	Item 16K.Cybersecurity
(1) Risk management and strategy	(1) Risk management and strategy
Our Information Security Control Department reports to and manages cyber and information security risks to the Information Technology Management Committee.	Our Information Security Control Department reports to and manages cyber and information security risks to the Information Technology Management Committee.
Our Information Security Control Department has established a cyber and information security awareness training program for our consolidated group companies. All employees of our consolidated group companies, including investee companies, and employees of outsourcing companies with access to our network are required to take online training at least once a year. These educational programs also include phishing e-mails simulations, which are conducted several times a year on an irregular basis. We also provide training through escalation and response simulations in the event of a cyber or information security incident.	Our Information Security Control Department has established a cyber and information security awareness training program for our consolidated group companies. All employees of our consolidated group companies, including investee companies, and employees of outsourcing companies with access to our network are required to take online training at least once a year. These educational programs also include phishing e-mails simulations, which are conducted several times a year on an irregular basis. We also provide training through escalation and response simulations in the event of a cyber or information security incident.
Each of our consolidated group companies is assigned an Information Security Accountable Owner, and cyber and information security knowledge and the Group’s security policies are shared with the companies on a quarterly basis to raise readiness levels across the ORIX Group.	Each of our consolidated group companies is assigned an Information Security Accountable Owner, and cyber and information security knowledge and the Group’s security policies are shared with the companies on a quarterly basis to raise readiness levels across the ORIX Group.
In order to control cyber and information security risks we face through our interactions with and reliance on third parties, such as through our outsourcing activities and use of cloud services, we conduct regular security assessments of business partners and outsourcing vendors. In addition, we have a framework in place for the Information Security Control Department to evaluate the security risks of information systems and cloud services provided by business partners and outsourcing vendors.	In order to control cyber and information security risks we face through our interactions with and reliance on third parties, such as through our outsourcing activities and use of cloud services, we conduct regular security assessments of business partners and outsourcing vendors. In addition, we have a framework in place for the Information Security Control Department to evaluate the security risks of information systems and cloud services provided by business partners and outsourcing vendors.
The Information Security Control Department is responsible for assessing and managing our cyber and information security risks and where necessary, engages third-party consultants for advice regarding specific areas where enhanced controls or in-depth analysis is required.	The Information Security Control Department is responsible for assessing and managing our cyber and information security risks and where necessary, engages third-party consultants for advice regarding specific areas where enhanced controls or in-depth analysis is required.
The ORIX Group has also established a framework to respond to cyber and information security incidents and to mitigate the risk of security breaches, system failures and information leaks, including cyber attacks and damage to information security systems. A system has been established to assess the impact on operations and the likelihood of secondary damage in the event of a cyber and information security incident caused by cyber attacks. The Information Security Control Department analyzes and investigates the incident and also works with the legal department and compliance department to minimize the impact of the incident and prevent secondary damage. Any serious incidents are reported to the Executive Officer in charge of the Information Security Control Department and appropriate action is taken under his/her direction. The current Executive Officer in charge of information security at ORIX has extensive knowledge of information technology and security, cultivated through his experience with system development, project management and security management in over two decades at various international companies prior to joining ORIX Corporation, including over a decade of experience in the financial business sector.	The ORIX Group has also established a framework to respond to cyber and information security incidents and to mitigate the risk of security breaches, system failures and information leaks, including cyber attacks and damage to information security systems. A system has been established to assess the impact on operations and the likelihood of secondary damage in the event of a cyber and information security incident caused by cyber attacks. The Information Security Control Department analyzes and investigates the incident and also works with the legal department and compliance department to minimize the impact of the incident and prevent secondary damage. Any serious incidents are reported to the Executive Officer in charge of the Information Security Control Department and appropriate action is taken under his/her direction. The current Executive Officer in charge of information security at ORIX has extensive knowledge of information technology and security, cultivated through his experience with system development, project management and security management in over two decades at various international companies prior to joining ORIX Corporation, including over a decade of experience in the financial business sector.
