XML 20 R10.htm IDEA: XBRL DOCUMENT v3.25.2
Cybersecurity Risk Management and Strategy Disclosure
 12 Months Ended
Mar. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
(1) Risk management and strategy
Our Information Security Control Department reports to and manages cyber and information security risks to the Information Technology Management Committee.
Our Information Security Control Department has established a cyber and information security awareness training program for our consolidated group companies. All employees of our consolidated group companies, including investee companies, and employees of outsourcing companies with access to our network are required to take online training at least once a year. These educational programs also include phishing
e-mails
simulations, which are conducted several times a year on an irregular basis. We also provide training through escalation and response simulations in the event of a cyber or information security incident.
Each of our consolidated group companies is assigned an Information Security Accountable Owner, and cyber and information security knowledge and the Group’s security policies are shared with the companies on a quarterly basis to raise readiness levels across the ORIX Group.
In order to control cyber and information security risks we face through our interactions with and reliance on third parties, such as through our outsourcing activities and use of cloud services, we conduct regular security assessments of business partners and outsourcing vendors. In addition, we have a framework in place for the Information Security Control Department to evaluate the security risks of information systems and cloud services provided by business partners and outsourcing vendors.
The Information Security Control Department is responsible for assessing and managing our cyber and information security risks and where necessary, engages third-party consultants for advice regarding specific areas where enhanced controls or
in-depth
analysis is required.
The ORIX Group has also established a framework to respond to cyber and information security incidents and to mitigate the risk of security breaches, system failures and information leaks, including cyber attacks and damage to information security systems. A system has been established to assess the impact on operations and the likelihood of secondary damage in the event of a cyber and information security incident caused by cyber attacks. The Information Security Control Department analyzes and investigates the incident and also works with the legal department and compliance department to minimize the impact of the incident and prevent secondary damage. Any serious incidents are reported to the Executive Officer in charge of the Information Security Control Department and appropriate action is taken under his/her direction. The current Executive Officer in charge of information security at ORIX has extensive knowledge of information technology and security, cultivated through his experience with system development, project management and security management in over two decades at various international companies prior to joining ORIX Corporation, including over a decade of experience in the financial business sector.
In the current fiscal year, we did not identify any cyber or information security incidents that have materially affected or are reasonably likely to materially affect our business activities, results of operations or financial condition.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] Our Information Security Control Department reports to and manages cyber and information security risks to the Information Technology Management Committee.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
In the current fiscal year, we did not identify any cyber or information security incidents that have materially affected or are reasonably likely to materially affect our business activities, results of operations or financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]
(2) Governance
The ORIX Group has established internal rules governing the structure, basic policies, management standards for information security, education, and audits in accordance with global standards for information security controls such as ISO and NIST.
The Information Security Management Rules stipulate that strategies and policies regarding cyber and information security and its response policies for cyber and information security incidents, are to be discussed and determined at the Information Technology Committee, consisting of the Group CEO, chief financial officer (“CFO”) and other members. In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.
We have a system in place to determine the seriousness of cyber or information security incidents, report to the Disclosure Committee in a timely manner, as well as to disclose information on cyber security risks, strategies, and governance on a regular basis, in addition to the status of incident management. In addition to the management of incidents, we have also established a system that enables regular disclosure of cyber security risks, strategies, and governance.
We have also established company-wide security requirements with which all consolidated group companies must comply, such as keeping systems up to date through vulnerability management program and technical measures for network defense. We have also established internal rules for security log management that take into account physical and logical boundaries with external networks as well as information breaches caused by internal fraud.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
The Information Security Management Rules stipulate that strategies and policies regarding cyber and information security and its response policies for cyber and information security incidents, are to be discussed and determined at the Information Technology Committee, consisting of the Group CEO, chief financial officer (“CFO”) and other members. In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.
Cybersecurity Risk Role of Management [Text Block]
The Information Security Management Rules stipulate that strategies and policies regarding cyber and information security and its response policies for cyber and information security incidents, are to be discussed and determined at the Information Technology Committee, consisting of the Group CEO, chief financial officer (“CFO”) and other members. In addition, the response status of any cyber or information security incident is reported to the Audit Committee by the Executive Officer in charge of the Information Security Control Department to ensure appropriate information sharing.
We have a system in place to determine the seriousness of cyber or information security incidents, report to the Disclosure Committee in a timely manner, as well as to disclose information on cyber security risks, strategies, and governance on a regular basis, in addition to the status of incident management. In addition to the management of incidents, we have also established a system that enables regular disclosure of cyber security risks, strategies, and governance.
We have also established company-wide security requirements with which all consolidated group companies must comply, such as keeping systems up to date through vulnerability management program and technical measures for network defense. We have also established internal rules for security log management that take into account physical and logical boundaries with external networks as well as information breaches caused by internal fraud.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
We have a system in place to determine the seriousness of cyber or information security incidents, report to the Disclosure Committee in a timely manner, as well as to disclose information on cyber security risks, strategies, and governance on a regular basis, in addition to the status of incident management. In addition to the management of incidents, we have also established a system that enables regular disclosure of cyber security risks, strategies, and governance.
We have also established company-wide security requirements with which all consolidated group companies must comply, such as keeping systems up to date through vulnerability management program and technical measures for network defense. We have also established internal rules for security log management that take into account physical and logical boundaries with external networks as well as information breaches caused by internal fraud.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true