Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Mar. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
We manage cybersecurity risk as a subset of IT risk, which is included in the broader risk category of operational risk. Operational risk is defined as the risk of potential loss resulting from inadequate or ineffective internal processes, people and systems, or due to external events. Cybersecurity risk management is integrated into our comprehensive risk management framework where we have adopted a three lines of defense approach. The first line of defense is the Cyber Security Division, which is the team primarily responsible for identifying and mitigating risks as well as designing and executing controls to manage cybersecurity risk. The second line of defense is the Corporate Risk Management Division, which reports to the Group Chief Risk Officer (CRO) and which is responsible for assessing and monitoring cybersecurity risk as well as testing the effectiveness of cybersecurity risk controls independently from the first line. The third line of defense is the Internal Audit Division, which audits the effectiveness of first-line and second-line cybersecurity risk management.
Our cybersecurity risk management program incorporates features based on globally recognized standards such as those issued by the National Institute of Standards and Technology (NIST). Based on such globally recognized standards, the Cyber Security Division, which is supervised by the Group Chief Information Security Officer (CISO), establishes policies and standards to protect our information systems and conducts cybersecurity risk assessments. Among its other responsibilities, the Division also focuses on threat intelligence, including centralized information collection and impact analysis on newly discovered vulnerabilities and past experience, and prevention and remediation of such impacts on a global group-wide basis. Additionally, the Division conducts daily monitoring of our external-facing systems to identify and prevent any flaws in security updates or configuration settings. In an effort to enhance our round-the-clock monitoring and incident response capabilities on a global group-wide basis, we have established the MUFG Cyber Security Fusion Center (MUFG CSFC), which specializes in cybersecurity threat analysis and information security solutions. At the subsidiary level, the Computer Security Incident Response Teams (CSIRTs) have been established within subsidiaries to receive, investigate and implement measures in response to reports of cybersecurity incidents from within such respective subsidiaries in coordination with the MUFG Computer Security Incident Response Team (MUFG-CERT), a team established within the Cyber Security Division for centralizing our cybersecurity incident responses.
We regularly conduct exercises and drills designed to ensure our ability to effectively perform cybersecurity incident response functions. We have also expanded our collaborative activities with government agencies, other companies in the financial industry and other information security communities, including the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Financials Information Sharing and Analysis Center Japan (F-ISAC), the Forum of Incident Response and Security Teams (FIRST) and the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). Furthermore, in order to minimize third-party risks, we conduct risk assessments on third-party vendor contracts prior to contract initiation and subsequently conduct annual reviews to identify any significant changes in the risk environment. We also require our vendors to adhere to the standards set by us in order to ensure that our risk management protocols are consistently maintained. Along with regularly conducted internal reviews of our cybersecurity risk management program against market trends and best practices, we engage audit firms and external consultants as needed, receive evaluations, and utilize the results of these evaluations to continuously ensure and enhance the effectiveness of our program.
Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block]
We manage cybersecurity risk as a subset of IT risk, which is included in the broader risk category of operational risk. Operational risk is defined as the risk of potential loss resulting from inadequate or ineffective internal processes, people and systems, or due to external events. Cybersecurity risk management is integrated into our comprehensive risk management framework where we have adopted a three lines of defense approach. The first line of defense is the Cyber Security Division, which is the team primarily responsible for identifying and mitigating risks as well as designing and executing controls to manage cybersecurity risk. The second line of defense is the Corporate Risk Management Division, which reports to the Group Chief Risk Officer (CRO) and which is responsible for assessing and monitoring cybersecurity risk as well as testing the effectiveness of cybersecurity risk controls independently from the first line. The third line of defense is the Internal Audit Division, which audits the effectiveness of first-line and second-line cybersecurity risk management.
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]
The Group Chief Information Officer (CIO) is responsible for operating and maintaining our cybersecurity risk management program and regularly reports on significant cybersecurity-related matters to the Board of Directors as well as the Executive Committee. In the fiscal year ended March 31, 2025, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included a plan for enhancing our global group-wide cybersecurity governance program such as updating the global risk assessment framework and securing resources. The Group CIO receives direct reporting from the Group CISO, who, as the most senior manager responsible for cybersecurity risk, supervises the Cyber Security Division. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and coordinates incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members. Our current Group CIO has over twenty years of experience in IT management, including cybersecurity risk management, and has experience as a member of a government information security organization. Similarly, the current Group CISO and senior members of the Cyber Security Division have extensive cybersecurity management experience and expertise, with many members participating in financial industry information security organizations, including the F-ISAC.