In the current fiscal year, we did not identify any cyber or information security incidents that have materially affected or are reasonably likely to materially affect our business activities, results of operations or financial condition.	In the current fiscal year, we did not identify any cyber or information security incidents that have materially affected or are reasonably likely to materially affect our business activities, results of operations or financial condition.
(2) Governance	(2) Governance
The ORIX Group has established internal rules governing the structure, basic policies, management standards for information security, education, and audits in accordance with global standards for information security controls such as ISO and NIST.	The ORIX Group has established internal rules governing the structure, basic policies, management standards for information security, education, and audits in accordance with global standards for information security controls such as ISO and NIST.
The Information Security Management Rules stipulate that strategies and policies regarding cyber and information security and its response policies for cyber and information security incidents, are to be discussed and determined at the Information Technology Committee, consisting of the Group CEO, CFO and other members. In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.	The Information Security Management Rules stipulate that strategies and policies regarding cyber and information security and its response policies for cyber and information security incidents, are to be discussed and determined at the Information Technology Committee, consisting of the Group CEO, chief financial officer (“CFO”) and other members. In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.
We have a system in place to determine the seriousness of cyber or information security incidents, report to the Disclosure Committee in a timely manner, as well as to disclose information on cyber security risks, strategies, and governance on a regular basis, in addition to the status of incident management. In addition to the management of incidents, we have also established a system that enables regular disclosure of cyber security risks, strategies, and governance.	We have a system in place to determine the seriousness of cyber or information security incidents, report to the Disclosure Committee in a timely manner, as well as to disclose information on cyber security risks, strategies, and governance on a regular basis, in addition to the status of incident management. In addition to the management of incidents, we have also established a system that enables regular disclosure of cyber security risks, strategies, and governance.
We have also established company-wide security requirements with which all consolidated group companies must comply, such as keeping systems up to date through vulnerability management program and technical measures for network defense. We have also established internal rules for security log management that take into account physical and logical boundaries with external networks as well as information breaches caused by internal fraud.	We have also established company-wide security requirements with which all consolidated group companies must comply, such as keeping systems up to date through vulnerability management program and technical measures for network defense. We have also established internal rules for security log management that take into account physical and logical boundaries with external networks as well as information breaches caused by internal fraud.

・2024.06.25 20-F (Annual report - foreign issuer)	・2025.06.20 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity	Item 16K. Cybersecurity
Sony recognizes the importance of cybersecurity, both in achieving financial success for the company and in maintaining the trust of its stakeholders, which include shareholders, customers, employees, suppliers, and business partners.	Sony recognizes the importance of cybersecurity, both in achieving financial success for the company and in maintaining the trust of its stakeholders, which include shareholders, customers, employees, suppliers, and business partners.
Risk Management & Strategy	Risk Management & Strategy
As part of Sony’s risk management framework, Sony maintains and continuously strives to enhance its information security program. This program covers the entire Sony Group and is implemented in accordance with policies and standards, which include cybersecurity risk management and governance frameworks, and guidance, developed by Sony and based on globally recognized industry best practices and standards. The policies define information security responsibilities within Sony and outline certain actions and procedures that officers and employees are required to follow, including with respect to the assessment and management of cybersecurity risks to Sony, including its systems and information. The policies, standards, and guidance are structured to help Sony respond effectively to the dynamically changing environment of cybersecurity threats, cybersecurity risks, technologies, laws, and regulations. Sony modifies its policies, standards, and guidance as needed to adjust to this changing environment.	As part of Sony’s risk management framework, Sony maintains and continuously strives to enhance its information security program. This program covers the entire Sony Group and is implemented in accordance with policies and standards, which include cybersecurity risk management and governance frameworks, and guidance, developed by Sony and based on globally recognized industry best practices and standards. The policies define information security responsibilities within Sony and outline certain actions and procedures that officers and employees are required to follow, including with respect to the assessment and management of cybersecurity risks to Sony, including its systems and information. The policies, standards, and guidance are structured to help Sony respond effectively to the dynamically changing environment of cybersecurity threats, cybersecurity risks, technologies, laws, and regulations. Sony modifies its policies, standards, and guidance as needed to adjust to this changing environment.
