Privacy and Information Security Policy
Information Security Management
To provide safe and secure services to our customers, we recognize that ensuring the highest standard of privacy and security is one of our key management issues. We have been strengthening our security measures by establishing security- and privacy-related policies, rules and procedures in order to handle ever-changing circumstances, including changes in security risks under a flexible work environment, more sophisticated cyber attacks, and amendments to laws and regulations inside and outside Japan.
We have appropriate measures in place for safeguarding personal information in accordance with the relevant laws and regulations including the Act on the Protection of Personal Information. We have established “Rules for Handling Personal Information,” “Rules for Handling Specific Personal Information,” and “Detailed Rules for Handling Personal Information and Specific Personal Information” so that we can handle personal information in an appropriate and safe manner. We disclose our Privacy and Information Security Policy on our website.
Personal Information and Privacy Policy
In addition, in order to safeguard information assets including personal information, we have established “Security Policy,” “Information Security Management Rules,” and “Information Security Management Procedures.”
At WealthNavi, the Information Control Supervisory Manager manages enterprise-level security by evaluating and improving security measures. We also reinforce our security by appointing a Security Control Manager in each department. Security Control Managers take the lead to inform the team members about security rules and to implement and manage security measures at their departments continuously.
We have established incident response procedures to react promptly in case of major security incidents. We also proactively review and improve security measures, roles of related personnel and reporting structure through such activities as participating in training sessions provided by Financials ISAC (Information Sharing and Analysis Center) Japan.
We have been promoting the “zero-trust security” [1] framework in order to securely protect information assets including personal data. We have been enhancing security measures by upgrading architectures and expanding our security team to provide our service securely.
[1] “Zero-trust security” is a new security model to defend against cybersecurity threats. A “castle and moat” model used to be widely adopted to ensure cybersecurity. With the change in data environments under such circumstances as widespread remote work, zero-trust security assumes that the network perimeter no longer exists.
We believe that it is crucial to develop each employee’s skills and knowledge on information security to ensure effective security measures and secure handling of personal data. At WealthNavi, we provide training and post-training tests on information security and privacy protection on a regular basis. We also provide this training at the time of onboarding.
In order to protect and handle customers’ personal information appropriately and securely, we establish restricted areas in our office. Only authorized employees can enter these areas and access personal information. In addition, we install security cameras in these areas to prevent crimes and accidents as well as to identify the causes in case something happens.
We use various services provided by external vendors and partner companies including cloud computing services. It is important to build a successful supply chain with our external vendors and to manage associated risks properly. We are endeavoring to mitigate supply chain risk by evaluating security risks and asking for the deployment of countermeasures if needed prior to service implementation.
We proactively check for potential system vulnerabilities through security testing conducted internally as well as in cooperation with third-party cybersecurity companies.
In addition, we periodically have system audits conducted by independent security auditors, which leads to effective and efficient business management and secure operations.
We have obtained ISO/IEC 27001 certification, a globally recognized standard for information security management systems, as well as ISMS cloud security certification based on ISO/IEC 27017. We will continue to enhance and strengthen our information security to provide our users with secure and reliable services.