The Board of Directors decides key cybersecurity risk management policies and oversees the execution of our cybersecurity risk management program on a global group-wide basis as part of its responsibility for deciding key management policies and overseeing management. The Board of Directors is informed by, and discusses with, the Group CIO, the Group CRO, who is responsible for assessing and overseeing management of material risks on a global group-wide basis, and other management members on important matters relating to risks from cybersecurity threats and management of such risks, while being assisted by board committees, including the Risk Committee and the Audit Committee, with the oversight of the execution of duties related to cybersecurity risk management carried out by directors and corporate executives. The Risk Committee receives reports from management and the Corporate Risk Management Division on, among other things, cybersecurity threats and incidents, risk trends in cybersecurity threat indicators, and the results of evaluations of the effectiveness of first-line controls in cybersecurity threat prevention and detection conducted by external consultants or audit firms, and discusses and makes recommendations to the Board of Directors on material cybersecurity risk-related matters. The Audit Committee obtains reports from management, the Internal Audit Division and external auditors on risks from cybersecurity threats, the management of such risks, and the design and operation of the corporate governance framework for cybersecurity risk management and, based on its analysis and expertise, assists the oversight of cybersecurity risk management by the Board of Directors.
Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors decides key cybersecurity risk management policies and oversees the execution of our cybersecurity risk management program on a global group-wide basis as part of its responsibility for deciding key management policies and overseeing management.
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] The Board of Directors decides key cybersecurity risk management policies and oversees the execution of our cybersecurity risk management program on a global group-wide basis as part of its responsibility for deciding key management policies and overseeing management.
Cybersecurity Risk Role of Management [Text Block]
The Group Chief Information Officer (CIO) is responsible for operating and maintaining our cybersecurity risk management program and regularly reports on significant cybersecurity-related matters to the Board of Directors as well as the Executive Committee. In the fiscal year ended March 31, 2025, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included a plan for enhancing our global group-wide cybersecurity governance program such as updating the global risk assessment framework and securing resources. The Group CIO receives direct reporting from the Group CISO, who, as the most senior manager responsible for cybersecurity risk, supervises the Cyber Security Division. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and coordinates incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members. Our current Group CIO has over twenty years of experience in IT management, including cybersecurity risk management, and has experience as a member of a government information security organization. Similarly, the current Group CISO and senior members of the Cyber Security Division have extensive cybersecurity management experience and expertise, with many members participating in financial industry information security organizations, including the F-ISAC.
Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] In the fiscal year ended March 31, 2025, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included a plan for enhancing our global group-wide cybersecurity governance program such as updating the global risk assessment framework and securing resources. The Group CIO receives direct reporting from the Group CISO, who, as the most senior manager responsible for cybersecurity risk, supervises the Cyber Security Division. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and coordinates incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members.
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] Our current Group CIO has over twenty years of experience in IT management, including cybersecurity risk management, and has experience as a member of a government information security organization. Similarly, the current Group CISO and senior members of the Cyber Security Division have extensive cybersecurity management experience and expertise, with many members participating in financial industry information security organizations, including the F-ISAC.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
The Group Chief Information Officer (CIO) is responsible for operating and maintaining our cybersecurity risk management program and regularly reports on significant cybersecurity-related matters to the Board of Directors as well as the Executive Committee. In the fiscal year ended March 31, 2025, the cybersecurity-related matters reported on by the Group CIO to the Board of Directors included a plan for enhancing our global group-wide cybersecurity governance program such as updating the global risk assessment framework and securing resources. The Group CIO receives direct reporting from the Group CISO, who, as the most senior manager responsible for cybersecurity risk, supervises the Cyber Security Division. The Cyber Security Division receives information on cybersecurity incidents from the CSIRTs in accordance with our policies and procedures, supervises and coordinates incident response at our group companies, and provides relevant information to the Group CISO, the Group CIO, the Corporate Risk Management Division and, as appropriate, other senior management members.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true