| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended |
|---|---|
| | Mar. 31, 2026 |
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] |
The risk of cybersecurity threats is growing ever more serious as a result of the accelerated digitization of financial services and changes to the surrounding environment. We strengthen our security controls in order to achieve a society that is resilient to cybersecurity threats and provide more secure services to our customers. SMFG and some of SMBC Group companies have established a “Declaration of Cybersecurity Management.” This declaration indicates that we acknowledge cybersecurity as a key management issue, and expresses a commitment to enhancing the security posture not just within our organization, but across society as a whole. Under this declaration, we promote the strengthening of cybersecurity controls led by management in order to counter the increasing severity and sophistication of cyber threats.

Risk Management and Strategy

We define cybersecurity threats as one of our Top Risks. Under the concept of “three lines of defense,” we have integrated cybersecurity risk management, which assesses, identifies, and manages material risks arising from cybersecurity threats, into a company-wide risk management framework, and have established an SMBC Group-wide cybersecurity structure with over 850 personnel. Cybersecurity risk management forms part of our cybersecurity operational plan, which is subject to approval by the Management Committee. We periodically engage third-party consultants to conduct maturity assessments based on global cybersecurity frameworks to test our cybersecurity controls. Using our threat intelligence function, we collect information such as the latest cybersecurity threats, vulnerabilities and geopolitical developments, and leverage them to detect and prevent those cybersecurity threats. To deter attacks exploiting vulnerabilities, we regularly conduct vulnerability assessments using various tools and also conduct threat-led penetration testing by entrusting external vendors to penetrate actual systems and evaluate vulnerabilities.
We have designed a multilayered cyber defense system that includes detection and interception of suspicious communications from the outside, as well as operation and monitoring of various security programs and systems, to protect against various cyberattacks such as unauthorized access and mass access attacks. We have established a Security Operation Center (“SOC”) with a 24-hour, 365-day monitoring function and locate SOCs in various regions. Through coordination among SOCs in each region, we further strengthen security monitoring on a group-wide basis. In terms of preparedness for cyber incidents, we established a Computer Security Incident Response Team (“CSIRT”) to prepare for any incidents and have set up a response system. The CSIRT actively collects cyber information on attackers’ methods and vulnerabilities from both inside and outside of our organization and shares them with external organizations such as government authorities in relevant nations and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or other relevant organizations as necessary. In addition, we regularly participate in attack simulation exercises conducted by outside experts or the authorities to further strengthen our cyberattack response and resilience. We have established risk management processes covering third parties such as outsourced vendors, and regularly monitor the actual situation.

To foster a culture that enhances awareness of security measures, we conduct awareness-raising activities tailored to roles and responsibilities within the SMBC Group. For top management, we regularly hold study sessions on topics including management considerations in cybersecurity. For employees, we provide targeted attack email training and other actions to raise security awareness, and training for IT system planning staff to instill a “security by design” philosophy.
Based on this recognition, we regard the development of expert human resources as a vital issue in maintaining a medium- to long-term cybersecurity management structure. We focus on the development of core human resources through the use of internal and external content, the introduction of a program that supports obtaining qualifications, dispatch of staff to graduate schools in Japan and abroad, and participation in specialist organizations and industry associations. In addition, we work to secure expert human resources through mid-career recruitment, and have set up a cybersecurity course for new graduate hires as a part of ongoing structural strengthening.

For the fiscal year ended March 31, 2026, there were no cybersecurity incidents that had a material impact on our results of operations or financial condition.