If Sony’s cybersecurity risk management controls are overcome by a cyber attacker, Sony follows an incident response plan and escalation process as defined in the information security program. The response process includes an assessment of whether an incident may be material, and this assessment is adjusted as necessary as additional facts become known during the incident response. Any incident that is assessed as potentially material is escalated to Sony’s senior management and is reported to the two outside Directors in charge of information security on Sony Group Corporation’s Board of Directors (the “Board”).	If Sony’s cybersecurity risk management controls are overcome by a cyber attacker, Sony follows an incident response plan and escalation process as defined in the information security program. The response process includes an assessment of whether an incident may be material, and this assessment is adjusted as necessary as additional facts become known during the incident response. Any incident that is assessed as potentially material is escalated to Sony’s senior management and is reported to the two outside Directors in charge of information security on Sony Group Corporation’s Board of Directors (the “Board”).
In the fiscal year ended March 31, 2024, Sony was the victim of several cyberattacks. None of these incidents was assessed to be material, nor did they materially affect Sony’s business strategy, the results of its operations, or its financial condition. However, there can be no guarantee that this will be the case with a future incident. For more information about risks Sony faces from cyberattacks, please refer to “Sony’s brand image, reputation and business may be harmed and Sony may be subject to legal claims if there is a breach or other compromise of Sony’s information security or that of its third-party service providers or business partners.” included in “Risk Factors” in “Item 3. Key Information.”	In the fiscal year ended March 31, 2025, Sony was the victim of several cyberattacks. None of these incidents was assessed to be material, nor did they materially affect Sony’s business strategy, the results of its operations, or its financial condition. However, there can be no guarantee that this will be the case with a future incident. For more information about risks Sony faces from cyberattacks, please refer to “Sony’s brand image, reputation and business may be harmed and Sony may be subject to legal claims if there is a breach or other compromise of Sony’s information security or that of its third-party service providers or business partners.” included in “Risk Factors” in “Item 3. Key Information.”
Sony has also established policies and processes to help identify and manage cybersecurity risks associated with third parties, including companies that provide services and products to Sony, and companies that hold Sony information or have electronic access to Sony systems or information. The policies and processes include assessment of the cybersecurity and privacy programs at certain third parties, the use of this risk information when making contracting decisions, and the use of contract language that includes cybersecurity and privacy requirements.	Sony has also established policies and processes to help identify and manage cybersecurity risks associated with third parties, including companies that provide services and products to Sony, and companies that hold Sony information or have electronic access to Sony systems or information. The policies and processes include assessment of the cybersecurity and privacy programs at certain third parties, the use of this risk information when making contracting decisions, and the use of contract language that includes cybersecurity and privacy requirements.
Most of the information security program is implemented by Sony employees. Sony also engages the services of external providers to enhance and support its information security program, including leading cyber response specialists as may be needed, and consultants to evaluate and help improve organization, policies, and other aspects of the program.	Most of the information security program is implemented by Sony employees. Sony also engages the services of external providers to enhance and support its information security program, including leading cyber response specialists as may be needed, and consultants to evaluate and help improve organization, policies, and other aspects of the program.
Structure and Governance of Sony’s Information Security Program	Structure and Governance of Sony’s Information Security Program
Sony’s information security program is under the responsibility of a Senior Executive, specifically, the Sony Group Chief Digital Officer (“CDO”), and the Sony Group Chief Information Security Officer (“CISO”), who reports to the CDO.	Sony’s information security program is under the responsibility of a Senior Executive, specifically, the Sony Group Chief Digital Officer (“CDO”), and the Sony Group Global Information Security Officer (“GISO”), who reports to the CDO.
