|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Mar. 31, 2025
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Cybersecurity Strategy
Many of our systems are connected to our domestic and overseas locations, and the systems of our customers and various payment institutions, through a global network. As cyber attacks become more sophisticated, we recognize cybersecurity as an important management issue and continuously promote cybersecurity measures under management leadership.
We define cybersecurity risk as the risk that the group may incur tangible or intangible losses due to cybersecurity-related problems that occur at the group and/or at its clients, along with organizations, etc., that have a business relationship with the group, such as outside vendors and goods/services suppliers and view it as one of our top risks. Accordingly, we have established a system to centrally manage cybersecurity risk through the Risk Appetite Framework and the Comprehensive Risk Management Framework.
Governance System
At Mizuho Financial Group, the Board of Directors deliberates and resolves fundamental issues related to cybersecurity risk management. The Board of Directors receives reports from the Group Chief Information Security Officer (“CISO”) on cybersecurity risks that may have an impact on management policies and strategies, annual business plans, medium- to long-term business plans, etc., other cybersecurity risks that the Board of Directors should be aware of from a medium- to long-term perspective, and important matters such as the status of risk control.
The Risk Committee and the IT/Digital Transformation Committee *1, both of which are advisory bodies to the Board of Directors, each receive reports from the Group CRO on the status of comprehensive risk management and from the Group CISO on basic matters related to cybersecurity risk management, evaluate conformity with our basic management policies and the appropriateness of our cyber initiatives, and present recommendations or opinions to the Board of Directors. In addition, the independent third line in the three lines of defense *2 conducts audits on the initiatives of the first and second lines, and reports the results to the Operational Audit Committee, etc.
Under such supervision by the Board of Directors, the President and Chief Executive Officer oversees the cybersecurity risk management of Mizuho Financial Group, and the Group CISO, in accordance with the instructions of the Group CIO and the Group CRO, establishes measures for risk management through autonomous control activities by the first line, and monitoring, measurement, and evaluation by the second line of such autonomous control activities by the first line, and gives instructions to prevent cybersecurity risks that may arise from fraud or outsourcing, and to respond appropriately to cyber incidents.
The Group CISO has been engaged in the IT and systems industry for more than 30 years and, with extensive knowledge and experience, is responsible for the planning and operation of cybersecurity risk management.
Based on the instructions of the Group CISO, the Cybersecurity Management Department identifies possible cybersecurity risks to our business and systems, evaluates our preparedness, assesses risks identified by analyzing the location and magnitude of cybersecurity risks, and then reviews and formulates additional measures to strengthen risk control, such as preventive measures and reactive responses, and strengthens risk control and governance through reflection in business plans.
The Cybersecurity Management Department reports to the Group CISO on the status of cybersecurity risk management, and the Group CISO regularly reports, and if applicable, submits proposals for deliberation, to the Management Committee via the IT Strategy Promotion Committee and to the Board of Directors, each on the status of our cybersecurity measures, etc., with the aim of developing and strengthening a system for ensuring cybersecurity.
We have appointed a person in charge of cybersecurity and have established a communication system at group companies, to monitor the status of our cybersecurity measures and to quickly gather information when an incident occurs.
Initiatives for Strengthening Cybersecurity
To identify and prevent the manifestation of cybersecurity risks, we collaborate with external organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and other financial institutions. We collect threat intelligence and implement prioritized measures based on the potential impact on us.
Specifically, we take measures to ensure consistent security throughout the entire system development lifecycle, from the planning phase to the development and operation phases.
After the release of systems, we promptly identify and address the impact of disclosed vulnerability information on our group’s system by introducing a configuration management database and vulnerability scanner systems.
To evaluate the effectiveness of these technical measures against cyber attacks on our systems, we also regularly conduct vulnerability assessments and Threat-Led Penetration Testing *3.
As part of our preparedness measures, the Mizuho-Cyber Incident Response Team *4 and other highly qualified professionals are deployed, and a 24-hour, 365-day a year monitoring system is in place using an integrated Security Operation Center *5, etc.
We are also focusing on human resources development, such as conducting study groups for directors including outside directors, cybersecurity training for each executive and employee layer, and phishing email training for all executives and employees at least once every six months.
Additionally, before entering into a contract with a third party and on a regular basis thereafter, we confirm the security management preparedness, including responses in the event of a cyber incident, of third parties such as cloud service providers that provide outsourcing and cloud services. When we receive reports of cyber incidents from third parties, in addition to identifying and analyzing the impact on the group, we also strive to respond appropriately to risks when there is concern about the impact on the group.
We verify the effectiveness of our cybersecurity posture by referring to external frameworks related to cybersecurity, such as the Cybersecurity Framework developed by the National Institute of Standards and Technology and guidelines on cybersecurity published by the Financial Services Agency. We also undergo evaluations by third parties.
Impact and Response When a Cyber Incident Occurs
As a result of our enhanced cybersecurity measures, we are not aware of any past cyber attacks that could have had a significant impact on investor decisions or could have materially affected our business operations, results of operations and financial condition, in the fiscal year ended March 31, 2025. However, in the event of a cyber attack due to a failure to strengthen cybersecurity measures, leaks or falsification of electronic data, suspension of business operations, information leaks, and unauthorized remittances may occur and cause inconvenience and disadvantage to our customers.
In addition, our business operations, results of operations and financial condition may be materially affected by compensation for damages, administrative actions and damage to reputation.
In the unlikely event that a cyber incident is detected, or if it is determined on firm grounds that the likelihood of a cyber incident occurring is very high, the Cybersecurity Management Department will report the cyber incident to the Group CISO. The Group CISO reports to the Management Committee and the Board of Directors when particularly important incidents occur or are likely to occur.
Based on the instructions from the Group CISO, the Cybersecurity Management Department monitors the cause of the incident (including incidents for which the likelihood of occurrence is determined on firm grounds to be very high), the nature and extent of the damage or expected damage, supports the formulation of effective containment, eradication, and recovery measures, analyzes attack methods or expected attack methods based on cyber incident information, and conducts incident response.
Even after incident recovery, the Cybersecurity Management Department monitors changes that could lead to cyber incidents in the group and promptly reports to the Group CISO when a breach of the threshold is identified. In addition, the Cybersecurity Management Department analyzes and evaluates the status of causes and risks, and implements necessary measures after consulting with the Group CISO on the response policy.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|At Mizuho Financial Group, the Board of Directors deliberates and resolves fundamental issues related to cybersecurity risk management.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Board of Directors receives reports from the Group Chief Information Security Officer (“CISO”) on cybersecurity risks that may have an impact on management policies and strategies, annual business plans, medium- to long-term business plans, etc., other cybersecurity risks that the Board of Directors should be aware of from a medium- to long-term perspective, and important matters such as the status of risk control.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|The Risk Committee and the IT/Digital Transformation Committee *1, both of which are advisory bodies to the Board of Directors, each receive reports from the Group CRO on the status of comprehensive risk management and from the Group CISO on basic matters related to cybersecurity risk management, evaluate conformity with our basic management policies and the appropriateness of our cyber initiatives, and present recommendations or opinions to the Board of Directors. In addition, the independent third line in the three lines of defense *2 conducts audits on the initiatives of the first and second lines, and reports the results to the Operational Audit Committee, etc.
|Cybersecurity Risk Role of Management [Text Block]
|Under such supervision by the Board of Directors, the President and Chief Executive Officer oversees the cybersecurity risk management of Mizuho Financial Group, and the Group CISO, in accordance with the instructions of the Group CIO and the Group CRO, establishes measures for risk management through autonomous control activities by the first line, and monitoring, measurement, and evaluation by the second line of such autonomous control activities by the first line, and gives instructions to prevent cybersecurity risks that may arise from fraud or outsourcing, and to respond appropriately to cyber incidents.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The Group CISO has been engaged in the IT and systems industry for more than 30 years and, with extensive knowledge and experience, is responsible for the planning and operation of cybersecurity risk management.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|analyzing the location and magnitude of cybersecurity risks, and then reviews and formulates additional measures to strengthen risk control, such as preventive measures and reactive responses, and strengthens risk control and governance through reflection in business plans.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true