Governance

The Management Committee regularly discusses cybersecurity risk management in order to further strengthen our security posture based on our cybersecurity operational plan. In order to clarify the roles and responsibilities for promoting the effectiveness of security controls, the position of Group Chief Information Security Officer (“CISO”) has been assigned under the Group Chief Information Officer (“CIO”) and the Group Chief Risk Officer (“CRO”). The Group CISO is responsible for supervision and direction of controls to manage cybersecurity threats on a group-wide basis. The current Group CISO has been working in the systems sector for many years and has extensive experience in cybersecurity, technology risk management and information security. Group Vice CISOs and regional CISOs are stationed under the Group CISO to help secure cybersecurity controls. Our directors, in their capacities serving on the full board of directors as well as on the risk committee and audit committee, obtain information and oversee the status of the cybersecurity risk management.
Based on reports from the Group CIO regarding the status of cybersecurity risk management, the board supervises the cybersecurity operational plan and its implementation on risk management related to systems, including cybersecurity. The risk committee oversees the implementation of the cybersecurity operational plan on comprehensive risk management, which includes cybersecurity risk, based on regular reports from the Group CRO. The audit committee supervises the implementation status based on regular reports from the Group CISO on the status of cybersecurity controls. Additionally, members of our board of directors periodically receive reports on cybersecurity information including external threat trends and our cybersecurity control measures from the Group CISO. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | We have integrated cybersecurity risk management, which assesses, identifies, and manages material risks arising from cybersecurity threats, into a company-wide risk management framework, and have established an SMBC Group-wide cybersecurity structure with over 850 personnel. Cybersecurity risk management forms part of our cybersecurity operational plan, which is subject to approval by the Management Committee. We periodically engage third-party consultants to conduct maturity assessments based on global cybersecurity frameworks to test our cybersecurity controls. Using our threat intelligence function, we collect information such as the latest cybersecurity threats, vulnerabilities and geopolitical developments, and leverage them to detect and prevent those cybersecurity threats. To deter attacks exploiting vulnerabilities, we regularly conduct vulnerability assessments using various tools and also conduct threat-led penetration testing by entrusting external vendors to penetrate actual systems and evaluate vulnerabilities. We have designed a multilayered cyber defense system that includes detection and interception of suspicious communications from the outside, as well as operation and monitoring of various security programs and systems, to protect against various cyberattacks such as unauthorized access and mass access attacks. We have established a Security Operation Center (“SOC”) with a 24-hour, 365-day monitoring function and locate SOCs in various regions. Through coordination among SOCs in each region, we further strengthen security monitoring on a group-wide basis. In terms of preparedness for cyber incidents, we established a Computer Security Incident Response Team (“CSIRT”) to prepare for any incidents and have set up a response system. The CSIRT actively collects cyber information on attackers’ methods and vulnerabilities from both inside and outside of our organization and shares them with external organizations such as government authorities in relevant nations and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”) or other relevant organizations as necessary. In addition, we regularly participate in attack simulation exercises conducted by outside experts or the authorities to further strengthen our cyberattack response and resilience. We have established risk management processes covering third parties such as outsourced vendors, and regularly monitor the actual situation. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block] | For the fiscal year ended March 31, 2026, there were no cybersecurity incidents that had a material impact on our results of operations or financial condition. |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Governance: The Management Committee regularly discusses cybersecurity risk management in order to further strengthen our security posture based on our cybersecurity operational plan. In order to clarify the roles and responsibilities for promoting the effectiveness of security controls, the position of Group Chief Information Security Officer (“CISO”) has been assigned under the Group Chief Information Officer (“CIO”) and the Group Chief Risk Officer (“CRO”). The Group CISO is responsible for supervision and direction of controls to manage cybersecurity threats on a group-wide basis. The current Group CISO has been working in the systems sector for many years and has extensive experience in cybersecurity, technology risk management and information security. Group Vice CISOs and regional CISOs are stationed under the Group CISO to help secure cybersecurity controls. Our directors, in their capacities serving on the full board of directors as well as on the risk committee and audit committee, obtain information and oversee the status of the cybersecurity risk management. Based on reports from the Group CIO regarding the status of cybersecurity risk management, the board supervises the cybersecurity operational plan and its implementation on risk management related to systems, including cybersecurity. The risk committee oversees the implementation of the cybersecurity operational plan on comprehensive risk management, which includes cybersecurity risk, based on regular reports from the Group CRO. The audit committee supervises the implementation status based on regular reports from the Group CISO on the status of cybersecurity controls. Additionally, members of our board of directors periodically receive reports on cybersecurity information including external threat trends and our cybersecurity control measures from the Group CISO. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The Management Committee regularly discusses cybersecurity risk management in order to further strengthen our security posture based on our cybersecurity operational plan. In order to clarify the roles and responsibilities for promoting the effectiveness of security controls, the position of Group Chief Information Security Officer (“CISO”) has been assigned under the Group Chief Information Officer (“CIO”) and the Group Chief Risk Officer (“CRO”). The Group CISO is responsible for supervision and direction of controls to manage cybersecurity threats on a group-wide basis. The current Group CISO has been working in the systems sector for many years and has extensive experience in cybersecurity, technology risk management and information security. Group Vice CISOs and regional CISOs are stationed under the Group CISO to help secure cybersecurity controls. Our directors, in their capacities serving on the full board of directors as well as on the risk committee and audit committee, obtain information and oversee the status of the cybersecurity risk management. Based on reports from the Group CIO regarding the status of cybersecurity risk management, the board supervises the cybersecurity operational plan and its implementation on risk management related to systems, including cybersecurity. The risk committee oversees the implementation of the cybersecurity operational plan on comprehensive risk management, which includes cybersecurity risk, based on regular reports from the Group CRO. The audit committee supervises the implementation status based on regular reports from the Group CISO on the status of cybersecurity controls. Additionally, members of our board of directors periodically receive reports on cybersecurity information including external threat trends and our cybersecurity control measures from the Group CISO. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |