In order to ensure that clients' information and assets are securely protected from increasingly challenging cyber security threats, and to enable clients to conduct transactions with peace of mind, Nomura Group continues to strengthen its cyber security platform under the leadership of the Crisis Management Committee and Group Chief Information Officer.

The leadership team will be leveraging the "Comprehensive Guidelines for Supervision of Financial Instruments Business Operators, etc." of the Financial Services Agency, the "Cybersecurity Framework" of the National Institute of Standards and Technology (NIST) and other industry-wide frameworks, as references to manage the Cybersecurity strategic programs and operations across the entire Nomura Group.

To manage cybersecurity incidents, Nomura Group has established the Nomura Group Computer Security Incident Response Team (CSIRT) under the Crisis Management Committee’s secretariat. In addition, Nomura Securities and Nomura Group companies have established CSIRTs to protect their operations, information assets, and systems.

Organizational Structure

CSIRT Structure, Nomura Group

Cyber Countermeasures

The following cyber countermeasures are being promoted for each of the five functional categories defined by the NIST Cybersecurity Framework.

Identify

  • Based on our management vision and risk appetite, we have identified information assets to be protected, and have established a Group-wide governance system.
  • We are continuously strengthening our system through threat-based penetration testing and third-party risk assessments.
  • We are conducting cyber risk assessments and countermeasures, including programs utilizing support from outside vendors.

Protect

  • We have deployed several system-related measures to protect against unauthorized access and computer viruses.
  • We regularly implement training, drills, and awareness-raising activities to increase the knowledge of executives and employees.
  • We have established a system to collect and share information on attackers and attack methods through communication with Financials ISAC Japan and specialized cyber security vendors.
  • We have independent external audits which are based on information security frameworks.

Detect

  • We have established a monitoring system that operates 24 hours a day, 365 days a year, to detect abnormalities in a timely manner.
  • We have created a mechanism to collect and analyze system logs and to detect abnormalities, including internal misconduct.

Respond

  • In preparation for cyber incidents, we have established a system for quickly contacting clients, related institutions, and senior management.
  • We have created an incident response manual, and we analyze the cause of incidents, minimize damage, and otherwise respond mainly through CSIRT.
  • We have established and communicated response and escalation process for executives and employees to follow when they notice abnormal device behavior or suspicious incidents.

Recover

  • We have established a business continuity plan and a backup data center.
  • We have prepared for rapid recovery of business and systems through system switching training and cyber exercises.

Development of Policies for the Appropriate Protection of Information Assets

Nomura Group has established the “Nomura Group Basic Policy on Information Security” to ensure the appropriate protection of information assets. In accordance with this basic policy, each Group company has developed its own information security-related standards. These information security standards define the fundamental principles regarding information assets and information security, with the objective of appropriately safeguarding information assets, including the following:

  • Establishment, thorough dissemination, and education of guidelines for ensuring information security, as well as inspection, examination, and corrective action regarding information handling practices
  • Maintenance of confidentiality, integrity, and availability of information assets
  • Monitoring of abnormal records suspected of fraud
  • Prompt investigation and response in the event of information-related incidents
  • Responsibilities of officers, employees, etc., regarding handling of information assets and information management
  • Ensuring information security when entrusting the handling of personal information to third parties

The number of significant information breaches reported in fiscal year 2024 was 0. In the event of a significant information security incident, following an investigation relevant information will be promptly disclosed on the Company website.