Risk Management

Risk management structure

In order to identify company-wide risks from various angles and prevent the materialization of risks, we have established a management system based on the concept of a three-line model. The first line is where each department in the head office conducts reviews that includes risks when devising various measures and policies on the ground, while also carrying out risk management in their own departments. The second line is where the Risk Management Division, an organization independent from business departments, headed by a the head of the Risk Management Division charged with overseeing risk management, conducts company-wide and comprehensive identification of risks and confirmation of the status of measures taken (conducted twice a year), and reports to the Risk Management Committee. The Risk Management Committee, which includes the President, COO, CFO, etc. as members and in which the Audit & Supervisory Board members and heads of the relevant departments also participate, determines the level of importance and the risk manager (risk owner) for each risk, gives instructions to take measures, etc. and through the head of the Risk Management Division, reports the status to the Board of Directors. The committee also supervises risks that may have a significant impact on the group (including telecommunications service risk, information security risk, and information systems risk) with a Director experienced in information security (Representative Director, President & CEO Junichi Miyakawa) playing a central role.
The Internal Audit Office conducts an independent audits the entire risk management system and situation from a position independent from the first and second lines.

The head of the Risk Management Division reports the content of reviews by the Risk Management Committee, including the risk identification process, to external (non-executive) directors who supervise the execution of company operations. In addition, the division head reports to the Audit & Supervisory Board and reflects the confirmations and advice on risk management methods and areas for improvement received from external (non-executive) directors and the Audit & Supervisory Board members in our risk management measures.

In addition, we establish a reporting system for subsidiaries and affiliated companies, and conduct periodic checks of business-related risks identified by each subsidiary and affiliated company and countermeasure status, from the standpoint of risk management for the group overall.

We strive to prevent any incidents, but in the unlikely event that one does occur, the department where the incident occurred acts as the first line in identifying the details and impact of the incident and reporting to the Risk Management Division in accordance with the reporting standards stipulated by the incident impact determination criteria. The Risk Management Division evaluates the impact of each incident and promptly reports any incidents that may have a significant impact on the management of the group to management, external directors (non-executive), and the Audit & Supervisory Board members, etc.
In addition, in terms of considering and implementing measures to reduce the impact of incidents and prevent recurrence, each department in the head office, as the first line, proactively reviews and implements specific measures, while the Risk Management Division has established a system as the second line to verify and evaluate the content of these measures and the status of their implementation, and provide advice and guidance as necessary. While promoting highly effective response measures by the first line that are suited to the actual situation on the ground, the second line provides appropriate supervision based on the risk management framework and rules, working to prevent the recurrence of incidents and minimize their impact.

  • Risk management structure
[Notes]
  1. *1
    Risk trend analysis: A technique where the latest news and public information is analyzed to provide material for identifying risks from new perspectives.
  2. *2
    KRI: Key risk indicators
  3. *
    The head of the Risk Management Division and the head of the Internal Audit Office independently report on risk management and audits to the Board of Directors based on their respective capacities.
  4. *
    We are working to further improve our risk management system through by outside evaluation of risk management by a third-party organization. This includes verification concerning evaluation of our risk management system and risk management process (conducted this fiscal year) in accordance with ISO 31000 (JISQ31000), as well as outside evaluation of risk management through an internal control reporting system as stipulated by the Financial Instruments and Exchange Act and evaluation of internal control (conducted once a year) that complies with SSAE18.

Risk management methods

Risk management methods

When devising various policies and measures, not only are we reviewing potential risks in conjunction with business opportunities, we are also implementing a PDCA cycle, as illustrated below, on a regular basis to identify, select, and assess a wide range of risks for the SoftBank group, through which we are working to uncover, mitigate, and prevent increasingly complex and diverse risks before they occur.

