Information Security

Information Security at ORIX and Information Security Governance Structure

ORIX recognizes that information and cyber security risks are an important management issue, and strives to ensure appropriate protection of information and safe management of information assets. These principles and policies on information security are stipulated in the Information Security Policy. We have also established information security management rules as internal regulations; they stipulate the appropriate use of information and information systems by officers and employees, as well as the information security management system, basic policies, management standards and cyber security incident response.

Information Security Governance Structure


Compliance with International Standards and Security Rating Services

ORIX’s information security controls are aligned with the following international standards and frameworks: ISO 31000, ISO/IEC 27001, COBIT and NIST.

Information Security Management Policies

In order to manage information security risks, ORIX has established an information security standard and a set of minimum security standards.
The information security standard defines 16 management domains and establishes the management practices needed to ensure that a defined level of security is achieved in each domain. Each company and department in the ORIX Group implements these measures according to its own risks, taking into account the nature of its business, the information it holds, the threats it faces, and regulatory expectations.
Within that standard, the minimum security standards set out 14 management policies that every ORIX Group company, in Japan and overseas and regardless of size, must implement.

Response to Information Security Incidents

ORIX has organized ISC-CSIRT to manage cyber incidents across all Group companies. The CSIRT of each ORIX Group company and department establishes a reporting system and procedures for responding to information security incidents, and conducts drills in accordance with those reporting procedures. In the event of an incident, the CSIRT of the affected ORIX Group company or department responds to the incident with the support of, or under instructions from, ISC-CSIRT. In addition, a communications framework has been established so that, in the event of a critical cyber incident, the status of the response, measures to prevent recurrence, and improvement measures are reported to the CEO and the Disclosure Committee.

Cyber Security Training

Cyber security training and phishing email training are available to all Group officers and employees throughout the year. In the fiscal year ended March 31, 2024, 34,627 people received training.