Under the leadership of the CDO and CISO, and supported by a global information security team that works across the entire Sony Group, Sony implements the cybersecurity risk management and governance frameworks that are described in its policies and standards. Each business segment of Sony has a senior information security leader, called an Executive Information Security Officer (“EISO”), who reports both to the CISO and to the senior management of the particular business unit. EISOs and their associated teams are responsible for ensuring implementation and operation of the information security program in a way that is tailored to each specific business unit, including as it relates to the assessment and management of cybersecurity risks. The CISO coordinates with the EISOs to monitor the proper implementation and compliance with Sony’s cybersecurity policies and standards.	Under the leadership of the CDO and the GISO, and supported by a global information security team that works across the entire Sony Group, Sony implements the cybersecurity risk management and governance frameworks that are described in its policies and standards. Each business segment of Sony has a senior information security leader, called an Executive Information Security Officer (“EISO”), who reports both to the GISO and to the senior management of the particular business unit. The EISOs and their associated teams are responsible for ensuring implementation and operation of the information security program in a way that is tailored to each specific business unit, including as it relates to the assessment and management of cybersecurity risks. The GISO coordinates with the EISOs to monitor the implementation of Sony’s cybersecurity policies and standards.
The current CDO has experience within Sony in launching and overseeing the development, technical operation, and business operations of large-scale network products and services, including overseeing implementation and operation of the information security program. The current CISO has more than 40 years of experience in cybersecurity. Before joining Sony, the CISO served as Deputy Chief Information Officer for Cybersecurity of the U.S. Department of Defense (the department’s equivalent of a CISO) and before that, as the Chief Information Assurance Executive at the Defense Information Systems Agency (DISA), an agency of the U.S. Department of Defense.	The current CDO has experience in launching and overseeing the development, technical operation, and business operations of large-scale network products and services at Sony, including overseeing implementation and operation of the information security program. The current GISO has more than 40 years of experience in cybersecurity. Before joining Sony, the GISO served as Deputy Chief Information Officer for Cybersecurity of the U.S. Department of Defense (the Department’s equivalent of a Chief Information Security Officer) and before that, as the Chief Information Assurance Executive at the Defense Information Systems Agency (DISA), an agency of the U.S. Department of Defense.
To oversee the information security program, the Sony Group CEO and COO receive regular reports from the CDO, monthly reports from the CISO, additional reports as needed during the response to a cyber incident, and briefings from the CDO and CISO at various times during the year. The head of each Sony business segment also receives the monthly reports from the CDO and the CISO, as well as reports and briefings from the business segment EISO.	The Sony Group CEO receives regular reports from the CDO and/or the GISO, additional reports as needed during the response to a cyber incident, and briefings from the CDO and GISO at various times during the year. The head of each Sony business segment also receives regular briefings from the CDO and the GISO, as well as reports and briefings from the business segment EISO.
The Board oversees Sony’s information security efforts, including in the following ways:	The Board oversees Sony’s information security risks, significant incidents, policies and key initiatives, including in the following ways. The full Board receives reports from the outside Directors in charge of information security as well as briefings several times a year from the CDO and the GISO, and also engages in discussion of these matters.
• Two outside Directors oversee Sony’s information security efforts, via monthly meetings and ad-hoc incident response communications with the CDO and CISO. Those meetings address, among other matters, significant cybersecurity incidents and Sony Group-level policies and key initiatives regarding cybersecurity.	• As of the date of this report, the following two outside Directors oversee Sony’s information security efforts, via monthly meetings and ad-hoc incident response communications with the CDO and GISO.(*)
- One of these two outside Directors has extensive experience in the development of large-scale information systems, including experience with management of the risks associated with cyberattacks.	- Joseph A. Kraft Jr., outside Director, serves simultaneously as the Chair of the Audit Committee.
- The other outside Director serves simultaneously as the Chair of the Audit Committee.	- Neil Hunt, outside Director, has extensive experience in the development of large-scale information systems, including experience with the management of cybersecurity risks.
• The full Board receives reports from the outside Directors in charge of information security and briefings several times a year from the CDO and the CISO. The full Board also engages in discussion of these matters.	* Sony Group Corporation has proposed “To elect 11 Directors” as an agenda item for the Ordinary General Meeting of Shareholders to be held on June 24, 2025. If the proposal is approved, three (3) outside Directors in charge of information security (the current outside Directors Joseph A. Kraft Jr. and Neil Hunt, and a new outside Director, Ms. Nora Denzel) will be appointed at the Board of Directors meeting to be held after the Ordinary General Meeting of Shareholders.
	- Ms. Nora Denzel has wide experience in information technology cultivated at several Silicon Valley-based companies, including experience with the management of cybersecurity risks.

・2024.06.20 20-F (Annual report - foreign issuer)	・2025.06.18 20-F (Annual report - foreign issuer)
Item 16K. Cybersecurity	Item 16K. Cybersecurity
Risk Management and Strategy	Risk Management and Strategy
Honda has established a management system and standards for information system security in order to minimize the negative impact on its business and business results from the occurrence of cybersecurity incidents. Based on these standards, we have implemented security measures in both hardware and software aspects to strengthen the security of our information systems. To address security, including product security, we have established a cross-functional system across business and manufacturing systems, software, quality, and other areas.	Honda has established a management system and standards for information system security in order to minimize the negative impact on its business and business results from the occurrence of cybersecurity incidents. Based on these standards, we have implemented security measures in both hardware and software aspects to strengthen the security of our information systems. To address security, including product security, we have established a cross-functional system across business and manufacturing systems, software, quality, and other areas.
We develop rules and procedures based on laws and regulations, formulate response flows, verify and implement measures for improvement through cybersecurity exercises, and develop human resources, among other things. We also utilize solutions for managing cybersecurity information and monitoring malicious activities to monitor and analyze cybersecurity threats and vulnerabilities, and in the event of a security incident related to a cyberattack with a significant impact on Honda, we establish a Global Emergency Headquarters under the supervision and monitoring of the Risk Management Officer, and the supervisory division in charge of risks from cybersecurity threats plays a central role in quickly ascertaining the actual situation and taking measures to minimize the impacts of cybersecurity incidents from a company-wide perspective.	We develop rules and procedures based on laws and regulations, formulate response flows, verify and implement measures for improvement through cybersecurity exercises, and develop human resources, among other things. We also utilize solutions for managing cybersecurity information and monitoring malicious activities to monitor and analyze cybersecurity threats and vulnerabilities, and in the event of a security incident related to a cyberattack with a significant impact on Honda, we establish a Global Emergency Headquarters under the supervision and monitoring of the Risk Management Officer, and the supervisory division in charge of risks from cybersecurity threats plays a central role in quickly ascertaining the actual situation and taking measures to minimize the impacts of cybersecurity incidents from a company-wide perspective.
When implementing third-party packaged software and cloud services, we make decisions based on risk assessments following established security standards and conduct annual checks after implementation. In response to cyberattacks on production facilities and suppliers, we verify the status of security measures at both domestic and overseas production facilities and suppliers. Based on the results of these verifications, we take measures to strengthen security, such as supporting the introduction of solutions for managing cybersecurity incident information, and monitoring malicious activities. For such activities to strengthen security, we have concluded outsourcing agreements with security consulting companies and external specialists to receive support.	When implementing third-party packaged software and cloud services, we make decisions based on risk assessments following established security standards and conduct annual checks after implementation. In response to cyberattacks on production facilities and suppliers, we verify the status of security measures at both domestic and overseas production facilities and suppliers. Based on the results of these verifications, we take measures to strengthen security, such as supporting the introduction of solutions for managing cybersecurity incident information, and monitoring malicious activities. For such activities to strengthen security, we have concluded outsourcing agreements with security consulting companies and external specialists to receive support.
With regard to personal information protection regulations and cybersecurity-related laws and regulations in various countries, in addition to current regulations, we collect and monitor information on regulatory trends that are expected to be enforced in the future.	With regard to personal information protection regulations and cybersecurity-related laws and regulations in various countries, in addition to current regulations, we collect and monitor information on regulatory trends that are expected to be enforced in the future.
These comprehensive cybersecurity response processes are incorporated into Honda’s comprehensive risk management system and will be discussed in detail in the following “Governance” section.	These comprehensive cybersecurity response processes are incorporated into Honda’s comprehensive risk management system and will be discussed in detail in the following “Governance” section.
For a description of information security-related risks, including risks from cybersecurity threats, identified by Honda as of the filing date of this Annual Report, please refer to Item 3. “Key Information—D. Risk Factors—Information Security Risks”.	For a description of information security-related risks, including risks from cybersecurity threats, identified by Honda as of the filing date of this Annual Report, please refer to Item 3. “Key Information—D. Risk Factors—Information Security Risks”.
Honda has been targeted by cyberattacks in the past; however, no risks from cybersecurity threats have been identified that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, over the past three fiscal years, including the fiscal year that is the subject of this annual report.	Honda has been targeted by cyberattacks in the past; however, no risks from cybersecurity threats have been identified that have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations or financial condition, over the past three fiscal years, including the fiscal year that is the subject of this annual report.
Governance	Governance
Based on the resolution of the Board of Directors, the Board of Directors has appointed the Director, Executive Vice President and Representative Executive Officer as the Risk Management Officer, who monitors and supervises the response status of significant risks, including risks from cybersecurity threats.	Based on the resolution of the Board of Directors, the Board of Directors has appointed the Senior Managing Executive Officer and Chief Officer for Automobile Operations as the Risk Management Officer*, who monitors and supervises the response status of significant risks, including risks from cybersecurity threats.
The Risk Management Committee, chaired by the Risk Management Officer, has been established to deliberate on important matters related to risk management, including risk from cybersecurity threats. Honda has established the Honda Global Risk Management Policy, which stipulates the Company’s basic policy for risk management, the collection of risk information, and the response system in the event of risk occurrence.	The Risk Management Committee, chaired by the Risk Management Officer, has been established to deliberate on important matters related to risk management, including risk from cybersecurity threats. Honda has established the Honda Global Risk Management Policy, which stipulates the Company’s basic policy for risk management, the collection of risk information, and the response system in the event of risk occurrence.
In accordance with the aforementioned Policy, Honda has designated its cybersecurity supervisory divisions to conduct risk assessments and report the status of cybersecurity risk responses to the Risk Management Officer through the Risk Management Committee. The designated cybersecurity supervisory divisions consisted of 64 members as of the filing date of this Annual Report with practical experience in various roles related to information technology, including security, auditing, and systems are established in both the Quality Innovation Operations and Corporate Administration Operations divisions. The Risk Management Officer, who has knowledge and experience in overall risk management, receives technical support from the cybersecurity risk supervisory divisions, and monitors and supervises the responses to risks from cybersecurity threats.	In accordance with the aforementioned Policy, Honda has designated its cybersecurity supervisory divisions to conduct risk assessments and report the status of cybersecurity risk responses to the Risk Management Officer through the Risk Management Committee. The designated cybersecurity supervisory divisions consists of members with practical experience in various roles related to information technology, including security, auditing, and systems are established in both the Quality Innovation Operations and Corporate Administration Operations divisions. The Risk Management Officer, who has knowledge and experience in overall risk management, receives technical support from the cybersecurity risk supervisory divisions, and monitors and supervises the responses to risks from cybersecurity threats.
In the event of a material cybersecurity incident, the cybersecurity risk supervisory divisions are to immediately report it to the Risk Management Officer. Upon receiving the report, the Risk Management Officer is to establish a Global Emergency Headquarters, which coordinate with relevant organizations affected by the incident in order to prevent and contain the crisis. Such response status is reported to the Board of Directors and the Executive Council as necessary based on the judgment of the Risk Management Officer.	In the event of a material cybersecurity incident, the cybersecurity risk supervisory divisions are to immediately report it to the Risk Management Officer through the Risk Management Committee. Upon receiving the report, the Risk Management Officer is to establish a Global Emergency Headquarters, which coordinate with relevant organizations affected by the incident in order to prevent and contain the crisis. Such response status is reported to the Board of Directors and the Executive Council as necessary based on the judgment of the Risk Management Officer.
	* After the ordinary general meeting of shareholders to be held on June 19, 2025 and the resolution of the Board of Directors following such meeting, the position will become Director, Senior Managing Executive Officer and Chief Officer for Automobile Operations.