SPARX Group

Basic Cybersecurity Policy

1. Basic Cybersecurity Policy Formulation and Disclosure

SPARX Group (the "Group") has been striving to practice ever-better investments every day since its establishment in 1989, with the vision of becoming "the most trusted and respected investment company in the world" to realize our mission "to make the world wealthier, healthier, and happier (through investment)."
Corporate use of digital technology helps maintain social infrastructure, secure lifelines, protect consumers, ensure sustainable growth, and enable diverse working styles. Simultaneously, the safety and governance of digital businesses are vital from the perspective of ESG. Therefore, the Group established this policy to share its cybersecurity approach, responses, and strategies with all its stakeholders and fulfill its corporate social responsibilities by preserving and protecting stakeholders' information assets subject to various threats, including leaks and falsification.

2. Establishing Systems for Executives to Manage Security Risks

The Group defines its systems and responsibilities to adequately and reliably implement security measures. It provides information as necessary and actively collects data under its security management systems.
The Tokyo-based Group companies have established a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO) directly under the management of the Board of Directors. They have also established a subcommittee that manages security and other systemic risks. In light of the increasing use of cloud services coinciding with digital transformation (DX) within the Group, this subcommittee acts as an intermediary between user departments and management, sharing issues that the Board of Directors and other management bodies should discuss and approve and alerting users to these issues.
The Group Risk Management Committee―under the Board of Directors of the Group's holding company, SPARX Group Co., Ltd.―must report quarterly on security and other system risks as it manages all Group risks and ensures the soundness and propriety of its operations.

3. Identifying Security Risks and Formulating Response Plans

The division in charge of each system analyzes risks―including those in the supply chain of the Group's affiliates, business partners, outsourcing partners, and cloud service providers―using vulnerability information provided by regulatory authorities and other sources. The security risk management department also periodically assesses the situation on a Groupwide basis. The Group uses the results of these analyses to formulate recurring countermeasures and priority countermeasures for the next fiscal year (e.g., reviewing existing countermeasures). Management works to identify risks and implement appropriate countermeasures by discussing, approving, and receiving progress reports on countermeasure plans and budgeting. The Group utilizes cyber insurance and outside experts for any risks it cannot tolerate based on risk analysis results and has already included these responses in the budget for recurring countermeasures.
At our Tokyo-based Group companies, management is committed to understanding the threats faced by the Group's stakeholders and implementing any necessary measures at the right time. It does so through reports from the subcommittee on system risk management, which drafts security measures and provides progress and incident reports.

4. Securing Resources (Including Budgets and Personnel) for Security Measures

The Group's departments that handle security risks use the results of risk analyses to formulate security measure proposals regularly or as necessary, depending on business conditions or scope. They receive approval from decision-making bodies for these proposals depending on their scale and nature, including using outside services and experts or recruiting human resources with the relevant knowledge or experience.
The Tokyo-based Group companies operate security education programs for all executives and employees to ensure they understand security's importance. Specific programs include targeted attack email drills and security-related e-learning courses that inform employees of the need to be alert to cyberattacks and promote knowledge about countermeasures against cybercrimes.

5. Establishing Emergency Response Systems

The Group has a business continuity plan (BCP) for crisis management to address all potential risks that could threaten business continuity. It also utilizes this BCP system for emergency responses to security issues.
The Tokyo-based Group companies have BCP Computer Security Incident Response Teams (BCP/CSIRT) that comprise executives, BCP Emergency Response Headquarters members, and the departments that handle system risks. The BCP/CSIRT is responsible for promptly identifying the damage and scope of impact, providing an initial response to prevent the spread of damage, handling the recovery response, considering strategies to prevent recurrence, and disclosing incidents outside the Group when appropriate. The Tokyo-based Group companies regularly conduct BCP/CSIRT drills to bolster their capabilities.

6. Revisions

The Group will revise this policy as necessary to reflect changes in responses to new security risks coinciding with business expansion and changes in the requirements stipulated by laws, regulations, and notices in the countries and regions where it does business.

Established