Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Mar. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
Item 16K.
Cybersecurity
Sony recognizes the importance of cybersecurity, both in achieving financial success for the company and in maintaining the trust of its stakeholders, which include shareholders, customers, employees, suppliers, and business partners.
Risk Management & Strategy
As part of Sony’s risk management framework, Sony maintains and continuously strives to enhance its information security program. This program covers the entire Sony Group and is implemented in accordance with policies and standards, which include cybersecurity risk management and governance frameworks, and guidance, developed by Sony and based on globally recognized industry best practices and standards. The policies define information security responsibilities within Sony and outline certain actions and procedures that officers and employees are required to follow, including with respect to the assessment and management of cybersecurity risks to Sony, including its systems and information. The policies, standards, and guidance are structured to help Sony respond effectively to the dynamically changing environment of cybersecurity threats, cybersecurity risks, technologies, laws, and regulations. Sony modifies its policies, standards, and guidance as needed to adjust to this changing environment.
If Sony’s cybersecurity risk management controls are overcome by a cyber attacker, Sony follows an incident response plan and escalation process as defined in the information security program. The response process includes an assessment of whether an incident may be material, and this assessment is adjusted as necessary as additional facts become known during the incident response. Any incident that is assessed as potentially material is escalated to Sony’s senior management and is reported to the two outside Directors in charge of information security on Sony Group Corporation’s Board of Directors (the “Board”).
In the fiscal year ended March 31, 2025, Sony was the victim of several cyberattacks. None of these incidents was assessed to be material, nor did they materially affect Sony’s business strategy, the results of its operations, or its financial condition. However, there can be no guarantee that this will be the case with a future incident. For more information about risks Sony faces from cyberattacks, please refer to “Sony’s brand image, reputation and business may be harmed and Sony may be subject to legal claims if there is a breach or other compromise of Sony’s information security or that of its third-party service providers or business partners.” included in “Risk Factors” in “Item 3. Key Information.”
Sony has also established policies and processes to help identify and manage cybersecurity risks associated with third parties, including companies that provide services and products to Sony, and companies that hold Sony information or have electronic access to Sony systems or information. The policies and processes include assessment of the cybersecurity and privacy programs at certain third parties, the use of this risk information when making contracting decisions, and the use of contract language that includes cybersecurity and privacy requirements.
Most of the information security program is implemented by Sony employees. Sony also engages the services of external providers to enhance and support its information security program, including leading cyber response specialists as may be needed, and consultants to evaluate and help improve organization, policies, and other aspects of the program.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
Sony recognizes the importance of cybersecurity, both in achieving financial success for the company and in maintaining the trust of its stakeholders, which include shareholders, customers, employees, suppliers, and business partners.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] In the fiscal year ended March 31, 2025, Sony was the victim of several cyberattacks. None of these incidents was assessed to be material, nor did they materially affect Sony’s business strategy, the results of its operations, or its financial condition.
Cybersecurity Risk Board of Directors Oversight [Text Block]
Structure and Governance of Sony’s Information Security Program
Sony’s information security program is under the responsibility of a Senior Executive, specifically, the Sony Group Chief Digital Officer (“CDO”), and the Sony Group Global Information Security Officer (“GISO”), who reports to the CDO.
Under the leadership of the CDO and the GISO, and supported by a global information security team that works across the entire Sony Group, Sony implements the cybersecurity risk management and governance frameworks that are described in its policies and standards. Each business segment of Sony has a senior information security leader, called an Executive Information Security Officer (“EISO”), who reports both to the GISO and to the senior management of the particular business unit. The EISOs and their associated teams are responsible for ensuring implementation and operation of the information security program in a way that is tailored to each specific business unit, including as it relates to the assessment and management of cybersecurity risks. The GISO coordinates with the EISOs to monitor the implementation of Sony’s cybersecurity policies and standards.
The current CDO has experience in launching and overseeing the development, technical operation, and business operations of large-scale network products and services at Sony, including overseeing implementation and operation of the information security program. The current GISO has more than 40 years of experience in cybersecurity. Before joining Sony, the GISO served as Deputy Chief Information Officer for Cybersecurity of the U.S. Department of Defense (the Department’s equivalent of a Chief Information Security Officer) and before that, as the Chief Information Assurance Executive at the Defense Information Systems Agency (DISA), an agency of the U.S. Department of Defense.
The Sony Group CEO receives regular reports from the CDO and/or the GISO, additional reports as needed during the response to a cyber incident, and briefings from the CDO and GISO at various times during the year. The head of each Sony business segment also receives regular briefings from the CDO and the GISO, as well as reports and briefings from the business segment EISO.
The Board oversees Sony’s information security risks, significant incidents, policies and key initiatives, including in the following ways. The full Board receives reports from the outside Directors in charge of information security as well as briefings several times a year from the CDO and the GISO, and also engages in discussion of these matters.
 
 
 
As of the date of this report, the following two outside Directors oversee Sony’s information security efforts, via monthly meetings and ad-hoc incident response communications with the CDO and GISO.(*)
 
 
- Joseph A. Kraft Jr., outside Director, serves simultaneously as the Chair of the Audit Committee.
- Neil Hunt, outside Director, has extensive experience in the development of large-scale information systems, including experience with the management of cybersecurity risks.
* Sony Group Corporation has proposed “To elect 11 Directors” as an agenda item for the Ordinary General Meeting of Shareholders to be held on June 24, 2025. If the proposal is approved, three (3) outside Directors in charge of information security (the current outside Directors Joseph A. Kraft Jr. and Neil Hunt, and a new outside Director, Ms. Nora Denzel) will be appointed at the Board of Directors meeting to be held after the Ordinary General Meeting of Shareholders.
 
 
- Ms. Nora Denzel has wide experience in information technology cultivated at several Silicon Valley-based companies, including experience with the management of cybersecurity risks.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The current CDO has experience in launching and overseeing the development, technical operation, and business operations of large-scale network products and services at Sony, including overseeing implementation and operation of the information security program. The current GISO has more than 40 years of experience in cybersecurity. Before joining Sony, the GISO served as Deputy Chief Information Officer for Cybersecurity of the U.S. Department of Defense (the Department’s equivalent of a Chief Information Security Officer) and before that, as the Chief Information Assurance Executive at the Defense Information Systems Agency (DISA), an agency of the U.S. Department of Defense.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] Sony’s information security program is under the responsibility of a Senior Executive, specifically, the Sony Group Chief Digital Officer (“CDO”), and the Sony Group Global Information Security Officer (“GISO”), who reports to the CDO.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] The Sony Group CEO receives regular reports from the CDO and/or the GISO, additional reports as needed during the response to a cyber incident, and briefings from the CDO and GISO at various times during the year. The head of each Sony business segment also receives regular briefings from the CDO and the GISO, as well as reports and briefings from the business segment EISO.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true