Plan The Risk Management Division conducts risk assessments using a risk classification table (compiled from risk scenarios relevant to SoftBank and its subsidiaries and affiliates), interviews with the heads of each division in the company and the management of our principal subsidiaries and affiliates, interviews with each risk owners for the fiscal year, and the Risk Management Committee identifies risks that have a significant impact on the company based both on perspectives from the field and from the perspective of management and appoints risk owners. We do this to conduct a more multifaceted risk analysis aimed at identifying risks from various viewpoints by collecting information by means of providing information beforehand, such as external environment reports that include risks and opportunities, and raising questions that include short-term and medium- to long-term viewpoints.
Do Risk owners review and implement measures, etc. for risks based on those that the Risk Management Committee has determined to have a significant impact on the company.
Check The Risk Management Division monitors the status of measures by risk owners on a monthly basis, and reports to management and the Risk Management Committee. Based on these reports, the Risk Management Committee checks the implementation status, etc. of measures, reviews risks, and checks the necessity, etc. of additional measures.
Action Risk owners examine and implement improvements and additional measures, etc. for any additional measures that are determined to be necessary by the Risk Management Committee.

Yearly schedule

  • Yearly schedule
[Note]
  1. *

We have implemented a system to broadly identify risks and opportunities, assess their significance and priority, and incorporate them into countermeasures and various initiatives. During risk assessments and interviews, we not only consider traditional risks but also include opportunities. Additionally, we evaluate their impact by establishing time horizons: short-term (within a few years), medium-term (approximately 3 to 5 years), and long-term (approximately 10 to 30 years), aiming for a more accurate analysis.
Consolidated risks are addressed through countermeasures led by the Risk Management Committee. Meanwhile, information on opportunities is shared across departments and utilized in the development of sustainability strategies and the establishment of materiality.

Training, etc.

For our employees, including new recruits, we ensure company-wide awareness on risks that need to be addressed and conduct training on risk management principles, etc. (e-learning, etc.), and have set up an internal consultation desk. We also share the same training materials with our subsidiaries and affiliates, and implement training on an as-needed basis. In addition, we incorporate risk management into competency assessment of employees, including those at the managerial level, which is reflected in remuneration assessments.
For external (non-executive) directors and audit & supervisory board members, we conduct periodic internal and external training, etc. on risk management, compliance, and other issues. To ensure that external directors and external auditors & supervisory board members can offer appropriate advice related to risk management, we provide explanations and opportunities to gain an understanding of risk selection and the status of countermeasures, as well as the results of risk reviews, the details of the group's businesses, and the latest risk-related information, etc., such as recent risk and technology developments, both when they first assume office, and periodically thereafter.

Risk appetite and
stress testing /
sensitivity analysis

We quantify each risk based on risk assessments and interviews with risk owners (those in charge of risks), etc. in terms of likelihood of occurrence (probability) and magnitude of potential effect (impact), and define the risk appetite (risk tolerance). We then obtain approval from the Risk Management Committee formed by those in management, including the president.

Below are examples of risks to the company and risk appetite.

Risk category Risk appetite
Compliance

Based on the SoftBank Code of Conduct for all executives and employees, we are working to achieve compliance with a strong sense of ethics and responsibility in our daily work, ensuring thorough compliance with no tolerance for risks that violate compliance such as impropriety, discrimination, and harassment.

Compliance

Intellectual Property and Brands

The SoftBank Code of Conduct which all executives, employees, and group company personnel must comply with states that “We recognize the importance of intellectual property rights, and will respect the intellectual property rights of others, and promote the appropriate protection and utilization of our own intellectual property rights.” By respecting the intellectual property of others while working to actively create, protect, and utilize intellectual property, we believe that we mitigate risks and can improve corporate value, which will in turn contribute to the industrial development of society at large.

Protecting Intellectual Property and Brands

In terms of financial risks, we conduct sensitivity analysis to foreign exchange rates and the like, and in terms of non-financial risks, we conduct risk analysis related to water stress at key business sites and the like.

Sensitivity analysis (Audited Consolidated Financial Statements)
Risk analysis related to water stress, etc. (Appropriate Use of Water Resources)

Addressing risks
that have significant
impact on the company

We assess and identify risks that have a significant impact on our company, using the following 4×4 matrix based on the risk's likelihood of occurrence (four levels) and magnitude of potential effect (four levels). Furthermore, from the identified risks, we comprehensively evaluate and prioritize the risks that require immediate attention and take appropriate countermeasures to reduce risks and prevent issues before they occur.

  • Impact
  • Probability

The results of evaluating typical risks are as follows.
With respect to impact, risks are mitigated by the implementation of countermeasures.

  • Addressing risks that have significant impact on the company

The risks that exert significant influence upon our company are as follows.

1. Risk related to
management strategy

Risk items Typical risk examples Risk reduction measures
a. Changes to economic conditions, regulatory or market environments, and competition with other companies
  • Domestic political conditions
  • Competitors' situations
  • Customer expectations
  • Amendments to laws
  • Economic fluctuations
  • Demographic changes
  • Product/service defects
  • Risk of increased competition in the telecommunications industry due to new entrants from other industries and the rapid spread of services from startups competing with the SoftBank group's services
  • Risk of providing products or services with major defects that cause damage to customers
b. Adapting to technology and business models
  • Technological innovation
Risk of the SoftBank group being unable to respond appropriately or in a timely manner to changes in the market such as the emergence of new technologies (including generative AI and AI agents) or business models Research the newest technology and market trends, conduct verification testing to introduce technically superior services, consider alliances with other companies, etc.
c. Leakage or Inappropriate use of information (including privacy information) and inappropriate use of products and services provided by the SoftBank group
  • Leakage or loss of information due to cyber attacks
  • Inappropriate use of information assets
  • Inappropriate use of products/services
  • Risk of information leakage, loss, etc. due to intentional or negligent actions of the SoftBank group or unauthorized access such as cyber attacks by a third party
  • Risk of losing society's confidence and trust in SoftBank group due to an error arising from inadequate management and utilization of our information assets resulting in social criticism
  • Risk of lowered confidence and trust due to misuse (crimes, etc. such as fraud) of apps or payment services provided by the SoftBank group
  • Limit work areas related to confidential information and establish access control rules; monitor and prevent unauthorized access due to cyber attacks from outside the company; separate and isolate access and networks according to information security levels
  • Establish guidelines and conduct training
  • Periodic monitoring of unauthorized use
d. Destabilization of the international situation
  • Procurement of equipment, facilities, etc.
Risk of delays in transportation of telecommunications business equipment and facilities due to regulations and restrictions imposed on aircraft, ships, and so forth by countries in conflict or other countries involved Monitoring, information gathering, decentralization and diversification of suppliers
e. Stable provision of network services
(a) Telecommunication network failures Risk of being unable to maintain telecommunications service quality due to increased network traffic or an inability to secure necessary frequency bands Bolster the telecommunication network based on predictions of future traffic
(b) Unpredictable circumstances such as natural disasters Risk of a natural disaster, pandemic, etc. preventing normal operation of telecommunication networks or information systems Introduce network redundancy, establish an emergency recovery system, and implement countermeasures for power outages at network centers and base stations
f. Corporate acquisition, business alliances, establishment of joint ventures, organizational restructuring within the group
  • Investment and loans
Risk of investee companies being unable to perform as expected; risk of business partnerships and joint ventures not producing expected results Conduct sufficient due diligence when considering each investment to make investment decisions in accordance with the prescribed approval process
g. Dependence on other companies' management resources
(a) Outsourcing
  • Inappropriate management of information by outsourced companies
  • Risk of outsourced companies being unable to perform work as expected
  • Risk of infringing on customers' human rights as a result of an outsourced company fraudulently acquiring SoftBank group and customer information or using it for other purposes
  • Conduct periodic audits of outsourced companies' work
  • Evaluate and select the supplier in accordance with our purchasing rules
(b) Use of other companies' facilities
  • Other companies' management resources
Risk of becoming unable to continue using communication line facilities owned by other operators Use multiple operators' communication line facilities
(c) Procurement of various equipment
  • Supply disruptions
  • Delivery delays
Risk of supply disruptions, delivery delays, etc. in the procurement of telecommunication equipment, etc. Build networks by procuring equipment from multiple suppliers
h. Use of the SoftBank brand
  • Brand use
Risk that our actions negatively impact the trust or interests of SoftBank Group Corp. and we become unable to use the SoftBank brand Bolster the system for checking prior to using the brand, release materials related to brand use, and conduct training
i. Service interruption or degradation due to related system failure
  • System failures
Risk of becoming unable to continuously provide service for customer-facing systems, the PayPay smartphone payment system, etc. due to human error, equipment/system problems, cyber attack by a third party, hacking, or other unauthorized access Add redundancy to the network and clarify recovery procedures in case of failure or other accidents
j. Training and securing human resources
  • Human resources (hiring, training)
  • Labor management (overwork, etc.)
  • Human rights
  • Diversity
  • Risk of being unable to secure engineers or other human resources necessary for business operation as planned
  • Risk of reducing society's trust and confidence in SoftBank due to being unable to meet social demands for consideration for basic human rights
  • Risk of reducing society's trust and confidence in SoftBank due to being unable to meet social demands for for respecting diversity and demonstrating their full potential
  • Adopt a remuneration system that considers the expertise of human resources with high market value
  • Establish a human rights policy and human rights due diligence process; conduct risk assessments
  • Ensure company-wide awareness of efforts related to diversity; conduct training
k. Climate change
  • Increasing damage from natural disasters
  • Biodiversity
  • Risk of higher restoration and maintenance costs due to an increase in disaster-affected facilities and worsening of damage
  • Risk of financial losses due to impacts on supply chains from the loss of biodiversity
  • Promote redundancy of core networks and secure communications in the event of a disaster, etc.
  • Conduct risk assessment on the impacts that business has on biodiversity

2. Risk related to laws,
regulations,
and compliance

Risk items Typical risk examples Risk reduction measures
a. Laws, regulations, systems, etc.
  • Regulations based on laws
  • Subsidiaries and affiliated companies
  • Risk of violating laws/regulations; risk of new or revised laws/regulations that have adverse effects on operations
  • Risk of damaging society's trust in the company in the event that misconduct, etc. by a subsidiary or an affiliated company cannot be prevented
  • Monitor revisions of laws/regulations; consult with lawyers and other external experts as necessary
  • Bolster reporting systems and communication with each subsidiary and affiliated company; understand subsidiaries and affiliated companies' risks through risk assessments, etc.
b. Lawsuits, etc.
  • Contract disputes
  • Lawsuits
Risk of negatively impacting the SoftBank group's corporate image due to infringing upon the rights of a third party Confirm laws, regulations, systems, and agreement terms on contracts, etc.

3. Risk related to
finance and accounting

Risk items Typical risk examples Risk reduction measures
a. Fund procurement
  • Liquidity
  • Credit control
  • Exchange/interest rates
  • Financial markets
Risk of increased fund procurement cost due to rising interest rates, etc. Build a financial base to hold sufficient funds by diversifying means of fund procurement
b. Changes to accounting and tax systems
  • Covenants
  • Tax/accounting
Risk of impact to the SoftBank group's business development, financial condition, and performance due to additional tax burden caused by changes to accounting/tax systems, etc. Consult with external experts such as tax advisors as necessary
c. Impairment loss
  • Impairment loss
Risk of impact to the SoftBank group's business development, financial condition, and performance due to impairment loss Build a system for periodic monitoring

4. Other

Risk items Typical risk examples Risk reduction measures
a. Leadership team
  • Leadership team
Risk of impact to the SoftBank group's business development if unforeseen circumstances affect the leadership team Build an organizational structure that can take over work duties
b. Relationship with the parent company
  • Parent company control or substantial influence over matters to be resolved at a general meeting of shareholders
    • Independence
    • Objectivity
    • Transparency
  • Competition with other companies within the SoftBank group
  • Possibility of the parent company having substantial influence over matters to be resolved at a general meeting of shareholders
  • Competing with other group companies in pursuit of investment opportunities
  • Exercise the option to establish a nominating committee and compensation committee in order to ensure independence
  • Strengthen collaboration with SoftBank Group Corp. and its subsidiaries

Emerging risks

In addition, SoftBank also reviews risks on a periodic basis to identify and manage emerging risks that can potentially have a substantial impact on the business*1. We consider these identified emerging risks from short-term and medium- to long-term standpoints*2 and take measures to address them.
The emerging risks for FY2025 are as follows.

[Notes]
  1. *1
    Risks that do not currently exist or are not recognized, but may appear or change due to changes in the external environment, etc. and can potentially have a substantial impact on the business that requires changes to business strategy or business models.
  2. *2
    In general, we consider “medium- to long-term” to be a timeframe of three to five years or longer.

Regulatory Risks Related to
AI Technology

Risk definition Risk of impeding continuity of operations and business development, loss of social credibility and trust in the company, and economic and financial losses (penalties) due to violation of laws and regulations to be complied with in relation to AI, or being unable to comply with new legislation or regulations, or changes in the operation of government agencies.
Typical risk examples
  • Impacts on the company's strategy impeding the continuity of operations and business development as a result of being unable to comply with enactment and revisions to laws and regulations, or changes in operations by government agencies in countries or regions where we operate businesses related to AI.
  • Violation of laws and regulations to be complied with in relation to AI may lead to loss of social credibility and trust in the company, and economic and financial losses (penalties).
  • If stricter or unforeseeable laws and regulations, etc. related to AI are enacted in the future, to the extent that they affect technological innovation, research and development, and new investments, etc., it will inhibit the creation or development of the company's new businesses, or impede the continuity of existing businesses.
Impact on business

With the advent of generative AI*1 that can be used interactively, and its deployment into AI agents*2 that autonomously examine and execute tasks on behalf of users, AI is expected to continue making a significant contribution to improved business productivity.

In addition to actively utilizing AI in various operations to realize improvements and streamlining, the SoftBank group proposes and sells related products and services to its client companies, etc. For example, the group began offering a beta version of the generative AI agent service “satto” in August 2024.

Also, to make our corporate philosophy of “Information Revolution — Happiness for everyone” a reality by achieving SoftBank's long-term vision of providing next-generation digital infrastructure that is essential for the development of a digital society that we announced in May 2023, we are also working on building distributed AI data centers and digital infrastructure that supports a society able to coexist with AI. Following the company's certification from the Ministry of Economy, Trade and Industry for the plan to secure the supply of “Cloud Programs,” a specified critical product under the Economic Security Promotion Act in May 2024, we are making capital investments of approximately 150 billion yen to expand our AI computing infrastructure and are building new AI computing infrastructure at multiple locations across Japan between FY2024 and FY2025.

Meanwhile, the World Economic Forum (WEF) Global Risks Report 2025, following the 2024 report, ranked “misinformation and disinformation” as the most serious global short-term risk (next two years), and “adverse outcomes of AI technology” as a long-term risk (next 10 years). The fact that it is now possible to use AI technology without needing advanced technology or specialized knowledge has made it even easier to spread misinformation and disinformation. This causes not only new confusion and anxiety in society, but also political and economic security concerns that have led some countries to consider regulation. In Japan, the AI Utilization Promotion Act*3 was passed and enacted by the House of Councilors on May 28, 2025, requiring developers and businesses that use AI to strive to use AI technology appropriately, ensure transparency and fairness, and protect the rights and interests of users.

Amid these circumstances, SoftBank believes that the implementation of “responsible AI”*4 is essential, and utilizes AI, proposes and sells AI-related products and services to client companies, and conducts development of generative AI and AI agents, etc. However, if stricter laws or regulations were to be enacted in the future and we were unable to properly respond thereto, the group's AI-related business plans may be significantly delayed.

Furthermore, if we were to violate relevant laws and regulations, for example, by leaking confidential or personal information in the use of our generative AI, or by infringing on copyrights of third parties in our use of generated work, we could lose our social credibility and trust, as well as incur economic and financial losses (penalties). Additionally, if our involvement in or response to the formulation of rules such as laws and regulations related to AI is delayed, it could affect our strategies, thus hindering the continuity of operations and business development.

[Notes]
  1. *1
    Artificial intelligence capable of generating various content, including text, images, and programming code.
  2. *2
    AI technology that autonomously selects the optimal means to achieve a goal and carries out the task on behalf of the user.
  3. *3
    Act on the Promotion of Research, Development, and Utilization of Artificial Intelligence-Related Technologies.
  4. *4
    This refers to companies and organizations taking responsibility for addressing issues and potential risks related to AI, such as ethics, privacy, and security, and developing and providing AI services that are reliable and fair.
Countermeasures

Under our “Beyond Carrier” strategy, we are working to provide innovative services and promote digital transformation by utilizing cutting-edge technologies such as AI and IoT. In particular, as the use of AI is expanding, ethical considerations are becoming more important, and so we formulated the SoftBank AI Ethics Policy in 2022 to ensure appropriate use of AI and the provision of safe and secure services. Specifically, it sets forth guidelines across six categories: human-centered principles, respect for fairness, pursuit of transparency and accountability, safety assurance, privacy protection and security assurance, and education for AI talent and literacy. We have declared that we will operate our business and develop services in accordance with these guidelines. We have established various internal rules such as regulations, standards, guidelines, and checklists based on the AI Ethics Policy, and in formulating these rules, we took into consideration compliance with the Social Principles of Human-Centric AI created by the Cabinet Office, which form the basis of the AI Guidelines for Business (Version 1.0), the AI Development Guidelines and AI Utilization Guidelines created by the Ministry of Internal Affairs and Communications, and the Governance Guidelines for Implementation of AI Principles created by the Ministry of Economy, Trade and Industry. Furthermore, there is a system in place to be able to apply this policy to group companies, and as of March 1, 2025, 74 companies have adopted it. In addition, we are working to mitigate risk by conducting risk assessments for group companies based on the risk perspectives in the AI governance that we have established.

As the strategic division for our AI business, the AI Strategy Office is tasked with the mission of promoting AI governance at SoftBank. Within that, we have established the AI Governance Promotion Office as an independent, specialized division to promote governance in the divisions of the company that use AI, and this office is managed and supervised by a steering committee consisting of the CIO(Chief Information Officer), CDO(Chief Data Officer), CISO(Chief Information Security Officer), and CCO(Chief Compliance Officer). In April 2024, we established the AI Ethics Committee, an advisory board for AI governance composed of external expert members and internal members. The external expert members come from a wide range of specialized fields, including AI ethics and AI technology in general, data governance, finance, law, consumers, and ESG (environment, social, and governance). They discuss and offer recommendations on various issues related to AI ethics, as well as share their knowledge on the latest trends both in Japan and overseas. As AI technology rapidly evolves and the associated challenges become more complex on a global scale, by incorporating the diverse perspectives and knowledge of external experts, we are able to achieve objective and highly effective AI governance that takes into account the perspectives of our customers.

In addition, in our AI governance promotion strategy, we place importance on promoting AI ethics and governance education. Specifically, we provide education to all employees, including executives, through initiatives such as e-learning (once a year), study sessions (twice a year), and a monthly email newsletter. The agenda for educational content includes case studies of AI incidents occurring both in Japan and overseas, precautions to take when using AI, including generative AI (bias, information leaks, copyright infringement, hallucinations, etc.), and social trends regarding AI ethics as we work to improve literacy for all employees.

Security risk of cyberattacks brought about
by changes
in the international situation

Risk definition Cyberattacks are growing more diverse, complex, and sophisticated, and are becoming more common due to changes in the international situation, which may result in the leakage, falsification, destruction, erasure, or theft, etc. of our information assets or the suspension of or damage to the services of our company or our affiliate companies, resulting in economic and financial losses and loss of social credibility and trust in the group.
Typical risk examples Due to heightened geopolitical risks resulting from changes in the international situation, advanced cyberattacks suspected to be state-sponsored that use AI or other technologies to target telecommunications companies, which are essential infrastructure, could occur in the following situations, resulting in economic and financial losses for the company:
  • If our core systems were to stop functioning and communications services were to be interrupted, our ability to provide services to customers would be hindered, leading to a loss of customers.
  • The suspension of services we provide and data encryption (ransomware) could disrupt our business operations, making business continuity difficult.
  • Theft or leakage of data that includes personal information could result in administrative sanctions or fines from supervisory authorities.
Impact on business

In recent years, with the international situation growing more unstable due to Russia's invasion of Ukraine, the Middle East conflict that began in Gaza, and the deterioration of relations between the US and China and between South Korea and North Korea, cyberattacks that appear to be state-sponsored are on the rise. Furthermore, as AI technological innovation progresses and the range of users expands, even attackers with little technical expertise can carry out cybercrime with the help of AI, which has dramatically increased the speed and scale of attacks. For example, generative AI can automatically generate natural, persuasive sentences and code, making the creation of malware and other programs much easier and more sophisticated. The World Economic Forum's Global Cybersecurity Outlook 2025 highlights the fact that nearly 60% of organizations stated that geopolitical tensions have affected their cybersecurity strategy, and 47% cite adversarial advances powered by generative AI as their primary concern.

In the telecommunications industry, the spread of 5G and IoT has made communications infrastructure highly complex, thereby increasing new points to attack. Furthermore, new vulnerabilities have emerged, making for targets that are easier to attack. For us as a telecommunications company, the negative aspects of these technological innovations could pose medium- to long-term risks that threaten the stable provision of telecommunications networks.

As a telecommunications company, we transmit and store large volumes of confidential data (with a cumulative total of 31.77 million smartphone contracts in the fiscal year ending March 31, 2025), so if unauthorized access through a cyberattack or a ransomware attack were to occur and data that includes personal information were to be stolen or leaked, this could damage customer trust and lead to a loss of customers.

In addition, we do business with several thousand companies, and if an attacker were to use malware to encrypt our internal systems or servers and halt operations, and we are not able to respond appropriately, it may become difficult for us to continue our business. This is not limited to our company, as the disruption of our supply chains in Japan and overseas, including those of our business partners, by a cyberattack due to geopolitical factors may delay the supply of important telecommunications equipment, etc., which could disrupt our ability to provide services.

Furthermore, communications infrastructure is the foundation of society, and its destruction could have a major impact on society, which could act as a motive for attacks. According to a survey by Check Point Software Technologies (Q1 2025), as cyberattacks continue to surge around the world, the telecommunications industry reported the highest percentage increase by any industry, with a massive 94% year-on-year increase. SoftBank was designated as a specified essential infrastructure service provider (essential infrastructure business) in the telecommunications business sector under the Economic Security Promotion Act*1 on November 16, 2023. If a cyberattack were to disrupt the maintenance and management of critical telecommunications equipment and affect the provision of telecommunications services, not only could we be subject to penalties from the supervisory authorities, but social credibility and trust in the company could also be damaged.

[Note]
  1. *1
    Act on the Promotion of Ensuring National Security through Integrated Implementation of Economic Measures
Countermeasures

At SoftBank, approximately 40,000 people, including employees and contractors, use approximately 100,000 devices and over 1,000 IT systems to carry out their work. In an IT environment on such a large scale, many security events occur on a daily basis, including external reconnaissance, attacks targeting vulnerabilities, viruses, and phishing.

Our countermeasures include compliance with laws, regulations, and other norms related to information security and establishment of an information security management system aimed at protecting information assets and defending against cyberattacks. Specifically, we have established an Information Security Policy that employees must comply with, appointed a Chief Information Security Officer (CISO), and furthermore, organized the Information Security Committee chaired by the CISO and the SoftBank Computer Security Incident Response Team (SoftBank CSIRT) to review measures in response to environmental changes and technological innovations and share information that is useful in information security and cybersecurity measures.

The SoftBank CSIRT is made up of members from the Security Department and members appointed by the heads of each department under the CISO to prevent security incidents and minimize damage through rapid incident response, and in addition, the CSIRT Office has been established to respond to incidents together with the Information Security Committee Office and related organizations both inside and outside the company. In addition, to prevent incidents from occurring, we deal with vulnerabilities (collecting and analyzing information, requesting responses, and monitoring the status of responses), establish security rules, provide security education, and issue warnings, and to prepare for incidents, we develop procedures for responding when incidents occur and conduct incident response training. Similarly, risk management systems have been established for our affiliate companies (subsidiaries and affiliates). We have established the SBKK Group Security Committee, chaired by the CISO and comprised of information security managers from affiliate companies, to share information, provide education and training, and cooperate in responding to incidents when they occur. Additionally, we are working to reduce and prevent risks related to information security and cyber security by formulating the SoftBank Affiliate Company Security Guidelines, which stipulate the systems and compliance rules required for appropriate security management at affiliate companies.

Furthermore, the number of actual cyberattacks against our company in FY2023 reached 16 billion security events per day, with 12 million reconnaissance and vulnerability-targeting attacks and 80 thousand viruses and phishing emails. To combat these cyberattacks, we are implementing multiple security solutions as countermeasures and working daily to strengthen our cybersecurity.

Addressing emergency

In the event of emergency situations such as major disasters, an Emergency Response Headquarters headed by the president will be established, and the departments in charge will collect and analyze information on the impact and damage in their areas of responsibility. An Emergency Response Headquarters will then be established based on the impact and damage, and will take action to rapidly restore the situation.

Emergency response
headquarters structure

  • Emergency response headquarters structure

Structure based on Disaster
Response Agreements

To assist swift restoration efforts in the event of a major disaster or emergency, SoftBank has signed “Disaster Response Agreements” with Japan's Ministry of Defense and the Japan Coast Guard for the purpose of securing communications and mutually cooperating in a wide range of areas.

As communications are a necessary means of assisting life-saving activities following a disaster, SoftBank provides satellite mobile phones, SoftBank mobile phones and other communication equipment to the Ministry of Defense and the Japan Coast Guard. Furthermore, the Ministry and Coast Guard provides SoftBank with logistics assistance and the ability to use their facilities and equipment so SoftBank can better secure communications and conduct restoration activities in affected areas.

SoftBank will continue to work closely with the Ministry of Defense, Coast Guard and other related institutions in disaster preparedness and carry out its responsibilities to society as a communications carrier.

Emergency operational plans

SoftBank Corp. is working to ensure the provision of stable telecommunications services and to ensure the safety of customers in emergency situations such as natural disasters, terrorist attacks or pandemics.

Disaster operational plan

Japan's Disaster Countermeasures Basic Act was established for the purpose of protecting national land as well as citizens' lives, livelihoods and property, and to maintain social order and secure public welfare in the event of a disaster. The Act's disaster management system stipulates the roles and responsibilities of the national government, local governments and designated public corporations.

Under the Act, SoftBank is designated public corporations as set out by the national government, and thus formulate Disaster operational plans. The company has established systems for disaster prevention and preparedness, and in the case of disasters, respond in accordance with their Disaster operational plans while working closely with relevant government organizations and public corporations.

Civil protection
operational plan

The Law concerning the Measures for Protection of the People in Armed Attack Situations etc. (“the Civil Protection Law”) was formulated with the aim of protecting the lives, health and assets of citizens in the event of an armed attack and minimizing the impact of an armed attack on citizens' lives and on the nation's economy. The Civil Protection Law allocates roles to the national government, prefectural and municipal governments, cities, towns and villages, defines the roles of designated public institutions and delineates an organizational framework for protecting civilians.

SoftBank, which is designated public institutions, has developed a Civil protection operational plan based on the Civil Protection Law. In the event of the threat or occurrence of a terrorist attack, the company will coordinate with other relevant institutions in accordance with the Civil protection operational plan.

New flu strains countermeasure
operational plan

In its Guidelines on Measures against New Flu Strains, the Japanese government sets out strengthened measures to counter new strains of influenza for the purpose of protecting citizens' lives and health, and to minimize any potential impact on daily life and the economy. The Guidelines stipulate the roles and responsibilities of designated public companies and a management system for emergencies.

Under the Guidelines, SoftBank, which is designated public corporation as set out by the national government, is formulating Operational Plans in line with the government's action plan. We shall work closely with relevant government organizations and public corporations to respond to an outbreak by specifying structures for the preparation, initial response phases, and subsequent periods, as well as necessary countermeasures.